I attended my first official DevOps conference in Israel in September 2013. But I was initially introduced to DevOps by my customers – firewall and network managers who, through their efforts to automate security policy management, found themselves dealing with a new and like-minded set of IT stakeholders – DevOps teams.
They said DevOps was also all about automation – automation that allowed IT to increase their business contributions by enabling new applications and other IT services to be rolled out faster with greater control and efficiency.
Conceptually, it was clear to me that the DevOps value proposition is just as relevant to Security as it is to Operations and Development groups, especially since Security teams apply automation with the same fervor as DevOps.
In fact, using automation to accelerate IT has caught hold in the network security world to fuel a new movement and class of solutions, called Security Policy Orchestration. As the CTO of Tufin, a Security Policy Orchestration company, I could not help but recognize the synergies. I was (and still am) intrigued by DevOps, so when I heard about the conference, I decided to go.
And I am so glad I did.
The alignment between DevOps and Security Policy Orchestration is obvious. They both champion the use of automation to accelerate the pace of business. We Security Policy Orchestration folks are just coming at it from a different area within the organization. Kindred spirits, right?
In theory, absolutely, but in reality…not so much.
The conference as a whole was great. It completely validated my theories regarding the synergies between Security Policy Orchestration and DevOps. But what surprised me was that security was a topic that was not being discussed at all at the conference. Maybe a hat-tip to application security, but network security was not even on the DevOps radar, at least not at this particular conference.
It needs to be. For DevOps to really be able to move the needle, we have to work together. If history has taught us anything, it’s that when new applications and services are not created or rolled out with security in mind, at some point we will have to go back and retrofit it in.
Envision the typical experience: the development team builds a new application and brings IT Operations in to implement it. Once that is done, IT Ops prides itself on all the corkscrewing it took to make the application work on the actual infrastructure. Except once the app is in production, it doesn’t work. The troubleshooting begins. Invariably, issues of network connectivity come up. Solving them requires app, dev and security managers to break down the cultural and organizational barriers that exist within their organizations to work together to ensure the application is architected correctly into the network. This starts the process of change requests between AppDev and IT to get the app up and running.
If that process is not automated, it can take months longer than necessary to resolve everything. Not to mention any company subject to PCI has to consider terms like secure zoning, a concept that is not second nature to DevOps folks. If PCI is not an issue, there are plenty of other internal and regulatory mandates and security-related considerations that, if for no other reason than common sense, can exponentially reduce the chances of a company ending up in the headlines due to an APT.
These are just a couple of many scenarios that can be avoided if development, IT and security work together from the get go.
The net/net is that Dev and Ops have the same goal but they are siloed, which is slowing down the pace of business – inhibiting it. Collaboration is not some warm and fuzzy team-building thing – it is a fundamental business requirement.
And that’s why I am so excited to have the opportunity to do this blog. I think I can add a unique perspective on how DevOps and Security can work together to reach our common goals.
My next post will dig into what Security Policy Orchestration actually is, so we can begin to tease out the similarities and determine how to build on that to true alignment and partnership.
Stay tuned as the drama unfolds! This should be fun….