A User’s Guide to DevSecOps Success
Massively scalable, responsive, fast, reliable, fault-tolerant, and secure: it is no wonder that organizations are increasingly embracing modern cloud-native computing techniques. Cloud enables enterprises to benefit from PaaS, microservices, agile, containers, DevSecOps, CI/CD, data engineering, IoT, AI, and machine learning. However, shifting gears from an organization’s existing processes to a DevSecOps model of design and deployment can be daunting. For organizations that have recently shifted to cloud-native, or are considering the move in the near future, there are some practical steps that help unlock the full benefits of cloud.
Start by getting to grips with what has changed. One of the most apparent differences is that with CI/CD in the cloud, security checks and policy-driven privacy rules now need to be integrated into the coding pipeline and its supporting tools. This is why you’ll often hear people talk about “baking” security into the DevOps process (the result being DevSecOps). Automation levels will be far higher than before, which enables much greater speed and agility. The attack surface will need to be re-examined too, and different tools deployed to protect against a new threat landscape.
This is a time for dev and security teams to learn from each other as well as to learn together. While CI/CD might be well understood by some teams, others may need extra time and training to understand the new processes, priorities, and tools they should use. Choosing teams carefully is essential too. Agile working has taught us a lot about the benefits of small, focused groups, and the same applies to DevSecOps. Wherever possible, incorporate mentoring or coaching opportunities so that the necessary security experience spreads through the team.
In the age of multi-cloud and cloud-native development, organizations need to thoroughly understand the security (and other) responsibilities and the lines of accountability between themselves and the cloud provider. These divisions of responsibility are not only between the cloud provider and the customer: often, different business units end up owning different cloud environments, data streams, and more. Everyone must be clear about who “owns” what from a security perspective. Wherever there is doubt, that is where you will be most exposed. In Apexon’s joint white paper with our cloud consulting partner, AWS, we’ve outlined exactly the sort of support and services you can expect if you develop and deploy initiatives in the AWS cloud, from how it can be used as a development platform, through how to create a pipeline and how to test in the cloud, to disaster recovery options.
Organizations quickly come to realize that managing a cloud environment – and by extension, cloud security – can become highly complex. This stems from multiple and often overlapping cloud environments ‘owned’ by different business units, shared responsibilities between the cloud provider and the customer, and the many new tools and processes with which organizations need to become thoroughly familiar. Different approaches currently exist for managing this complexity and providing end-to-end visibility. The approach your organization opts for will depend on several factors, including its size, skills, and resource availability. For example, cloud management platforms (CMPs) operate as a standard security layer across multi-cloud environments and can be very useful for improving security, providing visibility, and enabling admins to roll out security measures across different environments; they are, however, highly abstracted from the level of the code. By contrast, cloud-native management tools have grown in popularity recently because they offer much more granular control over the cloud environment while being faster and more efficient. There are other options in between, and each has its distinct pros and cons.
Alongside helping clients take advantage of the acceleration, scalability, reliability, agility, and efficiency of the cloud, Apexon leverages accelerators and deep cloud expertise to support all aspects of cloud engineering, from cloud strategy to cloud migration and cloud-native build and transformation. To find out how to get your DevSecOps up and running while improving your security coverage and without disrupting your delivery efforts, get in touch using the form below.