The Right and Left Brain of DevOps and Security: How to Gain a Meeting of the Minds Instead of a Battle of Wills

Page 1 of 3 next >>

Considering the importance that applications play in operating and/or driving commerce in many organizations, it is no wonder that DevOps is the crucible for these businesses’ long-term health and realization of their roadmap.s In some enterprises—such as Amazon, Airbnb, Netflix, and Uber—the application set is the business. In others, there is more to the business than just the app—but the app plays a critical role to an initiative or process. The monumental significance of apps in either case has required the DevOps team to work with ingenuity, clarity, speed, and deep pragmatism in turning thoughts, ideas, and intended experiences into reality.

DevOps teams serve the needs of the business—typically a business owner or group funding the effort. They set the requirements of what it must do—focusing on capabilities, performance, time-to-deployment, analytics, and other concrete must haves. Making it easy to use and quick to deploy typically requires masking large amounts of complexity and a myriad of backend operations necessary to provide the highest levels of functionality and ease of use. These lofty goals in addition to the high impact of the work have led to the no-holds-barred, unconstrained, and inventive working style. These needs have fostered traits in the DevOps developers akin to a kind of right-brain orientation. Software development becomes a bit of a creative art form that produces innovative approaches that are tried and iterated—discarded if they miss or evolved if they don’t—through a set of releases leading to a production candidate.

For more articles like this, check out the Cyber Security Sourcebook here.

This streamlined approach is elegant, yet potent. The operations side of the house provides the infrastructure on which the applications run and thus the data needed for testing and deployment. It oversees and maintains the applications, the inputs into them, and the security of the data. The operations side is more left-brained—grounded in a focus to enable the application to be deployable, scalable, and maintain stable performance for a variety of foreseen deployment condition scenarios. Both teams report to the business owner, are tied to a funded project, and ultimately aligned in their end goals to produce a working product.

Then there is security. Security is not natively oriented in the flow of the business or customer engagement. Typically, it is a separate corporate IT and/or networking function. The staff is analytical and driven by processes to minimize risk and offer protection from bad actors inside and outside the organization. Additionally, security teams focus on finding the holes that may expose data to possible theft and identify policy violations. Security is very left-brained and sometimes considered the “anti-DevOps” team because its goals are not aligned with those of the business owners funding a particular DevOps project.

To further elaborate on the conflicts, while DevOps embraces creativity, security embraces repeatable, consistent processes. DevOps is driven by speed and progressive accomplishment; security is driven by reduction in risk. Even on the operational side, DevOps wants fast, responsive apps with ease of access, while security favors locking down data and applications, applying layers of mechanisms that slow deployment and possibly performance in order to protect the application and the data it accesses.

Security is the team most likely to address compliance issues and requirements, working with auditors to assure compliance with rules and regulations. Compliance needs to “think global and work local” by considering international markets with regional requirements. Generally, this has as much or more to do with data accessed or generated than the actual coded application. These people read and shudder at the Equifax case study: How their lack of proper InfoSec had allowed a flawed application to access a flawed internal set of processes which led to the complete compromise of all their critical data. The fall-out has been severe, with many losing their jobs, including the CEO and many of the senior staff from its security team. Thus, security is adopting the following mantra: I am the guardian of the keys to our kingdom—or there we go.

Page 1 of 3 next >>