Aligning security to the new wave

Opinion by Sandeep Godbole

It is important that the architecture, development approach and deployment pathway be capable of meeting the objectives of responsive, nimble and quickly deployable IT solutions.

Rome wasn't built in a day, says the common proverb. The contemporary IT world, however, has expectations to the contrary. It is expected that a few edifices at least, if not the whole of Rome, be built within a very short span of time. 

The environment of the day, the competitive pressures and the stakeholder expectations require that IT systems be responsive to changing requirements, nimble in developing solutions and able to deploy those solutions quickly. It is thus important to adopt an approach where these expectations are met effectively.

Achieving these expectations requires that the IT architecture of the solution be amenable to changes without adversely impacting other parts of the system. An architecture that is not flexible would not be able to implement changes in a short span of time. Along with an enabling flexible architecture, deploying nimble practices for developing the code for the expected changes to the IT systems is important. After the changes to the code are developed, the changes need to be reflected in the production environment in a seamless, efficient and rapid manner. Thus, it is important that the architecture, development approach and deployment pathway be capable of meeting the objectives of responsive, nimble and quickly deployable IT solutions.

Microservice architecture, Agile system development practices and DevOps address the different aspects necessary to support systems that are capable of adapting to stakeholder expectations, nimble enough to service those expectations by implementing the code and efficient enough to deploy the changes to the production environment.

Microservice architecture is based on the concept of deploying multiple independent services that together provide the IT solution. This approach differs from a monolithic IT architecture, which is less amenable to changes without impacting other components of the system. An Agile approach to development aims at using organisational structures and development practices that deliver incremental products that can be deployed.

This approach enables solutions to be delivered in an incremental manner. Considering that parts of the solution become available in an incremental manner as the development progresses, these parts can be deployed as they become available. There is no need to wait for the entire development activity to be completed prior to deploying parts of the solution. DevOps seeks to move the code as quickly as possible into the production environment by integrating the development and the IT operations processes. This is achieved through a collaborative approach between the development and IT operations teams as well as deploying tools and automation to support the DevOps process.

Microservices, Agile and DevOps thus provide a framework or solution set capable of delivering responsive, nimble and quickly deployable IT solutions. This represents a ‘new wave’ in the development and maintenance of IT systems. A significant aspect of these approaches and processes is the empowerment of teams and a decentralised approach. Traditionally, centralised controls have been favoured to ensure that risks are identified, tracked and closed in an effective manner.

This approach of centralised controls is not very helpful in the ‘new wave’. Curtailing Microservices, Agile and DevOps is not desirable considering the value they deliver. At the same time, it is important to understand these new approaches and deploy practices and processes that provide assurance, controls and security.

That will necessitate gaining a comprehensive understanding of these approaches, identifying inherent risks and deploying controls and processes that meet the control, assurance and security objectives. This requires both an identification of the new set of controls relevant to the tools, technology and workflows as well as deploying traditional controls in the context of the new approaches. 

For example, the automation for continuous deployment used as part of DevOps may require new controls related to dependency mapping, hardware availability, virtual machine images, version and integrity checks, etc. At the same time, certain controls or interventions, such as static code analysis and dynamic security testing inherent to traditional development processes, may be essential to Agile. Though deploying these traditional controls may be essential, their placement or order may need to be modified in the context of the Agile approach.

The technology world is an ever-evolving environment. It is important to accept the new approaches and implement controls in the context of the new wave!

Contributed by Sandeep Godbole, head, information security, Syntel.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK, Haymarket Media, Syntel, ISACA or other organisations, entities or individuals.

Editor's Note: Sandeep Godbole presented on this topic at ISACA's EuroCACS 2018 conference on 28 May in Edinburgh.
