The missions of government organizations and DevOps are well-aligned, according to F5 system engineer Scott Van Kalken, who works with many organizations at various levels of government around Australia.
That’s because government organizations provide services to the community, and DevOps is about providing services to a community of users.
He sees more use of DevOps in the government sector than in corporations.
Increasingly, DevOps is embedding security from the start of a project. “That’s really exciting for me,” he said, as it shows DevOps is working and allows faster iteration with security issues being picked up earlier.
For example, the COVID-19 pandemic has resulted in more people working at home. That makes security considerations more important than ever.
All levels of government have seen massive increases in remote working capacity and functionality. Applying DevOps principles to security practices has allowed them to adapt rapidly to those increased levels of working from home.
One large department took just three or four days to go from 1,000 to 20,000 people working from home. Van Kalken said this was possible partly because they “automate absolutely everything they are doing,” allowing rapid implementation of security policies. They quickly stood up additional cloud infrastructure with the right security settings by using DevOps practices. Similarly, DevOps teams can use APIs to easily and quickly apply security policies to SaaS applications.
Cross-disciplinary Cooperation and Coordination
One government department that Van Kalken is involved with was new to DevOps but very good at getting representatives of the relevant groups into the same room. They all focused on reaching the desired outcome with “no turf wars” and agreed that establishing appropriate security policies was part of that process.
In his experience, the private sector tends to be more siloed, which can make it more difficult to make the right security-related choices from the outset.
For government organizations with more mature DevOps practices, “it’s just an incremental ramp-up,” he said. The collaboration between the various functions makes a big difference to successful outcomes.
So the role of the security organization changes from being akin to a nightclub bouncer (“No, you can’t”) to that of a partner in the delivery of services.
The private sector can learn from this, Van Kalken suggested. Government organizations have a “laser-like alignment” on service delivery. In contrast, the differing and competing objectives of various departments or functions within corporations may be a handicap.
Most organizations have adopted one of the published security frameworks, but project teams have the responsibility to decide how to comply with them. Government entities are different, he said, in that they must at a minimum meet the requirements of the Australian Government Information Security Manual (ISM). That leads to more alignment between departments and functions within the organization.
DevOps and Security Hygiene
From a more general security perspective, “governments are targeted in various ways” as they increasingly make services available online, he said.
“Government is no different to every retailer, every bank, and so on,” in the sense that all the usual threats apply, said Van Kalken. But some players specifically attack government organizations because of the types of data held about individuals. Fortunately, DevOps practices assist in responding rapidly to changing situations.
As a simple example, organizations can quickly deploy new policies to distributed firewalls by using DevOps principles including automation. That gives skilled individuals more time to deal with any exceptions that occur.
Organizations can apply similar practices to improve security hygiene by more quickly rolling out new versions of commercial software.
“That element of speed is something very new to the security space,” he said.
Recommendations
Van Kalken’s recommendations are:
- Get all the right people—including security—together in the project team from the outset.
- Ensure they all understand the objective.
- “All swim in the same direction.”
- Make sure everyone continues to work collaboratively.
The rest “will just happen if you do these things,” he said.