Winston Churchill, Security, and DevOps
July 2, 2015 | DevOps | Josh Bregman
At Conjur, we love Winston Churchill — not just for his seemingly inexhaustible supply of relevant quotations, but also because he was such a fan of afternoon naps. Mr. Churchill, of course, led Britain through World War II – holding the nation together with limited resources, amidst a very threatening landscape.
Many security leaders can relate to this, with their organizations facing tangible external threats, ever-stricter compliance requirements, and incessant demand from the line-of-business for faster delivery of applications. It’s this last requirement that has driven many organizations to adopt DevOps – also known as continuous deployment – to accelerate application delivery and business value through collaboration, communication and automation between development, the business, and IT.
From a security perspective, DevOps is often perceived as, to misquote our friend Mr. Churchill – “a riddle, wrapped in a mystery, inside an enigma.” Why is this the case? Don’t security teams generally have a good grasp of their organization’s production environment? Aren’t security architects typically involved in application design and development processes?
Not having good visibility into the security of the DevOps tool chain and infrastructure is unacceptable to the security team, as it introduces tremendous compliance and security risk. At the same time, for most organizations that adopt it, DevOps brings tremendous business and technology benefits. The right answer, of course, is for Security to embrace DevOps, and help the organization safely and securely execute it.
DevOps, at its heart, requires intense collaboration and communication between development, IT, and the business. InfoSec needs to be part of this collaboration, to influence and define the tools, processes, and policies that are expressed by a DevOps initiative. This is a worthwhile and interesting initiative – but it’s not always an easy one. In support of this, we’ve created a simple blueprint here, “Security At Scale.”
Organized into 6 actionable steps, this guide provides concrete recommendations for how your security team can properly engage with and support your organization’s DevOps initiative.
Winston Churchill did not work in technology, but he clearly understood the need for security, and knew how to lead. Your team can lead the way toward a more secure and robust DevOps initiative – and the six steps in this blueprint are a great way to begin.