DevOps orchestration tools represent a new risk to the enterprise

orchestra tiltshift
Credit: ABC Informática

Editor's note: After publishing CSO's original story, we asked the two main sources to write first-person accounts of the standing of DevOps in security. You can find the counterpoint here.

What was once a new, exciting, seldom-used methodology is now picking up steam across all industries. DevOps is becoming a preferred software development technique, and automated orchestration tools have become the lifeblood of this mindset. While this shift undoubtedly brings countless perks, it also provides a whole new set of concerns.

Orchestration tools help manage configuration and application deployment. They track and control code base changes and store file versions in a central configuration management database, allowing different developers to work on the same code base without worrying about version control. They also automate releases, enabling DevOps teams to achieve one of their core goals: continuous delivery.

Essentially, these tools control and automate everything about the delivery pipeline in software development. Automated processes reduce governance and compliance risks while allowing for a regular cadence and predictability around all DevOps tools.

The numbers regarding the use of DevOps and continuous delivery show promise. In fact, a recent survey found that companies that embraced a DevOps methodology increased their speed to market by 20 percent, leading to a 22 percent boost in customers and a 19 percent increase in revenue. Another survey revealed that 52 percent of companies that adopt DevOps methods increased their customer satisfaction and conversion rate, and 38 percent increased their sales.

The cultural aspect of a DevOps team — a team that’s busting down siloes, working together, being flexible, and striving to improve — is an added bonus. So why hasn’t every enterprise adopted this DevOps mindset? The answer: security risks and fear of the unknown.

The risks of trusting DevOps orchestration tools

DevOps methodologies completely disrupt traditional team setups, and implementing automated orchestration tools is sometimes seen as too far of a departure from traditional deployment techniques.

But companies that do embrace these orchestration tools often put too much trust in them. You could become a target for hackers when you rely on them as centralized tools that enforce policies across your whole enterprise. Once hackers get into your system, they hold the keys to the kingdom. They can modify any configurations they want — like altering firewalls, adding accounts, granting remote access to production systems, extracting data, changing prices, and installing known vulnerable software.

Keep in mind that the tools themselves — like Chef, Puppet, and Ansible — are not the threat. The real threat is the lack of identifying the risk and making plans to reduce it, so DevOps adoption simply needs to be accompanied by a thorough risk analysis.

How to safely implement these tools

A DevOps attitude primarily focuses on benefits without focusing on information security risks. Security is mostly looked at as a simple speed bump while the main focus remains on getting products out the door. But overlooking security isn’t the best plan.

While orchestration tools are huge business enablers, it’s crucial to devise a security strategy and designate a team to oversee that practice.

Here are four key topics to cover when coming up with your security plan:

  1. Risk identification: Identify every possible risk your orchestration tools could pose to your company.
  1. Damage control: Come up with a companywide strategy that prevents, mitigates, or remediates as many potential risks as you’ve identified.
  1. Crisis management: Identify a swift response plan in the event of a catastrophe.
  1. Backup plans: Consider keeping some old systems around that aren’t centrally and automatically managed. Having a homogenous infrastructure is risky because one single attack could wipe everything out in just a few short minutes.

A DevOps mindset paired with automated orchestration tools is a double-edged sword. While this methodology is widely viewed and implemented as a way to simplify deployment and reduce traditional security risks, it also brings a whole new set of risks with it. Although this methodology can greatly help enterprises thrive, it should never be adopted without conducting a proper risk analysis.

Andrew Storms is the vice president of security services at New Context, a systems architecture firm founded to optimize, secure, and scale enterprises. Andrew has been leading IT, security, and compliance teams for the past two decades. Previously, he was the senior director of DevOps for CloudPassage and the director of security operations for nCircle (acquired by Tripwire).

This story, "DevOps orchestration tools represent a new risk to the enterprise" was originally published by CSO.

Download the CIO October 2016 Digital Magazine
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies