
Why Security is DevOps


Written by  for CloudPassage.

Security is DevOps, but many think that's not the case. In the DevOps world, different teams collaborate to bring a product to fruition quickly. However, it's often felt that Security will slow the process down. In this post I'm going to explain why it's important that Security is at the DevOps collaborative table, and how it fits within the DevOps realm.

Security is in the Public Eye More than Ever

As our culture and society connect worldwide through the digital age, security and privacy are growing concerns for the general public. This is exemplified in brand-name vulnerabilities, such as “Heartbleed”, which affected anybody with a web server, or “Shellshock”, which affected nearly every user of bash. You have breaches in the thousands, crossing social media, retail, insurance, and even entertainment realms.

Teenagers and even younger children are more aware of the idea of Denial of Service attacks, and of the effects of hacking from cyberbullying. So, more than ever, the DevOps paradigm needs to include Security when providing services to the masses in order to be firefight-ready.

Security Matches Up with DevOps

Security isn’t just a necessity. It also interweaves easily into a healthy approach to DevOps. Take, for instance, the Information Security Triad, which consists of Availability, Integrity, and Confidentiality and is used to secure data and services. Each of these can also be applied to the objectives and goals of DevOps.

Availability

“For any information system to serve its purpose, the information must be available when needed.” [1]

Just as Security wants to be able to weather and recover from attacks or downtime, so does DevOps with availability. We’re always looking to provide fast services and to automate our way to ensuring uptime when bad things happen (because they will).

Integrity  

“That a system and its data are not manipulated for unauthorized functionality or alteration.” [2]

Providing integrity that allows us to find holes when they occur means that, as DevOps, our processes must not only consistently meet an agreed-upon standard, but also be repeatable (on top of providing the fast uptime from our availability). By having standardized and repeatable processes for how we build apps and infrastructure, we’re better equipped to enforce policy as well as detect anomalies in our services.

Confidentiality  

“The requirement that private or confidential information not be disclosed to unauthorized individuals.” [2]

After we’ve created a service or product that is fast, standardized, and repeatable, we want to make sure that the only people who can get to the service are those who should. Especially in terms of the tools that help us do DevOps, such as Chef or Puppet servers, we also want to keep in mind that while access should be controlled, it shouldn’t be siloed. It should provide enough control while still allowing a collaborative spirit and agile process.

So now with all of that in mind you can see why security aligns well with DevOps, and why it is important. But how do we apply this to the process of deploying tools we use in DevOps, such as an automation and infrastructure management tool like Chef Server? Look to my next blog post to find out more, or, if you’re around at ChefConf on April 1st, 2015 at 3:20pm, come see my presentation.

Sources

1. Information security. (2015, March 19). In Wikipedia, The Free Encyclopedia. Retrieved 21:52, March 27, 2015, from http://en.wikipedia.org/w/index.php?title=Information_security&oldid=652104012

2. NIST Special Publication 800-33, csrc.nist.gov


Published at DZone with permission of Tatiana Crawford, DZone MVB. See the original article here.
