Virtualization and Cloud executives share their predictions for 2017. Read them in this 9th annual VMblog.com series exclusive.
Contributed by Reuven Harrison, CTO, Tufin
DevOps and Security: Divided we fall
The DevOps movement is picking up speed as an increasing number of organizations
realize the many benefits of the DevOps process. Built on the principles of faster
software development, collaboration and innovation, why wouldn't an
organization jump on board the DevOps train? A common myth surrounding this
trend is the belief that DevOps and security teams lead
separate lives, where DevOps teams view security as a nuisance and security
teams view DevOps as a risk. Unless DevOps and security teams break out of
their silos and debunk this myth, businesses may face the unintended
consequences of DevOps oversights becoming the new data breach.
According to recent
research, 20 percent of enterprises reported that they were the victim of
four or more data breaches in the past year. It's not a stretch to say that
cybercriminals will be expanding their targets and adding new attack vectors.
While DevOps has many benefits, DevOps teams are also a prime target for cybercriminals.
For starters, DevOps teams, with their "move fast, break
stuff" philosophy, have little oversight from management or other
organizational departments. Without proper oversight, who is confirming that
development is being done securely? In addition, because DevOps teams want to
quickly get the finished product out the door, more people on the team have
access to privileged, sometimes sensitive information. Too much access can widen
the attack surface and leave companies vulnerable as cybercriminals will
continue to target privileged users with high-level access.
Additionally, DevOps teams adopt a "DIY" mentality when it
comes to software development tools and testing apps - their first order of
business is to acquire the tools necessary to get the job done. That means the
IT security team may not have a clear view of all of the applications accessing
the network, or have the chance to do any vetting or code analysis before these
tools are brought in. Teams may be using outdated software or bug-ridden tools
- the perfect environment to attract a cybercriminal.
Data breaches caused by DevOps oversights are completely
preventable, and there's an immense opportunity to leverage the agility that
DevOps teams bring to the table to actually help simplify and ensure compliance
rather than steamroll over it.
An easier way
In the new world of cloud and DevOps, the traditional silos
dissolve and developers gain control of the entire stack, all the way from the
application code down to its underlying infrastructure including compute,
storage and networking. While developers should be security-aware and should
write code that adheres to security best practices, enterprises cannot expect
developers to own security and compliance. The fundamental principle of
"Separation of Duties" still holds. Security managers should "bake" security checks
into the DevOps toolchain, without interrupting agility. This will help mediate
the "DevOps versus security" saga and reduce the likelihood of human error and misconfigurations
in a complex environment. Continuous development and integration must be
complemented by continuous security which is fully automated.
In the new year, don't let your DevOps team be the cause of
a data breach. DevOps and security teams must break out of their silos and
unite. With the right automation tools, DevOps can enable compliance rather
than risk it, and security won't get in the way of the DevOps process.
About the Author
Reuven Harrison is
CTO and Co-Founder of Tufin. He led all development efforts during the
company's initial fast-paced growth period, and is focused on Tufin's product
leadership. Reuven is responsible for the company's future vision, product
innovation and market strategy. Under Reuven's leadership, Tufin's products
have received numerous technology awards and wide industry recognition.
Reuven brings more
than 20 years of software development experience, holding two key senior
developer positions at Check Point Software, as well as other key positions at
Capsule Technologies and ECS. He received a Bachelor's degree in Mathematics
and Philosophy from Tel Aviv University.