Security and DevOps – Why Do Anything.
There are two truths in infosec: (a) nobody wants the security folks in their office, and (b) the security team knows it.
For a long time, security software and the budget and staffing it commanded were seen as costs of doing business; nobody really wanted to pay, and it was frequently getting in the way.
Over the past couple of years, however, the thinking around infosec has begun to change direction.
Done well, security is a business enabler, driving down cost and making it possible to adopt and use technologies faster and more safely than would be possible if done on their own.
Tony Bradley published a great article on the cost of cybercrime last week that underscores why budgeting for security is a vital indicator of innovation, .
Especially for organizations that are embracing DevOps
Three specific points that he made stood out: The cost of cybercrime in 2014 is “nearly 10 percent higher than the average cost in 2013.” In fact.
According to the latest version of the Ponemon report
the cost of a breach for a US company is just over $12 million.
“The average time it takes to detect a malicious cyber crime attack is 170 days.” Regarding the latest statistics, “many organizations view a report like this as interesting data, but still don’t believe it can happen to them.” One of the conversations we often hear is that while development and operations tools and the infrastructure that they control may be evolving, but that their security approach is “good enough”.
If Tony’s article could be distilled to a single point
it would be that this claim is indefensible.
We are in the midst of a significant evolution in the tools, technologies, and threat surface.
It’s the responsibility of information security professionals to simultaneously adapt to those changes and to do so without getting in their way.
The move towards configuration management.
The near ubiquity of Agile development practices
and the growth in automation technologies means that mistakes are more costly than ever — a point strongly reinforced by the Ponemon study that Tony cites.
Security and DevOps: Data Worth Protecting As the article linked to points out
“It’s imperative for organizations to implement the tools, and take the steps necessary to provide better protection, earlier detection, and quicker recovery from cyber crime attacks.” The protection/detection/response model, which we looked at in detail in our three-part series on the evolving DevOps landscape, is very likely to be the foundation upon which any robust security program will be built moving forwards.
To not do so, especially as the development and operations teams are taking crown-jewel level information such as code, product, and customer data.
DevOps is too important to not protect
The relationship between the security and DevOps team should be healthy and close
and focused on how to make sure that the tools being used can be monitored and protected without impeding efforts towards improving the design, development, release, and management of product.