DevOps and security: 4 steps to end culture clash
DevOps and security pros grew up in different tribes. Here's how to beat cultural barriers and ensure agility and security
More enterprises are embracing DevOps to improve development agility and speed up the rollout of business applications. However, speed can also increase security risks. Striking the balance between increasing business agility and ensuring information security requires that you integrate the security team into the DevOps methodology. This presents several challenges, including the time and effort required to break down the cultural barriers that separate the security and DevOps roles. Here are four key steps any organization can take to overcome these challenges.
We developed these best practices after discovering just how many enterprises have committed to integrating security with DevOps. We recently polled 300 senior management professionals within IT, DevOps, and security teams with small, medium, and large organizations that have already implemented a DevOps posture. The DigiCert 2017 Inviting Security into DevOps Survey found that a whopping 98 percent of respondents have made integrating their security teams into their existing DevOps methodology a priority.
They fall into two equal groups, with 49 percent in the process of integrating security, while the other 49 percent have completed their efforts – and report this integration has improved both development agility and information security.
The majority are driven by concerns that failure to do so will create problems that will impact their organizations’ bottom lines:
- 78 percent cite increased costs
- 73 percent cite slower app delivery
- 71 percent cite increased security risks
Underscoring the risks, 59 percent of the respondents say they sometimes or often have rogue certificates; in other words, those issued in their organization outside of security controls and often not visible to security until issues arise.
If you’re preparing to undertake this integration, your first question is likely “Where to begin?”
Step 1: Appoint a social leader
First, find your champion. This person will drive this necessary cultural change by clearly defining the roles IT, security, and DevOps will play, and oversee the integration of these disparate teams and personnel. That person may be your chief data officer or chief risk officer, or anyone who exhibits an ability to evangelize and bring people together. That requires finding someone who is passionate about making this change happen because they understand doing so will help the entire business succeed.
You may decide you need more than one evangelist, with representatives from different backgrounds and roles within your technical teams. You’ll need people who can bridge the cultural divides that often exist.
“The security folks are just different animals, but then, so are the developers,” said one survey respondent who is a senior project manager for a large New York-based printer manufacturer. “You have to deal with egos and fights over methodologies.”
Step 2: Bring security to the table
Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, and implement automated PKI to require signing and encrypting everything within the network.
Too often, security is the gatekeeper at the end of the development lifecycle and may be viewed as a roadblock. After all the work that goes into building and testing an application is complete, security enters the process – and finds problems that grind the rollout process to a halt. The more cost-effective and efficient approach is to involve security much earlier. That way, everyone knows what the goals are on day one.
“The faster that we implement something, the more likely it is to have vulnerability issues,” said an IT manager for a large central U.S. manufacturing firm. “That’s why for us security is so important; it saves us time and money in the long run.”
Step 3: Invest in automation
Automate baseline security practices within the DevOps workflow, including certificate management, patching, vulnerability scanning, and static code analysis.
The goal is to simplify the development process, and that includes security procedures. For example, consider vulnerability scanning, which ensures the libraries your developers are working with are up to date with all security patches. If they are not, you’ll waste time and money.
Certificate management presents another opportunity for automation. Instead of asking your security team for a digital certificate when beginning a new project, automate the process of requesting and provisioning a certificate to make it more efficient and significantly reduce risk.
This is not a call to automate everything, just the right things. 100 percent automation should not be your goal. If a simple task takes a minute to complete manually, or is not easy to automate, don’t bother.
Step 4: Integrate and standardize
Implement controls on certificate management processes and integrate with server configuration and orchestration platforms to enable automated security behind the scenes. Look to standardize wherever possible. For example, don’t have users across different teams picking from a hodge-podge of libraries. Select one library and use it enterprise-wide.
The process of integrating security and DevOps is not easy or fast, but it is well worth the effort. The enterprises surveyed that have finished integration are much more likely to feel they are doing well with information security, meeting application delivery deadlines, and lowering application security risks.