DevOps and cloud deployment models are now widely adopted. They have raised many questions and challenges for the enterprise, but the one that most needs addressing is security. So what does security mean in this context?
Security in DevOps
When we talk about security, we have four main things in mind. One, it's the principles, attitudes, and skills for managing your whole digital ecosystem, not just your software. Two, it's ensuring the confidentiality, integrity, and availability of your applications and services, in part through least-privilege access to critical systems, so that a compromised account or component can reach as little as possible. The third is protecting your data, infrastructure, and intellectual property. Fourth, and last, it's about risk management and compliance.
DevSecOps is the journey of making security part of the software development life cycle, which requires more than scanning and patching. It's about making security part of your DevOps journey from the start, so that it's not an afterthought bolted on before release.
The DevSecOps movement is gathering steam. As with any real paradigm shift, it isn't a fad. Instead, it is a critical component of the modern information security professional's toolkit. Those who embrace the paradigm and take it to scale will be the ones who succeed.
The Four C's - Code, Container, Cloud, and Cluster
Much attention has been paid to code, but most of that concern has focused on how to deliver code securely to production, rather than on how the code itself is written. The C's of DevSecOps help us distinguish between the development of the code and the delivery of the code, and between the layers the code runs on.
DevSecOps starts with the code. The continuous delivery of secure code requires security tools, services, and platforms that move software at the speed of business. Whether external customers or internal employees use the applications, it is vital to ensure that this code is secure, and that work continues throughout an application's life cycle. Security controls to build into new software include encryption of data in transit, device management, user authentication, and access control.
At a high level, that means building security in from the first iteration of a product, when the code base is smallest and simplest, and keeping it in as the application grows and is integrated with the rest of the portfolio. The third-party "packages" an application pulls in become part of its attack surface, so integrating them securely, and keeping them current, is essential to its ongoing use.
Next is containerization. Containers have taken the software development world by storm, and with them the focus has shifted from delivering secure code to deploying applications more quickly. Faster deployment means more production usage. It also means increased risk, because the infrastructure supporting these applications must be highly available, secure, and scalable, and because a container image bundles an operating system layer whose vulnerabilities ship with the application. Managing this risk is where a container security management platform comes into play: scanning images, defining security policies (run as non-root, drop unneeded capabilities, no privileged containers) and controlling access to the containers gives you control over how applications are executed, reducing exposure while keeping the agility.
Cloud computing has played a pivotal role in supporting this paradigm shift. As organizations move to the cloud, security must be a primary consideration. While the cloud has become the preferred delivery environment for enterprise applications, it has brought its own risks, notably misconfigured services and overly broad identity and access permissions. Security must be embedded in the architecture and managed with a platform that understands the provider's shared-responsibility model. The ability to orchestrate security controls in the cloud, as code, is essential.
The final C is Cluster: the orchestration layer, such as Kubernetes, that schedules and scales the containers across the cloud infrastructure. Securing it means locking down the control-plane API, enforcing role-based access control, restricting network traffic between workloads, protecting secrets, and patching or upgrading cluster components proactively as vulnerabilities are announced. The purpose of DevOps is to enable businesses to react quickly to changes in their environment, and as business expectations change, so does the code that runs and protects the business. Anticipating those changes is crucial for running applications across clouds. At its core, DevOps is more than a tool to automate infrastructure: it's an engineering discipline.
These layers can be hard to separate, and in practice they overlap. The idea is to treat them as nested layers of defense: each inner layer (code) depends on the security of the layers around it (container, cluster, cloud), so a weakness in an outer layer cannot be compensated for by controls in the code, and a compromise at one layer generally exposes everything inside it.
The central point is that the Four C's of DevSecOps are not sufficient on their own to deliver secure software, and they cannot be addressed in isolation. They respond to the need to deliver software at a pace and scale that traditional security frameworks, built around gated manual reviews, cannot keep up with. DevSecOps requires a new security mindset and new means for securing software in production. This paradigm shift does not happen overnight.
New Practices You Need to Adopt
Here are some of the new practices we have seen enter the practice of security, and some we believe will come to the forefront as the DevSecOps movement continues:
Everyone who builds software should understand why its security matters, and that insecure choices have real consequences for the business and its users.
Where possible, development teams should work with the release engineering team to establish an automated process for responsible software releases. Release engineering teams manage secure software more effectively when every release is evaluated for its security posture (dependency and image scans, policy checks) before it ships.
When appropriate, deployment should occur at scale. In environments where servers and devices are not centrally managed, teams need to work with their IT and engineering counterparts to define a shared security model. There are several options for on-premises and cloud deployments, including a hybrid model or a policy engine centrally managed by the DevOps organization that enforces the same rules on every workload.
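The container policies mentioned under the Container C above and the centrally managed policy engine mentioned here come down to the same thing: a rule set evaluated against every workload before it is admitted. As an added example (not code from the article or from any real admission controller or product), the following Python evaluates a Kubernetes Pod manifest, parsed into a dictionary, against a small set of baseline rules of the kind a container security platform enforces. The two manifests, the rule messages, and the function names are constructed for this illustration.

```python
"""Baseline Pod security check: an added illustration, not code from the
article or from any real admission controller.  It evaluates a Kubernetes
Pod manifest (already parsed into a dict) against a handful of rules of the
kind a container security platform or admission policy enforces.  The two
sample manifests at the bottom are constructed for this example."""

from typing import Any


def _containers(pod: dict) -> list[dict]:
    """All containers in the Pod, init containers included."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def _effective(pod_sc: dict, c_sc: dict, key: str, default: Any) -> Any:
    """Container-level securityContext overrides the Pod-level one."""
    return c_sc[key] if key in c_sc else pod_sc.get(key, default)


def _image_pinned(image: str) -> bool:
    """True if the image reference carries a digest or a non-latest tag."""
    ref = image.rsplit("/", 1)[-1]          # drop registry/namespace part
    return "@sha256:" in ref or (":" in ref and not ref.endswith(":latest"))


def evaluate_pod(pod: dict) -> list[str]:
    """Return the list of violation messages; an empty list means the Pod
    complies with the baseline and may be admitted."""
    violations: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Sharing host namespaces exposes host processes and network to the Pod.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"{name}: spec.{field} must not be true")

    # hostPath volumes hand the node filesystem to the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"{name}: volume {vol.get('name')} uses hostPath")

    for c in _containers(pod):
        c_sc = c.get("securityContext", {})
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if not _image_pinned(image):
            violations.append(f"{name}/{cname}: image '{image}' must be pinned by digest or non-latest tag")
        if c_sc.get("privileged"):
            violations.append(f"{name}/{cname}: privileged must not be true")
        # allowPrivilegeEscalation defaults to true in Kubernetes, so absent == violation.
        if c_sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}/{cname}: allowPrivilegeEscalation must be false")
        if not _effective(pod_sc, c_sc, "runAsNonRoot", False):
            violations.append(f"{name}/{cname}: runAsNonRoot must be true")
        if not c_sc.get("readOnlyRootFilesystem", False):
            violations.append(f"{name}/{cname}: readOnlyRootFilesystem must be true")
        caps = c_sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}/{cname}: capabilities.drop must include ALL")
        if caps.get("add"):
            violations.append(f"{name}/{cname}: capabilities.add is not allowed")
    return violations


# Constructed manifest: the kind of Pod a developer writes when nothing stops them.
WEAK_POD = {
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{"name": "app", "image": "example.com/app:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed manifest: the same workload with the baseline applied.
HARDENED_POD = {
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "app",
                        "image": "example.com/app@sha256:" + "0" * 64,  # placeholder digest
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        result = evaluate_pod(pod)
        print(pod["metadata"]["name"], "->", "ADMIT" if not result else f"REJECT ({len(result)} violations)")
        for v in result:
            print("  ", v)
```

The weak manifest is rejected on eight counts and the hardened one is admitted. The point of centralizing the check is that the same function runs for every team's workloads, whether as a CI gate or inside an admission webhook, so the rules cannot be skipped by a single deployment.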
Too often, security is seen as part of the problem within organizations rather than part of the solution. Security functions are understaffed, underfunded, and spread thin across the organization, and security tools are often not integrated with the tools developers actually use.
You need to work out your security operations strategy in relation to engineering, operations, and customer security. You need to identify the security risks that can affect you and put controls in place before they are exploited. You need a platform-based security strategy that keeps up with evolving threats, one that is agnostic to the application stack your applications are built on and to the platform of the endpoint you are securing.
You need to detect attackers early and contain them before they move laterally or use your environment as a base for attacks elsewhere, which may require correlating what you see with a global threat intelligence network. You need to identify which parts of your infrastructure and applications they targeted and close those gaps so the same path cannot be used again. Otherwise, they will use their foothold to scale up their activity.
Your infrastructure, application services, and network security need to be cloud-native, automated, and software-defined to improve scalability and flexibility and to speed up your DevOps transformation. These elements are critical parts of your security strategy and its implementation. I recommend that you get involved in the DevOps community to collaborate and share knowledge. You should also continuously drive the maturity of your DevOps and cloud deployment model and share your experiences across the entire development, testing, and deployment life cycle.
You must also communicate your DevSecOps, CompSecOps, and CloudSecOps approach to your developers, operations, and security teams so that everyone understands the context of your strategy and your current agile release management practices.
Beyond being aware of these issues, it is imperative to review all the security processes your company uses. That may include reviewing and auditing existing systems, or reviewing and remediating existing infrastructure.
Setting a concrete goal for DevSecOps in your business will help accelerate these changes. As the DevSecOps movement gains traction, there will be continued progress.
Simplilearn’s DevOps Engineer Master’s Program lets you take on advanced skills in DevOps. This program prepares you to manage emerging DevOps approaches like DevSecOps.
The Post Graduate Program in Cyber Security, designed with the MIT Schwarzman College of Computing and the EC-Council, provides you with the skills you need to become an expert in cyber security. This includes comprehensive approaches to protecting infrastructure, securing data and information, running risk analysis and performing mitigation, architecting cloud-based security, achieving compliance, and much more.