What DevOps Can Teach Us About Cybersecurity
DevOps and cybersecurity are both top priorities for many enterprises, as well as areas that have experienced considerable innovation recently. And even though these are two very different sides of IT, there are lessons to be learned between the two. Both areas are in the midst of major transitions. For application development the shift is from slow, monolithic releases to fast and responsive development cycles. For cybersecurity the shift is from the old perimeter block/allow enforcement model to more adaptive security that continuously looks for threats across the enterprise.
While both of these areas are often cast as technology issues, they also force organizations to reassess the bigger picture. Teams that were previously siloed may need to work toward a common goal. Rigid processes give way to responsive feedback and adaptability. These more strategic and organizational changes are often just as important to the overall success as the technology itself. And it is an area where DevOps can provide an example for cybersecurity teams. In order to become more nimble and adaptive with their applications, organizations needed more than just new technology – they had to break down old organizational barriers that kept interdependent teams separated.
DevOps: Making the Jump From Philosophy to Action
While DevOps and CI/CD have become all the rage, it is important to remember that the key concepts are not particularly new. Organizations had been moving to Agile development strategies long before DevOps ever hit the mainstream. Organizations knew they needed to be more responsive to customers, and Agile provided a model based on faster, iterative releases that let them be more nimble. It was the answer to the high-level problem facing the organization.
However, knowing what to do wasn’t enough – organizations also had to learn how to do it. Just because a team decided they wanted to be Agile didn’t mean that they were organized to work that way. Development and Ops were still in separate silos, and testing came after development in a separate phase. In order to deliver on the bigger business goal, the organization itself had to adapt. Dev and Ops needed to come together. Development and testing started being treated as an integrated, continuous process. And once that was done, the development process as a whole was free to become continuous as well. The breakthrough that ultimately delivered on the promise of Agile development was as much about people and process as technology.
Cybersecurity and Conditional Access
IT security is in a similar era of transition. For more than a decade, the industry has known the high-level issues that need to change. Security needs to look at modern approaches to authentication and go beyond the perimeter to look for threats inside the network and in the cloud. Threat detection and prevention needs to be continuous and adaptive instead of a single yes/no decision at the perimeter. The business needs to be able to withstand an infection without losing data, and without getting in the way of their actual employees.
And organizations have invested incredible amounts of time and money into solving the problem. And while the results have been positive, in most cases organizations are falling short of their goal. Threats still get through, staff are overwhelmed with alerts, and teams still mostly only block based on signatures.
And like DevOps before it, it’s quite likely that the roadblock is as much organizational as it is technical. Conditional Access is a modern approach that provides a potential solution. In many organizations the roles of Identity and Access are separated from Security and Threat Prevention, with different teams, tools, and processes. However, risks and threats don’t respect these boundaries. As soon as an attacker gains a foothold in an environment, they attempt to use the compromised user’s identity to dig deeper into the network, find assets, and compromise additional users and devices. Likewise, sensible access management decisions require real-time insight into the risk, behavior, and threat context of a user or account. As with DevOps, Identity and Access and Threat Prevention remain different functions, but functions that need to work together in a continuous process.
A conditional access approach – recognizing the diverse ways users access and manage data across devices, geographies and environments – brings these two groups together in a way that makes sense for the larger goals of the organization. Identity, risk, behavior, and threat detection come together in a unified context. By bringing threat prevention closer to the authentication infrastructure, the enterprise also gains new flexibility in enforcement. Enforcement can be triggered in real time, before an asset is accessed, to prevent a breach. Likewise, enforcement can become more nuanced than simply block or allow. When the system sees something suspicious, it can challenge the user with a multi-factor authentication prompt. Threats are stopped while valid users pass through. Just as importantly, this coordination opens up a new realm of access and security policies that are real-time, adaptive, and have a complete picture of enterprise behavior and risk.
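To make the "unified context" idea concrete, here is an added example (not code from the original post or from any product it describes) of a small conditional access decision function. It takes the identity, behavior and threat signals the paragraph lists, combines them into a risk score, and returns one of three outcomes: allow, step-up to MFA, or block. The field names, weights and thresholds are hypothetical choices made for illustration; a real deployment would tune them against its own telemetry.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    CHALLENGE_MFA = "challenge_mfa"   # step-up instead of a hard block
    BLOCK = "block"


@dataclass
class AccessContext:
    """Signals available at authentication time (hypothetical field names)."""
    user: str
    resource_sensitivity: str      # "low" or "high"
    known_device: bool             # device previously enrolled for this user
    country: str                   # where the request originates
    usual_countries: frozenset     # countries this user normally signs in from
    threat_indicators: tuple = ()  # detections attached to the user/device, e.g. "c2_beacon"
    failed_logins_last_hour: int = 0


# Assumed weights: how much each behavioral anomaly contributes to the risk score.
SIGNAL_WEIGHTS = {
    "unknown_device": 2,
    "unusual_location": 2,
    "brute_force_pattern": 3,
}

# Assumed thresholds: a high-value resource steps up on any anomaly,
# a low-value one tolerates a single weak anomaly.
CHALLENGE_THRESHOLD = {"high": 2, "low": 3}


def risk_signals(ctx: AccessContext) -> list:
    """Collect the individual behavioral anomalies as short tags."""
    signals = []
    if not ctx.known_device:
        signals.append("unknown_device")
    if ctx.country not in ctx.usual_countries:
        signals.append("unusual_location")
    if ctx.failed_logins_last_hour >= 5:
        signals.append("brute_force_pattern")
    return signals


def risk_score(signals: list) -> int:
    """Sum the weights of the observed signals."""
    return sum(SIGNAL_WEIGHTS[s] for s in signals)


def decide(ctx: AccessContext) -> tuple:
    """Return (Decision, reasons). Evaluated before the asset is accessed."""
    # An active threat detection on the identity is a hard stop: MFA must not
    # be allowed to override it, because the attacker already holds the identity.
    if ctx.threat_indicators:
        return Decision.BLOCK, ["threat:" + t for t in ctx.threat_indicators]

    signals = risk_signals(ctx)
    threshold = CHALLENGE_THRESHOLD[ctx.resource_sensitivity]
    if risk_score(signals) >= threshold:
        return Decision.CHALLENGE_MFA, signals
    # Below threshold: allow, but return the reasons so they can be logged.
    return Decision.ALLOW, signals


if __name__ == "__main__":
    # Constructed sample contexts, not real sign-in data.
    samples = [
        AccessContext("alice", "low", True, "US", frozenset({"US"})),
        AccessContext("alice", "low", False, "BR", frozenset({"US"})),
        AccessContext("alice", "high", False, "US", frozenset({"US"})),
        AccessContext("bob", "low", True, "US", frozenset({"US"}),
                      threat_indicators=("c2_beacon",)),
    ]
    for ctx in samples:
        decision, reasons = decide(ctx)
        print(f"{ctx.user:6} {ctx.resource_sensitivity:4} -> {decision.value:14} {reasons}")
```

The point of returning the reasons alongside the decision is that the same evaluation feeds both enforcement (challenge or block before access) and the security team's detection pipeline (an allowed sign-in from an unknown device is still worth logging), which is the cross-team feedback loop the paragraph describes.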
This is truly the tip of the iceberg, but it requires not only a shift in technology, but in some cases a shift in organization. However, as we’ve seen with DevOps, a little wall-breaking can go a long way.
Posted by Ajit Sancheti on March 22, 2019 10:53 AM