Virtualization and Cloud executives share their predictions for 2017. Read them in this 9th annual VMblog.com series exclusive.
Contributed by Reuven Harrison, CTO, TufinDevOps and Security: Divided we fall
The DevOps movement is picking up speed as an increasing number of organizations realize the many benefits of the DevOps process. Built on the principles of faster software development, collaboration and innovation, why wouldn't an organization jump on board the DevOps train? A common myth surrounding this trend is the belief that DevOps and security teams lead separate lives, where DevOps teams view security as a nuisance and security teams view DevOps as a risk. Unless DevOps and security teams break out of their silos and debunk this myth, businesses may face the unintended consequences of DevOps oversights becoming the new data breach.
According to recent research , 20 percent of enterprises reported that they were the victim of four or more data breaches in the past year. It's not a stretch to say that cybercriminals will be expanding their targets and adding new attack vectors. While DevOps has many benefits, they are also a prime target for cybercriminals.
For starters, DevOps teams, with their "move fast, break stuff" philosophy, have little oversight from management or other organizational departments. Without proper oversight, who is confirming that development is being done securely? In addition, because DevOps teams want to quickly get the finished product out the door, more people on the team have access to privileged, sometimes sensitive information. Too much access can widen the attack surface and leave companies vulnerable as cybercriminals will continue to target privileged users with high-level access.
Additionally, DevOps teams adopt a "DIY" mentality when it comes to software development tools and testing apps - their first order of business is to acquire the tools necessary to get the job done. That means the IT security team may not have a clear view of all of the applications accessing the network, or have the chance to do any vetting or code analysis before these tools are brought in. Teams may be using outdated software or bug-ridden tools - the perfect environment to attract a cybercriminal.
Data breaches caused by DevOps oversights are completely preventable, and there's an immense opportunity to leverage the agility that DevOps teams bring to the table to actually help simplify and ensure compliance rather than steamroll over it.
An easier way
In the new world of cloud and DevOps, the traditional silos dissolve and developers gain control of the entire stack, all the way from the application code down to its underlying infrastructure including compute, storage and networking. While developers should be security-aware and should write code that adheres to security best practices, enterprises cannot expect developers to own security and compliance. The fundamental principle of "Separation of Duties" still holds. Security managers should "bake" security checks into the DevOps toolchain, without interrupting agility. This will help mediate the "DevOps versus security" saga and reduce the likelihood of human error and misconfigurations in a complex environment. Continuous development and integration must be complemented by continuous security which is fully automated.
In the new year, don't let your DevOps team be the cause of a data breach. DevOps and security teams must break out of their silos and unite. With the right automation tools, DevOps can enable compliance rather than risk it, and security won't get in the way of the DevOps process.
About the Author
Reuven Harrison is CTO and Co-Founder of Tufin. He led all development efforts during the company's initial fast-paced growth period, and is focused on Tufin's product leadership. Reuven is responsible for the company's future vision, product innovation and market strategy. Under Reuven's leadership, Tufin's products have received numerous technology awards and wide industry recognition.
Reuven brings more than 20 years of software development experience, holding two key senior developer positions at Check Point Software, as well other key positions at Capsule Technologies and ECS. He received a Bachelor's degree in Mathematics and Philosophy from Tel Aviv University.