The traditional role of the IT security professional in the past largely involved drafting and implementing policies and best practices, as well as managing security-vulnerability detection and remediation. Interaction with developers was usually relegated to the post-deployment stages of software development.
But in this new age of DevOps, security practices have evolved, especially for cloud native security. Many of the differences can be attributed to how software development underpins DevOps processes. Consequently, security team members have become more development focused and should play a role throughout the entire production pipeline (think of it as part of a shift to the left in CI/CD).
In this edition of The New Stack Makers podcast recorded live at Palo Alto Networks’ studio in Santa Clara, CA, how security practices have evolved and changed are discussed. The guests were:
- Ben Bernstein, senior vice president of product and engineering at Palo Alto Networks.
- Matt Chiodi, chief security officer of Public Cloud at Palo Alto Networks.
- Xiaobo Long, senior vice president of cloud security at Citibank.
The New Stack Publisher Alex Williams hosted this episode.
In many ways, the evolution of the role of the security professional for cloud native environments is part of the change. In that respect, security, as well as DevOps, is about culture, and thus, people.
“The DevOps movement enabled not just a digital transformation on the business side,” but digital transformation also “transformed the processes and the things that people do to deploy software and to build software. New programming languages that were previously dictated by the company are now available to everyone,” Bernstein said. “So, it’s all about the people and giving them the ability to choose the best tools for themselves and security has traditionally not been that way. And what you can see is that for us as a security company, it’s very important to empower the people to not only make the right security decision but also give them a set of wide range of capabilities to pick and choose what they think is most important.”
Another result of the DevOps movement is, as mentioned above, organizations have become more software development-centric, reflecting the common adage often touted today that “all companies today are software companies.”
“The power has shifted as we look at how things have changed over the last decade at most corporations. A lot of times that power sat with the IT teams and the security teams, but with this whole move over the last decade to DevOps, what we’ve seen is developers now have that control,” Chiodi said. “And so I think when we talk about what excellence looks like, it really is that organizations that are doing this well are organizations that really start to focus first on standards, and from a security perspective, making sure that those standards are baked in as part of development processes. The organizations that get that right, are able to scale very well.”
At Citibank, for example, cloud securities engineering involves delivering security as a service for developers on the business side who are, in turn, developing applications for consumer and investment banking, Long said. “So, it’s like working for a hotel and deliver services to our guests — there are some similarities, because like any services, excellence of service is provided…and can be accomplished by delivering the services quickly with high quality,” Long said. “The services we deliver have to be easy to request, and easy to consume as well.”
For more insight from security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to learn from the experience and expertise of developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Prisma, from Palo Alto Networks, in partnership with The New Stack, you can still virtually attend this event held Feb. 11, 2020, for a full day of discussions about cloud native security — brought to you online wherever you may be.