Tuesday, 14 June 2022 11:22

Why combining DevOps and security is critical in a cloud-native world

By Steve Judd, senior solutions architect, Jetstack

GUEST OPINION: Keen to speed up innovation and achieve a competitive edge, increasing numbers of Australian organisations are turning to cloud-native architectures and DevOps practices. The logic is that this will allow faster development cycles and give the ability to take advantage of new opportunities as they arise.

However, the resulting increased pace of software development cycles is putting pressure on IT security. Faced with tight deadlines, developers run the risk of overlooking security or focusing on innovation at the expense of security.

Worryingly, according to a survey by Threat Stack, 52% of companies admit to cutting back on security measures to meet business objectives, potentially leaving critical systems vulnerable to exploitation. This is because maintaining security is a challenging task and can increase the workload of already busy development teams.

One factor contributing to this complexity is the growing usage of Kubernetes as a container-orchestration system. Because it offers flexibility and a consistent code-based experience, Kubernetes has quickly become the platform of choice among developers.

The role of machine identities

When it comes to managing a Kubernetes ecosystem, one key source of risk stems from the way in which organisations configure and manage machine identities. Each time a developer spins up a microservice, container or virtual machine in production, they must assign it an identity so it can communicate securely, and then manage that identity throughout its lifecycle.

Increasing usage of cloud-based resources is also contributing to the explosion in the number of machine identities. Without consistent security standards and appropriate tools to manage them in place, companies risk leaving themselves vulnerable to cyberattacks.

To address this issue, many companies are merging their development and security teams to form a DevSecOps capability. This makes sense in theory; however, some are reporting that the shift is not yet delivering the anticipated uplift in security.

According to research conducted by Threat Stack, 85% of companies confirm that employing SecOps best practices is an important goal for them; however, only 35% say that SecOps is currently an established practice.

Achieving DevSecOps success

Deploying a DevSecOps strategy successfully depends on following four key principles.

1. Constantly monitor machine identities

With the pace of digital transformation within many organisations increasing, the number of machine identities needing to be managed is on the rise. However, as many security teams are discovering, it’s almost impossible to manage large volumes of digital identities manually without creating concerning security holes.

A better approach is to make use of automation tools that can continually monitor machine identities. This will significantly reduce security incidents from cloud-native workloads while also ensuring organisations can keep up with the speed of modern development and increased usage of cloud resources.

2. Maintain a consistent approach

IT teams within many organisations make the mistake of being inconsistent when managing machine identities. The use of multiple tools and methods to initiate machine identity security can result in confusion within teams. By clearly defining and communicating straightforward execution processes, teams can ensure the way in which they initiate machine identity security is the same every time.

3. Achieve organisation-wide visibility

With many IT teams deploying multiple containers every minute during peak periods, maintaining visibility of the entire IT infrastructure becomes difficult. Issues that might be missed include misconfigurations in containers or the underlying Kubernetes infrastructure.

Through the introduction of automation, teams can scan containers at every phase to identify their single most common vulnerability and create a policy to eliminate it.

4. Use a strategy of application isolation

To ensure strong security, it is also important to make a point of isolating applications. This approach will lower the impact of any cyberattack by ensuring that a compromised application is less likely to affect other areas of an organisation’s IT infrastructure. It also helps to limit the risk of harm to a system when releasing new applications or functionality.

For the best security, IT teams should introduce container runtime scanning. Once a container is in production, put suitable mechanisms in place to ensure the container remains secure.

The power of following a DevSecOps strategy

Despite the potentially crippling impact that a cyberattack can have on an organisation, many development teams still see security as something that holds back their progress. Nothing could be further from the truth.

By following a DevSecOps strategy that combines development and security, it’s possible to embed security in the development process. This ensures required measures can be put in place from the outset without slowing down the development pipeline.

Preventing cyberattacks is critical for all organisations, and a DevSecOps strategy is a big step in the right direction.
