The shift to DevOps requires a new approach to security


DevOps has been a popular topic in IT circles over the past few years. It's important to understand that DevOps itself isn't a product or a market. IDC won't be forecasting the size of the DevOps market anytime soon (although they do forecast DevOps tools) because DevOps is a philosophy for running IT.

DevOps is a software development method that aligns application development with IT operations. To fulfill the vision of DevOps, IT has had to adopt a number of new tools and technologies. Some examples of these new tools are automation tools, containerization and orchestration platforms. The DevOps process is radically different from legacy processes, so it makes sense that IT departments would need new technologies to support this shift.

What about security, though? How has that changed? The fact is that security has lagged behind when it comes to enabling the transition to DevOps. To better understand how security needs to evolve, I interviewed PJ Kirner, CTO and founder of security startup Illumio, which developed its product with an eye towards solving the DevOps security challenge.

PJ and I discussed how the adoption of DevOps creates more security risk for organizations. As he put it, the primary drivers of DevOps are agility and speed of development. For most organizations, this means many smaller projects that can go from concept to development to deployment much faster than traditional applications. It also means more decentralized control, as many different teams can run these smaller projects simultaneously.

For the security team, this poses many problems. The first is that understanding the risks becomes much harder and more complicated. With traditional IT, development and deployment times can be long, and the security team has the time to harden security at the end of the development cycle. With DevOps, getting visibility into the possible security gaps before an application is launched is more complicated because there isn't the time to take weeks or months to ensure the security is hardened.

Automation is one of the cornerstones of DevOps, so it stands to reason that security also needs to be automated. However, traditional security tools present some significant challenges when it comes to automating security using DevOps practices. These include:

  • Security policies are dependent on inflexible network parameters. This leads to rigid security architectures that cannot adjust to application or infrastructure changes.
  • A massive number of firewall rules need to be reviewed when the environment changes or new applications are introduced. Typically, these rules are reconciled manually, which can often bring the process to a screeching halt.
  • Traditional security products lack the APIs required to automate security management and integrate into DevOps tools.
  • No visualization tools to “see” configuration changes before they are implemented. The lack of visibility makes it challenging to make an informed decision on security. 

Kirner and I talked about why there should be urgency around IT to automate security with DevOps. He gave me five reasons, which include:

  • Ensure security is no longer the bottleneck.
  • Security teams currently need detailed visibility into their computing environments to accurately assess security gaps.
  • Security balanced with the business goals in a continuous software delivery model ensures better alignment with business goals.
  • Rapid application deployment through standardized security configurations.
  • Better-performing infrastructure and operations teams as they are no longer fighting fires and working with unrealistic time frames. 

Solving these challenges requires a security tool built specifically with DevOps in mind. Kirner listed five attributes of Illumio that align its product with how DevOps works:

  • Security policies that use application context instead of relying solely on IP addresses, enabling DevOps to define and include security changes at every phase of the application lifecycle instead of just at the end (see exhibit below).
  • APIs that enable security to integrate with third-party orchestration tools like Puppet and Chef.
  • Live visual verification of security policies prior to the enforcement of them.
  • Enables applications to automatically inherit contextual policies.
  • Faster application development time since developers no longer need to wait for security policies to be added after development is done. 
[Exhibit: DevOps security chart]
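
To make the contrast between IP-bound rules and application-context policies concrete, here is an added sketch (not Illumio's code or API, and not from the interview) in which a policy is written against labels, compiled into concrete allow rules from a workload inventory, and previewed as a diff before anything is enforced. The names `Workload`, `Policy`, `compile_rules` and `preview`, the label strings, and the documentation-range addresses are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # application context, e.g. {"app:orders", "role:web"}

@dataclass(frozen=True)
class Policy:
    src: frozenset  # labels a source workload must carry
    dst: frozenset  # labels a destination workload must carry
    port: int

def compile_rules(policies, inventory):
    """Resolve label-based policies into (src_ip, dst_ip, port) allow rules."""
    rules = set()
    for p in policies:
        sources = [w for w in inventory if p.src <= w.labels]
        dests = [w for w in inventory if p.dst <= w.labels]
        rules |= {(s.ip, d.ip, p.port) for s in sources for d in dests if s.ip != d.ip}
    return rules

def preview(policies, current, proposed):
    """Dry run: rules that would be added or removed, before enforcement."""
    before = compile_rules(policies, current)
    after = compile_rules(policies, proposed)
    return {"add": sorted(after - before), "remove": sorted(before - after)}

# Constructed sample data; labels and addresses are assumptions for illustration.
WEB = frozenset({"app:orders", "role:web", "env:prod"})
DB = frozenset({"app:orders", "role:db", "env:prod"})
DEV_WEB = frozenset({"app:orders", "role:web", "env:dev"})

POLICIES = [Policy(src=WEB, dst=DB, port=5432)]  # written once, never mentions an IP

CURRENT = [
    Workload("web-1", "192.0.2.10", WEB),
    Workload("db-1", "192.0.2.20", DB),
    Workload("web-dev", "192.0.2.30", DEV_WEB),
]
# Proposed change: web-1 is redeployed on a new address and web-2 is added.
PROPOSED = [
    Workload("web-1", "198.51.100.11", WEB),
    Workload("web-2", "198.51.100.12", WEB),
    Workload("db-1", "192.0.2.20", DB),
    Workload("web-dev", "192.0.2.30", DEV_WEB),
]

if __name__ == "__main__":
    diff = preview(POLICIES, CURRENT, PROPOSED)
    for action in ("add", "remove"):
        for rule in diff[action]:
            print(action, rule)
```

The policy text is unchanged by the redeployment; only the compiled rules move, and the stale rule for the old address shows up under `remove` for review instead of lingering in a firewall.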

Despite the security challenges of making the shift to DevOps, I want to be clear that PJ Kirner was very bullish on the philosophy and feels there's tremendous value in it. The key is to think about how to bring the same level of agility to security as the rest of the application development cycle has.


Copyright © 2015 IDG Communications, Inc.
