This is the first in a blog series that will focus on all phases of security delivery: design, dev/build, test, deploy, operate and learn. 

Many organizations are facing new cybersecurity concerns as they look to accelerate their digital transformations for themselves and their customers. At the same time, information technology (IT) and operations are being challenged to unite and innovate to meet their enterprise’s digital objectives.

Often, the company’s desire to accelerate and the security team’s need to protect the organization cause friction that slows progress. The way many enterprises deliver cybersecurity, in the form of processes, decision-making and experiences, is not keeping up with the rate, pace and speed of their own transformation.

The CISO Dilemma

Chief information security officers (CISOs) have a responsibility to protect their enterprise. Typically, they do so by establishing battle-tested policies, standards and services that become governance models. This results in an operating model that attempts to balance the tendency of prioritizing speed to market with risk and security. Cybersecurity teams want to become enablers of innovation instead of being seen as an obstacle or barrier. However, to facilitate transformation, they themselves must transform in addition to helping others adopt a security-aware culture.

Secure Software Delivery in the Cloud

The legacy apps of yesteryear look different from their modern cloud-native counterparts. Bare metal or virtual machines managed by a hypervisor, organized into three-tier applications (web server, web application and database), have been the norm for decades. We still see this pattern with clients today, but that stronghold is giving way to cloud-native applications.

Cloud-native apps are the result of the steady march of commoditization and open-source racing up the solution stack — operating systems (Linux), cloud computing, software-defined networks and, most recently, containers. Even interface approaches have become commoditized (think application programming interfaces). The very definition of the word “application” is evolving. The monolith of the past is now broken down into a collection of microservices that are containerized and managed by Kubernetes (k8s).

With fundamental changes in the architecture and the current structuring of applications, security concerns are also evolving:

  • Deterrent, preventative, detective and corrective controls are applied differently in the cloud-native model.
  • Attack surfaces are different (images, namespaces and service accounts don’t exist in the heritage compute models of the past).
  • Attack surfaces are larger in number (microservices inherently have more inter-service communication than their monolithic counterparts).
  • Attack surfaces are ephemeral (scale-to-zero and dynamic-scaling capabilities can expose vulnerabilities that may be gone before periodic scans and audits detect them).

Extend DevOps to Include Security

Before the prevalence of DevOps, security teams were typically engaged for reviews late in a project, offering guidance just before applications were pushed into production. Security was considered only toward the end of the development process, causing delays if issues were identified. This resulted in more substantial costs to remediate. 

The original intent of DevOps was to bring together two disparate delivery stakeholders early in the lifecycle: development and operations. Why stop there?

Including IT security early as a third key stakeholder can not only prevent production delays but also change the perception that the security team is “the team of no.” It can transform the relationship with security into a powerful ally. 

Clearly, when it comes to security, inclusiveness has a positive impact. This has given rise to trendsetting terms like DevSecOps, which places a focus on addressing security in the delivery process. With this approach, security is not just a trend; it is a bedrock of responsible enterprise delivery.

Security as the Fabric of Software Delivery

A Framework for Secure DevOps

The Modern DevOps Manifesto by Andrea C. Crawford and the IBM Garage lists some key concepts to apply to end-to-end secure software delivery. The first theme, “everything is code,” opens opportunities to ingrain security and secure practices deeper into the enterprise — images, k8s cluster configurations, application configurations and even pipelines themselves.

Coded assets will need to be established as “trusted” resources. Good candidates are those constructs that are shared across the enterprise. An example is treating container images, application templates, role-based access control policies and cluster configurations as “trusted” resources that warrant their own governance and pipeline, as well as clearly defined personas that manage those resources. Larger enterprises might consider badging and internal certifications for new roles like image engineers, cluster engineers, pipeline engineers and so on. 

Organizations can amp up the separation of duties with Zero Trust and the principle of least privilege. As new roles and personas are defined, they should receive just enough access to trusted resources to get their jobs done, thereby mitigating risk and limiting exposure. Depending on the industry and regional compliance environment, this could mean different access and responsibilities for one role. Highly regulated enterprises might not allow a developer of an application to also be an image engineer, due to the risk of having too much influence on an app stack.
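As an added example (not from the original post), the Kubernetes RBAC manifests below model the separation of duties just described: the first binding is the weak setting, the rest is the least-privilege version in which app developers manage workloads only in their team namespace and only the image-engineer persona can touch the trusted image pipeline. All group names and namespaces (app-developers, image-engineers, team-payments, trusted-images) are assumed for illustration.

```yaml
# Weak setting: one binding hands every developer cluster-admin, so an app
# developer can also alter images, pipelines and cluster configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-are-admins   # anti-pattern, shown for contrast only
subjects:
- kind: Group
  name: app-developers          # assumed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Least privilege: developers get only the verbs they need, only on
# workload resources, only in their own team namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-developer
  namespace: team-payments      # assumed team namespace
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-developers
  namespace: team-payments
subjects:
- kind: Group
  name: app-developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-developer
  apiGroup: rbac.authorization.k8s.io
---
# Separation of duties: the trusted image pipeline lives in its own namespace
# and only image engineers are bound there; app-developers have no binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: image-engineers
  namespace: trusted-images     # assumed namespace for image builds
subjects:
- kind: Group
  name: image-engineers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                    # built-in namespaced edit role
  apiGroup: rbac.authorization.k8s.io
```

With the weak binding removed, `kubectl auth can-i create deployments -n trusted-images --as dev1 --as-group app-developers` should answer `no`, which is the check to keep in the pipeline that governs these manifests.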

The next entry in this series will explore how security should be infused early into the application design and delivery process.
