
C suite must champion Infrastructure as Code

Today, developers are coding infrastructure, which brings speed and agility to enterprises. But DevSecOps is a nonstarter without C-suite support.

Many companies are turning to new IT models to bring agility and speed to doing business. But departmental silos and security issues can easily get in the way.

Also known as Infrastructure as Code, the IT infrastructure provisioning model behind DevOps enables developers to dynamically provision infrastructure -- servers, networking and storage -- through code rather than manual scripting. DevOps can bring automation to previously onerous processes and enable IT to make dynamic adjustments to suit the environment. This kind of IT provisioning model has become more critical in the era of cloud computing. While today about 40% of application workloads run in the cloud, 451 Research expects that number to increase to 60% by 2018. IT teams need to break their operational silos to get there.

Source: "Coding DevSecOps," Jason Suttie, The Sketching Scrum Master. https://sketchingscrummaster.com

Today, development and security teams may be governed by different mindsets. Development teams may speed ahead to try to deliver the infrastructure quickly, since their goal is to deliver to the business at its pace. Security teams, on the other hand, want to ensure the security and integrity of code. In turn, security professionals are often perceived as a roadblock to getting things done in an agile, cloud-driven environment.

That caution is valid, say experts; as developers use code to spin up infrastructure, they may flout best practices. “When an organization speeds up development by skipping steps meant to identify flaws,” wrote Dave Shackleford in A DevSecOps Playbook, “it exposes itself in ways that would have been unthinkable under traditional development models.”

Moreover, breaches at the application layer are in vogue. According to Verizon's Data Breach Investigations Report (DBIR), more than 40% of 2,000-plus data breaches involved compromised Web apps; indeed, apps were the primary target.

Creating secure DevOps (with DevSecOps)

That's why security professionals are turning to DevSecOps to address the new agility required in the cloud – without leaving security by the wayside. It requires, say those who have made the transition, a radical shift in strategy and tactics.

"My journey was about changing completely how I thought about security inside an organization. That's what the public cloud did to me," said Aaron McKewan, chief security architect of New Zealand-based Xero, an accounting software company that has migrated to Amazon Web Services (AWS)-based cloud infrastructure.

To build security into the infrastructure design process up front, McKewan and his team turned to DevSecOps, which joins security teams together with DevOps teams. "Cross-functional teams are . . . how you get things done in the cloud," he said.

McKewan noted that, at Xero, security became a high-level priority given his company’s move to Infrastructure as Code. Having an Infrastructure as Code model required building in security upfront and everywhere. "You need multiple layers of defense: hosts, infrastructure, your networks, your ecosystem all need to be defended," McKewan emphasized.

But even if bringing teams together is more efficient in the cloud, McKewan underscored the importance of getting the executive-level sponsorship for this way of working. DevSecOps will be a nonstarter if security teams push it on their own.

"At Xero, this approach was driven from the top," said McKewan. At first, "developers didn’t want to have anything to do with what we were doing. It was decided at a much higher level," McKewan said.

"The CIO is the one in IT who can 'do something about this,'" said Gartner's David Cearley in a SearchCIO article, because all IT teams -- operations, security, applications -- report to him. "The CIO has to direct his team to say, 'If you don't work together, get another job somewhere else.'"

The journey to break silos and join teams for more secure infrastructure is going to take time, though. Today, 38% of enterprises use DevOps, and 50% will use it by the end of 2016. Adoption doesn't mean conversion, however: Nearly 90% of companies that have adopted DevOps treat it as an afterthought, according to a recent report by Gartner Inc.

Tips to make DevSecOps successful

McKewan said there were several lessons to be learned from Xero’s transition to the cloud.

  1. Build security by design. "The key thing is to build security into every layer," McKewan said. That means factoring security into infrastructure design up front. "In any public cloud environment, it's important to have defense in depth. It's important to know you have multiple layers of defense inside your environment: your hosts, your infrastructure, your networks, including AWS need to be defended."
  2. Infrastructure as Code. Use cross-functional teams. Team silos don't work in a cloud-computing world.
  3. Iterate, iterate, iterate. Mirror agile development and deliver in short, frequent cycles.
  4. Measure. If you don't measure, you don't know what normal looks like. You don't have to measure continuously, but "you need to know what's going on with your infrastructure."
  5. Build security into the product lifecycle. "This is about getting developers invested in security," McKewan emphasized. "It needs to be a day-zero activity and have them come to the security team when they are spinning up a new project -- not six weeks after they have already done it."
  6. Share information, communicate regularly. While in traditional projects you might designate a spokesperson, cloud computing may require everyone to be in a position to evangelize. "Now, it's important to have everyone on your team as a spokesperson," McKewan said. "Even my intern does presentations. You need to get everyone on the team to share what they're doing so other teams can respect it."
  7. It's a shared journey. Making the transition to DevSecOps requires your whole ecosystem to work in lockstep. "It's a shared journey for developers, staff but also for security partners; they are learning as well. It's not just you and your public cloud provider. It's you and the other organizations in your ecosystem."