By Greg Keller Posted August 30, 2016
The IT world has been buzzing about DevOps for some time now. Not since the inception of the cloud has a methodology been so embraced so quickly. DevOps continued growth has also created a security specific version called SecOps, and now many security pros are asking whether this will be sustained or if it is just another temporary trend.
Read on to learn more about SecOps and how you can avoid getting completely swept up in the hype, but still implement it for better security practices.
A Quick Refresher on DevOps
At its core, DevOps’ mission is to produce a product that more closely connects with what customers desire. It is because of this that DevOps aligns itself closely with those who push an organization’s product or service into market.
Sales and marketing need to be tightly integrated with DevOps, so that they can provide input on designs and features to better the product. This allows the development team to move quickly on necessary changes.
With DevOps, the methodology stresses that you build process to move fast. By creating a wide array of small functions for customers to test, an organization receives the right feedback to perfect the overall product.
Meshing Security with DevOps
Within any product or service, there is one critical component: the security infrastructure from which it is conveyed. We are speaking specifically about those components that are customer oriented, not those situated internally.
Internal organization systems such as solution delivery, solution billing, or customer data management are critical to a product. These systems should be secured and integrated in conjunction with DevOps.
From the get-go, security can be meshed with DevOps directly through your CICD or config management solution. In doing so, operating systems can be updated, configs set correctly, and monitoring can be implemented.
Overall, meshing security with your product development is the right action to take, and ultimately this is where the term SecOps is derived.
Where Does SecOps Fit?
Product or service delivery and all the systems, apps, networks, and data that encompass this are now lumped into your DevOps/SecOps chain. This accounts for a hefty chunk of your overall infrastructure, but what about the rest?
Do your on-premises WiFi network, your desktops, laptops, phones, tablets, your SaaS apps, and the rest of your IT resources belong with SecOps?
This is where the whole idea of “avoiding the bandwagon” comes into play, as we disagree with many analysts and security pros when they say SecOps is the next-generation of security. SecOps is a part of the next generation of security, but it isn’t everything that security pros need to do.
Where Doesn’t SecOps Fit?
The DevOps paths for internal IT infrastructure and product delivery should remain separate in order to maintain overall efficiency. The path your product takes is already very involved and comes with a high level of stress.
Potential SecOps practices like patching your desktops into the product delivery solution just lead to unnecessary complications. An extra step like this one may be important, but it belongs in a separate conversation.
Internally, for IT security the mission is to control user access, lockdown endpoint machines, and control the organization’s network. If you used SecOps to try and integrate these practices with product dev tasks the situation would become far too convoluted.
In short, including normal IT security into the SecOps chain isn’t helpful, but IT security still needs to be done.
Conclusions Regarding SecOps
The DevOps movement is still wildly popular, and its success has given way to new paths such as SecOps. But instead of jumping into this new field, it is important to take a step back and analyze what aspects of SecOps will benefit IT security and your organization as a whole.
It is important to connect security with your DevOps chain only where it makes sense, otherwise you will burden your team with unnecessary practices.