Speed is essential in today’s business climate, hence the rise of DevOps. Unifying development and operations compresses development cycles and enables more frequent deployments that align closely with business objectives. It’s no wonder executives love DevOps.
But one question is often left unasked in DevOps strategy meetings: what about security?
When speed and agility are paramount, it’s easy for data protection to take a backseat. Continuous delivery leaves little time to consider security controls.
We’re deploying to the cloud and our cloud vendor is secure, isn’t it?
Well, yes and no. The infrastructure of the cloud is very secure. Buildings, processes, systems, and personnel resources are all architected to be highly secure and highly available.
But anything the we deploy into the cloud is our responsibility, just as if we built it in our own data center. It’s called the “shared responsibility model.” It’s not only operational money for every new deployment but protection of our systems and our data. The tools and configuration options are available, but it is up to us to implement them.
The question is, how do we gain visibility into this ever-changing environment to know what’s going on under the covers and empower management to make smart business decisions? That’s our DevOps blind spot!
Many times, what happens is that our development and testing teams are spinning up servers with no regard for cost or security. Every system is a target for the continuous train of malicious actors all over the world and we don’t prioritize securing our configurations until after we discover a breach. Every system also costs the business money and we don’t see it until the charges get so high that payment approval rolls across our CIO’s desk. Once DevOps has the ability to create new systems and infrastructure at will, no developer will go unserved. Systems will be spun up continuously and our developers’ jobs are to write code, not build secure configurations.
With the average costs of a data breach reaching $3.62 million last year, this is not something we can ignore!
But how do we gain visibility and control over our DevOps processes and eliminate our blind spot? It was easy when we released once a quarter or once a year. We provisioned new servers in our data center and spent days of work deploying, testing, and architecting our networks to provide the security that the business required.
Automated DevOps requires automated SecOps as well.
Powertech Security Auditor from Core Security gives you the visibility and security that your management teams require. As systems are deployed to your public, private, or hybrid clouds, Security Auditor will automatically apply security controls and audits, instantly reporting on what it finds. No matter what regulatory framework you are working with, Security Auditor’s automatic application of security controls will alert you to vulnerabilities and misconfigurations.
Controls can be applied differently to different groups of systems based upon your preferences. For example, one set of configurations for development systems and a more stringent configuration set on your production deployments.
- Are blacklisted services disabled?
- Have critical system files been altered?
- Are remote access settings properly secured?
- Are unknown entities attempting to access our systems?
These settings and hundreds more can instantly be audited and reported on, adding SecOps to your DevOps. Security Auditor can even automatically change non-compliant findings to the desired configuration settings if desired.