Cybersecurity professionals are learning—sometimes the hard way—that Development-Security-Operations (DevSecOps) collaboration is vital to their efforts. Having personnel from each department fully involved in all aspects of a project enhances security-controls integration, reduces scheduling delays, and prevents issues from an after-the-fact implementation of security processes.
There is, however, some concern when automating the configuration and security of assets in the cloud. In his research paper The DevSecOps Approach to Securing Your Code and Your Cloud, Dave Shackleford, owner and principal consultant of Voodoo Security, as well as an analyst, senior instructor, and course author for SANS, writes, “Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning… whether the model is Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS).”
Shackleford's reference to considerable planning points to two activities that should precede a DevSecOps rollout:
- Threat modeling: A threat-modeling exercise can help security teams better understand the type and nature of the assets they are protecting, how those assets will be managed/monitored in the cloud, and likely threat vectors.
- Risk assessment: Analyzing risk affords security teams more insight as to what controls are currently in place and which controls need modifying to successfully operate in the cloud.
As to why threat modeling and risk assessment of cloud-based assets are important, Shackleford writes: “It is almost a guarantee that some security controls won’t operate the way they did in-house or won’t be available in a cloud-service provider’s environment.”
Collaboration is key
Shackleford believes those managing newly-created DevSecOps teams need to emphasize collaboration among team members. Put simply, individuals responsible for a project’s security, development, and quality assurance must coalesce into a unified group.
Specific to security, Shackleford states, “Within their arena, security teams have to determine which of their existing tools can integrate into a DevSecOps environment and identify procedures or controls that have to be updated or adapted before they will work well in a continuous integration and development environment.”
How to make it all work
Once DevSecOps teams are fully functioning, Shackleford suggests the teams implement the following (Figure A).
Inventory management: Develop a discovery process using network and system scanners to meld files and infrastructure assets into an inventory database. To keep the database current and ensure security, Shackleford also suggests having a process in place to locate new assets or changes in assets.
Compliance with company and industry standards: To comply with the myriad of applicable regulations and standards, Shackleford believes organizations can use agent-based and/or agentless technology to apply configuration standards to systems and then assess the resulting configuration for changes or deviations from policy.
Control of accounts and privileges: It is vital to control accounts and privileges assigned to resources. “All users, groups, roles, and privileges should be carefully discussed and designated to resources on a need-to-know basis,” explains Shackleford. “The practice of assigning the least-privilege model of access should also be applied whenever possible.”
Ensure processes have scheduled threat and vulnerability updates: Shackleford feels in-house vulnerability scanning is routine in most organizations, but less likely to occur with assets in the cloud, as cloud-service providers often do not provide tools or the access customers require. However, there are options. “Some traditional vulnerability scanning vendors have adapted their products to work within cloud-provider environments, often relying on APIs to avoid manual requests to perform more intrusive scans on a scheduled or ad hoc basis,” writes Shackleford. “Another option is to rely on host-based agents that can scan their respective virtual machines continuously or as needed.”
Automate logging and data collection: Data gleaned from monitoring systems, services, applications, and operating systems within cloud instances needs to be automatically collected and sent to a central collection platform. “The entire DevSecOps group should commit to a culture of continuous monitoring, both in development within the organization as well as in assets promoted to the cloud,” stresses Shackleford. “Once continuous monitoring of events is truly in place, events can initiate ‘triggered’ responses that can automatically roll controls back to a known good state.”
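The configuration-assessment step described under compliance and the triggered rollback to a known good state described under continuous monitoring can be tied together in a small drift check. The following is an added example written for this article, not code from Shackleford's paper or from any cloud provider; the baseline keys and the snapshot values are constructed and hypothetical.

```python
# Added example (not from Shackleford's paper): configuration-drift check
# of the kind the article describes: a known-good baseline is applied, a later
# snapshot is assessed for deviations, and each deviation yields a rollback
# action to the baseline value. Data and key names are constructed/hypothetical.
from dataclasses import dataclass

# Known-good baseline (constructed; key names are hypothetical)
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "storage.public_access": False,
    "logging.forward_to_central": True,
}
# Keys whose drift triggers immediate rollback rather than a ticket
CRITICAL = {"storage.public_access", "ssh.PermitRootLogin"}

@dataclass(frozen=True)
class Deviation:
    key: str
    expected: object
    observed: object
    critical: bool

def assess(snapshot: dict) -> list:
    """Compare a snapshot against BASELINE; a missing key counts as drift."""
    out = []
    for key, expected in BASELINE.items():
        observed = snapshot.get(key, "<missing>")
        if observed != expected:
            out.append(Deviation(key, expected, observed, key in CRITICAL))
    return out

def rollback_plan(deviations) -> list:
    """Triggered response: settings to re-apply, critical ones first."""
    ordered = sorted(deviations, key=lambda d: not d.critical)
    return [{"set": d.key, "to": d.expected} for d in ordered]

def apply_plan(snapshot: dict, plan) -> dict:
    """Apply the rollback to a copy of the snapshot and return the result."""
    fixed = dict(snapshot)
    for step in plan:
        fixed[step["set"]] = step["to"]
    return fixed

# Constructed snapshot taken after an unreviewed change in the cloud instance
DRIFTED = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "yes",
    "storage.public_access": True,  # logging.forward_to_central is missing
}
```

Running assess(DRIFTED) reports three deviations, with the public-storage change flagged as critical so that rollback_plan places it first; applying the plan returns the instance to a state with no deviations.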
Security is a cost center and a challenge for companies looking to keep investment and operational costs under control. SECurity-as-a-Service (SECaaS) may be a way for organizations to do just that. “Many SECaaS providers offer lightweight embedded agents and service options—tightly integrated with leading cloud provider APIs—that can lower cost and complexity for several control areas,” writes Shackleford. “SECaaS options are also ideally suited for automation and continuous development and deployment strategies, making them attractive to DevSecOps teams.”
DevSecOps, quite simply, is about continual collaboration between information security, application development, and IT operations teams. And if done correctly, it will reduce the cost of security and the likelihood of experiencing a cybersecurity incident.