Information Security & The Age of DevOps

We hear a lot about the folks in charge of Information Security and Compliance in large organizations being anxious about DevOps, thinking it might be too risky, or that those fast feedback loops and fast delivery could jeopardize security controls.

Think DevOps is risky? Think again!

InfoSec has long been thought of as the wet towel on your DevOps efforts. Increasingly, we see InfoSec embracing DevOps as the “security blanket” that enables – and enforces – security, compliance and auditability requirements.

Rather than looking at DevOps as a threat to InfoSec, huge enterprises taking the DevOps plunge have shown – consistently – that automation, improved visibility, collaboration, consistent release practices, and other DevOps benefits actually mitigate potential security problems while maintaining high velocity and fast time-to-market for the business.

And the DevOps Enterprise Summit (DOES15), happening next month in San Francisco, has the proof.

Last year’s summit found Information Security and Compliance Practices to be among the top five DevOps challenges faced by large enterprises, and so Security is a key focus area for this year’s event. We’ve asked our speakers to share their experience and best practices for how large enterprises manage security in the age of DevOps, and how to get InfoSec on board – as an equal partner – on your DevOps journey.

At next month’s conference, both Ed Bellis, former CIO of Orbitz, and Bill Shinn, principal solutions architect at Amazon Web Services, will talk about how to overcome security and compliance objections and integrate those practices into publicly traded companies and some of the most regulated and security-stringent organizations around. (Also: see Ed’s interview for The Enterprisers Project on Security at the speed of DevOps.)

Other DOES15 speakers who know a thing or two about security and compliance include:

Kevina Finn-Braun, Director of Site Reliability Service Management at Salesforce and DOES15 speaker, sees the top challenge facing enterprises today as “balancing risk and velocity.” Kevina has spent her 18 years in the Internet industry focused on operational excellence and risk management. At Salesforce she leads the team focused on operational process improvements in the areas of incident, problem and change management. In her previous role as Director of Business Continuity at Yahoo! she led the team focused on risk management and service continuity best practices.

Kevina will be joined by J. Paul Reed, Director of Site Reliability Services/Principal Consultant at Salesforce. Reed, aka The Sober Build Engineer, has over a decade of experience in the trenches as a build/release and tools engineer, working with such organizations as VMware, Mozilla, Postbox, and Symantec. In 2012, he founded Release Engineering Approaches, a consultancy incorporating a host of tools and techniques to help organizations “Simply Ship. Every time.”

As Reed puts it, their DOES15 talk – titled “The Blameless Cloud: Bringing Actionable Retrospectives to Salesforce” – is “the story of my months-long journey with Kevina and her team to identify the specifics of what made reliability retrospectives difficult to have, why actionable takeaways were often lacking, and how the feedback loops within the company’s operations organization weren’t serving Salesforce’s needs.”

On one of our recent video chats, Reed offered this on “traditional” security concerns: “Security is an area most enterprises have tried to do risk analysis around, and the fact is, the complexity of their environment makes that analysis basically worthless. So there’s a much higher risk than most enterprises are aware of, and I suspect this is only going to get worse.”

Following the examples set by some of the DevOps unicorns, such as Netflix and Amazon, IT experts now seem to converge on the view that while DevOps does bring security dilemmas to the forefront, it can also represent the solution.

While you do need to plan your SDLC and business processes for security, some of the practices that come with DevOps are fertile ground for integrating security and auditability as a built-in component of your automated processes. This makes DevOps a resource for InfoSec rather than a threat. If you’re automating things, you have access to a ton of information, and that becomes your audit trail, your security log, and your opportunity to enforce security controls as part of your process – with no manual intervention required.

“Automation is the only way to document; everything else will rot,” said Manuel Edwards, systems engineering manager at E*TRADE, who is also speaking at DOES15 on How Wall Street Does Continuous Delivery. “But with great amounts of information comes great responsibility, and you have to make sure the right people have the right access – and no more than they need.”

No stranger to security, Manuel’s talk will describe how Finserv organizations use Configuration Management, change propagation, software engineering disciplines and Automation to enable DevOps and CD in highly regulated industries.

Another security veteran is Joshua Corman, CTO at Sonatype. Previously, Corman was a security researcher/strategist at Akamai, The 451 Group, and IBM Internet Security Systems. He co-founded Rugged DevOps and I_Am_the_Cavalry to encourage new DevOps/security approaches. His presentation with John Willis, VP of Customer Enablement at StatelessNetworks and outspoken DevOps enthusiast, is on “Continuous Acceleration: Why Continuous Everything Needs a Software Supply Chain Approach.”
If you would like to learn more from these fascinating DevOps practitioners – as well as other real-world stories of how large enterprises are transforming their business with DevOps – we invite you to join us at the 2015 DevOps Enterprise Summit.

Don’t miss THE DevOps event of the year:

Use code “DOES10” to save 10% off ticket price – Get your ticket now!

Electric Cloud

Electric Cloud is the leader in DevOps Release Automation and Continuous Delivery. We help organizations like E*TRADE, Gap, HPE, Intel and Lockheed Martin deliver better software faster by orchestrating, automating, and accelerating application releases.