While DevOps is a relatively new word describing an evolving methodology for building products, Information Security is a mature discipline and is generally applicable to all enterprises. Information Security has been studied and codified into well-defined principles. These principles were developed in large measure by the US Department of Defense to protect military secrets, an effort that went alongside the military’s interest in developing the Internet itself. Major accrediting organizations with esteemed reputations (e.g. ISC2) have been certifying Information Security professionals since the mid-nineties.
The purpose of Information Security, or, specifically, Information Security programs within the enterprise, is to reduce the risk of data breaches, data corruption and loss of access. It is an ongoing process. It requires attention throughout the organization and at every stage of the software development life cycle. Information Security needs to be considered at the earliest stages of product development. Attempting to bolt Information Security onto a product at the end of the development cycle, treating it as an afterthought, is rarely an effective strategy.
Information Security is at once people, processes, and technology. While Information Security was a concern long before DevOps, it needs to be promoted as a major tenet of DevOps. Why? Information Security is hard, and historically it has not gotten enough attention.
In order to earn and grow revenue, product companies are compelled to focus on maximizing customer benefits, and they often treat Information Security as overhead. A race for an MVP (minimum viable product) encourages cutting corners on security. Even when Information Security is a concern, it typically competes poorly with market needs. It is common for development organizations to build an application and then, just before a release, to do “Information Security.” They check a few boxes and hit the deploy button. Attempting to bolt it onto a product right before release is one of the greatest risks when implementing Information Security. It typically does not end well.
Information Security will continue to grow as a major concern for Dev and Ops. For too long and too often, Information Security has been given a “best effort” treatment. The rapid growth in the number and sophistication of attacks requires more effort to contain them, if only for survival.
In order to meet these challenges, Information Security must be considered during design and planning. Applications, systems and networks must be Secure by Design. This must always be the default. Without attention to Information Security at the early stages of product development, any Information Security controls implemented later will likely contain design flaws.
Information Security must be elevated in DevOps. It must be ingrained into the other aspects of DevOps: culture, automation, monitoring, and communication. As with all of DevOps, culture is the key component. Both Dev and Ops must embrace a culture that considers Information Security a key concern.
The good news is that the ongoing process of maintaining secure systems weaves seamlessly into our aspirations for a well-functioning DevOps environment. New challenges will emerge. Technology will continue to evolve. In 2024 we see the information itself being attacked with disinformation and deepfakes. DevOps has become DevSecOps and many other variations.
fork: Culture is more important than processes or technology
My principles of DevOps (culture, automation, monitoring, communication, and Information Security) will continue to light the path forward even after DevOps is ultimately replaced by whatever comes next.