Managing DevOps Complexity Through Automation

Security Rises While IT and Developer Efficiency Soars with Infrastructure as Code (IaC)

The enterprise IT world is changing fast as computing moves from on-premises to the cloud and out to the edge. Meanwhile all manner of devices, like set-top boxes, train signaling equipment, cameras, automated vehicles and Internet of Things (IoT) endpoints, abound. All these form factors make DevOps systems and processes radically more complex.

The Complexity Seemingly Never Ends 

Those are not the only DevOps challenges. Besides an astounding array of hardware devices, there are myriad operating systems and a bevy of different cloud services, including AWS, Google Cloud Platform, Microsoft Azure and Rackspace. Meanwhile, IT grapples with a range of cloud approaches such as migrating legacy apps to the cloud, building cloud native or going hybrid.

Developers are faced with different types of environments: development, test, integration and production are but a few of the choices, not to mention life cycle support. Oh, and developers deal with all manner of code types, such as leveraging open-source libraries when working with cloud services. And don’t forget you must make sure all this code is trusted.

All the while the number of nodes and apps continues to explode. As all this is happening, IT must act upon security, compliance and collaboration.

At the same time, collaboration occurs not just between Dev and IT, but between designers, testers, security folks and line of business owners. 

What is DevOps? 

Before we get ahead of ourselves, let’s step back and define DevOps. DevOps is an IT practice that lies at the very center of organizational transformation. DevOps relies on collaboration across teams such as IT, security, development and operations and involves the adoption of automation and consistent delivery paths for all applications.   

Today’s smart enterprises know that the best and perhaps only way to scale DevOps is to build a coded enterprise. By collaborating through code, groups with different languages, areas of responsibility and goals can efficiently and productively work together.

To learn more about the coded enterprise, download our Embrace DevOps eBook.

Why DevOps?

A key benefit of DevOps is the ability to bring applications and user experiences to end users in an agile and quick way. Businesses these days are moving at lightning speed and IT and developers need to respond just as fast. 

One massive change is the move to distributed work brought about by Covid. Now it is taken as a given that people work effectively in a distributed manner and in a distributed team setting across time zones. 

But this shift meant IT and dev teams had to quickly create and manage the remote-friendly infrastructure, taking care of security and compliance. 

Aside from this massive mandate, IT teams need to make sure that the transition to the cloud continues, and that, through DevOps and management, it happens fast enough for the enterprise to realize the benefits clouds provide in terms of elasticity and the ability to grow as usage increases.

But all these moves mean nothing if they make the enterprise more vulnerable. In times of disruptions and complexity, security is paramount. As a result, cyber security teams are increasingly vital, charged with securing the complex swath of IT systems, including infrastructure, the network, data processes, workflows and intellectual property — making sure nothing bad happens to these assets.

Simplifying DevOps Through Automation 

Development teams are made vastly more productive by simplifying the complexity of the technology they use, deploy, manage and iterate. Attaining a high level of automation removes that complexity. However, achieving that high level of automation is difficult for many organizations without a technology solution.

Automation also eliminates human errors by removing manual tasks and freeing up team members to do what they do best: adding value through their expertise, not mere grunt work. 

The first step is to find common IT and dev tasks, understand them, then automate. Many app dev lifecycle tasks can be automated, including test, build, security and monitoring. 

IDG defines these tasks further in its IDG Security Compliance Survey as follows: “Ideally, DevSecOps encompasses processes and tools that integrate security and compliance considerations and/or testing across all eight stages of the SDLC.” Those stages:

  • Plan
  • Code
  • Build
  • Test
  • Release
  • Deploy
  • Operate
  • Monitor

The key is to find the right balance and approach to DevOps automation and the right way to support infrastructure. This balance ensures that team members responsible for automation are more productive.

The Benefits of Code 

Code drives much of IT, whether it is the source code underlying enterprise software or the scripts that perform IT tasks.  

Infrastructure as Code (IaC) is an IT approach that manages, configures and provisions IT infrastructure through code rather than time-consuming, error-prone manual processes. IaC automates common, often complex tasks, and performs them in a proven, tested and error-free way.

IT can take code a step further: a code approach, applied correctly, facilitates collaboration between teams because the code is human readable. The code serves as documentation while realizing all the benefits of a coded DevOps approach.

Take version control: who made the last change? Managing code itself can be eased by — that’s right — code. With Infrastructure as Code (IaC), DevOps can rely on IaC tools and platforms to remove the heavy work involved in coding.

The Human/Automation Balance 

The right balance of DevOps automation involves deciding where IT wants humans to be involved in making decisions and which manual tasks should be automated. This is part of the IT movement towards a human-free zone. 

This is complemented by the ability to provide continuous scanning of devices and infrastructure elements based on policies. These policies do not depend on implicit trust; they are encoded, so the rules the company or the security team wants enforced become implementable.

Security Factors 

Infrastructure as Code (IaC) drives security in both the IT infrastructure and DevOps worlds, much of which has or will shift to the cloud. 

For instance, there are a lot of concerns around public cloud workflows. When we put our infrastructure platform apps on the public cloud, how do they behave? Are we leaving gaping holes?  

IT can allay these concerns by applying an implicit coded policy. This is particularly critical in regulated industries with compliance requirements from regulators and legal folks.  

A Single Feedback Loop 

To increase security, IT must detect issues and misconfigurations in the environment. Through IaC automation, or automation as code, one can achieve a simple feedback loop: detect the problem, work out the correction, apply it and then automate it. In essence, IT learns from that problem, so it doesn't happen again.

This issue discovery and correction covers everything from defining a base configuration for your organization's infrastructure, deploying updates to application code, patching and upgrading systems, to remediating vulnerabilities. 

All of these must be fixed and are best handled in a coded, automated way. 

These automated processes include the detection side as well as the fixing side. With a fast feedback loop, you can re-run your detection after every change that happens in the environment. That's how you get the speed and agility your engineering or dev teams need to get to market.

Policy as Code and the Beauty of a Shared Language 

Every organization has policies that govern how they do their business. These policies define security standards, regulatory issues and other organizational mandates. Typically, these policies are defined as text in PDF documents, Word files or Excel worksheets. But that text must be interpreted by humans before it can be implemented or enforced. 

In contrast, codified policies help organizations better document their policies in an unambiguous, shareable, actionable way. Chef's approach is to define and document these policies as unambiguous human readable code.

“One challenge in adding security and compliance elements to all these stages is that operational, development, security, and compliance professionals have their own language and corporate culture. Fortunately, the software code itself, along with codified infrastructure configurations, can serve as a common source of truth shared and understood by all the participants who play a role in the SDLC,” an IDG Security Compliance Survey argued. 

With IaC, teams collaborate in a common language that is in human readable form. 

Policy as Code results in shared languages and vocabulary. “Policy as Code brings configuration management and compliance into a single step, eliminating the security silo and moving everyone into a shared pipeline and a shared framework. Making DevSecOps an automated reality brings together all the critical steps, allowing you to overcome technical skills gaps and scale automation across your teams and environments,” argued the 7 Benefits of Policy as Code blog. 

Collaboration 

With IaC, you can thread the needle through a common collaboration language right between the different stakeholders, the security folks, development folks, compliance folks, and DevOps. 

Compliance as Code 

Having a common language shared among your teams fortifies security and compliance. That language is where your stakeholders — from folks who care deeply about security or compliance to those who simply need to understand what's being codified in order to certify compliance — manage security.

Compliance as Code is the only way to achieve continuous compliance. An example of continuous compliance is when you make a compliance report, perhaps for an auditor. Almost as soon as that report is made, the report is no longer valid as your infrastructure and configurations have changed. With Compliance as Code, that report is a living document updated as infrastructure changes are made. 
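The Policy as Code and Compliance as Code ideas above, as an added example that is not Chef's code (Chef InSpec expresses controls in a comparable Ruby DSL, but this self-contained script assumes nothing beyond plain Ruby): controls are written as readable code, evaluated against a configuration snapshot, and the report is regenerated when the configuration drifts. The control ids, the policy rules and the two sshd_config snippets are constructed for the example.

```ruby
# Added example: a minimal "compliance as code" evaluator in plain Ruby.
# Not Chef's code; the controls, ids and config snippets are constructed.

# Parse an sshd_config-style "Key value" text into a hash.
def parse_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')   # skip blanks and comments
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# The policy: each control has an id, a human-readable title and a check written
# as code, so security, compliance and ops all read the same unambiguous rule.
SSH_POLICY = [
  { id: 'ssh-01', title: 'Root login over SSH is disabled',
    check: ->(c) { c['PermitRootLogin'] == 'no' } },
  { id: 'ssh-02', title: 'Password authentication is disabled',
    check: ->(c) { c['PasswordAuthentication'] == 'no' } },
  { id: 'ssh-03', title: 'Only SSH protocol 2 is allowed',
    check: ->(c) { c.fetch('Protocol', '2') == '2' } },
].freeze

# Evaluate a policy against a parsed configuration; the return value is the
# compliance report. Because it is recomputed from the live config, the report
# stays current instead of going stale the moment the infrastructure changes.
def evaluate(policy, cfg)
  results = policy.map { |ctl| [ctl[:id], ctl[:check].call(cfg) ? 'passed' : 'failed'] }.to_h
  { results: results, compliant: results.values.all?('passed') }
end

# Convenience: parse and evaluate in one step (the detection half of the loop).
def report_for(text)
  evaluate(SSH_POLICY, parse_config(text))
end

# Constructed snapshots: a compliant baseline, then a host that has drifted.
BASELINE = "PermitRootLogin no\nPasswordAuthentication no\nProtocol 2\n".freeze
DRIFTED  = "PermitRootLogin yes\n# enabled passwords for a quick fix\n" \
           "PasswordAuthentication yes\nProtocol 2\n".freeze

if __FILE__ == $PROGRAM_NAME
  puts report_for(BASELINE).inspect   # every control passes
  puts report_for(DRIFTED).inspect    # ssh-01 and ssh-02 fail after the drift
end
```

Re-running `report_for` after each configuration change is the fast feedback loop described earlier: the same code that documents the policy also detects the drift.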

Continuous Compliance means security is no longer a barrier, but the enabler of speed and agility in developing what the market wants.  

Scaling DevOps 

IaC offers the ability to scale beyond a single system in a consistent, repeatable, resilient and reliable way, to shift your security testing left from the end of the process to as far into the development cycle as possible. It also allows IT to continuously monitor the status of your security and compliance posture.  

One large bank is achieving these results with the help of Progress Chef. “How do you take the continuous delivery, DevOps concepts and scale them across a much larger organization? We proved that what we thought was provable really works and the benefits we suspected we would see we absolutely do see,” said Mike Murphy, Head of IT Operations for Standard Bank.

Simplifying Security 

The same approaches that detangle DevOps complexity work equally for security. “To be effective, security defenses must be designed, applied, tested, and validated at multiple levels. The process starts with the code that makes up each application, and ultimately extends to infrastructure configurations, application interdependencies, and the security policies that companies institute,” an IDG Security Compliance Survey found. 

DevSecOps, Survey Says! 

An IDC survey published by CSO Magazine finds that DevSecOps, including automated testing, bolsters security and blocks cyber threats that attack misconfigurations, unpatched and un-updated systems and exploit faulty code. 

But not all enterprises embrace DevSecOps. “Unfortunately, information and application security has often been an afterthought in the software development process. With cyberattacks escalating dramatically, the risks and consequences associated with flawed code and faulty infrastructure configurations have grown severe. This new reality has sparked intense interest in adding security and compliance testing throughout the software development lifecycle (SDLC),” according to the IDG Security Compliance Survey.

The IDG survey commissioned by Chef Software found that: 

  • “59% of respondents believe integrating security into the software development lifecycle (SDLC) is crucial for their organization’s success 
  • Nearly 9 out of 10 DevSecOps adopters found security to speed up – or at worst have no impact on – software delivery
  • 60% of organizations believe that adopting DevSecOps reduces the risk of breaches”

Applying automation to DevOps and DevSecOps practices can speed development while boosting security. “Among adopters, nearly half (47%) said that security team involvement speeds the pace of development. Another 39% said that such involvement has no negative impact on development time,” the IDG report found.

DevSecOps pros interviewed by IDG agree. “‘All teams work in tandem, so the timelines are squeezed,’ explained the director of a midsize technology company. Another adopter—the CIO of an education solutions company—said, ‘Recognizing errors and finding solutions makes distribution fast,’” the report stated.

The opposite is also true: not applying best practices slows development. “42% of the non-adopters say security team involvement slows the pace of development. ‘There is ongoing intervention by the security team, therefore we factor in delays,’ said one survey respondent, a director of a midsize financial services company,” the report argued.

Leave it to Chef DevOps Automation Tools

Learn how Chef can radically simplify your DevOps with our DevOps Solutions and bring new levels of protection by perfecting your DevSecOps.

Chef democratizes DevOps with a way to configure, deliver, and manage from any cloud to any edge that is secure and compliant.


Sundar Subramanian

Sundar is GM with full P&L responsibility for Progress’ Chef business. Previously, he was responsible for driving all facets of Progress’ early stage product lines of Kinvey, Kinvey Health Cloud, DataRPM, NativeChat and Fiddler. Sundar has had a successful career building, scaling and selling SaaS products, including his tenure at AthenaHealth, where he led their SaaS platform product teams building scalable microservices, data portability and interoperability between multiple electronic health record systems. Prior to that, he was VP of products of Sequoia-backed Citrus Payment Solutions, which was acquired by Naspers, and served as vice president for Kaseya, where he built multiple cross-functional teams, including the ecommerce and inside sales teams that drove the company’s revenue growth. Earlier, he was director of product management at Salesforce after cofounding a startup acquired by Salesforce. Sundar holds a master's degree in computer science from Drexel University and a bachelor's degree in electronics engineering from the University of Mumbai.

Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.