Security Policies For DevOps 101

By: Andrew Storms on March 13, 2014

A while back I was talking with some friends about how to ensure security inside a DevOps environment. The simple first thought was that nowhere does DevOps say to do away with security. Instead, consider how your existing information security practices and policies need to adjust given the changes that DevOps brings to the working environment. Veteran security professionals understand that many security practices begin with policies. Furthermore, no policy is ever set in stone: failing to update policies and procedures at least once a year is already a recipe for disaster.

I tell a lot of people to think back to when the iPhone was first introduced. The natural tendency of security professionals inside IT organizations was to either 1) simply ignore the device or 2) establish a flat-out denial kind of policy. Neither choice was even near the right answer. I can say first hand that I was victim to this kind of tunnel-vision decision making. We updated our mobile device policies with a flat-out “no iPhone for you…come back in 2 years” doctrine. My feeble attempts to fend off iOS devices lasted maybe a year. Meanwhile, lots of people at the office were seen with iPhones in hand who continuously said things like “but I’m not using it for work”. Flat-out denial on both my part and theirs.

Bottom line: policies are meant to change as the environment changes. DevOps is no different.

The Minimum Requirements

Just as in development we talk about the minimum viable product, we can apply the same concept to implementing security practices. For starters, make sure your organization has a few policies drawn up, agreed upon and stamped with the approval of your executive staff. The minimum set of policies any organization needs should include network or Internet security, computer security, and information and intellectual property security policies, plus secure software development policies and procedures.

Be the Champion

But the job doesn’t stop at policy creation. Even having your executives agree to the policies doesn’t mean they will be followed, or even understood, by your DevOps teams.

I speak to security heads often and tell them they need to get out of their seats and speak to all the employees in a company. One of the first conversations to have is to begin championing the security policies. Make sure people understand the policies and, more importantly, understand the reasons for the policies that have been selected.

Do you remember going to high school and being told you had to follow a rule that you thought was totally asinine? Non-security folks will probably think the same about silly policies and might even act out purposely against them. A champion needs to teach and live those policies. And when someone challenges the policies, take the time to have a two-way conversation with them. Make sure you understand their point of view first before you try to push your silly security ideals on them.

Tailor Your Policies

While the policy templates available online, like those from SANS, are a great starting place, don’t just slap them on the intranet as-is. Read them and make adjustments for your company, your culture and your development practices. Even better, include policies that are specific to cloud and DevOps.

One area of customization to start with is creating policies for specific cloud vendors. For example, consider setting policies around how the company should use Amazon’s IAM feature. Make specific policies around how IAM users and groups should be configured and used. Apply the principle of least privilege and design a sane access control policy. Consider a policy where only a few trusted users have full admin access and other users are in a power-users group where they can launch instances but cannot alter AWS console configuration or access. You might want to give your accounting team limited access to the console as well, to review billing and usage. While you are at it, develop specific policies around the use, distribution and storage of cloud API keys. Furthermore, consider enforcing two-factor authentication. These kinds of specific use-case policies will go a long way toward security teams gaining the confidence of the DevOps teams.
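The IAM access tiers described above, as an added example that is not part of the original post: the group names are assumed, the IAM action names and the `aws:MultiFactorAuthPresent` condition key are real, resources are not modelled, and `is_allowed` is a deliberately simplified model of IAM's decision logic (explicit Deny beats Allow, anything unmatched is denied).

```python
from fnmatch import fnmatch

# Statement lists per group ("Version" and "Resource" fields are left out;
# resources are not modelled here). Group names are assumed.
POLICIES = {
    # A few trusted people: full access.
    "admins": [{"Effect": "Allow", "Action": "*"}],
    # Engineers: launch and operate instances, but no identity, account or
    # billing changes. Since iam:* is denied, an admin enrols their MFA device.
    "power-users": [
        {"Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*", "logs:*"]},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*",
                                      "account:*", "aws-portal:*"]},
    ],
    # Accounting: read billing and usage reports, nothing else.
    "billing-viewers": [{"Effect": "Allow", "Action": [
        "aws-portal:ViewBilling", "aws-portal:ViewUsage"]}],
}

# Two-factor enforcement attached to every group: without an MFA-backed
# session everything is denied except the calls needed to enrol a device.
MFA_GUARD = {
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:ListMFADevices", "iam:ResyncMFADevice"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}


def _applies(stmt, action, mfa):
    """True if the statement covers `action` for a session with/without MFA."""
    cond = stmt.get("Condition", {}).get("BoolIfExists", {})
    if cond and cond.get("aws:MultiFactorAuthPresent") != str(mfa).lower():
        return False  # condition unmet, so the statement is inert
    patterns = stmt.get("Action", stmt.get("NotAction"))
    patterns = [patterns] if isinstance(patterns, str) else patterns
    hit = any(fnmatch(action.lower(), p.lower()) for p in patterns)
    return hit if "Action" in stmt else not hit  # NotAction inverts the match


def is_allowed(group, action, mfa=True):
    """Simplified IAM decision: an explicit Deny wins, then Allow, else deny."""
    allowed = False
    for stmt in POLICIES[group] + [MFA_GUARD]:
        if not _applies(stmt, action, mfa):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Calling `is_allowed("power-users", "iam:CreateUser")` returns False while `is_allowed("power-users", "ec2:RunInstances")` returns True, and any group without MFA is cut down to the enrolment calls only.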

DevOps might be the cool new hotness making waves in every kind of organization, but that doesn’t mean we can forget our information security requirements in a DevOps environment. One starting point for ensuring DevOps organizations follow good security practices is a minimum set of security policies. Make sure you champion these policies and tailor them to your specific organization and use case. With a little luck and determination, even your DevOps teams can follow security best practices.
