The promise of secure DevOps can be realized through security technologies such as dynamic authorization
Fundamentally, DevOps is all about speed and agility. Customers expect companies to deliver and update applications at an accelerated pace and businesses must adopt modern technologies to meet customer expectations. With DevOps, organizations can implement a continuous development and deployment cycle to reap a multitude of benefits.
Not only can organizations operate and evolve applications at high speed with DevOps, they can also do it more cost-effectively by automating every step of building, testing and deploying software, so that code and configuration changes no longer have to be deployed by hand for each application.
Speed and security are not necessarily enemies, but if the security or access control technologies in use are not in tune with a continuous deployment flow, the full promise of DevOps will not be realized. Waiting until the end of a development cycle to review security exposes organizations to issues that would have been far cheaper to resolve had the controls been designed in from the start. Late discovery of security problems also slows delivery, which runs counter to DevOps' primary objectives. To realize the full potential of DevOps, organizations must make security controls, such as externalized authorization, an integral part of the delivery process from the very beginning.
The Importance of Security Controls
Security controls address specific security requirements proactively and consistently across the enterprise. A continuous integration/continuous deployment (CI/CD) cycle is a central piece of the DevOps process, and it implies that the application environment may change at any moment and possibly several times a day. With the production environment changing constantly, security controls must be part of that same process; hence the term "DevSecOps."
If security is not part of the overall delivery process, you run the risk that security controls are not properly vetted, or not consistently enforced, with every new release and every new application, API or microservice. The security controls must in turn conform to a DevOps approach: they must fit into a model that is streamlined through automation, so that they are deployed and managed much like modern applications.
Conforming to a DevOps approach can mean several things. What we focus on here is that security and identity services should be deployed and managed in the same manner as application code. Cloud-native capabilities, clearly defined interfaces, REST and JSON enabled interfaces and containerization are some of the characteristics that make security and identity services look and feel like the business applications and services they protect.
Integrating the Right Security Controls
To realize the full benefits of DevOps, organizations must deploy security and identity management technologies that are in sync with a continuous integration/deployment cycle. If identity and access management (IAM) systems cannot be deployed and managed in the same manner as your APIs and microservices, the DevOps process becomes more cumbersome and less streamlined.
One technology to consider is externalized dynamic authorization delivered through attribute-based access control (ABAC). With dynamic authorization, access to a resource is granted or denied based on attributes of the requesting subject, the resource, the requested action and the environment (for example, the network a request arrives from). The decision is computed at runtime by a policy decision point that evaluates centrally managed rules and policies, so the rules live outside the application code that enforces them.
With dynamic authorization, you can automate policy changes the same way you automate code changes: policies are versioned, tested and promoted through the same pipeline stages. The ABAC service itself can be managed like a microservice, giving it the same flexibility, deployment and automation characteristics as your application microservices. Ultimately, the life cycle of redeploying both the application and its security components can be fully automated, and any change to policies becomes part of that automation. Furthermore, you can automatically activate additional authorization servers for peak load conditions and remove them when less capacity is required.
An automated approach relieves pressure on developers, because they no longer have to write authorization rules into their code; each application still needs an enforcement point that asks the authorization service for a decision, but the rules themselves live outside the application. In addition, access rules are enforced consistently across applications, APIs, microservices and data resources, reducing the risk of overexposing information and of security breaches. Developers can spend their time on business functionality instead of access security.
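To make the mechanism described in the last three paragraphs concrete, here is an added example, written for this page and not code from the original article or from any authorization product: a small Python policy decision point whose policies are JSON data rather than application code, a deny-overrides combining rule with deny by default, fail-closed handling of missing attributes, and a regression table that a pipeline can run on every policy change before the policy set is promoted. The policy language, the attribute names (subject.role, resource.department, environment.network and so on) and the medical-records scenario are all constructed for illustration.

```python
import json

class MissingAttribute(Exception):
    """A condition referenced an attribute the request does not carry."""

# Constructed sample policy set (hypothetical; not any product's policy language).
# A policy applies when every target attribute matches literally and fires when all
# conditions hold; a condition compares an attribute with a literal ("value") or
# with another request attribute ("ref"). Policies are data, so they live in version
# control and ship through the same pipeline as the application code.
POLICY_JSON = """[
 {"id": "clinicians-read-own-department", "effect": "Permit",
  "target": {"action": "read", "resource.type": "medical-record"},
  "conditions": [{"attr": "subject.role", "op": "in", "value": ["doctor", "nurse"]},
                 {"attr": "subject.department", "op": "eq", "ref": "resource.department"}]},
 {"id": "restricted-data-internal-only", "effect": "Deny",
  "target": {"resource.classification": "restricted"},
  "conditions": [{"attr": "environment.network", "op": "neq", "value": "internal"}]},
 {"id": "records-admin-manage", "effect": "Permit",
  "target": {"resource.type": "medical-record"},
  "conditions": [{"attr": "subject.role", "op": "eq", "value": "records-admin"},
                 {"attr": "action", "op": "in", "value": ["read", "update", "delete"]}]}
]"""
POLICIES = json.loads(POLICY_JSON)

def get_attr(request, path):
    """Resolve a dotted path such as 'subject.role'; None when absent."""
    node = request
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def target_matches(policy, request):
    return all(get_attr(request, k) == v for k, v in policy.get("target", {}).items())

def condition_holds(cond, request):
    actual = get_attr(request, cond["attr"])
    if actual is None:  # fail closed: a missing attribute must not defuse a Deny rule
        raise MissingAttribute(cond["attr"])
    expected = get_attr(request, cond["ref"]) if "ref" in cond else cond["value"]
    if expected is None:
        raise MissingAttribute(cond["ref"])
    op = cond["op"]
    if op == "eq":
        return actual == expected
    if op == "neq":
        return actual != expected
    if op == "in":
        return actual in expected
    raise ValueError(f"unsupported operator {op!r}")

def decide(policies, request):
    """Deny-overrides combining: an applicable Deny wins, then any Permit, else Deny.
    Returns (decision, reason); a missing attribute yields Deny ("indeterminate")."""
    permit_by = None
    for policy in policies:
        if not target_matches(policy, request):
            continue
        try:
            fires = all(condition_holds(c, request) for c in policy.get("conditions", []))
        except MissingAttribute as exc:
            return "Deny", f"indeterminate: missing attribute {exc}"
        if fires and policy["effect"] == "Deny":
            return "Deny", policy["id"]
        if fires and permit_by is None:
            permit_by = policy["id"]
    return ("Permit", permit_by) if permit_by else ("Deny", "no matching Permit")

def record_request(role, dept, action, record_dept, classification="normal", network="internal"):
    """Attribute bundle a policy enforcement point (API gateway or service) sends to the PDP."""
    return {"subject": {"role": role, "department": dept}, "action": action,
            "resource": {"type": "medical-record", "department": record_dept,
                         "classification": classification},
            "environment": {"network": network}}

# Policy as code: expected decisions that CI re-checks on every policy change, exactly
# as unit tests gate application code (constructed cases).
EXPECTED = [
    ("doctor reads own department", record_request("doctor", "cardiology", "read", "cardiology"), "Permit"),
    ("doctor reads other department", record_request("doctor", "cardiology", "read", "oncology"), "Deny"),
    ("restricted record off network",
     record_request("nurse", "cardiology", "read", "cardiology", "restricted", "vpn"), "Deny"),
    ("records admin deletes", record_request("records-admin", "it", "delete", "oncology"), "Permit"),
]

def policy_regressions(policies, cases):
    """(name, expected, actual) for each case whose decision changed; empty means the set may ship."""
    failures = []
    for name, req, expected in cases:
        actual, _ = decide(policies, req)
        if actual != expected:
            failures.append((name, expected, actual))
    return failures

if __name__ == "__main__":
    for name, req, _ in EXPECTED:
        print(f"{name}: {decide(POLICIES, req)}")
    print("regressions:", policy_regressions(POLICIES, EXPECTED))
```

The application's enforcement point only assembles the attribute bundle and calls decide(); no authorization rule appears in application code, and an edited policy file fails the pipeline at policy_regressions() before it reaches production. Two details matter in practice: evaluate Deny rules before honouring any Permit, and treat a missing attribute as Deny rather than as "rule not applicable", otherwise a request that simply omits environment.network would slip past the restricted-data rule.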
Security technologies such as dynamic authorization are a critical part of the DevOps process. With dynamic authorization embedded directly in the development cycle, organizations can enforce access control consistently across the enterprise and keep the development cycle both continuous and secure.