IaC provides a connection between security and DevOps teams in a subtle, non-intrusive manner
Companies often choose DevOps as a means of delivering value and responsiveness through rapid, high-quality service delivery. Instead of traditional siloed development and operations teams, DevOps embraces multidisciplinary teams that share efficient practices and tools. Essential DevOps practices include agile planning, continuous integration, continuous delivery and application monitoring. But how does security fit within this framework?
Traditional models of product development have explicitly defined processes and people dedicated to security assessments, analysis, testing and maintenance. While this doesn’t offer the efficiency and agility of DevOps, many organizations find comfort in having a set place and time for security.
In DevOps, with the absence of strictly defined and linear processes, there is perhaps a less explicit definition of where and how security fits in. But sometimes there is power in the less obvious aspects of life. In fact, just because there aren’t dedicated, standalone security processes as there are in traditional product/project management models doesn’t mean that security isn’t there.
Some could argue that the less apparent security is, the higher its efficacy. This is particularly true in the DevOps world, where security teams are sometimes perceived as impeding the speed and agility of DevOps teams. That perception is unfair: quite often it is not the security team as such that slows the DevOps team down. The root of the problem is a fundamental disconnect between the security and DevOps teams.
So, how can teams overcome this divide? By evolving their DevOps team into a DevSecOps team. Every company’s goal should be to make security part of the development workflow; DevSecOps is the natural evolution of DevOps. There are two routes: take the practices and tooling that DevOps gives the development and operations branches of your IT department and extend them to the security team, or integrate the security processes into the DevOps team itself. With the latter approach, the bridge is built by shifting cloud security left using infrastructure as code (IaC) plans and templates. Security teams write these plans and templates for developers as a way of guiding them toward security and compliance, so that policy violations and cloud misconfigurations are prevented from the very beginning rather than discovered after deployment. Shifting much of the security team’s work earlier in the development life cycle, long before runtime, is a smart and efficient approach.
Through the use of IaC templates and plans, DevSecOps teams are engaged in security from the very start. And, for the most part, the layer of security in the form of an IaC template or plan is silent. It is a noninvasive way for security to participate in DevOps, without the friction that sometimes arises in the midst of chaotic runtime security fixes. Though its presence may be subtle, the benefits of hard-coding cloud security through IaC are pronounced.
Most conspicuously, it removes the need for security to intervene in recurring problems. The same security issues, policy violations and misconfigurations that took time and resources to resolve one deployment at a time can be addressed once, globally, through IaC plans and templates. Secondly, the efficiency of the security team grows considerably. Time previously spent tracking down the developer responsible for a particular issue or misconfiguration, often in infrastructure that had already been torn down, is redirected and refocused. Security teams are able to spend their time more wisely, creating thoughtful, holistic approaches delivered through IaC plans and templates. Another benefit of creating DevSecOps teams and using IaC is that it can empower individual teams to use the tools of their choice.
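What a "silent" IaC guardrail looks like in practice, as an added example that is not part of the original article: a policy-as-code gate that runs in CI against the JSON form of a Terraform plan (the output of `terraform show -json tfplan`) and fails the job on common cloud misconfigurations, so the fix is made once in the rule set and in the team's templates rather than chased at runtime. The rule identifiers (SG-001, S3-001, RDS-001, RDS-002), the thresholds and both sample plans are constructed for this example; the resource types and attribute names follow the Terraform AWS provider. The same plan is shown in its weak form and after the security team's template defaults are applied.

```python
"""Policy gate over a Terraform plan (added example; rules and sample plans are constructed)."""
import copy
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    address: str
    detail: str


def _iter_resources(module: dict):
    """Yield every planned resource, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def _rule_hits_port(rule: dict, port: int) -> bool:
    # protocol "-1" is the provider's "all protocols and ports" value.
    if rule.get("protocol") == "-1":
        return True
    return rule.get("from_port", 0) <= port <= rule.get("to_port", 0)


def check_security_group(res: dict) -> list:
    """SG-001: administrative ports reachable from any IPv4 or IPv6 address."""
    out = []
    for rule in res["values"].get("ingress", []):
        world = "0.0.0.0/0" in rule.get("cidr_blocks", []) or "::/0" in rule.get("ipv6_cidr_blocks", [])
        if not world:
            continue
        for port, svc in ((22, "SSH"), (3389, "RDP")):
            if _rule_hits_port(rule, port):
                out.append(Finding("SG-001", res["address"], f"{svc} ({port}) reachable from anywhere"))
    return out


def check_s3_bucket(res: dict) -> list:
    """S3-001: bucket created with a public canned ACL."""
    acl = res["values"].get("acl")
    if acl in ("public-read", "public-read-write"):
        return [Finding("S3-001", res["address"], f"bucket ACL is {acl}")]
    return []


def check_db_instance(res: dict) -> list:
    """RDS-001: public endpoint. RDS-002: encryption at rest not enforced."""
    v, out = res["values"], []
    if v.get("publicly_accessible"):
        out.append(Finding("RDS-001", res["address"], "database is publicly accessible"))
    # An absent value is unknown at plan time; this policy treats it as not enforced.
    if not v.get("storage_encrypted", False):
        out.append(Finding("RDS-002", res["address"], "storage encryption not enforced"))
    return out


CHECKS = {"aws_security_group": check_security_group,
          "aws_s3_bucket": check_s3_bucket,
          "aws_db_instance": check_db_instance}


def evaluate_plan(plan: dict) -> list:
    """Run every applicable rule over the planned values of a Terraform plan."""
    findings = []
    for res in _iter_resources(plan["planned_values"]["root_module"]):
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


# Constructed sample in the shape of `terraform show -json`; not a real plan.
WEAK_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group", "values": {"ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"acl": "public-read"}},
    ],
    "child_modules": [{"address": "module.db", "resources": [
        {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance",
         "values": {"publicly_accessible": True, "storage_encrypted": False}}]}],
}}}

# The same plan once the security team's template defaults are applied.
HARDENED_PLAN = copy.deepcopy(WEAK_PLAN)
_root = HARDENED_PLAN["planned_values"]["root_module"]
_root["resources"][0]["values"]["ingress"][0]["cidr_blocks"] = ["10.0.0.0/8"]
_root["resources"][2]["values"]["acl"] = "private"
_root["child_modules"][0]["resources"][0]["values"].update(publicly_accessible=False, storage_encrypted=True)


def main(argv: list) -> int:
    """Exit non-zero when the plan (a file path, or the built-in weak sample) violates policy."""
    plan = json.load(open(argv[1])) if len(argv) > 1 else WEAK_PLAN
    findings = evaluate_plan(plan)
    for f in findings:
        print(f"{f.rule} {f.address}: {f.detail}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into the pipeline as `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python gate.py plan.json`, the check runs on every change without the security team being in the loop; the HTTPS-only security group passes, while the open bastion, public bucket and exposed, unencrypted database are rejected before anything is applied. The hardened plan is what the templates the security team hands to developers should produce by default.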
While some companies mandate the use of specific cloud service providers or third-party tools, others do not. Used correctly, IaC templates can be parameterized for any cloud environment, so the same security policy travels with whichever provider or tooling a team chooses. DevSecOps teams that have the opportunity to use the cloud service providers and tools of their choice will work more efficiently and effectively. The final and most significant benefit is the connection that IaC provides between security and DevOps teams. Not only does it broaden participation in security, it does so in a gentle, non-invasive manner.