This is the fourth segment of the DevOps State of the Union event in Boston Recap.
Perhaps the liveliest discussion of the night at our DevOps State of the Union event involved security. This really wasn’t a surprise given the fact that safety is an ongoing battle for most companies, so everyone we talk to seems to have an opinion on the topic.
Many of us at JumpCloud® have a long history within the security industry. Our Directory-as-a-Service® platform is heavy into it as well, so it is always interesting to see how quickly a discussion on the topic can become animated. Our friends at Firemon led the discussion and kicked it off by making an assertion that security should fit right into the mix with development and operations within the DevOps methodology. It was a bold assertion that the collective group would put to the test and dissect throughout the night.
For example, I asked all of the practitioners in the room how they embedded safety features into their solutions. The respondents were very open. I’m not sure that would have been the case a year ago. Companies ranged from a very small startup recently acquired by a giant tech company to several larger technology companies that had helped to broaden adoption within their respective companies. Either way, each case was fascinating, and security was largely the responsibility of the developer group at each company. As the companies increased in size and had more resources, they were able to afford tools, technology, and time to build better processes around security before they released code into production; however, it was still largely the developer’s responsibility.
Also, the group in attendance definitely had the view that tools and technology today just couldn’t catch enough security issues, so it needed to start at the beginning with better, more security-savvy developers. It was interesting that in virtually all of the companies, while security was important, it didn’t seem as though it would trump getting functionality out the door.
One larger organization talked about how their lead security guru was actually viewed as the “head coach” in their organization: directing, educating and enabling the entire organization to bake security “in” right from the beginning.
Leading Security & Risk industry analyst Andras Cser from Forrester asked a number of great questions about how the DevOps practitioners were handling different issues, including if they cared about separation of duties and where they were looking at reviewing code for flaws. The separation of duties question sparked some chuckles from various technical folks in the audience. They pointed out that a developer could easily give an operations person a piece of code to push to production that would effectively be the same as giving the developer root access! What was the difference in their mind?
Alan Shimel, Managing Editor of DevOps.com and longtime security blogger, chimed in with some thoughts from his experience at RSA this year where the conference was abuzz about DevOps. His contention is that security as an industry has failed and that DevOps represents its last, great hope to have a seat at the IT table. There didn’t appear to be too much pushback to Alan’s viewpoint. It seems like there was a lot of agreement with his ideas.
Centralized User Management Increases Security
I pointed out our hypothesis at JumpCloud: by embedding high quality into core IT functions, the overall operations would become more secure. For example, we wrap our centralized user management functionality with logging all user access and access attempts. By making managing users more secure, you still are able to accomplish your goals quickly and easily (provision / deprovision users) while increasing your security (knowing that the people that should be logging in are really those people and knowing that what they are doing is proper). There was a lot of agreement to this viewpoint from the group.
Security and DevOps is going to be an ongoing conversation and one that should be very interesting to follow. The folks at Firemon made a strong pitch for giving security a seat at the table, but we will see whether organizations invest and execute in that viewpoint.