SolarWinds: Looking beyond DevOps to fix cybersecurity
Article by SolarWinds security content architect Destiny Bertucci
Recent data breaches in Singapore signify weak spots in cybersecurity and data protection efforts, despite its large spending on cybersecurity.
A report by consulting firm AT Kearney in 2018 found that Singapore spent about 0.22% of its gross domestic product on cybersecurity, almost twice the global average.
Despite this, Singapore still remains susceptible to evolving cyber threats.
Last year, hackers stole the data of 1.5 million Singhealth patients, including those of the Prime Minister, in what was the city’s worst cyber-attack.
In light of this, the Government is stepping up measures to combat security breaches, and are looking to further increase spending on defense, security and diplomacy in 2019, according to the recent Budget statement by Finance Minister Heng Swee Keat.
The Singapore cyber security agency David Koh CEO acknowledged that the government itself cannot deal with the nation’s needs for cybersecurity.
He mentions that cybersecurity is a team sport, where organisations need to complement the government’s efforts and take proactive measures to protect their systems.
Such collaborative measures are necessary for an increasing number of organisations and startups who are incorporating the DevOps methodology into their business.
Focused on the integration of coding, testing and automation teams, the role of DevOps in security has seen increasing popularity due to its sound philosophy around productivity and adaptability.
With talk of DevOps rife among IT professionals, it is important to look at the advantages of DevOps as well as opportunities for where it could be improved.
Ultimately, while DevOps increases speed and efficiency by blending agile methodologies for development and automation for IT operations, is it not the be all and end all to addressing cybersecurity issues within an organisation.
DevOps still has its limitations
DevOps has the potential to improve security by discovering security flaws early in the development process.
This would allow IT teams to implement security features alongside a host of security algorithms and protocols, prior to the setup system infrastructure, which should lead to fewer security issues down the road.
Furthermore, it can deal with the aftermath of an attack through incorporation of self-healing characteristics into a system.
DevOps can also bring greater agility of design as well as greater buy-in and collaboration across varied skill sets that would otherwise compete with each other.
However, against a backdrop of constantly evolving cyber threats, DevOps is not enough in mitigating, addressing and combating such security issues.
While its methodology would allow for faster responses and adaptability, a cohesive, coordinated response to security threats should take precedence.
This is especially so as DevOps teams do not have the technical depth of specialised cybersecurity professionals.
While it can be argued that security professionals can be brought into DevOps processes to help developers navigate security issues they may face over time, these operations are still disparate.
One way to further boost security processes is through DevSecOps, a process of integrating and streamlining security practices much earlier within the DevOps process.
In this instance, the traditional process of working in silos will be replaced by increased communication and shared responsibility for security processes throughout the various phases of application and software development.
However, this may jeopardize informational security as well across the organisational surface.
A more holistic approach
Another approach that bears more efficacy is by establishing a central team responsible for incorporating measures into the development process from start to end.
Alongside DevOps infrastructure and applications, this team can monitor, manage, troubleshoot and optimize instruments from its infrastructure to the end-user experience.
A team of experts will also allow for a diversified skill set that would offer more comprehensive support to handle evolving threats.
Cybersecurity teams should also interact with DevOps in a way that establishes its authority in enforcing good governance and sanitisation, as well as the capacity of assurance in vetting and reviewing DevOps code, data, and workflows to ensure they meet enterprise-wide security protocols.
When cybersecurity skills and measures are employed, it is important that they are not diluted alongside other DevOps functions, so it is able to achieve its intended purpose with as much backing as possible. The cybersecurity function should also continue to operate with autonomy when maintaining the products of the DevOps cycle.
Most organisations are already adopting this model — maintaining centralised cybersecurity functions within the business whilst adopting a different mindset in its deployment.
In this regard, organisational projects and processes should be run by the expertise of cybersecurity teams, even prior to execution, therefore avoiding the need to undo or rework certain areas.