When the term DevOps was first seen on the horizon of enterprise IT in 2009, it was largely questioned how enterprise IT security teams could keep up with such environments. With DevOps, application development doesn’t stop and infrastructure is treated as code. In such organizations, how would all of the security processes and controls that had been so carefully developed over the years possibly be incorporated into the highly agile and rapidly moving DevOps environment?
The pushback from information security professionals was to be expected. Most people fear change, security professionals are more risk averse than most, and rapid change is certainly risky.
Yet, several years into enterprise DevOps deployments, what we are actually learning is that unifying development and operations teams through DevOps efforts does not create the wild west environments that were feared. And there is no reason for security to “lose control,” as is often lamented, although that sense of control, especially when it came to application development, was largely illusory: just look at the current state of enterprise and application security.
Well, six years into the movement, it turns out that DevOps actually has enhanced security processes and, more importantly, improved security outcomes.
First, with DevOps environments, developers can test their code more often, and in more automated fashions. When I interviewed Gene Kim last year, co-author of The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, he detailed three aspects of what he calls enterprise “high performers.”
These are truly amazing. These highly agile, largely DevOps-driven organizations considerably outperform their peers. According to Kim, these high performers conduct thirty times more frequent code deployments, and they complete their deployments, from code committed to running in production, a mind-blowing 8,000 times more quickly.
Put another way, they are measuring deployments in minutes or hours, while the less agile, legacy enterprises are measuring deployments in weeks, months, or quarters. Interestingly, moving more quickly improved outcomes: they enjoyed twice the change success rate, and outages were fixed 12 times more quickly.
Complexity in applications and infrastructure is the enemy of security. DevOps helps enterprises develop code and systems in short sprints, and these deployments are less complex and easier to test, remedy, and secure.
Think about it. The smaller batch sizes associated with DevOps mean not only that the risk of any given deployment causing trouble is lowered, but also that anything that goes bad or breaks is likely to be remedied more quickly. It is far easier to remedy a mistake in 50 lines of code than in 50,000 lines of code.
Reducing that code bloat from legacy environments goes a long way toward reducing both technical and security debt. This is another great benefit of DevOps, and it holds true on the application side of the enterprise as well as the operations side. Essentially, enterprises end up with continuous deployment and configuration management systems that provide them with two powerful change management databases. On the operations side, for example, the configuration management system becomes the Change Management Database (CMDB).
While security-related results from DevOps have been fairly sparse, apart from a few studies, that is changing at the RSA Conference this year. There is a lot of information sharing, and DevOps security-related sessions are underway throughout the week.
There is also the DevOps Connect SecOps Edition all day Monday, which will focus on how agile and DevOps teams can enhance security and automate many enterprise security processes.
If there is a common thread across all of this, it is that DevOps and security work together as ways to enable business objectives and increase enterprise resiliency. When security is incorporated with DevOps, enterprise performance improves, and everyone, including operations, developers, and security, can focus on their core competencies, allowing the company to take educated risks and, at the end of the day, increase revenue and speed time to market. But readers of this blog have been aware of this for a while now. The rest of the world is finally catching up.