Enterprises are increasingly using hybrid environments, but this move can come with risks and challenges especially for organizations adopting DevOps. How can hybrid cloud security fit naturally into development processes?
Enterprises are harnessing hybrid cloud technologies toward digital transformation: the integration of flexibility, agility, and unique cultural shifts into business processes to enrich customer and stakeholder experience. In fact, it’s projected that by 2020, 90 percent of organizations will be adopting or using hybrid cloud infrastructures and services. Indeed, the hybrid cloud enables businesses to portably manage workload requirements by using public cloud platforms to run applications while using the resources of private cloud infrastructures to manage the data needed to run the applications.
Hybrid cloud security accordingly has unique requirements. And given how the hybrid cloud enables workloads to be run on different platforms and environments — from on-premises to private and public infrastructures — traditional and defined security will fall short. Also, with the adoption of containers and microservices, securing workloads can be seemingly complicated.
For enterprises adopting DevOps, it can be especially challenging to incorporate security into an approach that focuses on rapid development and delivery. While it helps meet tight timetables, DevOps can also run the risk of overlooking security.
What are the barriers that enterprises need to overcome when implementing security in the DevOps pipeline? What challenges do security teams contend with in using the hybrid cloud, and how can they be addressed?
Today’s threat landscape can be a challenge for enterprises.
In the first half of 2018 alone, 47 new cryptocurrency-mining malware families and 118 new ransomware families were already seen. Threats are also diversifying into infrastructures that are critical to enterprises, from web servers and application development platforms to mobile devices. In 2017, for instance, the Erebus Linux ransomware hit a South Korean web development company and affected 153 Linux servers and more than 3,400 businesses. The impact: over US$1 million in losses as well as damaged reputation and a costly remediation process.
Indeed, workloads require a security strategy that can navigate today’s evolving and ever-increasing threats. For security teams, exposure to vulnerabilities and threats translates to adverse impact to their organizations’ bottom lines. The impact is exacerbated when stacked up with stringent compliance requirements, such as the implementation of privacy by design as mandated by the European Union (EU) General Data Protection and Regulation (GDPR).
For enterprises already adopting DevOps, an unsecure or vulnerable application or software can mean wasted resources, as they have to constantly rework and rebuild them to meet security and compliance requirements. Integrating security early into the development life cycle significantly reduces disruptions while helping IT and DevOps teams address security gaps or misconfigurations faster.
Defense-in-depth security capabilities that have visibility across the application or software’s life cycle — from predeployment to runtime. For example, security mechanisms such as intrusion detection and prevention systems (IDS/IPS) and firewalls help thwart network-based threats and exploits, while application control deters anomalous executables and scripts from running. In fact, it’s projected that by 2022, application control will be employed in 60 percent of server workloads. For DevOps teams, baking in security into the development life cycle means security as code. This can be achieved through scalable application programming interfaces (APIs) and scripts designed with security from the first build in order to minimize superfluous work.
Siloed security can create unnecessary complexities and bottlenecks.
It's projected that by 2020, more than 90 percent of enterprises will be employing a multi-cloud strategy (i.e., using multiple cloud services) for their workloads. And despite the increasing popularity of containers (e.g., Docker) in application development, organizations still use other virtualization technologies and computing platforms, like on-premises or physical software and servers, virtual machines, and even serverless infrastructures. Many enterprises actually still use a combination of traditional and cloud-based services for their operations — from networking and storage and data centers to software. Surveyed organizations in 2018, for instance, used an average of 16 software-as-a-service (SaaS) applications in the workplace. Developers, too, take into account the various environments where the applications they create are deployed. The hybrid cloud itself exemplifies the best of both worlds: using and orchestrating private and public cloud environments to host or run workloads.
Indeed, a challenge for many organizations is incorporating security across these multiple computing platforms. IT teams have to juggle different and incompatible security tools, which unnecessarily create convolution in their management. This unwanted complexity can also mean higher overhead in that it can slow down incident response, as siloed and disparate platforms will drive security teams to manually monitor each of them. This, in turn, creates bottlenecks in incident and compliance reporting. From a DevOps perspective, siloed teams (and tools) create blind spots, as security may tend to be neglected (such as overlooking vulnerabilities in the code) as they rush to deploy applications faster.
An effective security strategy ensures visibility into the applications and their underlying infrastructures, consistency in their security, and adaptability across various environments. Visibility across multiple cloud environments is a major concern for enterprises: It gives organizations governance over the underlying infrastructures or platforms that they use to host, run, and manage their workloads. In turn, security teams can streamline the processes for audits, compliance reporting, and risk management. Security tools should be easily integrated across various computing environments but must be also purpose-built for the platform on which DevOps teams create and deploy their applications.
Security is seen as a roadblock and causes friction with the need for agility.
Automation is not just a buzzword: It’s become a necessity for many organizations as they further streamline their workload processes to keep pace with a constantly changing technology landscape. A more tangible example of this is how hybrid cloud environments, through containers and other microservices, empower enterprises with the scalability needed to deploy and monitor servers or applications. And when thousands of these servers or applications need to be concurrently run or configured, automation becomes vital. In DevOps, automation means ensuring consistency through optimized and iterative processes, enabling companies to deploy applications faster.
However, as organizations focus on deploying applications as fast as possible, particularly those adopting DevOps, security is being misconstrued as something that can slow down the development life cycle. A perceived lack of adoption of security can be ascribed to how it is sometimes misconceived as a roadblock. The lack of automation-enabling tools and how security could disrupt business operations could also be driving factors for not implementing automation in security. As businesses try to meet time-to-market deadlines, security becomes an afterthought (or may even be circumvented). A case in point is the notorious Equifax data breach, which was caused by a vulnerability in the company’s web application software that reportedly took Equifax two months (from when the vulnerability was first disclosed) to fix.
Automated security tools enable organizations to integrate security into the DevOps process and toolchain (orchestration, monitoring, continuous delivery, and IT service management). This helps ensure that security is adopted throughout the development life cycle without causing unnecessary friction between development and operations teams. For DevOps teams, automated security helps accelerate life cycles while also alleviating the burden of manually testing the application for vulnerabilities or threats. It’s thus unsurprising that 59 percent of surveyed organizations are automating security into their DevOps processes.
Addressing security in hybrid cloud environments
The hybrid cloud provides organizations with agility and efficiency while also reducing costs. But leaving them exposed to threats can have adverse ramifications to an organization’s bottom line, which is why securing them is of great importance. Fortunately, organizations are increasingly realizing this: It is projected that by 2019, 70 percent of enterprise DevOps initiatives will integrate automated security as well as vulnerability and configuration scanning for application packages.
While incorporating security and implementing best practices into workload processes and development life cycles can be a daunting challenge, it can empower enterprises to be more resilient against threats while keeping pace with the need to innovate.
Some of the Trend Micro Hybrid Cloud Security solution’s protection capabilities at work
These solutions enable organizations to focus on security and compliance while still moving in the agile and adaptable world of DevOps. They also reduce the number of security tools needed with multiple security capabilities and a single dashboard to give you full visibility into leading environments like Amazon Web Services, Docker, Microsoft Azure, and VMware. The Trend Micro Deep Security solution lowers the cost and complexity of securing workloads across multiple environments, including automated deployment, extensive API integration, and security capabilities that can virtually shield servers from the latest advanced threats.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).