CI Tools and Best Practices in the Cloud


SecDevOps and the Software-Defined Enterprise

Among all the changes that fall under the digital transformation umbrella, perhaps one of the most fundamental is the shift to the software-defined enterprise.

The idea is simple: instead of manually setting up and configuring the operational production environment, reduce all aspects of its configuration and deployment to one form of metadata or another: scripts or recipes or other configurations. Now, to make any kind of change in production, simply adjust the script, push a button, and let automation take over.

Expecting an entire enterprise production IT environment to be fully software-driven is still largely in the future, but there are two areas that large organizations are finding to be important starting points on the road to the software-defined enterprise: software-defined networking and DevOps.

The rapid maturation of public cloud computing has driven the software-defined networking industry, as cloud providers require fully automated network configuration capabilities.

Such demand has been driving innovation at network equipment providers, who now offer increasingly mature software-defined networking capabilities to a diverse enterprise market.

In contrast, the need to deploy better software more quickly has been driving DevOps, first at web scale companies, but now across most large enterprises as well.

DevOps requires a rethink of the traditional, siloed organizational model for IT, instead leveraging automation to better facilitate the cooperation and eventual merging of development, operations, and quality assurance teams.

While organizational and cultural transformation is at the heart of the DevOps movement, automation is an essential enabler. One of the important goals of DevOps automation is for deployment and configuration scripts or recipes to control every aspect of the production environment – in other words, software-defined infrastructure.

From DevOps to SecDevOps

This race to the software-defined enterprise is not without issues, however. As organizations move forward with either software-defined networking or DevOps, they soon run into a challenge: security.

Security, of course, should be a top priority for any software deployment – but DevOps’ emphasis on continuous delivery can push security to the back burner. Treating security as an afterthought, however, throws a wrench into the vision of software-defined infrastructure.

The importance of security to any software development effort seems obvious. So why do so many DevOps teams give it short shrift? Governance efforts in general, including security and compliance activities, are hot-button issues for DevOps teams, as traditional governance approaches introduce bottlenecks, slowing down the development lifecycle.

The result is often conflict between the DevOps people and the security and compliance teams, as the former call for moving quickly and the latter rightly call for adequate controls. For many organizations moving to DevOps, therefore, this friction impedes their ability to achieve their desired deployment velocity.

The solution to such conflicts is to leverage automation-driven, next-generation security as part of the accelerated software lifecycle – in other words, software-defined security.

So far, innovation in software-defined security has been driven mostly by the need to protect sensitive enterprise data in environments that sit largely outside the enterprise’s control, such as the public cloud. With the rise of DevOps, however, software-defined security must become an integral part of the approach itself – leading to the notion of SecDevOps, as some people are now calling this combination of priorities.

In fact, automating security and compliance controls must be an integral part of all DevOps activities. The recipes for deploying the infrastructure should include all security and compliance configurations, so that every deployment is properly secured, yet still software-defined.

DevOps personnel must include security and compliance activities early in the software lifecycle just as they include testing – and in fact, they should incorporate security and compliance tests into the automated test regimen.

SecDevOps thus shifts security considerations ‘to the left’ (that is, toward the beginning of relevant iterations), and furthermore, seeks to automate policy enforcement following the continuous integration/continuous delivery models that DevOps teams are becoming accustomed to following.
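One concrete form of the automated policy enforcement described above is a policy-as-code gate that runs in the CI pipeline against the infrastructure definition before anything is deployed, and fails the build when a control is violated. The following is an added example written for this article, not code from the author or from any product the article mentions. The resource schema (`firewall_rule`, `object_store` and their fields), the sample plan, and the policy identifiers (`NET-001`, `DATA-001`, `DATA-002`) are all constructed for illustration and do not correspond to any real provider or standard.

```python
"""Policy-as-code gate: evaluate security and compliance checks against an
infrastructure definition in CI, before it reaches production.

Added example; not code from the article or from any product it mentions.
The resource schema below is a constructed, provider-neutral JSON shape,
not a real Terraform, CloudFormation or Kubernetes format.
"""
import ipaddress
import json
import sys
from dataclasses import dataclass

# Constructed sample plan: two resources violate policy, two are clean.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "firewall_rule", "name": "ssh-anywhere",
         "direction": "ingress", "protocol": "tcp",
         "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"type": "firewall_rule", "name": "web-from-lb",
         "direction": "ingress", "protocol": "tcp",
         "from_port": 443, "to_port": 443, "cidr": "10.20.0.0/16"},
        {"type": "object_store", "name": "customer-exports",
         "public_read": True, "encryption_at_rest": False},
        {"type": "object_store", "name": "build-logs",
         "public_read": False, "encryption_at_rest": True},
    ]
})

ADMIN_PORTS = {22, 3389}  # SSH and RDP must never be reachable from the whole internet


@dataclass(frozen=True)
class Finding:
    policy: str
    resource: str
    severity: str
    detail: str


def _is_world_open(cidr):
    """True when a CIDR admits every IPv4 or IPv6 address (prefix length 0)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def _ports_overlap(rule, ports):
    """A rule with no port bounds is treated as covering all ports."""
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
    return any(lo <= p <= hi for p in ports)


def check_firewall_rule(res):
    if res.get("direction") != "ingress":
        return []
    if _is_world_open(res.get("cidr", "")) and _ports_overlap(res, ADMIN_PORTS):
        return [Finding("NET-001", res["name"], "high",
                        "administrative port reachable from %s" % res["cidr"])]
    return []


def check_object_store(res):
    findings = []
    if res.get("public_read"):
        findings.append(Finding("DATA-001", res["name"], "high",
                                "bucket allows anonymous read"))
    if not res.get("encryption_at_rest", False):
        findings.append(Finding("DATA-002", res["name"], "medium",
                                "encryption at rest disabled"))
    return findings


# Each resource type is dispatched to the checks that apply to it.
CHECKS = {"firewall_rule": check_firewall_rule, "object_store": check_object_store}


def evaluate(plan_json):
    """Run every applicable check over the plan and return all findings."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


def gate(plan_json, fail_on=("high",)):
    """CI exit status: 0 lets the deploy proceed, 1 blocks it on a severity in fail_on."""
    findings = evaluate(plan_json)
    for f in findings:
        print(f"[{f.severity}] {f.policy} {f.resource}: {f.detail}")
    return 1 if any(f.severity in fail_on for f in findings) else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_PLAN))
```

The gate is the same kind of step as a unit-test stage: it consumes the deployment recipe as an artifact, so the check runs on every change rather than on a periodic audit, and the severity threshold in `fail_on` is where a security team and a DevOps team agree on what blocks a release versus what is merely reported.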

Application-Level Control

The software-defined enterprise requires software-defined networking and software-defined security as well as SecDevOps – but just how different are these priorities?

The network is in fact part of the production infrastructure, and thus separating how network teams secure the network from how application security teams deal with application-level security is a false dichotomy – and in the security world, false dichotomies lead to vulnerabilities.

The better way to think about the role security plays in the software-defined enterprise is as a unified, holistic approach for managing, configuring, and testing security across the entire infrastructure – from the application layer all the way down to the network. After all, security must be comprehensive to be effective, as attackers are only too happy to probe for the gaps.

The crypto-segmentation from Certes Networks is an example of how to bring the agility and speed of software-defined security to networking, as an integral part of SecDevOps.

While segmentation at the network level affords a measure of security, defining such segmentation with software-based controls instead affords an additional measure of flexibility and control. To this end, Certes Networks brings segmentation up to the application layer.

As a result, crypto-segmentation policies and controls are now a part of the same comprehensive, automated security regime as the rest of SecDevOps.

The Intellyx Take

Traditional IT security has depended on hardware – firewalls and other network devices in particular – to protect the organization. Making changes to hardware, however, is slow and cumbersome.

Furthermore, as enterprises become software-defined, digital organizations, traditional hardware-centric security becomes a less effective and thus less important part of the overall security profile.

As a result, software-defined enterprises must rethink security, just as they must rethink networking, software development, and operations. Security cannot become a boat anchor, slowing down the organization – and even more importantly, today’s businesses cannot afford to shortchange their investments in effective, comprehensive security.

Embracing software-defined security to evolve network security and make it agile enough for SecDevOps is now a must-have. Crypto-segmentation is an essential element of this new vision for comprehensive IT security.

Copyright © Intellyx LLC. Certes Networks is an Intellyx client. Intellyx retains full editorial control over the content of this article. Image credit: GotCredit.


More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).