In many respects, the rise and (potential) fall of DevOps resembles that of Achilles, the mythological Greek hero of Trojan War and Iliad fame. Think back to your high school years, what do you remember about Achilles? Undoubtedly, your memory recalls the lore of his success as a warrior and the transformational impact it had on the Trojan War. You probably also remember him for his one fatal weakness – his Achilles heel. I believe DevOps, as we know it today, has the same transformational strength in enterprises of all sizes, and its own singular point of weakness, which if left unaddressed, can expose businesses to significant security, compliance, and governance issues, if not their own peril.
Why DevOps today?
Before we go any further, let’s take a step back and briefly discuss why more and more businesses are choosing the DevOps path. Anyone working in IT knows that the cloud has fundamentally changed things. Over the last decade, businesses pursuing their cloud journey have reaped the benefits including streamlined application development and deployment; increased visibility, management and optimization of cloud resources; and cost reductions. However, cloud journeys also presented a host of new challenges along the way, many of which teams were not prepared to tackle. That's because IT practices and remedies hadn't kept up and were misaligned with the new reality, which saw the traditional security perimeter vanish and an increase in both the types of threats and points of vulnerability due to further BYOD adoption. Fast forward to today, and nothing's changed. The speed of innovation and exponentially increasing complexity in the cloud have created challenges that can no longer be solved by humans alone or addressed by hardware. They now require a software solution. Enter DevOps and a host of cloud management solutions working to bring order to the chaos of the cloud.
Does DevOps have an Achilles heel?
There’s no doubt that the emergence of DevOps has been transformative for IT teams working in the many flavors of cloud, and the businesses they serve. Application development and deployments in the cloud have been streamlined to make teams more efficient than ever before, in turn enabling businesses to meet the real-time needs of the on-demand world better. A truly positive outcome all the way around, right?
If you answered “yes,” you’re likely still early in your organization’s digital transformation and focused on the critical first step of adopting a DevOps approach. If you answered “no,” then you are starting to realize a potential DevOps and cloud Achilles heel exists despite perfecting the integration and coordination of your development and operations teams – the critical security, compliance and governance gaps that still persist.
With this in mind, we’re faced with a central question: How do we improve DevOps so businesses adopting the approach can better navigate this new reality and ensure it doesn’t get hit by the metaphorical arrow in its heel? The answer is by adding a third leg to the stool by tightly integrating security, compliance, and governance practices to DevOps processes and planning, or more succinctly defined: DevSecOps.
Instituting DevSecOps guardrails with automation and analytics
The reality today is that developers deep into the cloud journey running automated CI/CD won’t put up with a bunch of artificial barriers. Rather, they will bypass brokered cloud access and continue to perpetuate shadow IT problems across the IT landscape. In response, IT leaders have debated whether to provide direct cloud access with no security or brokered access over the last few years, because better options didn’t exist. Unsurprisingly, no one has benefited from either path.
While IT practices and remedies haven't kept up and have been largely misaligned with DevOps' needs to date, the gap has closed in recent months. Most notably, advances in automation and analytics, largely delivered via a new generation of cloud management platforms, are giving IT teams the ability to establish and enforce security guardrails in the cloud, while allowing direct access to cloud resources for developers. They also address critical needs for the developer to have context for any issues that violate security or IT policy within their own toolchain (CI/CD tools, ticketing systems), while allowing security and IT teams to have visibility and push changes in an organizationally scalable way. These capabilities have made DevSecOps possible and couldn’t have come a moment too soon. The reality is that the pace of changes in the environment (both the cloud and threat landscape) means we can't wait for alerts to get people’s attention. DevSecOps must be ongoing, contextual, and proactive in order to address the persistent threats businesses face today properly.
As we look ahead, DevSecOps will be the dominant trend and transformational agent for IT teams and businesses working in the cloud. Those that don’t adopt DevSecOps will be presented with increased risk and left powerless in guarding against the threats of tomorrow. Your DevSecOps processes and cloud management solution should have tight integration with security and compliance solutions baked-in, as well as include a comprehensive rules-engine for anomaly detection, alerting, and automated remediation. Only then will you be able to realize the full power of the advanced automation and analytics available today and required to properly establish the guardrails required to close gaps in your DevSecOps practices.