Recent agile development trends combined with the availability of IT infrastructure and deployment automation have changed how software is delivered. Billed as a movement, or even a methodology, the term DevOps has emerged to describe the nascent collaboration between software development, IT operations, as well as other stakeholders in the application delivery process. DevOps minded organizations turn code deployments into an automated and continuous processes involving different teams and focused on measurable business outcomes rather than just technical metrics. But with information security being more mission critical than ever before, companies must inject security into their DevOps processes to ensure a strong security posture without slowing down the business.
With DevSecOps, security controls are automated and built into each step of the application delivery process. Previously developers would spend months or years building an application only to wait until the very end of the project to engage the security team; with DevSecOps, security teams are part of the process from the outset and can thus address security continuously and holistically. Just as modern cloud infrastructure platforms and the applications running on them are dynamic and fast changing, so too are the security tools and processes necessary for organizations to be secure in a fast paced DevOps environments.
Since DevSecOps is all about automating security controls, it makes sense to begin your DevSecOps journey with a playbook to help you assess your current controls, map out responsibilities, and determine success metrics. The SANS Institute put out a really useful DevSecOps Playbook that’s an excellent place to start. One of the reasons a playbook is such a valuable is how much collaboration is required between teams. To build out your automated security controls, you need to understand and be engaged with each step of the development cycle. This type of collaboration, much like the technology that drives the movement itself, is new to most organizations so having a playbook to chart the initial course is invaluable.
Cloud platforms like Azure have everything you need to embrace DevSecOps. Automated resource provisioning with ARM templates, log monitoring with Azure Monitor, security monitoring with Azure Security Center, and a robust REST API to interact with all aspects of your infrastructure. The challenge becomes aligning the Azure feature or capability with the desired security control. Something that’s made more complicated with the shear breadth of Azure’s service portfolio and the frequency in which they’re continuously updated and changing.
OpsCompass is a product built around the DevSecOps mindset so we’ve made it simple to be doing real-time, continuous configuration auditing and assessment, with integrated data from core Azure services like Monitor, Security Center, and Log Analytics, and of course policy and governance enforcement. We’ve also abstracted away much of the Azure specific knowledge requirements and instead provide a turnkey solution that can be deployed without Azure expertise and with a few clicks. In short, for us to help our customers adopt Azure safely and meet their security and compliance obligations in the cloud, we’ve had to completely align our product and services with the DevSecOps approach.
It’s no secret, the programmable nature of clouds like Azure and AWS make it much easier to control and secure than traditional data centers. But you need to have a firm understanding of what you need to control in the cloud, how you go about doing it, and what are the business/success metrics you track throughout your application lifecycle. Security and compliance in Azure should always be automated, embedded in your processes, and produce the information that allows businesses to track their security posture in real-time the same way they do other key performance indicators. This is the essence of DevSecOps and it’s how the most successful companies are safely transforming their businesses in the cloud.