Story image

How cybersecurity will evolve to become part of DevOps

14 Feb 18

DevOps has been breaking down business siloes and improving efficiency, but it’s time those principles were brought to cybersecurity initiatives, according to Palo Alto Networks.

DevOps relies on the idea that teams should automate the tasks involved in deploying, securing, maintaining, and phasing out the processes that IT and security teams have done manually in the past. This lets DevOps teams to deliver applications and support services faster. 

DevSecOps is about making security principles integral to the DevOps process. According to Sean Duca, Palo Alto Networks VP and regional chief security officer for Asia Pacific, DevSecOps provides opportunity for organisations that are migrating to the cloud.

“Developers are writing new code anyway; they should completely rethink and modernise their approach. Developers should no longer be deploying code and installing fixes the way they did when the internet was young,” Duca says.

“They need a new approach that seamlessly integrates developers, the operational team, and the security team. It’s not just about building an app in the cloud, it’s about building security in from the very beginning.”

Organistions that include information security as part of their existing DevOps ideology may be able to build more sustainable and effective security teams – all team members could even be viewed as site reliability engineers (SREs).

“To maximise the efficiency, effectiveness, and security of the organisation’s overall operations, businesses need to eliminate separate teams for development, operations, and information security. Instead, they need tighter integration among all these teams, often held together by the SRE,” Duca explains.

“The SRE combines the skills of developers responsible for writing applications with the skills operations engineers use to deploy those applications. SREs help scale operations through automation. Organisations that embrace this role and the DevSecOps model will outperform their competitors that don’t.”

Palo Alto believes this approach is important while businesses transfer workloads to the cloud. Organisations that understand they are responsible for their own data in the cloud will be more likely to drive adoption of the DevSecOps model.

This is because they will move through three stages of cloud security: click (adding security when servers are added); command (scripting); and committing to changes as part of codes. 

“Security should natively work within the code. Businesses should understand the risks they face and the ways their network could be brought down, then integrate security into every single application,” Duca says.

“DevSecOps is the best approach to give organisations the five key requirements for success: visibility and control; segmented applications; threat prevention; process automation; and central management.”

JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
WatchGuard appoints new channel distributors in A/NZ
The appointments will enable WatchGuard to expand its regional channel reseller footprint.