
Security Policies For DevOps 101

By: Andrew Storms on March 13, 2014

A while back I was talking with some friends about how to ensure security inside a DevOps environment. The simple first thought was that nowhere does DevOps say to do away with security. Instead, consider how your existing information security practices and policies need to adjust given the changes that DevOps brings to the working environment. Veteran security professionals understand that many security practices begin with policies. Furthermore, no policy is ever set in stone. Failing to review and update policies and procedures at least once a year is already a recipe for disaster.

I tell a lot of people to think back to when the iPhone was first introduced. The natural tendency of security professionals inside IT organizations was to either 1) simply ignore the device or 2) establish a flat-out denial policy. Neither choice was anywhere near the right answer. I can say firsthand that I was a victim of this kind of tunnel-vision decision making. We updated our mobile device policies with a flat-out “no iPhone for you… come back in 2 years” doctrine. My feeble attempt to fend off iOS devices lasted maybe a year. Meanwhile, lots of people at the office were seen with iPhones in hand, continually saying things like “but I’m not using it for work.” Flat-out denial on both my part and theirs.

Bottom line: policies are meant to change as the environment changes. DevOps is no different.

The Minimum Requirements

Just as in development we talk about the minimum viable product, we can apply the same concept to implementing security practices. For starters, make sure your organization has a few policies drawn up, agreed upon and stamped with the approval of your executive staff. The minimum set of policies any organization needs should include network or Internet security, computer security, information and intellectual property security, and secure software development policies and procedures.

Be the Champion

But the job doesn’t stop at policy creation. Even having your executives agree to the policies doesn’t mean they will be followed, or even understood, by your DevOps teams.

I speak to security heads often and tell them they need to get out of their seats and speak to all the employees in a company. One of the first conversations to have is to begin championing the security policies. Make sure people understand the policies and, more importantly, understand the reasons the policies were selected.

Do you remember going to high school and being told you had to follow a rule that you thought was totally asinine? Non-security folks will probably think the same about silly policies and might even act out purposely against them. A champion needs to teach and live those policies. And when someone challenges the policies, take the time to have a two-way conversation with them. Make sure you understand their point of view first before you try to push your security ideals on them.

Tailor Your Policies

While the policy templates available online, like those from SANS, are a great starting place, don’t just slap them on the intranet as-is. Read them and make adjustments for your company, for your culture and for your development practices. Even better, include policies that are specific to cloud and DevOps.

One area of customization to start with is to create policies for specific cloud vendors. For example, consider setting policies around how the company should use Amazon’s IAM feature. Make specific policies around how IAM users and groups should be configured and used. Apply the principle of least privilege and design a sane access control policy. Consider a policy where only a few trusted users have full admin access and other users are in a power-users group where they can launch instances but cannot alter IAM users, groups or other account-level AWS configuration. You might want to give your accounting team limited, read-only access to the console as well to review billing and usage. While you are at it, develop specific policies around the use, distribution and storage of cloud API keys: a long-lived access key carries the same rights as the console login it belongs to, so it deserves at least the same handling, and it should not be shared between people, checked into source code or left unrotated. Furthermore, consider enforcing two-factor authentication, and not only for the console: a deny-unless-MFA condition in IAM applies it to API access as well. These kinds of specific use-case policies will go a long way toward helping security teams gain the confidence of the DevOps teams.
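The group layout sketched above, written out as IAM policy documents, as an added example that is not part of the original post or of any AWS-published policy. The group names, statement Sids and exact action lists are assumptions chosen for illustration, and the `is_allowed` function is a deliberately simplified model of IAM evaluation (default deny, explicit Deny overrides Allow, only the MFA condition used here is understood, resource ARNs are ignored) so that the effect of each policy can be checked offline before anything is attached to a real account:

```python
"""Example IAM group layout: admins, power users and accounting.

Added example, not code from the original post. Group names, Sids and
action lists are assumptions for illustration. The evaluator at the
bottom is a simplified model of IAM decision logic, not the real thing.
"""
import fnmatch
import json

# Full control, reserved for a handful of trusted administrators.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Power users may run and manage compute, but an explicit Deny keeps them out
# of IAM and account-level settings. In IAM an explicit Deny always wins over
# an Allow, so this holds even if a broader Allow is attached to them later.
POWER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RunAndManageCompute", "Effect": "Allow",
         "Action": ["ec2:*", "autoscaling:*", "cloudwatch:*", "elasticloadbalancing:*"],
         "Resource": "*"},
        {"Sid": "NoIdentityOrAccountChanges", "Effect": "Deny",
         "Action": ["iam:*", "account:*", "organizations:*"], "Resource": "*"},
    ],
}

# Accounting gets read-only billing and cost data and nothing else (assumed action set).
BILLING_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBillingOnly", "Effect": "Allow",
         "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage", "ce:Get*", "ce:Describe*"],
         "Resource": "*"},
    ],
}

# Two-factor enforcement: deny everything except the calls needed to enrol an
# MFA device unless the request was authenticated with MFA. BoolIfExists treats
# a missing aws:MultiFactorAuthPresent key (plain long-lived access keys) as "false",
# so this also covers API access, not just the console.
MFA_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAllExceptMfaSetupWithoutMfa", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "iam:ChangePassword", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Assumed group names; every group carries the MFA policy in addition to its own.
GROUP_POLICIES = {
    "admins": [ADMIN_POLICY, MFA_REQUIRED_POLICY],
    "power-users": [POWER_USER_POLICY, MFA_REQUIRED_POLICY],
    "accounting": [BILLING_READ_POLICY, MFA_REQUIRED_POLICY],
}


def _matches(patterns, action):
    """IAM-style wildcard match of an action name against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def is_allowed(policies, action, mfa_present=False):
    """Simplified IAM decision: default deny; any applicable Deny overrides any Allow.

    Only the MFA condition used above is modelled and Resource is ignored. Real
    IAM evaluation also weighs resource ARNs, SCPs and permission boundaries.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" in stmt:
                applies = _matches(stmt["Action"], action)
            else:  # NotAction: statement applies to everything not listed
                applies = not _matches(stmt["NotAction"], action)
            if not applies:
                continue
            cond = stmt.get("Condition", {})
            if cond:
                wanted = cond["BoolIfExists"]["aws:MultiFactorAuthPresent"]
                if str(mfa_present).lower() != wanted:
                    continue  # condition not met, statement does not apply
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can(group, action, mfa_present=True):
    """Decision for a member of `group` calling `action`."""
    return is_allowed(GROUP_POLICIES[group], action, mfa_present)


if __name__ == "__main__":
    for group in GROUP_POLICIES:
        for action in ("ec2:RunInstances", "iam:CreateUser", "aws-portal:ViewBilling"):
            print(f"{group:12} {action:24} {can(group, action)}")
    print(json.dumps(POWER_USER_POLICY, indent=2))  # the document you would attach
```

Each dictionary is a complete policy document, so once the action lists have been reviewed for your account they can be attached as-is with `aws iam create-policy --policy-document` and `aws iam attach-group-policy`. The point of keeping the MFA statement as a separate policy is that it can be attached to every group, including admins, without touching the per-group permissions.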

DevOps might be the cool new hotness making waves in every kind of organization, but that doesn’t mean we can forget our information security requirements in a DevOps environment. One of the starting points in ensuring DevOps organizations follow good security practices is to start with a minimum set of security policies. Make sure you champion these policies and tailor them to your specific organization and use case. With a little luck and determination, even your DevOps teams can follow security best practices.