We hear a lot about the people in charge of Information Security and Compliance in large organizations being anxious about DevOps. They worry it might be too risky, or that fast feedback loops and fast delivery could undermine their security controls.
Think DevOps is risky? Think again!
InfoSec has long been thought of as the wet towel on your DevOps efforts. Increasingly, we see InfoSec embracing DevOps as the “security blanket” that enables, and enforces, security, compliance and auditability requirements.
Rather than seeing DevOps as a threat to InfoSec, large enterprises that have taken the DevOps plunge have shown consistently that automation, improved visibility, collaboration, consistent release practices and other DevOps benefits actually mitigate potential security problems, while the business keeps its high velocity and fast time-to-market.
And DevOps Enterprise Summit (DOES15) happening next month in San Francisco has the proof.
Last year’s summit found Information Security and Compliance Practices to be among the top five DevOps challenges faced by large enterprises, so security is a key focus area for this year’s event. We’ve asked our speakers to share their experience and best practices on how large enterprises manage security in the age of DevOps, and on how to get InfoSec on board, as an equal partner, on your DevOps journey.
At next month’s conference, both Ed Bellis, former CIO of Orbitz, and Bill Shinn, principal solutions architect at Amazon Web Services, will talk about how to overcome security and compliance objections, and integrate those practices into publicly traded companies, and some of the most regulated and security-stringent organizations around. (Also: see Ed’s interview for The Enterprisers Project on Security at the speed of DevOps).
Other DOES15 speakers who know a thing or two about security and compliance include:
Kevina Finn-Braun, Director of Site Reliability Service Management at Salesforce and DOES15 speaker, sees the top challenge facing enterprises today as “balancing risk and velocity.” Kevina has spent her 18 years in the Internet industry focused on operational excellence and risk management. At Salesforce she leads the team focused on operational process improvements in the areas of incident, problem and change management. In her previous role as Director of Business Continuity at Yahoo!, she led the team focused on risk management and service continuity best practices.
Kevina will be joined by J. Paul Reed, Director of Site Reliability Services/Principal Consultant at Salesforce. Reed, aka The Sober Build Engineer, has over a decade of experience in the trenches as a build/release and tools engineer, working with organizations such as VMware, Mozilla, Postbox, and Symantec. In 2012, he founded Release Engineering Approaches, a consultancy that draws on a host of tools and techniques to help organizations “Simply Ship. Every time.”
As Reed puts it, their DOES15 talk – titled “The Blameless Cloud: Bringing Actionable Retrospectives to Salesforce” – is “the story of my months-long journey with Kevina and her team to identify the specifics of what made reliability retrospectives difficult to have, why actionable takeaways were often lacking, and how the feedback loops within the company’s operations organization weren’t serving Salesforce’s needs.”
On one of our recent video chats, Reed offered this on “traditional” security concerns: “Security is an area most enterprises have tried to do risk analysis around, and the fact is, the complexity of their environment makes that analysis basically worthless. So there’s a much higher risk than most enterprises are aware of, and I suspect this is only going to get worse.”
Following the examples set by DevOps unicorns such as Netflix and Amazon, IT experts now seem to agree that while DevOps does bring security dilemmas to the forefront, it can also be the solution.
You still need to plan your SDLC and business processes for security, but some of the practices that come with DevOps are fertile ground for building security and auditability into your automated processes. This makes DevOps a resource for InfoSec rather than a threat. If you are automating things, you have access to a great deal of information, and that becomes your audit trail, your security log, and your opportunity to enforce security controls as part of the process, with no manual intervention required.
“Automation is the only way to document, everything else will rot,” said Manuel Edwards, systems engineering manager at E*TRADE, who is also speaking at DOES15 on How Wall Street Does Continuous Delivery. “But with great amounts of information, comes great responsibility and you have to make sure the right people have the right access – and no more than they need.”
Manuel is no stranger to security, and his talk will describe how Finserv organizations use configuration management, change propagation, software engineering disciplines and automation to enable DevOps and continuous delivery in highly regulated industries.
Another security veteran is Joshua Corman, CTO at Sonatype. Previously, Corman was a security researcher/strategist at Akamai, The 451 Group, and IBM Internet Security Systems. He co-founded Rugged DevOps and I_Am_the_Cavalry to encourage new DevOps/security approaches. His presentation with John Willis, VP of Customer Enablement at StatelessNetworks and outspoken DevOps enthusiast, is on “Continuous Acceleration: Why Continuous Everything Needs a Software Supply Chain Approach.”
If you would like to learn more from these DevOps practitioners, as well as hear other real-world stories of how large enterprises are transforming their business with DevOps, we invite you to join us at the 2015 DevOps Enterprise Summit.