Bill Mann is the CEO of Styra, Inc., the founders of Open Policy Agent (OPA) and leaders in cloud-native authorization.
Security architects are a critical presence in your IT department. If you haven’t already done so, it’s time to give them a seat at the table and a strong voice.
Why? The cybersecurity landscape has changed dramatically over the last several years, and what worked before doesn’t work anymore. Worse, it might seem like it still works. Until it really, really doesn’t.
Let’s break it down:
Traditional cybersecurity used a perimeter-based model. Under this model, apps weren’t built with a lot of independent, integrated security features because they didn’t need to be. They could rely on the perimeter.
Today, the landscape is increasingly cloud-based. In some cases, the perimeter is still in place (think local firewalls), but because cloud-native apps are designed to run anywhere on any server — and be highly connected — perimeter security is no longer the be-all and end-all. And in a lot of cases, there’s no legitimate perimeter at all.
The mobility, agility and flexibility of modern containerized apps gives them tremendous value and makes them well suited to remote workforces. The problems arise when traditional cybersecurity rules are applied to a cloud-native landscape. And the gulf between modern cloud-native apps and traditional security is widening.
Apps are being engineered and deployed in this new landscape, and then — because the apps aren’t limited to a defined, secure perimeter — IT is expected to layer on security later. The security is an afterthought at best or a reactionary move after there has already been a problem.
But there’s a much better plan: Bring in security experts during the design phase and build an app that’s agile and flexible, meets zero-trust goals and is compliant by design.
All this is to say: DevOps needs to become DevSecOps.
Security architecture is an integral and essential element of DevOps, and it can’t be an afterthought. Security controls must be integrated into the DevOps pipeline.
Today, the speed and complexity of app development doesn’t allow for logic errors that need to be troubleshot later. While you’re retrofitting and trying to tack on security features, others who have already shifted to DevSecOps are busy moving forward.
Not only can (and should) security controls be integrated into the DevOps pipeline, but these controls can now be automated. This frees teams up to focus on minimal maintenance and maximized forward progress instead of manual checks and fixes.
Sure, this requires reframing your approach to development. It also requires a bit of a heavier lift upfront. But there’s a lot at stake if you don’t — real infrastructure risk, in real dollars.
Reactive security layers aren’t going to cut it anymore. The only way to fix it is to build apps the right way — and, critically, to give teams the leeway to do just that.
We’re at an inflection point where the importance of security architecture can’t be ignored without consequences. Here is what has led to this point:
• Privacy: After so many public breaches, privacy is more critical than ever. New regulations are attempting to improve security, and more will come as consumers demand data protection.
• New tech: The shift to the cloud started as a way to save money and increase availability. But the technology that supported that move (containers) allows code to run anywhere and allows for controls to be built in new places, including inside the app. Without perimeters, built-in security is both convenient and necessary.
• Open source: Open source is maturing, becoming better-supported and more hardened by increasingly large user communities. That means fewer corner cases, easier integrations, and rampant sharing and expanding of best practices.
• New workforce: New security-minded employees have no experience in the old, perimeter-based world and instead approach challenges with a cloud-first, code-first, software-defined-everything mentality. This new way of thinking leads to innovation in the new tools, further accelerating the shift.
• How we think of workflow and automation: To meet the speed demands of the DevOps-based world, code deployment must be as close to fully automated as possible. Security checks must move at the same pace, requiring them to be automated as well.
How do you shift to DevSecOps? The short answer: Moving forward, security architects must have a louder voice in the organization.
The longer answer:
• Establish ownership: Make it clear to your architects that they have a responsibility for security from the start, and allow them more time to get that right. Depending on the circumstances of your organization, you might need to start by acknowledging that they have long been capable of this and you are coming around.
• Listen to them: Start a dialogue with your architects. Understand the challenges and help teams identify where security can be built broadly into platforms and where it instead needs to be specific to certain services
• Don’t disregard old-school security expertise: While the way data is protected has fundamentally and wholly changed, the threats have not. Understanding how attackers work, how breaches occur and how compliance audits are conducted will inform the next generation of security architects.
Cloud-native apps are more than the wave of the future; they’re largely the way of right now. Build the app right the first time. Your security architects already know how. Listen, and empower them. Give them leeway to do it right.