Combine the "It's not my job" belief that many IT administrators have about security tasks with the relentless pressure to release more applications and updates on a public cloud, and you have a recipe for security disaster. And in organizations where DevOps teams lead the charge, securing the public cloud becomes even trickier.
But development and operations teams rarely speak the same language, so is it possible to add security to the mix? It had better be.
"There've been a lot of painful Monday morning meetings about how security has failed in a DevOps environment," said Jay Lyman, research manager for cloud platforms at 451 Research. "Security now has to be a big driver of DevOps."
It's not a question of when -- but how -- DevOps can make public cloud platforms like Amazon Web Services (AWS) more secure. DevOps is generally easier to carry out in the cloud, so all-cloud shops have an advantage, Lyman said. Following are a few best practices for DevOps teams to make AWS security a priority.
1. Build in security upfront
IT teams often treat security like quality assurance, or QA, used to be treated -- at the end of the process when time was running out and it was almost too late to fix anything, warned Michelle Drolet, a founder of data security services provider Towerwall in a recent blog post. Her advice: Make security a routine part of the DevOps process from the start.
A major advantage of AWS is how easy it is to make things repeatable, said Rich Morrow, a self-described DevOps evangelist. "Combine the holistic system of DevOps with the features of AWS, and that is going to make it easy to do things the right way from the beginning," Morrow explained. "You can automate backups and make everything reliable and repeatable."
Plus, a public cloud like AWS has an inherent security advantage, said Ernest Mueller, a DevOps consultant and founder of the Agile Admin blog.
"From a DevOps perspective, it is a pure best practice to outsource," Mueller said. "And in this case, outsource to AWS and you get lots of built-in security, like biometric access and background checks on systems administrators. Every single server on AWS has an easy-to-configure firewall and you can't turn it off even if you want to. Companies would have to spend lots of money to get security like that at their own facilities."
2. Use the power of automation and encryption
Automation also plays very nicely with security in a public cloud. "You're just going to need to put security checks into the continuous integration pipeline and let AWS make that a simple thing to do," Mueller added. And don't forget automated backups.
Another key point to consider while setting up repeatable best practices is to encrypt any data -- even potentially compromising data -- that's headed to AWS or any other public cloud.
"Be selective, because too much encryption can slow down performance," Morrow said. "But make sure names, addresses, Social Security numbers and emails, for example, are encrypted." That also goes for transferring data to and from AWS. Companies should always use Secure Sockets Layer (SSL).
3. Implement fast, integrated, automated security testing
Testing is critical. But don't rely on old security testing methods that take weeks. Use fast, integrated and, hopefully, automated testing.
"Enterprises just need to test the hell out of their products," 451 Research's Lyman advised. "They need to task people with moving security testing through the organization and up into the cloud, and they'll find they can go faster with no sacrifices if they build it in," he said. Combine testing with realistic, pragmatic enterprise thinking.
Security should be a first-class citizen in the software delivery process. Obviously that's going to require a change in mind-set, and perhaps tooling, DevOps evangelist Morrow said.
"In a [continuous integration] environment, you can't rely on a quarterly scan because you might be making 10 changes a day. But it's easy and fast to spin up all your tests at one time in AWS."
Testing for security has to become part of the everyday DevOps routine across the board, he warned.
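The "security checks in the continuous integration pipeline" that section 2 calls for, and the fast, automated tests section 3 describes, can be as simple as a policy gate that runs on every build. The script below is an added example written for this article, not code from the article, its quoted sources or AWS. It reads a deployment manifest in a constructed, simplified JSON format (an assumption; real AWS deployments would read CloudFormation, Terraform or account state instead) and fails the build when it finds the mistakes the article warns about: sensitive fields stored unencrypted, a plaintext endpoint, a bucket without server-side encryption, missing automated backups, and a firewall rule open to the whole internet. Both the weak and the hardened manifests are constructed sample input.

```python
"""CI security gate: fail the build on weak deployment settings.

Added example, not from the article. The manifest format is a constructed,
simplified stand-in for a real infrastructure definition.
"""
import json
import sys

# Fields the article singles out as always needing encryption. Being
# selective about what else is encrypted is left to the team.
SENSITIVE_FIELDS = {"name", "address", "ssn", "email"}

# Ports that are expected to be reachable from the internet.
PUBLIC_PORTS = {80, 443}

# Constructed "before" manifest with several weak settings.
WEAK_MANIFEST = json.dumps({
    "service": "customer-api",
    "endpoint": "http://api.example.com",
    "storage": {"bucket": "customer-data", "server_side_encryption": False},
    "backups": {"enabled": False},
    "firewall": [
        {"port": 22, "cidr": "0.0.0.0/0"},
        {"port": 443, "cidr": "0.0.0.0/0"},
    ],
    "data_fields": [
        {"name": "name", "encrypted": False},
        {"name": "address", "encrypted": True},
        {"name": "ssn", "encrypted": False},
        {"name": "email", "encrypted": True},
        {"name": "order_total", "encrypted": False},
    ],
})

# Constructed "after" manifest with the weak settings corrected.
HARDENED_MANIFEST = json.dumps({
    "service": "customer-api",
    "endpoint": "https://api.example.com",
    "storage": {"bucket": "customer-data", "server_side_encryption": True},
    "backups": {"enabled": True, "schedule": "daily"},
    "firewall": [
        {"port": 22, "cidr": "10.0.0.0/8"},
        {"port": 443, "cidr": "0.0.0.0/0"},
    ],
    "data_fields": [
        {"name": "name", "encrypted": True},
        {"name": "address", "encrypted": True},
        {"name": "ssn", "encrypted": True},
        {"name": "email", "encrypted": True},
        {"name": "order_total", "encrypted": False},
    ],
})


def check_manifest(manifest: dict) -> list[str]:
    """Return one human-readable finding per weak setting (empty means pass)."""
    findings = []

    # Data in transit: the endpoint must be served over TLS.
    if not manifest.get("endpoint", "").startswith("https://"):
        findings.append("endpoint does not use TLS (https)")

    # Data at rest: the bucket must have server-side encryption on.
    storage = manifest.get("storage", {})
    if not storage.get("server_side_encryption"):
        findings.append(f"bucket {storage.get('bucket', '?')} has server-side encryption disabled")

    # Repeatability: automated backups must be enabled.
    if not manifest.get("backups", {}).get("enabled"):
        findings.append("automated backups are not enabled")

    # Firewall: only expected public ports may be open to 0.0.0.0/0.
    for rule in manifest.get("firewall", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in PUBLIC_PORTS:
            findings.append(f"port {rule['port']} is open to the whole internet")

    # Field-level encryption for the categories the article names.
    for field in manifest.get("data_fields", []):
        if field["name"] in SENSITIVE_FIELDS and not field.get("encrypted"):
            findings.append(f"sensitive field '{field['name']}' is stored unencrypted")

    return findings


def findings_for(manifest_json: str) -> list[str]:
    """Parse a manifest document and run the checks on it."""
    return check_manifest(json.loads(manifest_json))


def gate(manifest_json: str) -> int:
    """Exit status for the CI job: 0 lets the pipeline continue, 1 fails it."""
    findings = findings_for(manifest_json)
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python gate.py manifest.json  (defaults to the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MANIFEST
    sys.exit(gate(text))
```

Wiring this into the pipeline means running it as a build step after the deployment definition is rendered and before any deploy step; a non-zero exit stops the build, so a change that opens port 22 to the internet or drops encryption from a field is caught on the commit that introduced it rather than in the next quarterly scan.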
4. Make security part of the entire process
When the security officer at a company tells the CIO, CTO or even the CEO what needs to be done to better secure the IT infrastructure or improve AWS security, those directives often go unheard.
"The security consultant was not really educated in the product development process and because of that, his 'to dos' were often not put in," Morrow explained. "Security was, as they used to say, 'priority zero.'"
To change this thinking, some companies have embedded a security person within the DevOps team. No longer an outlier, the security person is part of the entire process.
"By creating a security buddy, instead of an outsider, companies were able to change the rate at which security flaws got fixed," Morrow said. "If you can get actual collaboration, it will make a huge difference."