Balancing Security and Agility with DevSecOps

You can dispel the myth that security and agility are opposing forces and achieve cloud security with these tips.


Security and agility are often viewed as opposing forces. While DevOps is inherently geared towards removing as many barriers as possible to shorten application development lifecycles and provide continuous delivery with high-quality software, security teams tend to be more cautious, taking time to rigorously test all new services and applications to ensure there are no weaknesses that could pose a risk to the organization. These opposing forces can create friction.

Thankfully, it’s not necessary to sacrifice one for the other. You can achieve agility and security simultaneously in the cloud with development, operations, and cloud security best practices.

Adopting DevSecOps practices as well as automated security testing and compliance solutions can speed development and reduce costs while helping achieve continuous compliance.

Building security into your environment benefits development and operations in three key ways:

  • Faster delivery - With this model, development and operations can focus on code throughput rather than stopping to coordinate security details, because the injection and inspection processes are secured and automated. With security acting like the brakes on a car, teams can work faster knowing that security is built into the system.
  • Reduced risk - With a secure foundation in the form of a secure landing zone, risk is reduced. And, with security automated, the chance of human error goes down, further reducing risk. When taken together, these security features empower development to move faster, with greater confidence.
  • Faster time-to-market - Faster delivery with reduced risk means services can be delivered to market more quickly. As teams spend less time on manual, tactical work, they are freed to work on strategic initiatives that further business objectives. This creates a virtuous cycle that helps the business achieve its goals, such as growing customer satisfaction, adapting to changing customer expectations, and increasing revenue through new business models.

Case In Point

Flux7, an NTT DATA Company, recently worked with a SaaS customer analytics company to build security into its new DevOps-based processes and technology foundation. For this company, we helped design a secure landing zone, pipelines with security embedded, and a set of inspectors – automated tools that monitor, log, inspect, and detect any activity that reduces security or opens the firm up to a breach. Specifically, we built a process where security inspectors examined code, software, and infrastructure – all at one time – across pre- and post-production for security vulnerabilities.

In this instance, pipeline triggers checked configuration rules while inspectors in the pipelines checked artifacts. These inspectors were in addition to our work ensuring that the landing zone was secure and that the firm had injectors – tools and automated processes – to efficiently provide security information for services when and where required. 
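To make the "inspectors check configuration rules in the pipeline" idea concrete, here is an added example (not Flux7's or the customer's code): a minimal inspector that runs a set of configuration rules over a constructed, AWS-style resource description and returns a pass/fail gate decision. The resource format, the rule set, and the sample data are all assumptions made for illustration.

```python
import json
from typing import Optional

# Added example, not the page's code. Constructed sample input: the kind of
# resource description a pipeline trigger would hand to an inspector.
SAMPLE_CONFIG = json.dumps({
    "resources": [
        {"type": "security_group", "name": "web-sg",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                     {"port": 22, "cidr": "0.0.0.0/0"}]},
        {"type": "s3_bucket", "name": "analytics-raw",
         "block_public_access": False, "encrypted": True},
        {"type": "ebs_volume", "name": "db-data", "encrypted": False},
    ]
})

# Each rule inspects one resource and returns a finding string or None.
def no_public_ssh(r: dict) -> Optional[str]:
    """Flag security groups that expose SSH to the whole internet."""
    if r["type"] != "security_group":
        return None
    for ing in r.get("ingress", []):
        if ing["port"] == 22 and ing["cidr"] == "0.0.0.0/0":
            return f"{r['name']}: SSH (22) open to 0.0.0.0/0"
    return None

def bucket_not_public(r: dict) -> Optional[str]:
    """Flag S3 buckets that do not block public access."""
    if r["type"] == "s3_bucket" and not r.get("block_public_access", False):
        return f"{r['name']}: public access not blocked"
    return None

def storage_encrypted(r: dict) -> Optional[str]:
    """Flag buckets and volumes that are not encrypted at rest."""
    if r["type"] in ("s3_bucket", "ebs_volume") and not r.get("encrypted"):
        return f"{r['name']}: not encrypted at rest"
    return None

RULES = [no_public_ssh, bucket_not_public, storage_encrypted]

def inspect(config_json: str) -> list:
    """Run every rule over every resource and collect the findings."""
    resources = json.loads(config_json)["resources"]
    return [f for r in resources for rule in RULES if (f := rule(r))]

def gate(config_json: str) -> bool:
    """Pipeline gate: proceed only when the inspector reports no findings."""
    return not inspect(config_json)
```

Calling `inspect(SAMPLE_CONFIG)` yields three findings (the open SSH rule, the public bucket, and the unencrypted volume), so `gate(SAMPLE_CONFIG)` returns False; a real pipeline step would exit non-zero at that point and block the deployment.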

The result: the firm successfully migrated its public-facing application to AWS while increasing scalability and availability globally. Its development productivity grew, allowing it to much more quickly and easily evolve its application, providing demanding customers with new features and functionality they had asked for. Using ISO 27001 as its security standard, the firm met these control objectives in its new environment at the same time it increased its competitiveness in the market through faster service delivery.

Building “Security with Agility” will allow you to create secure environments without slowing down the engineering teams’ work. In turn, this allows security, development, and operations to deliver on their key goals for the business.


Copyright © 2020 IDG Communications, Inc.