Big data, mobile, the Internet of Things, cloud computing and other innovative technologies have given companies more ways to connect with their customers than ever before. Businesses looking to maintain or grow their market share have embraced the concept of a digital transformation to help them use new technology efficiently. However, digital transformation has driven an atmosphere of continuous delivery in which the time from concept to market must be kept to a minimum if the effort is to be successful. At the same time, security cannot be ignored. Unfortunately, many companies remain mired in traditional approaches to security, severely hampering their efforts to be the first to market.
How Security Can Slow Development
Traditional security measures were effective enough when developers had at least a year between major releases. It was no big deal if code reviews took several weeks or even months to identify potential vulnerabilities or if it was necessary to tweak the firewall to prevent being overwhelmed by false positives. Today, however, many digital enterprises have a weekly or monthly release, and the most active companies are pushing code to production dozens of times each day. At least, this is how things go as long as security does not force developers to throttle back.
Suppose a form on the company's website has a field that is a little too short. It sounds like a minor fix, but with the traditional processes and legacy tools that are still commonly used, a patch could take weeks — even if it is an emergency fix required to defend against a recently discovered vulnerability.
Security and Speed Are Both Possible
Although some people view DevOps as a security threat, DevOps actually offers an excellent model for the way that cybersecurity needs to perform. Security needs to be as agile as DevOps, able to respond quickly to threat intelligence and be integrated with new projects. This requires flexibility, scalability and collaboration. Silos between DevOps and security must be broken down, and DevOps needs full visibility into all security tools to identify the issues and the priorities.
Adapting to the melding of security and DevOps may require changing mindsets as well as technology. Too often, executives fail to understand why a technology that has served the organization well for years is no longer sufficient for current needs. Obsolete technologies must be replaced with new ones that allow security to be incorporated into new applications and interconnected devices from the beginning. Furthermore, considering the shortage of qualified cybersecurity professionals, companies cannot afford unwieldy security tools that require a great deal of human interaction while critical fixes are not being handled due to a lack of time.
Security cannot be ignored, but it can no longer be allowed to be a stumbling block for digital enterprises. Vendors must be carefully selected so that only those who understand both agility and effective security are providing services to the company.
In essence, the basic change is all about making security a part of agile development instead of allowing security to exist on a separate track. Instead of being disconnected from threats and business needs, security fixes are handled the same way as the code that is being continuously pushed out. By constantly pushing out security fixes, the areas of vulnerability and the attack surfaces are reduced.
When security and DevOps work together, they offer more than just the sum of their parts. DevOps ensures that products are released quickly, while security ensures that the organization's risks are not increased by the speedy releases. Together, they can help an organization complete a true digital transformation, remain agile and innovate in ways that can help the business score a major win.