DevSecOps locks down container and cloud security
Business drove Cloud Infrastructure and Container adoption
Why is this movement inevitable? Business agility brought the need for more agile solutions and agile development. According to Gartner, more than 76% of enterprises are today using hybrid cloud infrastructures. The IaaS and PaaS market is estimated at $7B in 2016, with a CAGR of 50%, according to Synergy Research. And if we include private cloud, it is around $9B. The Cloud Security Spotlight Report shows that “24% of surveyed companies are using Hybrid Cloud”. The adoption of technologies such as Cloud Infrastructures, IaaS and Containers brought a new model for security: the shared responsibility model. In this model, the security guys are responsible for the operational security of the infrastructure and DevOps are responsible for Workload Security. Nevertheless, DevOps are not security experts and security is not their primary motivation, something the security team does not understand. On the other hand, automation is key for DevOps, and all the manual tweaking and analysis done by security teams seem so old-school.
Extending traditional tools and processes to cloud security
Therefore, the security team seems slow to react and not aligned with the business. The security team is often overwhelmed and needs time to address the challenges brought by new technologies. Instead of catching up with business agility, the security team, already held back by complexity and a lack of expertise and resources, is further dragged down by heavy traditional tools and processes. Business leaders weigh outsourcing to MSSPs as a more efficient alternative. But MSSPs will face the same challenges when integrating with the existing security processes and making them more efficient.
An opportunity for a new security approach: Security + DevOps = DevSecOps
In order to achieve higher efficiency, automation is the answer. As shown by the DevOps movement, with continuous integration and delivery, agility and faster results are possible. At SecludIT, we strongly believe that security teams need to embrace the DevSecOps movement, and we are building new tools to make that possible. For instance, for Docker we’ve shown how to start with and improve Docker security the DevOps way. The deployment of new security tools can be fully automated, and SaaS or Marketplace solutions make it easier to test, evaluate and get quick results. Finally, DevSecOps’ ability to show the efficiency gains and risk trade-offs is paramount to get C-level adoption and budget. Tools that automatically calculate leading indicators and show progress do not overload security teams with heavy reporting.
Plan to tackle Cyber Security with DevSecOps
Now that you are convinced about DevSecOps, we need a roadmap. Here goes our high-level take:
- Establish requirements and risk appetite for organisations
- Handle integration with legacy systems
- Evaluate MSSP cost and benefits
- Integrate security into DevOps processes
- Automate, automate, automate till the edge
Easier said than done. You may go deeper with our Elastic Workload Protector solution or stay tuned with our blog and newsletter.