DevOps : A real balancing act for CIOs between business benefits and security


Source – cio.economictimes.indiatimes.com

Bangalore: Adoption of DevOps is on the rise among enterprises and organisations. The DevOps approach brings together two key functions, software development and IT operations, across the business units of an organisation.

It helps an organisation bring software development and business operations closer together, allowing them to collaborate and function in a more coordinated and efficient way. This enables continuous and faster software delivery cycles.

Business benefits

“It certainly does offer benefits in terms of time to market. In this day and age, IT is part of doing business and it has to deliver at the speed matching the need of business,” says Sumit Singh, CIO Wockhardt Hospitals Ltd.

Wockhardt’s CIO Singh says that DevOps is one of the newer methodologies being tried out, and that there is quite a buzz around some of the successes shared publicly.

In fact, Wockhardt Hospitals has a small dedicated team that closely collaborates with the business unit. This team recently adopted a methodology similar to DevOps techniques for a GST project, Singh informs.

“DevOps will reduce risk and improve quality of IT delivery,” says Satyanarayana Kasturi, GM & CIO – Projects Business, Essar Projects (India) Limited.

“This is not risky and no worry, mainly because we are using DevOps as a copy of production (simulated environment), and in fact this is very much required for the future to address statutory changes like GST,” adds Kasturi.

Agility is the key factor behind the popularity of DevOps among organisations today, and it is being leveraged increasingly for that reason.

“DevOps is driven by the need to continuously innovate and deliver, to reach the market before the ever-shrinking window of opportunity shuts down,” says Arsalaan Kashif, Happiest Minds Technologies’ Associate Director – Product Engineering Services.

Compliance and security risks

However, Kashif says that even with the best of intentions in place, the rush to deliver on tight deadlines can cause DevOps teams to cut corners and be out of compliance with their company’s security policies.

“As security teams are left in the dark, there could be a lapse in judgement about what potentially is leaked to the internet, exposing the organization to unnecessary risk,” cautions Kashif.

And that is where the dark side of DevOps comes to the fore: the new approach is not fully safe unless it is continuously integrated with enterprise security and monitored constantly.

If it is not, it remains highly exposed to security threats and cyber risks.

“DevOps is an area which again is a bit of a challenge in terms of cybersecurity because the developers would typically want to access everything and anything that means agility for software development,” says Rohan Vaidya, CyberArk’s Regional Director – Sales India.

CyberArk is an Israel-based enterprise security firm that offers DevOps security solutions globally. It acquired the DevOps security firm Conjur for $42 million early this year to expand its defense capabilities.

“The DevOps team would download a lot of freeware and experiment with it, as they would want to test all possible conditions because they want to have agility, but don’t want laws around it,” points out Vaidya.

This is where DevOps turns into a new security challenge for CIOs and enterprise IT. CIOs therefore need a more balanced and broader approach when dealing with DevOps within their respective organisations.

Approach with security

“The key ingredient of DevOps is the automation of infrastructure, testing and delivery. In my opinion to make it safe, DevOps needs to become DevSecOps, which means security and risk assessment need to become continuous and adaptive,” says Meerah Rajavel, CIO – Forcepoint, a security software vendor formerly called Websense and Raytheon|Websense.

“Like Continuous Integration and Continuous Delivery (CICD), security needs to become continuous as well. In many organizations the code will be shipped to a security team to assess vulnerabilities, which can take days to weeks. In DevSecOps, this process needs to be automated as part of the CD (Continuous Delivery) framework,” explains Rajavel.

In practice, this means CIOs will have to run penetration and other security tests continuously, all year round, as a standing process rather than a one-off gate. The adaptive approach in Rajavel’s view should be a continuous learning approach, with the ability for “normal” to shift based on context and to be more dynamic.
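As an added illustration of what Rajavel describes (security assessment automated inside the CD pipeline instead of handed off to a security team), and of the leakage and unvetted-freeware risks Kashif and Vaidya raise, here is a minimal pre-deploy gate. It is example code written for this article, not code from any of the vendors quoted; the secret patterns, the approved-package list and the repository snapshot are all constructed assumptions.

```python
import re

# Constructed patterns for what this pipeline treats as a leaked credential (assumption).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(r"(?i)password\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
}
# Constructed allow-list standing in for the organisation's vetted-software catalogue.
APPROVED_PACKAGES = {"requests", "flask", "sqlalchemy"}


def scan_for_secrets(files):
    """Return (path, line_no, pattern_name) for every suspected credential in the snapshot."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, line_no, name))
    return findings


def unapproved_dependencies(requirements_text):
    """Return package names from a pip requirements file that are not on the allow-list."""
    names = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name = re.split(r"[<>=!~\[ ;]", line, maxsplit=1)[0].lower()
            if name not in APPROVED_PACKAGES:
                names.append(name)
    return names


def gate(files):
    """Run both checks; a non-empty report fails the gate and should block the deploy stage."""
    secrets = scan_for_secrets({p: t for p, t in files.items() if p != "requirements.txt"})
    deps = unapproved_dependencies(files.get("requirements.txt", ""))
    report = [f"secret:{p}:{n}:{kind}" for p, n, kind in secrets]
    report += [f"unapproved-dependency:{d}" for d in deps]
    return (not report, report)


# Constructed repository snapshot so the block runs stand-alone (AWS key is the public example key).
SAMPLE_REPO = {
    "app/config.py": "DEBUG = True\nDB_PASSWORD = 'hunter2-prod'\n",
    "deploy/creds.txt": "AKIAIOSFODNN7EXAMPLE\n",
    "requirements.txt": "requests==2.31.0\nflask>=2.0\nsome-random-freeware\n",
}

if __name__ == "__main__":
    passed, report = gate(SAMPLE_REPO)
    print("PASS" if passed else "FAIL", *report, sep="\n")
```

Wired in as a CD stage, the gate runs on every commit and takes seconds, which is the difference Rajavel draws between a days-to-weeks manual review and continuous security.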

With cloud and digital, Rajavel states, there are more shades of gray, so the emphasis in this adaptive approach should be on monitoring and management.

“Yes, security is an issue as often it is an afterthought and requires a different mind-set to develop a project with defensive strategies inbuilt from scratch. Generally, it comes in later, then it proves difficult and expensive or both. For us, in our scope and scale, thus far, it was not a major concern,” comments Wockhardt CIO Singh.

Organisational culture

Although the adaptive approach and the dynamic shift to security are highly recommended for CIOs, they may find them hard to implement in their respective companies, depending on the organisational culture and environment.

“A ‘generative’ culture where information and ideas are exchanged freely is critical for DevOps to succeed. When the core driving principle is ‘failing fast’ and learning from it, it is important to foster an environment where failures aren’t brushed under the carpet,” says Kashif of Happiest Minds.

Further, “Collaboration is another key factor that cannot be overstated. Apart from the development and operations teams coming together, there is also a need to collaborate for instance with the security group to ensure compliance and high quality releases that aren’t just timely but secure,” emphasizes Kashif.

Despite the challenge of diverse cultures and environments across companies and organisations, one thing is certain for CIOs: DevOps is here to stay until a new methodology replaces it.

Embrace DevSecOps

So going ahead, CIOs are advised to re-examine the DevOps concept from a security perspective as ‘DevSecOps’, which addresses not only software development and business operations but security as well.

In fact, Gartner has introduced a new acronym, CARTA (Continuous Adaptive Risk and Trust Assessment), which it presents as a must for any business embarking on digital transformation, which typically leverages DevOps and Agile as tools.

It ensures that CIOs are able to drive business objectives along with faster delivery cycles but most importantly not at the cost of enterprise security.

“Absolutely, I advocate CIOs to actively embrace DevSecOps,” asserts Forcepoint CIO Rajavel. Citing the analogy of flying, she says that the objective of the business is to fly high and fast, which has significant benefits but involves a high degree of risk too. And that is where she points to the CIO’s job.

“The CIO job should be to design a solid security and risk framework, which will enable the business to fly safe, not hold them back saying flying is dangerous,” says Rajavel.

Further, she urges CIOs to clearly communicate to the business the degree of risk, to educate the business on how IT is addressing that risk, and, where possible, to design the solutions in collaboration with the business.
