There is no single path to a Rugged DevOps approach that works for every organization, but there are key principles and techniques used by the DevOps elite that give them distinct advantages. Here are 10 ways you can renovate your organization’s processes and behaviors to gain huge efficiencies in your security operations in the cloud.
Observe Your Value to Attackers
The best way to understand how your organization, product, or users will be attacked is to define the valuable asset(s) that you hold. Do you have millions of logins/passwords for a service? Do you hold medical records for hundreds of thousands of people? Do you have credit card numbers, security codes, and billing addresses? Attackers want to steal something they can monetize — you need to understand what your organization’s value is to the attacker in order to better understand their objectives and to best defend yourself.
Once you understand the prize that attackers are after, you can better identify and simulate the attack vectors and paths that they will attempt to take during real breaches. Use these paths to run war games on your own infrastructure in order to thoroughly identify which security controls work and which do not, and to document the new security controls you should put in place based on your findings. You can hire professional firms like Accuvant to execute such security exercises on your behalf. You can often tag along as part of the defined engagement, so you are better equipped to run your own exercises in the future.
Identify Your Rugged Allies
Rugged DevOps is not a solo endeavor — you need to build a team with a shared vision. Find your allies among the business owner, engineers, operations team, and other key stakeholders and thinkers. These Rugged Allies will be the lifeblood of your approach — they own the end-to-end decisions around direction, product capabilities, service management, and more. By aligning yourself with these key actors, you can work together to define your battlefield.
Define Your Battlefield
Few organizations operate in every cloud region available. It’s much more likely that your organization has a select few regions or locations from which it delivers goods and services — and you can easily articulate the logic behind this. Once you can describe, in plain English, what your expectations and definitions are for your environment(s), you can codify them as security rules. These rules describe the usage model you follow in the cloud — deployment windows, resource types in use, user identity configurations, and regional preferences. Understanding how those are defined and configured creates simple test cases to validate your security posture and state.
Automate Security Acceptance Tests
One of the biggest challenges organizations face is moving to a DevOps-powered continuous deployment practice. This rapid creation and modification of infrastructure renders most traditional security tools useless, or at least severely limited in capability. DevOps teams love A/B (red/blue) deployment environments, but pushing a vulnerable build out to production after functional tests pass is an embarrassing moment for everyone involved. Tie your security acceptance tests, a subset of your key security controls, right into the end of your functional testing process. If you add automated security validations to your automated functional testing, you can promote builds with confidence at greater speed.
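One way to codify the rules described under "Define Your Battlefield" and run them as a security acceptance test at the end of a pipeline. This is an added example, not code from the original article; the policy values, field names and sample inventory are constructed assumptions.

```python
from datetime import datetime, time

# Assumed policy: the "battlefield" written down as data (all values constructed).
POLICY = {
    "regions": {"us-east-1", "eu-west-1"},
    "resource_types": {"vm", "object_store", "load_balancer"},
    "deploy_window_utc": (time(13, 0), time(21, 0)),
    "require_mfa_for_admins": True,
}

def evaluate(inventory, identities, deployed_at, policy=POLICY):
    """Return a list of (rule, subject, detail) findings; empty means pass."""
    findings = []
    for res in inventory:
        if res["region"] not in policy["regions"]:
            findings.append(("region", res["id"], res["region"]))
        if res["type"] not in policy["resource_types"]:
            findings.append(("resource_type", res["id"], res["type"]))
    start, end = policy["deploy_window_utc"]
    # deployed_at is treated as a UTC timestamp (assumption).
    if not (start <= deployed_at.time() <= end):
        findings.append(("deploy_window", "build", deployed_at.isoformat()))
    if policy["require_mfa_for_admins"]:
        for ident in identities:
            if ident["admin"] and not ident["mfa"]:
                findings.append(("admin_mfa", ident["name"], "mfa disabled"))
    return findings

def gate(findings):
    """Exit-code style result for the pipeline: 0 promotes, 1 blocks."""
    return 0 if not findings else 1

# Constructed post-deploy snapshot of the environment under test.
INVENTORY = [
    {"id": "web-1", "type": "vm", "region": "us-east-1"},
    {"id": "tmp-7", "type": "vm", "region": "ap-south-1"},
    {"id": "q-2", "type": "message_queue", "region": "eu-west-1"},
]
IDENTITIES = [
    {"name": "deploy-bot", "admin": False, "mfa": False},
    {"name": "alice", "admin": True, "mfa": False},
]

if __name__ == "__main__":
    found = evaluate(INVENTORY, IDENTITIES, datetime(2024, 1, 10, 23, 30))
    for rule, subject, detail in found:
        print(f"FAIL {rule}: {subject} ({detail})")
    raise SystemExit(gate(found))
```

Run as the last stage after functional tests; a non-zero exit blocks promotion of the build.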
Embrace Continuous Security
Security should no longer be thought of as being a separate step in the launch — instead, security needs to be integrated into the overall processes of development and deployment. As organizations move more deeply into continuous patterns of development and deployment, the importance of implementing continuous security behaviors becomes non-negotiable. Your cloud environments undergo dramatic changes during deployments, auto-scaling events, and natural growth. While static data center environments from the previous era were simple enough to be evaluated by humans, the dynamism of cloud environments is far too fast and complex for people to digest effectively. Your operational tools deliver continuous monitoring and alerting — why doesn’t your security suite?
Invest in Security Solutions that have APIs
While on the topic of continuous security… make sure you are evaluating and investing in security solutions that work well in DevOps environments. This new generation of security products natively delivers today’s expected user experience — a UI, a RESTful API, and an SDK on which to extend or build customizations for your environments. Think about the powerful capabilities you can enable by integrating security solutions inside your DevOps toolchain: post-deploy automated security sweeps that can pass or fail builds, reconfiguration of deployed resources to known good states, and so much more! The sky is the limit when you can take a great product off the shelf and make it part of your organization’s unique strategy.
Operationalize Your Alarms
With API-enabled, continuous security tools, you can now operationalize security alarms just like any other operations incident. Have a server down? Your DevOps team responds within moments. Have a vulnerable version of Apache deployed on a new webserver? How does your team discover and react to this today?
Have no fear — continuous security solutions not only alert you to this type of issue, but they integrate tightly into DevOps mainstays like PagerDuty, Splunk, and even custom dashboards through raw JSON outputs. Now your team gets notified as soon as a security issue arises, and also has access to all the data they need to address the issue without waiting for backup. Attackers of opportunity don’t stand a chance.
Layer Your Defense
As with any good security strategy, you need to layer your defenses to create a strong security posture. Layering automated security testing, continuous security assessments, rapid operational responses, and other key aspects discussed here puts you in a great position to augment your existing and planned security efforts. Now that third-party penetration test will be more valuable because it delivers on deeper security issues and not the threats you can manage yourself.
The final, and probably most important, aspect of Rugged DevOps journeys is to give back to the community that inspired and facilitated your journey. We’re all in this together as technologists, and a little advice or guidance given to the wider Rugged DevOps community can quickly turn into the next great tool or service you depend on at your next job. So be sure to share your lessons and insights — and your generosity will be rewarded.
Rugged DevOps is not a one-time practice or a stand-alone process — it’s a whole new approach and a whole new way of working. There are always going to be some learning curves and initial obstacles that go with adopting a new way of integrating security into your daily operations — but the benefits far outweigh any initial costs. Follow these top ten tips and insights and your organization will be well on its way to achieving the competitive advantages offered by Rugged DevOps.