Adding Security To Your DevOps Process

By Rajat Bhargava Posted August 23, 2016

Product development and delivery processes have been greatly influenced by the DevOps movement. Solutions are improved, customer involvement is greater, and products are created faster and more efficiently.

All of this makes the DevOps methodology the belle of the ball in the world of IT. Dramatic results have been seen where DevOps is implemented, both inside and outside of the tech world. From Amazon to Nationwide, the impact is evident: organizations are moving faster than ever.

Benefits of DevOps

Customers receiving smaller versions of code at faster intervals is a direct result of the DevOps process. Through something like CI/CD (Continuous Integration and Continuous Development), organizations both large and small can ultimately push new product features to customers at a heightened pace.

With these faster processes there is always room for further opportunity. One area that organizations have swept under the rug is joining security with the DevOps pipeline. This process can be rather tricky, but it is extremely important in the long run.

We do understand that not all aspects of security will perfectly mesh with the DevOps pipeline. However, many components can and do fit perfectly.

Ways You Can Join Security with Your DevOps Pipeline:

Using Automation Tools to Join Security with the DevOps Process

Most DevOps programs have this in common: they can leverage automated code deployment processes from testing through to production.

The process usually includes ensuring that the most up-to-date security patches are applied to every product OS. Furthermore, the process checks that ports are closed, that certificates and keys are being used properly for access, and finally that tests are in place for these situations.

When you code these standards, you are integrating security into the DevOps process. With a new push of the application, IT will know that the central stack has already been updated with fresh code.

Security code analysis tools can become an integral part of your Continuous Integration protocol and alert you on builds that do not meet security standards. Confidence will also be cemented with IT, because they will know the systems are properly incorporated in the infrastructure and all weak surface areas have been wiped.
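As an added illustration (not code from the original post), here is one way to code two of the standards above, closed ports and key-based access, as a check a pipeline can run before promoting a build. The policy values, function names and sample inputs are assumptions constructed for this example.

```python
# Assumed policy: only these TCP ports may listen off-loopback; SSH is key-only.
ALLOWED_PORTS = {22, 443}
REQUIRED_SSHD = {"passwordauthentication": "no", "permitrootlogin": "no"}
# Constructed sample inputs shaped like `ss -tln` output and an sshd_config.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*
"""
SAMPLE_SSHD = """\
PermitRootLogin no
PasswordAuthentication yes
"""

def listening_ports(ss_output):
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            found.add((addr, int(port)))
    return found

def sshd_settings(config_text):
    """Parse 'Keyword value' lines; the first occurrence wins, as in sshd."""
    settings = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def violations(ss_output, config_text):
    """List every deviation from the coded standard; empty means pass."""
    problems = []
    for addr, port in sorted(listening_ports(ss_output)):
        if port not in ALLOWED_PORTS and addr not in ("127.0.0.1", "[::1]"):
            problems.append(f"port {port} listening on {addr}")
    settings = sshd_settings(config_text)
    for key, want in REQUIRED_SSHD.items():
        got = settings.get(key, "unset")
        if got != want:
            problems.append(f"sshd {key} is {got}, expected {want}")
    return problems

if __name__ == "__main__":  # a non-zero exit fails the pipeline stage
    raise SystemExit("\n".join(violations(SAMPLE_SS, SAMPLE_SSHD)) or 0)
```

The check treats an unset SSH keyword as a violation, so the standard has to be stated explicitly in the managed configuration rather than left to defaults.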

Security Monitoring Integrated with Operational Monitoring

The day-to-day operations of DevOps often include the extensive use of monitoring solutions. This monitoring has been historically focused on the performance of systems, applications, and/or databases.

This raises the question of why security issues can’t be monitored in this same exact manner.

Alerts should always be present regarding changes to the firewall or security groups. Moreover, the inclusion of new routes and machines should be flagged as important. Alterations to the configurations on machines that stray from the norm should also be monitored, and – hopefully – these deviations have already been scripted within the config automation solution and will be righted quickly.

More alerts should be created surrounding changes to system files, configuration files, library files, and product files.

Where it is possible, the monitoring of outbound connections on machines that shouldn’t be completing too many outbound connections is also well worth your time.

Considering you are already monitoring performance, why can’t you reach for the next level and integrate security into those monitoring functions?
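The following added example (not from the original post) shows two of the checks described in this section, changes to watched files and hosts making more outbound connections than expected, producing alerts in the same tuple shape an operational monitor could forward. The baseline, file contents, host names and flow records are constructed, and a real deployment would read files and flow logs instead of in-memory samples.

```python
import hashlib
from collections import defaultdict

def digest(data):
    return hashlib.sha256(data).hexdigest()

# Constructed baseline recorded at deploy time: hashes of watched files and
# how many distinct outbound destinations each host is expected to reach.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin no\n"),
    "/usr/lib/app/libpay.so": digest(b"\x7fELF-build-41"),
}
OUTBOUND_BUDGET = {"db-1": 1, "web-1": 3}

# Constructed observations: current file contents and flow records
# ("source-host destination:port"), such as an export from flow logs.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/usr/lib/app/libpay.so": b"\x7fELF-build-41",
    "/etc/cron.d/sync": b"0 3 * * * root /usr/local/bin/sync\n",
}
FLOWS = """\
web-1 10.0.2.5:5432
web-1 10.0.2.5:5432
db-1 10.0.3.9:443
db-1 198.51.100.7:443
db-1 203.0.113.20:8443
"""

def file_alerts(baseline, current):
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            alerts.append(("file_removed", path))
        elif path not in baseline:
            alerts.append(("file_added", path))
        elif digest(current[path]) != baseline[path]:
            alerts.append(("file_modified", path))
    return alerts

def outbound_alerts(flows, budget):
    seen = defaultdict(set)
    for line in flows.splitlines():
        host, dest = line.split()
        seen[host].add(dest)
    # A host with no budget entry is treated as budget 0 (assumption).
    return [("outbound_over_budget", h, len(d))
            for h, d in sorted(seen.items()) if len(d) > budget.get(h, 0)]
```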

Centralize Control Access

Credentials are the prized possession for a hacker. With a set of credentials someone can easily access even the most sturdy infrastructures.

This is why it is important to centrally manage and control all credentials. That way you can know exactly who has access to your machines and why.

The end goal is to give a user minimal programmatic access (just enough for them to complete their responsibilities) so that you can maintain centralized control.

Does your Dev Team need access to production systems? If so, why?

Do all of your ops staff need control over every single device? Should they have the same access levels?

Overall, it is important that your DevOps chain is securely integrated with user management. This is true whether you control access through a dedicated Directory-as-a-Service® platform, your configuration automation solution, or scripts.

Even going as far as adding login event monitoring can be beneficial, because after all, security threats like the ones we have talked about are the number one enemy your organization faces.

DevOps Should Help Boost Your Security Presence

When you join security, DevOps, and your iterations cadence, you are covering all the bases. There is more to securing your organization, but the three steps above certainly will get the ball rolling in the right direction.

If you would like to learn more about how JumpCloud can help you develop a world-class security infrastructure, drop us a note.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
