The digital world is changing the way businesses work with their customers, partners and employees. This digital transformation uses DevOps speed, agility and innovation to capitalise on market opportunities, and create competitive differentiation. This has already resulted in more than 60 percent of organisations adopting DevOps approaches. However, as DevOps pushes a need for speed, little attention has been paid to going fast while protecting security. This is because security is often viewed as hindering the speed of delivery for DevOps and creating hurdles for teams that want to work fast. Just like Formula 1 engineers that enable drivers to push the limits, the opportunity for security teams is to help DevOps go faster, safely.
Business benefits of DevOps
There are numerous benefits for businesses that successfully adopt DevOps, namely:
- Faster response times address market changes or customer requirements more quickly. Companies that have embraced a DevOps methodology increased their speed to market by 20 percent.
- Increased customer satisfaction is achieved through frequent product updates based on continuous feedback from users.
- Better operational efficiency due to automation has resulted in more than 60 percent of organisations adopting DevOps approaches.
Why security is often lacking in DevOps
So why are security measures, such as the use of strong encryption and authentication, so often overlooked by DevOps teams? It's all about speed and simplicity. Obtaining keys and certificates in a DevOps environment takes too long and results in bottlenecks. Security teams might measure SLAs in weeks while DevOps expects seconds or less. So DevOps looks for workarounds. Whether it's not using encryption at all, using self-signed certificates that make it difficult to know what's good or bad, or copy the same keys many times, DevOps will find ways to go fast even if that means introducing new risks.
The lack of visibility – such as whether a developer has installed trusted and unique keys and certificates – and when they are following enterprise policies, means security teams are unable to tell which pieces of software can and can't be trusted. Nearly 80 percent of CIOs are concerned that the speed at which DevOps operates makes it more difficult to know what's trusted and what's not. There are three steps companies must address to tackle the lack of visibility or control over keys and certificates and secure the DevOps environment.
1. Automated security
25 percent of the costs associated with building a new app, including a single application's development, testing, deployment and operations life cycle, is wasted. This also includes resources spent on manually acquiring keys and certificates. Companies need to implement procedures to automate the creation and distribution of encryption keys and certificates throughout the build process, so that DevOps teams don't have to do it themselves. DevOps is all about consuming APIs – so security teams need to serve up keys and certificates automated through APIs that easy and fast. By doing so, IT security will be able to align with fast IT practices while decreasing the number of vulnerabilities potentially introduced via manual processes.
2. 2. Gain visibility
Customer satisfaction is an ongoing endeavour; one service outage and your customer satisfaction rating can plummet. Failure to track expiration dates for certificates used for HTTPS services can result in an average downtime cost of up to US$1 million per hour (£760,000). DevOps teams are not security experts, nor should they be. However, in most cases, DevOps teams acquire and install certificates themselves, and IT security teams don't know about the certificates to track them. Businesses need to be able to discover where all application certificates are being used and bring them under IT security control. Then policies can be applied to certificates, tracking expiration dates to avoid service outages and maintain customer confidence.
3. 3. Integrate security
The improvement of operational efficiency is a primary driver for DevOps. For legacy IT practices, it's acceptable to spend 4.5 hours to provision each certificate manually; however, for ‘New IT' and DevOps teams that is simply too long. They need to be able to integrate the provisioning of keys and certificates as part of the automated build process to deliver thousands of certificates in a matter of seconds—nothing less will suffice. Firms should enable this by providing simple solutions such as APIs for DevOps teams to use.
Understanding and managing these three key issues are critical for companies looking to gain the advantage of speed with DevOps without compromising security. With fast and easy automation, businesses are able to remain secure while moving at the speed of business.
Contributed by Kevin Bocek, VP of security strategy, Venafi