
The DevOpsification of Security

4 Nov 2016 11:48am, by Lenny Pruss
Lenny Pruss is a Principal with Redpoint Ventures where he focuses on investments in cloud infrastructure, developer tooling and security. He writes about the business of developers at Memory Leak.

In December 2009, Google was the target of a series of highly coordinated, sophisticated advanced persistent threat (APT) attacks in which state-sponsored hackers from China stole intellectual property and sought to access and potentially modify Google source code — the company’s crown jewels. Dubbed Operation Aurora, the attack proved to be a referendum at Google on the layered, perimeter-based security model.

Five years later, in 2014, Google published a paper titled “BeyondCorp: A New Approach to Enterprise Security,” which detailed the company’s radical security overhaul, transitioning to a trustless model where all applications live on the public Internet. Google wrote:

“Virtually every company today uses firewalls to enforce perimeter security. However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. Google is taking a different approach… We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet.”

Yet while much of the world is in the throes of adopting the open, on-demand IT paradigm characterized by agility and elasticity that Google helped define, security has yet to be reimagined in the image of cloud and DevOps, much less Google.

Cloud architectures and DevOps principles necessitate systems that are lightweight, loosely-coupled and extensible, but security remains siloed, implemented outside the development lifecycle and most often delivered via proprietary, “black-box” products.

This is to say that security is still stuck in the dark ages of enterprise IT. By analogy, security treats IT like a medieval castle: a fortress with thick walls, surrounded by a moat, with a heavily guarded single point of entry and exit. Anything located outside the wall is considered dangerous, while anything located inside the wall is trusted.

This model worked fine in the days of single-server, monolithic applications and well-defined corporate LANs; drop anti-virus on the host and throw up a firewall around the network, and you’re safe! But in the world of cloud, DevOps and mobile where applications are decentralized, deploys are done on the minute and the corporate perimeter has been busted, these legacy approaches are at best ineffective and at worst lead to a full breakdown in security operations.

The reality is that security, like DevOps, cannot be something you simply buy, it must be something you do, encompassing a collection of principles, practices and products.

It holds, then, that today’s security paradigm must be application-centric, developer-driven and built from the inside-out.

Application-centric: Applications are now the lifeblood of businesses, yet application security has traditionally been implemented in pre-production via code analysis and then treated as an extension of endpoint and/or network-based approaches in production. The logic went: if I secure the host, then the app is safe. But in a world of distributed apps that are dynamically scheduled on ephemeral compute building blocks, you likely don’t even know where your app is running, so how can you secure it? Security and policy must be baked into the application. It’s no longer sufficient to secure the network and the endpoint, rather it’s the workload itself that must be secured.

Developer-driven: If security is to be application-centric it must be 1) integrated into the application lifecycle and 2) implemented and managed like programmable infrastructure, which implies that security must scale with your application and your cloud and be open and extensible. Tools like Hashicorp’s Vault offer a glimpse of the future.

Built inside-out, not outside-in: Enterprise security is depicted as having a hard, crunchy shell with a gooey interior, implying that once the perimeter is breached, the attackers have free rein. Building security inside-out necessitates prioritizing a new operational toolchain that enables continuous monitoring and testing, policy-driven controls and fine-grained authorization and access management. Most importantly, it requires a cognitive shift away from prevention and towards control and response.

Correspondingly, based on these design and implementation principles, we’re seeing the emergence of a new breed of products and companies that deliver DevOps-like capabilities — visibility, automation and collaboration — to security operations.


Visibility

For security analysts “you cannot protect what you do not see,” so visibility tools provide a view of your organization’s assets, users and data flow between them in addition to the logical view of all inter-process communication. Through visualization and contextualization of threats across the entire system, the goal is to detect and stop anomalous behavior with higher fidelity. Companies like Illumio, Guardicore, CloudPassage, vArmour and ThreatStack do this for your data center and/or cloud. ProtectWise, DarkTrace and Niara take a network-centric approach, while Prevoty, Contrast Security, tCell and Stackrox are app-centric. Ultimately all are vying to become the Datadog or New Relic of the cyber world.

Automation

Talk to any CISO and they’ll tell you that hiring and retaining qualified security personnel is their greatest challenge. Couple that with the fact that the average large enterprise has deployed anywhere from 50 to 70 disparate security products. The result is that understaffed teams simply cannot keep up with today’s high-velocity, rapidly evolving threat landscape. The only solution becomes to replace humans with machines — to automate and orchestrate systems so that they understand and respond to alerts themselves. Platforms like Phantom, Evident.io, Demisto and Hexadite help with this. Additionally, a new category around testing production environments for weaknesses in a highly automated manner is emerging, with companies like SafeBreach, Verodin and AttackIQ leading the way.

Collaboration

Organizations are waking up to the fact that security can no longer operate in isolation. To effectively thwart, or at the very least mitigate, sophisticated attacks, security analysts, devs and ops must work together and be given a unified data platform to help prioritize and investigate alerts, proactively hunt new threats and provide analytics, audit and reporting capabilities. Companies like JASK, Siemplify, Skybox and stealthy Awake Networks are helping define this new category, dubbed SOAR (Security Operations, Analytics and Reporting) by Gartner.

DevOps ultimately helped align engineering with operations to enable organizations of all sizes to develop better software and thereby bring innovation to market faster. Now, we’re seeing similar practices and tools invade cyber security with the hope of reducing the number of breaches, or at the very least minimizing their blast radius. What this all implies is that we’re at the outset of a new era in security where the companies and products that win will be defined by openness, flexibility, UX and the power of their workflows, not solely by detection algorithms.

DataDog and New Relic are sponsors of The New Stack.
