Organizations are excited about the cloud and what it can do for their business. Cloud computing promises elastic, on-demand services, and DevOps teams are embracing the opportunity to innovate quickly and scale efficiently. The ability to bring up thousands of servers within minutes, however, also introduces security and compliance issues, which are often neglected or avoided because of the perception that adding security will dramatically slow the pace of development.
DevOps and security teams may seem to have opposing interests at times. Development teams who deploy apps in the cloud are used to moving fast and having the freedom to deploy whatever resources they need to accomplish their goals. They are not security and compliance experts and may consider reviewing all inbound network ports as unnecessary red tape that complicates developing and deploying applications.
On the other hand, Chief Information Security Officers (CISOs) and auditors are wrestling with understanding a new world of cloud technologies and how to apply security and compliance concepts to them. If you can bring up thousands of systems at a time and then take them down when they’re no longer needed, you can’t apply the same thinking about patch management and vulnerability scanning. The same thought process applies for serverless functions where there is no direct access to the operating system or application configuration. It’s not clear what you are supposed to scan.
In a world of continuous integration and deployment, where production software can be updated hundreds or thousands of times per day, there is no longer a discrete certification and accreditation phase for new releases. This means that any security assessment process must also be continuous. There is definitely a gap in mindset and technical understanding between security teams and cloud operations and development teams.
Bridging these gaps requires education and frequent communication between the teams. For example, some organizations are forming dedicated “DevSecOps” teams that know how to apply secure practices to DevOps, such as statically analyzing code for vulnerabilities or enforcing access control over who can commit code. Other organizations are educating their security teams about cloud concepts so they can communicate with DevOps teams in a shared language. There are also solutions that can integrate security controls into every phase of a continuous integration and deployment pipeline.