Organizations that have adopted DevSecOps processes may be making progress when it comes to improving cybersecurity, but it’s far from easy. A survey of 618 IT decision-makers conducted by Dimensional Research on behalf of Barracuda Networks, a provider of IT security software and appliances, finds half have adopted either DevOps, DevSecOps or a continuous integration/continuous development (CI/CD) platform. A full 93 percent of those IT decision-makers said they faced challenges integrating security into those practices.
Top challenges cited include: Existing security technologies don’t integrate with application development environments (63 percent), application developers are not comfortable with security (48 percent), and security processes have not evolved (48 percent).
Much of the frustration can be tied to reliance on firewalls that don’t feature application programming interfaces (APIs) or are not natively integrated with a public cloud, said Tim Jefferson, vice president for public cloud at Barracuda Networks. Each cloud service provider has a unique environment that requires providers of IT security software to write code that natively integrates with that platform. IT organizations can’t simply cut and paste security controls created for on-premises IT environments, mainly because the cloud provider has already implemented its own controls at the infrastructure level. The IT organizations need to develop their own controls for the application layer, each of which then must be layered on top of the controls put in place by the cloud service provider.
In the absence of those capabilities, developers get frustrated because a firewall running on a virtual machine on a public cloud presents them with a graphical user interface (GUI) rather than an API. Developers in the age of the cloud are not going to engage with any technology that they can’t programmatically invoke via an API, Jefferson said.
Not surprisingly then, the survey finds the most requested firewall capabilities are cloud-native integration (74 percent), ease of deployment and configuration by cloud developers (59 percent), ability to regulate traffic flows between on-premises IT environments and public clouds (56 percent) and distributed policy enforcement (53 percent).
Because many IT professionals don’t have these capabilities, many of them conclude on-premises IT environments are more secure than public clouds. More than half the respondents (56 percent) say on-premises cybersecurity is still superior to a public cloud. Clearly, there are a lot of technical and emotional factors that go into those assessments, but regardless of the truth, perception remains reality.
Regardless of the approach taken, however, organizations that deploy firewalls in the cloud are expecting to pay for those services on a consumption basis, which doesn’t always align with taking a firewall running on a virtual machine and then deploying it on a public cloud.
Jefferson said that as cybersecurity in the age of the cloud continues to mature, expectations are rising regarding the capabilities a firewall should be able to provide—especially when it comes to controlling the flow of traffic coming into and out of a public cloud.
Obviously, anything to do with DevSecOps these days is still evolving. But whatever the cybersecurity future holds, the relationship between on-premises and cloud security is far more nuanced than many appreciate.