This article by Niklas Jakobsson, CEO of Axiomatics, originally appeared in SC Magazine.

SC Magazine: DevOps to DevSecOps: How to ensure a smooth transition

Security technologies must fit into an automated model so they can be deployed and managed in the same manner as a microservices architecture; otherwise the full potential of DevSecOps will not be achieved.

Merging software development and software operations teams to immediately provide products and services to customers is critical in today’s fast-paced business environment. Consumers expect the companies they do business with to deliver and update applications rapidly. If those expectations aren’t met, customers may leave the application altogether.

Up until about 2003, software teams were siloed within either development or operations teams, which was often a barrier to productivity and efficiency. Then, in 2003, Google hired Ben Treynor to head a team of seven software engineers to run a production environment. The job of Ben and his team was to ensure Google’s websites ran more smoothly, efficiently and reliably. The results were successful, and this new approach of having software engineers run the production environment was coined Site Reliability Engineering (SRE).

However, a few years later, the word DevOps started to generate buzz. The idea behind DevOps was similar to SRE: when software teams are no longer confined to a particular role, group or task, they can engage members across teams to increase an organisation’s ability to deliver applications at high speed. The combined development approach is more agile, cost-effective and customer-focused.

Along with the many benefits of delivering applications with the DevOps framework at such a rapid pace, there are also challenges. If security technologies are not part of DevOps from the very beginning, organisations risk relying on security controls that aren’t in tune with the DevOps process. When security controls aren’t aligned with the process, they cannot be streamlined via automation to deliver and update applications at high speed. As a result, security must play a pivotal role in the DevOps process.

By incorporating security controls into DevOps, businesses are embracing the new DevSecOps model to realise the full potential of continuous integration/continuous delivery (CI/CD). When security or access control technologies are deployed from the beginning, organisations can ensure that those controls are in tune with a CI/CD flow.

Security at Inception

Security controls play a key role in DevSecOps and must be ingrained throughout the entire process. When security processes are introduced and vetted at the onset of the development cycle, businesses can proactively and consistently address different security facets across the organisation. For example, by incorporating security objectives early in the development lifecycle, businesses can automate critical tasks such as code analysis and penetration testing.

The same goes for security technologies: they must also fit into an automated model so they can be deployed and managed in the same manner as a microservices architecture. If the security technologies deployed are not in concert with a CI/CD flow, the full potential of DevSecOps will not be achieved.

To conform to a DevSecOps approach, organisations require security and identity services that are deployed and managed in the same manner as any application code.

Not all security controls are created equal

To transition to a DevSecOps approach, businesses must deploy technologies that are in sync with a CI/CD cycle. Some legacy security or identity and access management (IAM) technologies can present a challenge, such as IAM systems that rely on access control lists (ACLs) or Role Based Access Control (RBAC), because they cannot be deployed and managed in the same manner as APIs and microservices. The result is a more cumbersome and less modernised development process.

However, access control technologies like externalised dynamic authorisation can help streamline and automate the development process. With dynamic authorisation, users are authorised to access resources based on attributes. Access decisions are then determined dynamically at runtime by evaluating centrally managed rules and policies.

Automation is critical

With dynamic authorisation, businesses can automate policy changes the same way they automate code changes. The Attribute Based Access Control (ABAC) service itself is also managed like a microservice, meaning it has the same flexibility, deployment and automation characteristics as any application microservice. In the end, the lifecycle of redeploying the application and security components is fully automated, and any changes to policies are part of the automation process.
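The two preceding sections describe externalised dynamic authorisation in the abstract: attributes of the subject, action, resource and environment are evaluated at runtime against centrally managed policy, and a policy change ships without touching application code. The following is an added illustration written for this article, not Axiomatics' product or code. It places an access rule hard-coded into application code beside a small policy decision point whose policy is plain data; the attribute names, the clause operators, the two policy versions and the sample requests are all constructed for the example.

```python
"""Added example (not Axiomatics' code): a minimal externalised, attribute-based
authorisation service beside the hard-coded access rule it replaces. Policies,
attribute names and sample requests are constructed for illustration."""
from copy import deepcopy
from typing import Any, Dict


# --- What the article argues against: the access rule lives in application code.
def legacy_can_read_record(user_role: str) -> bool:
    # Changing who may read a record means editing and redeploying the application.
    return user_role in ("doctor", "nurse")


# --- Externalised dynamic authorisation: policy is data evaluated against attributes.
# A request carries the usual ABAC categories:
#   {"subject": {...}, "action": "...", "resource": {...}, "environment": {...}}
OPERATORS = {
    "eq": lambda left, right: left == right,
    "in": lambda left, right: left in right,
    "not_in": lambda left, right: left not in right,
}


def lookup(request: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted attribute path such as 'subject.department'; None if absent."""
    node: Any = request
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def clause_holds(clause: Dict[str, Any], request: Dict[str, Any]) -> bool:
    """A clause compares an attribute with a literal ('value') or another attribute ('attr2')."""
    left = lookup(request, clause["attr"])
    right = lookup(request, clause["attr2"]) if "attr2" in clause else clause.get("value")
    if left is None or right is None:
        return False  # unresolvable clauses never match, so missing data cannot satisfy a permit rule
    return OPERATORS[clause["op"]](left, right)


class PolicyDecisionPoint:
    """Evaluates requests against the currently loaded policy set.

    Combining algorithm is deny-overrides: any matching deny rule wins, otherwise a
    matching permit rule permits, otherwise the answer is deny (default deny)."""

    def __init__(self, policy_set: Dict[str, Any]):
        self.policy_set = deepcopy(policy_set)

    def load(self, policy_set: Dict[str, Any]) -> None:
        """Hot-swap the policy set; the application code calling decide() is untouched."""
        self.policy_set = deepcopy(policy_set)

    def decide(self, request: Dict[str, Any]) -> str:
        permitted = False
        for rule in self.policy_set["rules"]:
            if all(clause_holds(c, request) for c in rule["condition"]):
                if rule["effect"] == "deny":
                    return "deny"
                permitted = True
        return "permit" if permitted else "deny"


# Constructed policy set, version 1: clinicians read records of their own department,
# and nothing is reachable from an external network outside 08:00-17:59.
POLICY_V1 = {
    "version": "1",
    "rules": [
        {"effect": "permit", "description": "clinicians read records in their own department",
         "condition": [
             {"attr": "action", "op": "eq", "value": "read"},
             {"attr": "resource.type", "op": "eq", "value": "patient_record"},
             {"attr": "subject.role", "op": "in", "value": ["doctor", "nurse"]},
             {"attr": "subject.department", "op": "eq", "attr2": "resource.department"},
         ]},
        {"effect": "deny", "description": "no external access outside working hours",
         "condition": [
             {"attr": "environment.network", "op": "eq", "value": "external"},
             {"attr": "environment.hour", "op": "not_in", "value": list(range(8, 18))},
         ]},
    ],
}

# Version 2 narrows the permit rule to doctors: a policy change, not a code change.
POLICY_V2 = deepcopy(POLICY_V1)
POLICY_V2["version"] = "2"
POLICY_V2["rules"][0]["condition"][2]["value"] = ["doctor"]


def build_request(role: str, dept: str, record_dept: str, network: str, hour: int) -> Dict[str, Any]:
    """Assemble a constructed request; a real enforcement point gathers these attributes."""
    return {
        "subject": {"role": role, "department": dept},
        "action": "read",
        "resource": {"type": "patient_record", "department": record_dept},
        "environment": {"network": network, "hour": hour},
    }


def read_record(pdp: PolicyDecisionPoint, request: Dict[str, Any]) -> str:
    """The enforcement point inside the application delegates instead of embedding a role check."""
    return "record contents" if pdp.decide(request) == "permit" else "access denied"


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(POLICY_V1)
    nurse = build_request("nurse", "cardiology", "cardiology", "internal", 10)
    print("v1:", read_record(pdp, nurse))
    pdp.load(POLICY_V2)  # policy redeployed; read_record() and the application are unchanged
    print("v2:", read_record(pdp, nurse))
```

The point of the contrast is where a change lands: tightening `legacy_can_read_record` is a code edit that rides the application's release train, whereas `POLICY_V2` is a separate artefact that the same CI/CD pipeline can lint, test and roll out to the decision point on its own, and the default-deny combining rule means a policy that fails to load or a request missing attributes falls back to refusing access rather than granting it.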

The automated approach delivers a number of benefits to businesses, including:

* Relieving pressure on developers, since they are no longer required to write security rules into their code.

* Enforcing access rules consistently across applications, APIs, microservices and data resources, reducing the risk of overexposing information and of security breaches.

* Freeing developers to spend the bulk of their time on business functionality instead of worrying about access security.

Security technologies like dynamic authorisation delivered with ABAC play an integral role in the DevSecOps process. Dynamic authorisation embedded directly into the development cycle allows organisations to successfully achieve DevSecOps, compete more effectively and securely in the market and better serve customers across the globe. Are you ready for the evolution?

Contributed by Niklas Jakobsson, CEO, Axiomatics.