This article was originally pubished on Infosecurity Magazine.
The shift from mainframe to client-server computing between 1980 and 2000 led to an explosion of choices for IT. Until 1980, there was usually a piece of big iron (from IBM) that sat in the data center and ran a limited number of applications. The post-mainframe generation of IT expansion came with a corresponding growth of specializations and silos in the IT organization.
CIOs, throughout this transition, increasingly presided over a range of organizations and titles that reflected the various infrastructure categories (networking, compute, etc.), the application development process (developer, architect, etc.), and related functions that enabled the performance and protection of company business processes and IP (security, architecture, etc.).
From the perspective of building new applications, much of this choice actually slowed business by introducing many human touch-points in both decision-making processes and technology integration. When industries were defined by long-term structural competition, the speed of IT was not a gating factor. Today, when software is eating the world, however, speed is everything.
DevOps (and Speed) Come to Security
Specific IT roles that developed evolved into personas or stereotypes, sometimes grounded in truth and sometimes not. Application developers were the fast or ‘go’ crowd as they faced the changing needs of the business and were tasked to respond. Infrastructure teams were ‘slow’, reflecting the challenges of bringing up new systems mired in a range of complexity. And the security teams were the people who said ‘no’ to doing new things, often leading to forms of shadow IT and even larger risks for the enterprise.
There are reasons why security and risk professionals often react with a ‘no’. When you are tasked with assessing and reducing risk, going fast might not be the first instinct. Orchestration tools and infrastructure virtualization have removed many of the barriers from DevOps and infrastructure from going fast. Now, even in the era of the mega-breach, there are tools that have emerged giving security teams an opportunity to move at DevOps speed — making them a true partner as opposed to a traffic cop.
DevOps-style Security and the CISO Who Says ‘Yes’
In a recent podcast with Jawbone CISO Justin Dolly, he discussed how a CISO can move rapidly through new technologies but also still mitigate risks by understanding which technology assets, people and processes must be prioritized. By instantiating security directly into the development process – when a workload spins up to create a new application – and continuously delivering security directly on the compute layer, IT teams can fully support new movements such as DevOps without fear of increasing risk. This is especially true when it comes to providing security for the newest compute innovations as well as dynamic environments such as Amazon Web Services (AWS) and Microsoft Azure.
By enabling continuous security at DevOps speed, IT can both have fine-grained controls of computing but also adapt to changes in the environment. This requires a new approach with the following five principles:
- Security gets built into applications and not bolted on afterward
- Security becomes increasingly a distributed responsibility that mirrors the computing it is protecting
- Security integrates with modern orchestration tools such as Puppet Labs, Chef and Ansible
- Automation and continuous monitoring and enforcement will replace manual management of rules and policies; security teams can focus on high-risk threats and incursions vs. lower-level infrastructure management tasks
- Security becomes decoupled from the infrastructure so it can adapt to new infrastructure, and it must provide the same or better visibility and segmentation/isolation that the infrastructure supports in computing today
As DevOps speeds make their way into the security cycle, it is likely new security titles will appear as well, including, security automation architect or security workflow expert. A key attribute of each will be that they will all get to say, ‘Yes, let’s go fast’.