GUEST OPINION: Keen to speed up innovation and gain a competitive edge, increasing numbers of Australian organisations are turning to cloud-native architectures and DevOps practices. The logic is that this allows faster development cycles and makes it possible to take advantage of new opportunities as they arise.
However, the faster pace of software delivery is putting pressure on IT security. Faced with tight deadlines, developers run the risk of overlooking security altogether, or of prioritising new features at its expense.
Worryingly, according to a survey by Threat Stack, 52% of companies admit to cutting back on security measures to meet business objectives, potentially leaving critical systems vulnerable to exploitation. The usual reason is workload: maintaining security is demanding, and it lands on development teams that are already busy.
One factor adding to that workload is the growing use of Kubernetes as a container-orchestration system. Because it offers flexibility and a consistent, declarative, code-based way of working, Kubernetes has quickly become the platform of choice among developers. That same flexibility brings a lot of configuration that must be got right.
The role of machine identities
When it comes to managing a Kubernetes ecosystem, one key source of risk is the way organisations configure and manage machine identities. Each time a developer spins up a microservice, container or virtual machine for production, it must be given an identity (typically a TLS certificate and private key, or a service-account token) so it can authenticate and communicate securely, and that identity must then be issued, rotated and eventually revoked across its lifecycle.
Increasing use of cloud-based resources is also driving an explosion in the number of machine identities. Without consistent security standards and appropriate tools to manage them, companies risk leaving themselves open to attack through expired, forgotten or over-privileged credentials.
To address this issue, many companies are merging their development and security teams to form a DevSecOps capability. This makes sense in theory, however some are reporting the shift is not yet delivering the anticipated uplift in security.
According to research conducted by Threat Stack, 85% of companies confirm that employing SecOps best practices is an important goal for them, however only 35% say that SecOps is currently an established practice.
Achieving DevSecOps success
To deploy a DevSecOps strategy successfully, four key principles should be followed.
1. Constantly monitor machine identities
With the pace of digital transformation within many organisations increasing, the number of machine identities needing to be managed is on the rise. However, as many security teams are discovering, it is almost impossible to manage large volumes of machine identities manually without leaving security holes: certificates that expire unnoticed, keys that are never rotated, and credentials nobody remembers issuing.
A better approach is to use automation that issues, rotates and continually monitors machine identities. This removes a common cause of incidents in cloud-native workloads (expired, orphaned or mismanaged identities) while allowing organisations to keep up with the speed of modern development and the increased use of cloud resources.
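As an added example (not from the article), this is what handing a machine identity's lifecycle to automation looks like in Kubernetes. It uses cert-manager, one widely used controller for this job; it assumes cert-manager is installed in the cluster and that a ClusterIssuer named `internal-ca` exists. The namespace, workload and issuer names are hypothetical. The point to notice is that lifetime, renewal and key rotation are declared once, so the identity is re-issued on a schedule rather than when someone remembers.

```yaml
# Added example, not code from the article. Assumes cert-manager is
# installed and a ClusterIssuer called "internal-ca" exists (hypothetical).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: checkout-tls
  namespace: payments
spec:
  secretName: checkout-tls            # Secret the controller writes and keeps current
  commonName: checkout.payments.svc
  dnsNames:
    - checkout.payments.svc
    - checkout.payments.svc.cluster.local
  duration: 168h                      # 7-day lifetime: a leaked key is useful for days, not years
  renewBefore: 48h                    # re-issued two days before expiry, with no ticket raised
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always            # fresh private key on every renewal, never reused
  usages:
    - server auth
    - client auth
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
---
# The workload only consumes the Secret; it never handles issuance or renewal.
apiVersion: v1
kind: Pod
metadata:
  name: checkout
  namespace: payments
  labels:
    app: checkout
spec:
  containers:
    - name: checkout
      image: registry.example.com/checkout:1.4.2   # hypothetical image
      volumeMounts:
        - name: tls
          mountPath: /etc/tls
          readOnly: true
  volumes:
    - name: tls
      secret:
        secretName: checkout-tls      # mounts tls.crt, tls.key and ca.crt
```

A practitioner would confirm the automation is actually working rather than trust the manifest: `kubectl get certificate -n payments` should show the certificate as Ready, and `kubectl get secret checkout-tls -n payments -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -enddate` should show a notAfter date that moves forward after each renewal. Alerting on any Certificate that is not Ready, or whose notAfter is closer than its renewBefore window, is the monitoring half of this principle.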
2. Maintain a consistent approach
IT teams within many organisations make the mistake of being inconsistent in how they manage machine identities. Using several different tools and methods to issue and manage identities causes confusion within teams and leaves gaps between them. By clearly defining and communicating a straightforward, repeatable process, teams can ensure machine identities are issued, rotated and retired the same way every time.
3. Achieve organisation-wide visibility
With many IT teams deploying multiple containers every minute during peak periods, maintaining visibility of the entire IT infrastructure becomes difficult. Issues that might be missed include misconfigurations in containers or the underlying Kubernetes infrastructure.
Automation lets teams scan images and running containers at every phase of the pipeline, identify the most common vulnerabilities and misconfigurations, and encode policies that block them before they reach production.
4. Use a strategy of application isolation
To ensure strong security, it is also important to isolate applications from one another. This lowers the impact of any attack by making it less likely that a compromised application can reach other parts of an organisation's IT infrastructure. It also limits the potential for harm when releasing new applications or functionality.
Isolation should be paired with container runtime security. Once a container is in production, put mechanisms in place that detect drift from the state it was deployed in, such as unexpected processes, privilege changes or outbound connections, so the container remains as secure as it was on the day it shipped.
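As an added example (not from the article), the manifests below show what application isolation means in Kubernetes terms: network isolation through a default-deny NetworkPolicy with a narrow allow-list, and process isolation through the pod's security context and Pod Security Admission. The namespace `payments`, the workloads `checkout`, `gateway` and `db`, and the image name are all hypothetical.

```yaml
# Added example, not code from the article. Namespace, labels, ports and
# image are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject privileged pod specs at admission
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  podSelector: {}                      # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]   # no rules listed: all traffic denied unless allowed elsewhere
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkout-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: checkout
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: gateway             # only the gateway may call checkout
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db                  # checkout may only talk to its database...
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # ...and to cluster DNS
      ports:
        - protocol: UDP
          port: 53
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: checkout
  template:
    metadata:
      labels:
        app: checkout
    spec:
      automountServiceAccountToken: false   # no API credential unless the app genuinely needs one
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: checkout
          image: registry.example.com/checkout:1.4.2   # hypothetical; pin by digest in production
          ports:
            - containerPort: 8443
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true     # a compromised process cannot persist changes
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

Two checks matter before relying on this. NetworkPolicy is only enforced if the cluster's network plugin implements it; on a plugin that does not, the policies above apply cleanly and do nothing, so verify by running a pod without the `gateway` label and confirming it cannot reach `checkout:8443`. And the `restricted` label on the namespace rejects non-compliant pods at admission, so apply it to existing namespaces in `warn` or `audit` mode first to see what would break.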
The power of following a DevSecOps strategy
Despite the potentially crippling impact that a cyberattack can have on an organisation, many development teams still see security as something that holds back their progress. Nothing could be further from the truth.
By combining development and security by following a DevSecOps strategy, it’s possible to embed security in the development process. This ensures required measures can be put in place from the outset without slowing down the development pipeline.
Preventing cyberattacks is critical for all organisations, and a DevSecOps strategy is a big step in the right direction.