CSO Online Feature: Managing DevOps with Dynamic Authorization
Security technologies, like Dynamic Authorization, are an integral part of the devops methodology and should be managed in the same manner as the application itself.
by Gerry Gebel
In today’s on-demand and fast-changing global economy, consumers expect companies to deliver and update products and services rapidly. Many organizations have turned to a devops methodology to meet these demands, which cannot be met with legacy development approaches. I remember from my days in financial services that changes to the system were frowned upon – the operations team was incentivized on uptime and availability. With devops, organizations strive to be more flexible and agile, with frequent changes to the environment so they can bring services to market faster, react more quickly to changes in consumer preferences, and stay ahead of the competition and market disrupters.
Devops is about merging development, testing, operations (and other) functions, so they are no longer disconnected, siloed processes and teams within an organization. The goal is to eliminate the friction inherent in traditional software development and deployment practices, thereby greatly shortening the time necessary to get software changes into production. How frequently this happens will differ across industry verticals as well as by the devops team’s tolerance for managing change. That said, we have all read articles about how many times per week or per day some companies implement software changes – your mileage will vary, but it is fair to say you are likely implementing software changes at a pace that would have been unheard of in the not too distant past.
Breaking down barriers and realizing the benefits of devops
A siloed approach does not encourage communication among teams and can bog down software development and delivery time. When teams are no longer “siloed” under the devops model, the barriers between the development, operations, security and quality assurance teams are broken down and they are all brought together in one cohesive unit. When barriers are broken down, team members must develop a broader skillset that enables them to optimize productivity of developers, the reliability of operations as well as the security and quality of applications.
Delivering applications at such rapid speeds sounds like a major security risk, but since security and quality assurance are integrated with development and operations, security controls can be embedded directly in a development cycle to proactively and consistently address security posture.
Integrating security into devops
As noted above, security controls are an integral part of the devops process, which is a very significant change from legacy approaches – further indication that devops is a game changer that hits so many parts of your organization. This has implications for both processes and technology. On the process side, security best practices must be optimized to work in the continuously changing world of a devops organization. Information Security has a seat at this table to ensure that security objectives are incorporated early in the development lifecycle and core tasks like code analysis and penetration testing are part of the automation process. No longer is Information Security a standalone and isolated function.
On the technology side, security systems themselves also need to conform to a devops approach. That is, they must fit into a model that is streamlined via automation to be deployed and managed in a manner that is like the new-age application (read: microservices architecture) that is so prevalent today. If the security or identity management technologies deployed are not in tune with a continuous deployment/integration flow, then the full promise of devops will be limited. The technologies we are thinking of here are authentication, access control, directory services, audit logging, etc.
A great example to consider is the implementation of next generation access control, like Dynamic Authorization. This type of security service authorizes users to access data and resources based on Attribute Based Access Control (ABAC). Authorization is determined dynamically at runtime by evaluating centrally managed rules and policies. Also, the authorization service itself can be considered a microservice, so the lifecycle of re-deploying the application and security components can follow the same automation steps. Similarly, changes to policies and rules can be part of the same automation process. Such an approach relieves developers of hard-coding these security rules into the APIs or microservices of the application.
Many benefits can be realized when applications and security services are managed/deployed in the same manner.
- Developers are freed from writing security rules in their code, something they are likely not best suited for anyway.
- Application development and maintenance cycles can be shortened, because security rules are handled in an external service.
- Access rules are enforced consistently across APIs and data resources, reducing the risk of overexposure or breaches.
- Data owners, auditors and Information Security gain more visibility of security controls because they can be easily audited and reported on from the centrally managed authorization service.
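A minimal sketch of the pattern described above, added here as an illustration and not taken from the article or from any vendor’s product: a small policy decision point that evaluates attribute-based rules at runtime, deny by default, plus a regression check that a pipeline could run whenever the policy set changes. The subjects, resources, rule names and business hours are constructed for the example.

```python
# Added example: a tiny ABAC policy decision point. Rules live outside the
# application code as data, are evaluated at request time from subject,
# action, resource and environment attributes, and can be regression-tested
# in CI like any other artifact. All policies and sample data are constructed.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    subject: dict
    action: str
    resource: dict
    environment: dict = field(default_factory=dict)


# Constructed policy set: each rule is a predicate over request attributes
# plus an effect. Deny-overrides applies, and nothing matching means deny.
POLICIES = [
    {"id": "deny-transfer-outside-business-hours", "effect": "deny",
     "when": lambda r: r.action == "transfer"
             and not 8 <= r.environment.get("hour", 0) < 18},
    {"id": "owner-can-read-own-account", "effect": "permit",
     "when": lambda r: r.action == "read"
             and r.subject["id"] == r.resource["owner"]},
    {"id": "manager-can-transfer-in-own-region", "effect": "permit",
     "when": lambda r: r.action == "transfer"
             and r.subject.get("role") == "manager"
             and r.subject.get("region") == r.resource.get("region")},
]


def decide(request: Request, policies=POLICIES) -> Tuple[str, Optional[str]]:
    """Return (decision, id of the rule that decided it). Deny by default."""
    permitted_by = None
    for rule in policies:
        if rule["when"](request):
            if rule["effect"] == "deny":      # deny-overrides: stop immediately
                return "deny", rule["id"]
            permitted_by = permitted_by or rule["id"]
    return ("permit", permitted_by) if permitted_by else ("deny", None)


def policy_regression() -> bool:
    """Checks a CI job can run on every policy change; all must hold."""
    alice = {"id": "alice", "role": "manager", "region": "emea"}
    bob = {"id": "bob", "role": "teller", "region": "emea"}
    acct = {"owner": "alice", "region": "emea"}
    checks = [
        (Request(alice, "read", acct), "permit"),
        (Request(bob, "read", acct), "deny"),
        (Request(alice, "transfer", acct, {"hour": 10}), "permit"),
        (Request(alice, "transfer", acct, {"hour": 22}), "deny"),
        (Request(bob, "transfer", acct, {"hour": 10}), "deny"),
    ]
    return all(decide(req)[0] == expected for req, expected in checks)
```

The point of `policy_regression` is that a rule edit becomes a tested change in the same pipeline as the application, rather than a hidden `if` buried in a microservice.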
Devops allows organizations to better serve their customers and compete more effectively in the market by enabling much faster application deployment, which is a must in today’s IT environment. Security technologies, like Dynamic Authorization, are an integral part of the devops methodology and should be managed in the same manner as the application itself. When the “siloed” approach is abandoned, and barriers are broken down, organizations can operate and evolve applications quickly, reliably, securely and more cost effectively.
(This article originally appeared in CSO Online.)