If you are interested in understanding more about how DevOps evolves inside organizations and how security aligns with the evolution of DevOps maturity, Puppet’s 2018 State of DevOps Report offers some powerful insights. The report draws on survey results over multiple years from some 30,000 technical professionals across the globe, as well as insights from DevOps pioneers, including Gene Kim.
One key finding, for example, notes that automating security policy configurations is mission-critical to reaching the highest levels of DevOps evolution. This means as organizations evolve, security policy becomes part of operations, not just an afterthought when an audit looms. Organizations must break down the boundaries between ops and security teams.
The report extends beyond technology – it also probes culture, process and other factors driving IT performance. While DevOps adoption is increasing at a rapid pace, there are many paths for organizations to take for a successful DevOps journey. Unfortunately, there are even more that can lead to failure.
Some of the most successful DevOps projects come from the ground up vs. top down from a corporate directive. This potentially presents challenges for security teams with a top-down approach. If DevOps originates broadly across the organization from multiple sources, the security team may only gain visibility after the DevOps initiatives have already become established within the business. While it’s obviously much better for security to be involved early in the process to guide and establish security policies for the DevOps team to execute on, when DevOps initiatives come from the ground up it becomes significantly more difficult.
The State of DevOps report views the three pillars of DevOps as culture, automation and measurement. It also identifies and examines the characteristics of DevOps teams and approaches across five distinct stages of evolution, from Stage 0, “Build the Foundation” to Stage 5, “Provide Self-Service Capabilities.” These phases highlight the increasing role and awareness of security, and how security is becoming more widely considered and incorporated at earlier stages of the DevOps evolution.
As noted earlier, a key highlight of the report is how “Automating security policy configurations is mission-critical to reaching the highest levels of DevOps evolution.” To quote from the report summary:
“Highly evolved organizations are 24 times more likely to always automate security policy configurations compared to the least evolved organizations. As organizations evolve, security policy becomes part of operations, not just an afterthought when an audit looms. This requires first breaking down boundaries between ops and security teams (which are further from production). As we see with all the fundamental practices of DevOps, this practice evolves from resolving immediate pain to a more strategic focus — in this case, from “keep the auditors off my back” to “keep the business and our customers’ data secure.” In other words, teams automate security policy configurations initially for their own benefit, and as their understanding evolves, the automation evolves to benefit the entire organization.”
Security is also increasingly recognized at the earlier stages of DevOps evolution. For example at Stage 2, which focuses on achieving standardization and reducing variability, one of the benefits is to reduce the attack surface and security vulnerabilities. This recognition is positive news. As a result, DevOps teams should become increasingly receptive to the security team getting involved and asking how they can help.
Along with AWS, Cognizant and others, CyberArk is a co-sponsor of the 7th annual State of DevOps Report, presented by Puppet and Splunk.
Interested in learning more?
- Read the CyberArk eBook 6 Core Principles for Establishing DevOps Security at Scale.