This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
If cloud is a new operational model (spoiler: it totally is), DevOps is the operational framework to fit it. Automation and standardization are awesome, but do you want an R2 working for you, or a Battle Droid that's as likely to blast your Separatist envoy as the clone troopers in front of it?
DevOps has been around for five years now, and in the last year or so it has really started to gain traction in the security space. On the show floor this year you'll hear terms like DevOpsSec, DevSecOps, SecDevOps, and even Rugged DevOps (for the socially divergent). But before buying yet more software and yet more blinky boxes, you have to ask yourself: "Are these the droids I'm looking for?" Be wary: a lot of what you'll see won't actually be anything new, but rather clones of an older generation from the old guard of the traditional security empire (I mean enterprise) players.
As regular readers of the blog know, we're big fans of both DevOps and security here at Securosis, and we strongly believe that DevOps is the new republic for technology. But the technology around DevOps is still in its infancy and suffers from all of the same security problems as any other set of technology, especially one in its early stages. So take what you hear with a grain of salt, especially when it comes to API security and, as always, IAM. Like any technology that allows you to centralize control, it demands that you be extra careful in understanding your attack surface. Don't let your new technology become the exhaust port for your organization.
DevOps isn't even a single set of technologies. It's as much a philosophy and operating framework as anything else (which means we probably should have gone with a Force reference instead for this bit, but anyway). It's a combination of culture, philosophy, techniques, and tools that has some standard tenets, but definitely no single way of doing things. R2-D2, Chopper, and BB-8 all have unique strengths, weaknesses, and personalities, and they all get the job done in their own way.
It's good to be skeptical, but these techniques are far from science fiction. Many of your peer organizations, large and small, are using DevOps today to good effect. Heck, the odds are high that you already have projects leveraging DevOps, even if you don't know about it. And DevOps is a massive boon for security, bringing a level of standardization and audit trails we've only dreamed about. Plus, we can leverage the same philosophy, tools, and techniques to improve our own security operations.
Once you are on the RSA show floor, the FUD will be strong! Vendors will try to link all the wonderful things DevOps can deliver with their (not necessarily so) wonderful products. Some tools and products fit really well, while others will disrupt the DevOps process, slow down those deployment pipelines, and just drive your teams to find yet another friggen exhaust port. Look for products that support automation through REST APIs, Jenkins plugins, and SDKs. Look for sessions with technical meat on integrating with DevOps initiatives, not ones that hype up the risk.
— David Mortman, Adrian Lane, and Rich Mogull
Check out the complete series: Introduction
Theme posts: Threat Intelligence & Bothan Spies, R2DevOps, Escape from Cloud City, The Beginning of the End(point) for the Empire, Training Security Jedi, Attack of the (Analytics) Clones
Deep Dives: All Threats, All the Time..., Data Security Deep Dive, Cloud Security Deep Dive