The new face of security in the world of DevOps
I attended the “AWS Security Meetup” here in Melbourne (and streamed across Australia) today.
One of the two talks for the meet up was from Bill Shinn (Principal Security Solution Architect, Amazon Web Services) with the title “AWS Security & Security Optimism”. Bill spoke about the security culture within AWS and his vision of what security should become in this world of DevOps/DevSecOps.
Traditional IT and Security relationship
Bill spoke about the general impression that most organisations have of security in a traditional IT world. The relationship between security and the rest of IT was depicted by the following image. I will let you decide who the kangaroo is in the relationship.
The relationship could clearly be a lot better, if the gloves were taken off to start with.
Security in the world of DevOps
In the world of automation, DevOps, auto-scaling, auto-healing and shift-left, security must grow and produce results at the same speed as the code being deployed into production.
At one end of the spectrum, there are organisations that are risk-averse and prefer manual intervention to deploy code into their cloud platforms. At the other end, developers write a new piece of code and push it for peer review; once it is reviewed and the build is approved by the manager, the code is automatically deployed into production.
“developers and auditors don’t drink beer enough together.”
There is a disconnect between the vocabulary of security and that of developers — “audit actions that access PII” vs “someone who writes in Python or Java”.
As security professionals, it is our responsibility to bridge that gap and train our developer and operations colleagues on how they can understand and achieve control objectives. Security should be for everyone and not a specialised skill that only a select few know about.
As security professionals in this brave new world of DevOps, we should walk with an optimistic smile on our faces, and why not? We are seeing a new world where
- acquiring access to a new server does not take more than 2 minutes
- experimenting with a new security product is as easy as launching the vendor's Amazon Machine Image (AMI) from the AWS Marketplace
I present to you the new face of security in the world of DevOps.
In summary, the key takeaways for me from the talk were:
- Security should be the optimistic face of the organisation in this new world of DevOps
- Shift the security incident response to the product team with security as the overall owner.
- AWS internally uses EC2 instances and all the services that are publicly available on AWS. They face the same challenges as a lot of other AWS customers trying to implement security, monitoring and log intelligence across 10000 AWS accounts and petabytes of logging data.
- Security and developers should talk more often, to translate security control objectives into developer vocabulary