Not too long ago, workers were tied to specific locations and cumbersome technologies, but the rise of cloud and trends like BYOD, freelancing and remote work have helped create a new, boundaryless business. As cloud adoption is at the core of most digital transformation journeys, organizations have moved workloads, apps and data outside of the centralized control of IT, creating a growing number of identity islands.
This evolution has accelerated the challenge of managing identities and revealed the increasing importance of secure authentication and access assurance. Maya Todd, Cybersecurity Engineering and Operations, Dell Technologies, likened it to being “at the bottom of the mountain and trying to get to the summit.” She goes on to explain that the reason for this steep challenge (pun intended) is that “there’s a proliferation of access across more domains, particularly at the cloud level.”
Governing this constant flux of identities is a daunting but necessary task. Modern applications manifest in short development cycles, requiring IAM systems that adjust at the same pace. Herein lies the difficulty. DevOps teams “push their code without any controls to restrict access,” Todd notes. The new frontier for IAM is a question: how do you securely provide and manage access in cloud environments if you don’t know what’s in your ecosystem?
A secure and successful IAM strategy in a DevOps setting, in terms of automation, repeatability, and continuous improvement, is possible through close collaboration between IAM, application, and infrastructure experts. The “biggest risk” for IAM is that DevOps “doesn’t think about security” as they develop and push their code. The blind spot results from “siloed environments” in which Dev and InfoSec do not interact.
For IAM, the challenge becomes developing frameworks for access after the code has been created and teams are already using the application. The risk is not knowing who has access, which applications use or host sensitive data, and which applications need more layers of security.
DevSecOps is about introducing security earlier in the application development life cycle, thus minimizing vulnerabilities and bringing security closer to IT and business objectives. While it seems obvious, many security and compliance monitoring tools have not kept the pace of innovation required for testing DevOps code. This has resulted in the view that security is the biggest roadblock to rapid application development.
So, what advice does Maya Todd have for her peers – besides exercising patience?
- Develop your process, but also develop your policies and standards. Policies and standards are the legal binding that give you the “teeth” to get security done. If your organization has not articulated the rules then you cannot combat the “no, I don’t have to…” responses to your requests. You cannot move to secure DevOps.
- Communicate. Start with getting buy-in from leadership and then evangelize that buy-in all the way down the organization. The cultural shift will not happen overnight, but every shift of the needle in a forward direction is a win. Let each win help to build your foundation.
- What you do traditionally doesn’t always fit a cloud model, but if you can get ahead of your development and IT teams with even just a few strawman use cases, it is better than nothing. Have a preliminary structure of what roles will look like in their cloud world.
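The advice above to give policies “teeth” and to prepare a role structure before developers reach the cloud can be turned into an automated gate in the pipeline: candidate role policies are checked for the over-broad grants that “push without any controls” tends to produce, and the build fails on findings. The script below is an added example for this post and is not code from Dell Technologies or RSA; it assumes AWS-style JSON policy documents (Version/Statement/Effect/Action/Resource), and the policy names, ARNs, account ID and the list of privilege-granting actions are constructed for illustration.

```python
"""
Policy-as-code gate for cloud role definitions (added example, not Dell's or
RSA's code). Assumes AWS-style JSON policy documents; all sample data below is
constructed for illustration.
"""
import json

# Constructed sample policies: a draft a team might push, and a scoped version
# that fits a predefined "app-deployer" role.
CONSTRUCTED_POLICIES = {
    "app-deployer-draft": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}
        ]
    }),
    "app-deployer-scoped": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": "arn:aws:s3:::example-app-artifacts/*"},
            {"Effect": "Allow",
             "Action": ["iam:PassRole"],
             "Resource": "arn:aws:iam::123456789012:role/example-app-task",
             "Condition": {"StringEquals": {
                 "iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
        ]
    }),
}

# Actions that change who has access (assumed list); the standard here is
# that they are only allowed when a Condition narrows them.
PRIVILEGE_GRANTING_ACTIONS = {
    "iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "sts:AssumeRole",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list[str]:
    """Return human-readable findings for one policy; empty means it passed."""
    findings = []
    policy = json.loads(document)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        for action in actions:
            if action.endswith(":*"):
                findings.append(
                    f"statement {i}: service-wide wildcard action {action}")
        if "*" in resources:
            findings.append(
                f"statement {i}: Resource '*' applies to every resource")
        if set(actions) & PRIVILEGE_GRANTING_ACTIONS and "Condition" not in stmt:
            findings.append(
                f"statement {i}: privilege-granting action without a Condition")
    return findings


def gate(policies: dict[str, str]) -> dict[str, list[str]]:
    """Lint every policy; the pipeline fails if any entry has findings."""
    return {name: lint_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    results = gate(CONSTRUCTED_POLICIES)
    for name, findings in results.items():
        print(("FAIL " if findings else "PASS ") + name)
        for finding in findings:
            print("   -", finding)
    # Non-zero exit code is what makes the written standard enforceable in CI.
    raise SystemExit(1 if any(results.values()) else 0)
```

Run it as a pipeline step: the draft policy fails on both the wildcard action and the wildcard resource, while the scoped policy passes because its PassRole grant is limited to one role and one service. The value of the check is that the standard lives in code the IAM team owns, so the conversation with developers starts from a concrete finding rather than a request.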
Read another perspective on how to integrate security into the DevOps process.
Category: Blog Post, RSA Fundamentals
Keywords: DevOps, Identity Assurance, BYOD, Cloud, DevSecOps, IAM