8 ways DevOps facilitates security and compliance

By Anders Wallgren

Information security and compliance are critical to businesses across the globe, especially given past examples of data breaches and looming cybersecurity threats. Yet information security has long been thought of as the group that slows things down, the wet blanket on your DevOps efforts, often requiring a more conservative approach as a means of mitigating risk. Traditionally, DevOps has been viewed as a risk by information security teams, with its increased velocity of software releases seen as a threat to governance, security, and regulatory controls (which, by the way, often require the separation of duties rather than the breaking down of silos).

Despite some initial pushback, enterprises that have taken the DevOps plunge have shown consistently that secure DevOps practices actually mitigate potential security problems, discover issues faster, and address threats more quickly. Here are eight reasons why.

DevOps is secure from the start

Security can be integrated from the early stages of your DevOps processes, and not as an afterthought at the very end of the software delivery pipeline. It becomes a quality requirement, similar to other tests run as part of your software delivery process. Just as CI enables “shifting left” by accelerating testing and feedback loops to discover bugs earlier in the process and improve software quality, DevOps processes can incorporate automated security testing and compliance.

It’s secure automatically

As more and more of your tests and processes are automated, you run a lower risk of introducing security flaws through human error, your tests become more efficient so that you can cover more ground, and your process becomes more consistent and predictable. So if something does break, it is easier to pinpoint and fix.

It’s secure throughout

By using tools shared across the different functions (especially with an end-to-end DevOps automation platform that spans development, testing, IT operations, and security), organizations gain visibility and control over the entire systems development lifecycle, making the automated pipeline a closed-loop process for testing, reporting, and resolving security concerns.

It gets everyone on the same page and pipeline

By integrating security tools and tests as part of the pipeline used by Dev and Ops to deploy their updates, information security becomes a key component of the delivery pipeline and an enabler of the entire process (rather than a pointer of fingers at the very end).

It fixes things quickly

Unfortunately, the occasional security breach or vulnerability might come up, requiring you to act quickly to resolve the issue (think Heartbleed, for example). DevOps accelerates your lead time so that you can develop, test, and deploy your patch/update more quickly.

In addition, the meticulous tracking that some DevOps platforms provide into the state of all your applications, environments, and pipeline stages greatly simplifies and accelerates your response when you need to release your update. When you know exactly which version of the application is deployed on which environment, as well as every component in the application's stack, you can pinpoint the component that requires the update, identify the instances that need attention, and roll out your update through a faster, more consistent, and repeatable deployment process by triggering the appropriate workflow.

It enables developers while ensuring governance

DevOps emphasizes the streamlining of processes across the pipeline to have consistent development, testing, and release practices. Your DevOps tools and automation can be configured to enable developers to be self-sufficient and get things done, while automatically ensuring access controls and compliance.

For example, as a resolution to the growing shadow IT phenomenon, I see many organizations establishing an internal DevOps service for a dev/test cloud, with shared repositories, workflows, deployment processes, and so on. This gives engineers on-demand access to infrastructure (including production), while automatically enforcing access control, security measures, approval gates, and configuration parameters, all to avoid configuration drift or inconsistent processes.

In addition, it ensures that all instances across all environments, whether in development, QA, or production, are identified and tracked, operate within preset guidelines, and can be monitored and managed by IT.

It secures both the code and the environments

By creating manageable systems that are consistent, traceable, and repeatable, you ensure that your environments can be reproduced on demand and that you know who accessed each of them and when.

It enables one-click compliance reporting

Automated processes come with the extra benefits of being consistent and repeatable, with predictable outcomes for similar actions and tests. They also can be automatically logged and documented. Since DevOps spans your entire pipeline, it can provide traceability from code change to release.

If you have a DevOps system you can rely on, auditing becomes much easier. As you automate things, from your build, test cycles, integration cycles, deployment, and release processes, your DevOps automation platform has access to a ton of information that is automatically logged in great detail. That, in effect, becomes your audit trail, your security log, and your compliance report, all produced automatically, with no manual intervention and no need to spend hours backtracking through your processes and actions to produce the report.
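As an added illustration of the code-change-to-release traceability described above (example code, not from the article or any particular DevOps platform), the script below reconstructs an audit trail from pipeline events and checks that every production deployment was preceded by the required gates. The event format, stage names, actors and commit ids are all constructed for the example.

```python
"""Added example: build a code-to-release audit trail from automated
pipeline events and flag deployments that skipped a required gate.
The event schema, stage names and sample records are constructed."""
from collections import defaultdict

# Constructed sample of what an automation platform might log, one record per stage run.
EVENTS = [
    {"commit": "a1b2c3", "stage": "build",     "actor": "ci-bot", "result": "pass", "ts": "2024-01-10T09:00Z"},
    {"commit": "a1b2c3", "stage": "unit-test", "actor": "ci-bot", "result": "pass", "ts": "2024-01-10T09:05Z"},
    {"commit": "a1b2c3", "stage": "sast",      "actor": "ci-bot", "result": "pass", "ts": "2024-01-10T09:07Z"},
    {"commit": "a1b2c3", "stage": "approve",   "actor": "alice",  "result": "pass", "ts": "2024-01-10T10:00Z"},
    {"commit": "a1b2c3", "stage": "deploy",    "actor": "cd-bot", "result": "pass", "ts": "2024-01-10T10:05Z", "env": "prod"},
    {"commit": "d4e5f6", "stage": "build",     "actor": "ci-bot", "result": "pass", "ts": "2024-01-11T11:00Z"},
    {"commit": "d4e5f6", "stage": "unit-test", "actor": "ci-bot", "result": "pass", "ts": "2024-01-11T11:04Z"},
    # A manual deploy that bypassed the security scan and the approval gate.
    {"commit": "d4e5f6", "stage": "deploy",    "actor": "bob",    "result": "pass", "ts": "2024-01-11T11:10Z", "env": "prod"},
]

# Gates that must have passed for the same commit before any deploy (assumed policy).
REQUIRED_BEFORE_DEPLOY = ("build", "unit-test", "sast", "approve")


def trail_by_commit(events):
    """Group stage runs per commit, preserving the order they were logged."""
    trail = defaultdict(list)
    for e in events:
        trail[e["commit"]].append(e)
    return trail


def audit_deployments(events, required=REQUIRED_BEFORE_DEPLOY):
    """For each deployment, return the evidence chain and any missing gates.
    A deployment is compliant only if every required stage passed earlier
    for that same commit, which is the traceability an auditor asks for."""
    findings = []
    for commit, runs in trail_by_commit(events).items():
        for i, run in enumerate(runs):
            if run["stage"] != "deploy":
                continue
            passed = {r["stage"] for r in runs[:i] if r["result"] == "pass"}
            missing = [s for s in required if s not in passed]
            findings.append({
                "commit": commit, "env": run.get("env"), "deployed_by": run["actor"],
                "at": run["ts"], "evidence": sorted(passed), "missing_gates": missing,
                "compliant": not missing,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_deployments(EVENTS):
        print(finding)
```

Running it reports the first deployment as compliant with its full evidence chain, and the second as missing the `sast` and `approve` gates, which is exactly the kind of finding an automatically generated compliance report should surface.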

Speed without risking stability and governance

Security and compliance controls should be baked in as an integral part of DevOps processes that manage the code being developed all the way through to production. By implementing DevOps processes that incorporate security practices from the start, you create an effective and viable security layer for your applications and environments that will serve as a solid foundation to ensure security and compliance in the long run, in a more streamlined, efficient, and proactive way.

Additional resources

Want to learn more on how to get security and DevOps right? In one of my recent Continuous Discussions (#c9d9) podcasts, I spoke with two industry veterans, including James DeLuccia, author of IT Compliance and Controls: Best Practices for Implementation, which explains how to bake security into your DevOps processes, and how DevOps and automation can help you pass your next audit.