CI Tools and Best Practices in the Cloud


SecDevOps and the Software-Defined Enterprise

Among all the changes that fall under the digital transformation umbrella, perhaps one of the most fundamental is the shift to the software-defined enterprise.

The idea is simple: instead of manually setting up and configuring the operational production environment, reduce all aspects of its configuration and deployment to one form of metadata or another: scripts or recipes or other configurations. Now, to make any kind of change in production, simply adjust the script, push a button, and let automation take over.

Expecting an entire enterprise production IT environment to be fully software-driven is still largely in the future, but there are two areas that large organizations are finding to be important starting points on the road to the software-defined enterprise: software-defined networking and DevOps.

The rapid maturation of public cloud computing has driven the software-defined networking industry, as cloud providers require fully automated network configuration capabilities.

Such demand has been driving innovation at network equipment providers, who now offer increasingly mature software-defined networking capabilities to a diverse enterprise market.

In contrast, the need to deploy better software more quickly has been driving DevOps, first at web scale companies, but now across most large enterprises as well.

DevOps requires a rethink of the traditional, siloed organizational model for IT, using automation to facilitate the cooperation and eventual merging of development, operations, and quality assurance teams.

While organizational and cultural transformations are at the heart of the DevOps movement, automation is an essential enabler. One of the central goals of DevOps automation is for deployment and configuration scripts or recipes to control every aspect of the production environment; in other words, software-defined infrastructure.

From DevOps to SecDevOps

This race to the software-defined enterprise is not without issues, however. As organizations move forward with either software-defined networking or DevOps, they soon run into a challenge: security.

Security, of course, should be a top priority for any software deployment – but DevOps’ emphasis on continuous delivery can push security to the back burner. Treating security as an afterthought, however, throws a wrench into the vision of software-defined infrastructure.

The importance of security to any software development effort seems obvious. So why do so many DevOps teams give it short shrift? Governance efforts in general, including security and compliance activities, are hot-button issues for DevOps teams, as traditional governance approaches introduce bottlenecks, slowing down the development lifecycle.

The result is often conflict between the DevOps people and the security and compliance teams, as the former call for moving quickly and the latter rightly call for adequate controls. For many organizations moving to DevOps, therefore, this friction impedes their ability to achieve their desired deployment velocity.

The way out of such conflicts is to automate the security controls themselves and run them as part of the accelerated software lifecycle, so that the security team's requirements are expressed as code and enforced by the pipeline rather than by a manual review gate. In other words, software-defined security.

Until now, protecting sensitive enterprise data in environments that are largely outside the enterprise's control, such as the public cloud, has been the main driver of innovation in software-defined security. With the rise of DevOps, however, software-defined security must become an integral part of the approach, leading to the notion of SecDevOps, as some people are now calling this combination of priorities.

In fact, automating security and compliance controls must be an integral part of all DevOps activities. The recipes for deploying the infrastructure should include all security and compliance configurations (network segmentation rules, encryption settings, access policies), so that every deployment is properly secured, yet still software-defined. Those recipes are code, and should be treated as such: version-controlled, reviewed, and kept free of embedded credentials, since a recipe that carries a secret distributes that secret to everyone who can read the repository.

DevOps personnel must include security and compliance activities early in the software lifecycle just as they include testing. In fact, they should incorporate security and compliance tests into the automated test regimen, so that a deployment that violates policy fails the pipeline the same way a deployment that fails a unit test does.

SecDevOps thus shifts security considerations 'to the left' (that is, toward the beginning of each iteration), and furthermore seeks to automate policy enforcement within the continuous integration/continuous delivery models that DevOps teams already follow.
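The policy-as-code test described above, as an added example that is not part of the original article and does not come from any of the vendors it mentions. It evaluates a deployment recipe against a small set of security rules and returns a pass/fail result a CI stage can act on. The recipe schema (`resources`, `security_group`, `ingress`, `encrypted`, `public_read`, `tls_min_version`) is a constructed, vendor-neutral stand-in for the parsed form of a real template; the sample recipe is constructed and deliberately contains three violations.

```python
"""Policy-as-code checks for a deployment recipe, run as a CI gate.

Added example: the resource schema and SAMPLE_RECIPE are constructed for
illustration and do not correspond to any particular tool's format.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Violation:
    resource: str   # name of the resource in the recipe
    rule: str       # name of the rule that fired
    detail: str     # human-readable explanation


Rule = Callable[[str, dict], Iterable[Violation]]

# Constructed sample recipe: SSH open to the world, an unencrypted volume,
# and a bucket that still accepts TLS 1.0. Everything else is compliant.
SAMPLE_RECIPE = {
    "resources": {
        "web_sg": {
            "type": "security_group",
            "ingress": [
                {"port": 443, "cidr": "0.0.0.0/0"},   # public HTTPS is expected
                {"port": 22, "cidr": "0.0.0.0/0"},    # violation: SSH to the world
            ],
        },
        "db_sg": {
            "type": "security_group",
            "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}],
        },
        "data_volume": {"type": "volume", "encrypted": False},
        "logs_bucket": {"type": "bucket", "public_read": False,
                        "tls_min_version": "1.0"},
    }
}

ADMIN_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def no_public_admin_ports(name: str, res: dict) -> Iterable[Violation]:
    """Remote-administration ports must not be reachable from any address."""
    if res.get("type") != "security_group":
        return
    for rule in res.get("ingress", []):
        if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANY_CIDR:
            yield Violation(name, "no_public_admin_ports",
                            f"port {rule['port']} open to {rule['cidr']}")


def volumes_encrypted(name: str, res: dict) -> Iterable[Violation]:
    """Block storage must be encrypted at rest."""
    if res.get("type") == "volume" and not res.get("encrypted", False):
        yield Violation(name, "volumes_encrypted", "volume is not encrypted at rest")


def no_public_buckets(name: str, res: dict) -> Iterable[Violation]:
    """Object storage must not allow anonymous reads."""
    if res.get("type") == "bucket" and res.get("public_read"):
        yield Violation(name, "no_public_buckets", "bucket allows public read")


def tls_minimum(name: str, res: dict) -> Iterable[Violation]:
    """Any resource that sets a TLS floor must require at least TLS 1.2."""
    version = res.get("tls_min_version")
    if version is not None:
        parsed = tuple(int(part) for part in version.split("."))
        if parsed < (1, 2):
            yield Violation(name, "tls_minimum", f"TLS {version} is below 1.2")


RULES: List[Rule] = [no_public_admin_ports, volumes_encrypted,
                     no_public_buckets, tls_minimum]


def evaluate(recipe: dict, rules: List[Rule] = RULES) -> List[Violation]:
    """Run every rule over every resource and collect the violations."""
    violations: List[Violation] = []
    for name, res in recipe.get("resources", {}).items():
        for rule in rules:
            violations.extend(rule(name, res))
    return violations


def ci_gate(recipe: dict, rules: List[Rule] = RULES) -> Tuple[bool, List[Violation]]:
    """Return (passed, violations); 'passed' maps to the pipeline stage's exit status."""
    found = evaluate(recipe, rules)
    return (not found, found)


if __name__ == "__main__":
    passed, found = ci_gate(SAMPLE_RECIPE)
    for v in found:
        print(f"FAIL {v.resource}: {v.rule}: {v.detail}")
    raise SystemExit(0 if passed else 1)
```

Each rule is an independent function, so the security team can add or tighten a rule without touching the pipeline, and the gate fails closed: any violation blocks the deployment rather than logging a warning that nobody reads. Run against the sample recipe the gate reports the three planted violations and exits non-zero; the same recipe with port 22 restricted, the volume encrypted and the TLS floor raised to 1.2 passes.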

Application-Level Control

The software-defined enterprise requires software-defined networking and software-defined security as well as SecDevOps – but just how different are these priorities?

The network is in fact part of the production infrastructure, and thus separating how network teams secure the network from how application security teams deal with application-level security is a false dichotomy. In the security world, a seam between two teams' responsibilities is exactly where a control goes unowned and a vulnerability goes unnoticed.

The better way to think about the role security plays in the software-defined enterprise is as a unified, holistic approach for managing, configuring, and testing security across the entire infrastructure – from the application layer all the way down to the network. After all, security must be comprehensive to be effective, as attackers are only too happy to probe for the gaps.

The crypto-segmentation from Certes Networks is an example of how to bring the agility and speed of software-defined security to networking, as an integral part of SecDevOps.

While segmentation at the network level affords a measure of security, defining such segmentation with software-based controls instead affords an additional measure of flexibility and control. To this end, Certes Networks brings segmentation up to the application layer.

As a result, crypto-segmentation policies and controls are now a part of the same comprehensive, automated security regime as the rest of SecDevOps.

The Intellyx Take

Traditional IT security has depended on hardware, firewalls and other network devices in particular, to protect the organization. However, making changes to hardware is slow and cumbersome, and the resulting configuration lives outside the version-controlled recipes that define the rest of the environment.

Furthermore, as enterprises become software-defined, digital organizations, traditional hardware-centric security becomes a less effective and thus less important part of the overall security profile.

As a result, software-defined enterprises must rethink security, just as they must rethink networking, software development, and operations. Security cannot become a boat anchor, slowing down the organization – and even more importantly, today’s businesses cannot afford to shortchange their investments in effective, comprehensive security.

Embracing software-defined security to evolve network security and make it agile enough for SecDevOps is now a must-have. Crypto-segmentation is an essential element of this new vision for comprehensive IT security.

Copyright © Intellyx LLC. Certes Networks is an Intellyx client. Intellyx retains full editorial control over the content of this article. Image credit: GotCredit.


More Stories By Jason Bloomberg

Jason Bloomberg is a leading IT industry analyst, Forbes contributor, keynote speaker, and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation. He is ranked #5 on Onalytica’s list of top Digital Transformation influencers for 2018 and #15 on Jax’s list of top DevOps influencers for 2017, the only person to appear on both lists.

As founder and president of Agile Digital Transformation analyst firm Intellyx, he advises, writes, and speaks on a diverse set of topics, including digital transformation, artificial intelligence, cloud computing, devops, big data/analytics, cybersecurity, blockchain/bitcoin/cryptocurrency, no-code/low-code platforms and tools, organizational transformation, internet of things, enterprise architecture, SD-WAN/SDX, mainframes, hybrid IT, and legacy transformation, among other topics.

Mr. Bloomberg’s articles in Forbes are often viewed by more than 100,000 readers. During his career, he has published over 1,200 articles (over 200 for Forbes alone), spoken at over 400 conferences and webinars, and he has been quoted in the press and blogosphere over 2,000 times.

Mr. Bloomberg is the author or coauthor of four books: The Agile Architecture Revolution (Wiley, 2013), Service Orient or Be Doomed! How Service Orientation Will Change Your Business (Wiley, 2006), XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996). His next book, Agile Digital Transformation, is due within the next year.

At SOA-focused industry analyst firm ZapThink from 2001 to 2013, Mr. Bloomberg created and delivered the Licensed ZapThink Architect (LZA) Service-Oriented Architecture (SOA) course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, which was acquired by Dovel Technologies in 2011.

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting), and several software and web development positions.