DevOps teams are under enormous pressure to accelerate development cycles and improve quality assurance. We live in a world where IT consumerization is a fact of life and speed to market is not just an enormous competitive differentiator but an absolute necessity. This is why DevOps teams are embracing modern initiatives such as agile development, containers and microservices.
Demands for speed and accuracy—along with the potential for cost savings—are also driving DevOps’ growing reliance on cloud services: DevOps adoption of cloud services increased to 74% in 2016, compared with 66% in 2015, according to the “RightScale 2016 State of the Cloud Report.”1
Accelerated development cycles have an upside, of course, but they also have a downside, particularly when it comes to security and compliance. Because of time and resource pressures, DevOps teams often don’t pay proper attention to security when using cloud resources.
This is an important problem that must be addressed—and quickly. Today’s reality is that most DevOps teams don’t go through normal IT channels when deploying public cloud services. Enterprises are typically adopting DevOps from the bottom up: 29% at the project or team level and 31% at the business unit or division level. Only 21% have a companywide DevOps initiative, according to the RightScale report.2
In the long run, any lack of coordination between DevOps teams and security teams is counterproductive. If there is a breach or compliance violation, the entire business suffers, not just in lost revenue, but also in damage to reputation and customer goodwill. In addition, if a security or compliance risk comes up late in the development cycle, it can cause software bugs and serious delays in availability.
The joy of automation, continuous security and compliance
At the same time, however, DevOps teams know all too well that today’s development cycles leave no time to stop for security evaluations before they deliver new products and features to the business. The answer: Deploy a modern approach to cloud security built on a foundation of automation.
With automation, DevOps teams can ensure that best practices in security are deployed and enforced without any impact on the speed, accuracy or quality of their work. Automation enables continuous security and compliance to support continuous development.
This continuous security and compliance model not only helps developers avoid bugs and delays, but also alleviates some of the stress and conflict inherent in the relationship between DevOps and security teams. In fact, everyone benefits from this continuous security and compliance model:
- Developers can deliver quality products with less concern about security bugs. By leveraging the monitoring capabilities of the security platform, they can catch unexpected risks or errors much earlier in the development cycle. In addition, they can use the platform as a learning tool so they can deliver better code. As they spin up new infrastructures for new projects, they can rely on built-in security protections that are already preapproved by the organization, thus accelerating their development cycles.
- Security teams can leverage the continuous security and compliance platform to get out of reactive mode and take more control over DevOps and other shadow IT initiatives. For years, we’ve seen DevOps outpace security, to the point where security teams now struggle to even understand what kinds of infrastructure services have been deployed by the DevOps team. With some organizations pushing hundreds or thousands of code changes into production each day, security needs a new means to monitor what’s happening. Continuous security and compliance through automation represent that new means.
- The overall organization is perhaps the biggest beneficiary of this modern approach to cloud security and compliance. Development cycles are accelerated and quality assurance is improved; security and compliance are simpler to manage and less risky; and DevOps and security teams, often at each other’s throats in the past, can now live in relative peace and harmony, at least for a while.
Conclusion
Public cloud has been a godsend to DevOps teams. It has enabled them to quickly spin up infrastructure to accelerate development and improve quality assurance. But public cloud has also been a challenge. Without proper attention to security and compliance in the public cloud, the overall organization can take on much larger and hidden risks. By using a modern cloud-native approach to security and compliance, leveraging automation and the API-centric architecture of the cloud, DevOps teams can enjoy accelerated development cycles while reducing the risk of breaches or delays. This is not only a winning formula for DevOps, but it will also ease the stress among security teams, IT leaders, compliance officers and corporate management.
1 “RightScale Releases New DevOps and Docker Trends in Follow-up to State of the Cloud Report,” RightScale, May 11, 2016