
With collaboration, an automation pipeline can crack DevSecOps

DevOps and security teams often find themselves at odds. It's natural. They have different priorities and responsibilities. It's time to find common ground.

The alignment struggles between DevOps and IT security teams -- both culturally and functionally -- are well-known. The manual and often cumbersome processes required to work with an organization's IT security team can make DevOps teams less agile, and agility is the last thing DevOps teams want to give up. At the same time, the typical IT security team tends to believe that DevOps teams and their continuous deployments mean sacrificing security and compliance for the sake of speed. Without communication, it's impossible for DevOps and security teams to come up with an automation pipeline for security.  

Because of this speed vs. security conflict, many DevOps teams delay involving IT ops in their work or even reject that involvement altogether. Because development is one of the most important functions at a company in today's software-driven world, organizations have given DevOps teams more leeway in how they choose to get the job done and who to involve in that process.

As such, there is a myth that DevOps teams ignore security. Developers are, in fact, keen to know that their apps are secure, but at the same time, they don't want security to get in the way of rolling out cool new features.

How can DevOps teams embrace security without impacting agility? Can the integration of DevOps and security be done in a way that mitigates struggles and promotes collaboration, while actually improving both security and agility in the process? The answer is yes -- and the key is automation.  

The reconciling power of an automation pipeline

With the C-suite paying more attention to security, DevOps teams should take the opportunity to define how they want to secure their multiple development projects and production environments. DevOps teams that automate security as part of the CI/CD process can easily follow company security policies, because the work will be embedded into the automation pipeline.

This automation pipeline can remain in the background and effectively reduce the stress surrounding security. By automating policy changes, this pipeline will significantly reduce the chance of error. Although the automation process remains out of sight, DevOps teams can still use it at any point to view data on vulnerabilities, compliance requirements, security policies and network connectivity, via its continuous scanning abilities.


Additionally, DevOps teams are already accustomed to dealing with automated tools in their day-to-day operations and communications and are likely to be more inclined to adopt and use a security process that integrates with their existing processes, rather than bowing to legacy ones.

Automation is the key to creating true, collaborative DevSecOps teams. It effectively makes security the easy option. And it meshes DevOps' existing use of automated tools to achieve its ultimate goal of continuous, on-time and on-budget deployments with security's aim to reduce human error and maintain continuous visibility into potential vulnerabilities.  

How to boost acceptance and adoption

One of the guiding principles of DevOps is collaboration, which is often equated with the idea of shared responsibility. In order to successfully embed security into the DevOps process, security teams and developers must work together and establish shared responsibility. But how?

Some organizations may assign a security envoy in each development team. They would act as the bridge between their development team and the security team. Not only does this improve communication, but it works toward building a balanced process that considers the mutual needs of both teams. With ongoing communication, organizations can proceed to the next level of maturity, an automation pipeline folded into the CI/CD process.

Security teams can begin to define guardrail policies that allow development teams to deploy continuously, provided they adhere to security and compliance policies. This is critical for both teams: Developers will have the means to test their security posture at every step in the CI/CD pipeline and correct things as needed, and security teams have the oversight they need to ensure security and compliance throughout the development process.
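The guardrail idea in the paragraph above, and the continuous scanning the earlier section describes, come down to policy checks that run on every pipeline stage and fail the build when violated. The following is an added example, not code from the article or any named vendor: a small policy-as-code gate in Python. The `Deployment` and `Finding` shapes, the image-pinning, privilege, non-root and label policies, and the sample manifests and scanner findings are all constructed for illustration; a real pipeline would feed it the actual manifest and the output of its own scanner.

```python
"""Guardrail policy gate for a CI/CD pipeline (added example, constructed shapes).

Each policy is a plain function returning a violation string or None, so the
security team owns the policy list while developers run the identical check
locally and in every pipeline stage.
"""
import sys
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Finding:
    """One vulnerability scanner result (constructed shape, not a real tool's format)."""
    package: str
    severity: str                  # LOW / MEDIUM / HIGH / CRITICAL
    fixed_in: Optional[str] = None  # version that fixes it, if any


@dataclass
class Deployment:
    """Minimal stand-in for a deployment manifest plus its scan results (assumed shape)."""
    name: str
    image: str
    privileged: bool = False
    run_as_non_root: bool = True
    labels: dict = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)


Policy = Callable[[Deployment], Optional[str]]


def pinned_image(d: Deployment) -> Optional[str]:
    """Images must be pinned by digest or explicit tag; 'latest' or no tag is unpinned."""
    if "@sha256:" in d.image:
        return None
    last_segment = d.image.rsplit("/", 1)[-1]          # avoids the registry's host:port colon
    tag = last_segment.rsplit(":", 1)[1] if ":" in last_segment else ""
    if tag in ("", "latest"):
        return f"{d.name}: image '{d.image}' is not pinned to a tag or digest"
    return None


def not_privileged(d: Deployment) -> Optional[str]:
    return f"{d.name}: container requests privileged mode" if d.privileged else None


def non_root(d: Deployment) -> Optional[str]:
    return None if d.run_as_non_root else f"{d.name}: runAsNonRoot is not set"


REQUIRED_LABELS = ("owner", "data-classification")   # compliance metadata (constructed)


def compliance_labels(d: Deployment) -> Optional[str]:
    missing = [lbl for lbl in REQUIRED_LABELS if lbl not in d.labels]
    return f"{d.name}: missing compliance labels {missing}" if missing else None


BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def no_fixable_blocking_vulns(d: Deployment) -> Optional[str]:
    """Block only findings that have a fix available, so unfixable ones go to triage instead."""
    bad = [f for f in d.findings if f.severity in BLOCKING_SEVERITIES and f.fixed_in]
    if not bad:
        return None
    detail = ", ".join(f"{f.package} (fix in {f.fixed_in})" for f in bad)
    return f"{d.name}: {len(bad)} fixable HIGH/CRITICAL finding(s): {detail}"


POLICIES: List[Policy] = [pinned_image, not_privileged, non_root,
                          compliance_labels, no_fixable_blocking_vulns]


def evaluate(d: Deployment, policies: List[Policy] = POLICIES) -> List[str]:
    """Run every policy and collect all violations, not just the first."""
    return [v for v in (p(d) for p in policies) if v]


def gate(d: Deployment, policies: List[Policy] = POLICIES):
    """Return (passed, violations); the pipeline step exits non-zero when passed is False."""
    violations = evaluate(d, policies)
    return (not violations, violations)


# Constructed sample manifests: one that should fail the gate, one that should pass.
RISKY = Deployment(
    name="api", image="registry.example/api:latest", privileged=True, run_as_non_root=False,
    labels={"owner": "payments"},
    findings=[Finding("openssl", "CRITICAL", "3.0.13"), Finding("curl", "LOW")],
)
HARDENED = Deployment(
    name="api", image="registry.example/api@sha256:" + "a" * 64,   # placeholder digest
    labels={"owner": "payments", "data-classification": "internal"},
    findings=[Finding("curl", "LOW")],
)

if __name__ == "__main__":
    exit_code = 0
    for deployment in (RISKY, HARDENED):
        passed, violations = gate(deployment)
        print(f"{deployment.image}: {'PASS' if passed else 'FAIL'}")
        for v in violations:
            print("  VIOLATION:", v)
        exit_code |= 0 if passed else 1
    sys.exit(exit_code)
```

Because the gate returns every violation at once, developers get the full list on a single run rather than discovering one problem per pipeline retry, and because the policy list is data, the security team can add or tighten a policy without touching pipeline definitions.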

The myth of separation

The disconnection between DevOps and security teams is a myth. Both teams have an impact on the other and, by working together, can help each other achieve their bottom-line goals. Collaboration and shared responsibility are the first step. Then, an organization can deploy an automated security process to improve the efficiency and outcomes of both departments. That's how DevOps becomes DevSecOps.

This was last published in August 2018
