
Virtualization and Cloud executives share their predictions for 2016. Read them in this 8th Annual VMblog.com series exclusive.
Contributed by Anders Wallgren, chief technology officer at Electric Cloud
InfoSec in a DevOps-Driven Enterprise
Today, software applications are the lifeblood of most businesses. The relentless consumer demand for new functionality, along with advances in virtualization and data integration, have all increased the pressure on organizations to release software faster than ever before. This has led many to explore DevOps and Continuous Delivery practices as means to accelerate time to market and improve product quality.
Yet, some stakeholders in the organization - primarily Information Security (InfoSec) - have been hesitant to adopt DevOps. In fact, at this year's DevOps Enterprise Summit (DOES15), we discussed Security and Compliance as one of the top five DevOps challenges faced by large organizations. Regulatory burdens, an increase in data breaches, vulnerabilities in open-source components, and cybersecurity threats all initially led InfoSec to perceive DevOps as a risk, with the increased velocity of software releases seen as a threat to governance. But lately, this pattern has shifted, with 2016 poised to be the year that InfoSec gets on the DevOps bandwagon!
As enterprises continue to prove that DevOps practices actually mitigate potential security problems, discover issues faster and address threats more quickly, we see DevOps as an enabler of security and compliance.
2016 will be the year DevSecOps matures:
Enterprises will need to manage the stack and code of the application more rigorously, particularly because of the open source components used as part of the solution, to ensure there are no breaches and to enable compliance.
InfoSec will become an integral part of the software delivery pipeline - rather than a "necessary evil" or almost an afterthought at the end of the process. InfoSec will collaborate with other stakeholders in the organization to bake security measures and auditability into the software delivery pipeline from the start. This leads to security and compliance becoming another indicator of quality, and a shared responsibility of all groups involved in the software lifecycle. As InfoSec is brought into the fold to share the "regular" delivery pipeline with other groups in the DevOps process, Dev and Ops teams, too, will embrace security measures as part of their natural course of work.
This will also lead to a shift in traditional team structures and work processes. As we move into 2016 and beyond, collaboration between InfoSec and other organizations in the enterprise will increase. Subsequently, the implementation of security controls will evolve to be better aligned with business goals, as will transparency, cooperation and trust between teams.
About the Author
Anders Wallgren is chief technology officer at Electric Cloud. Anders brings with him over 25 years of in-depth experience designing and building commercial software. Prior to joining Electric Cloud, Anders held executive positions at Aceva, Archistra, and Impresse. Anders also held management positions at Macromedia (MACR), Common Ground Software, and Verity (VRTY), where he played critical technical leadership roles in delivering award-winning technologies such as Macromedia's Director 7 and various Shockwave products. Anders holds a B.Sc. from MIT.