Iain Chidgey, vice president and general manager for EMEA at Delphix, explores the importance of building security into the DevOps movement.
Achieving speed, agility and continuous delivery are big priorities within the enterprise world right now and DevOps is being hailed as the answer. By enabling development and infrastructure to work more closely together (rather than against each other) organisations have a path towards faster and more frequent releases.
However, those responsible for driving software development are increasingly measured on delivery, not security. As a result, hastily developed business applications are more and more likely to leave organisations and consumers exposed to data leakage. As organisations race to embrace the principles of DevOps and continuous delivery by automating routine tasks and making key functionality available through self-service, who is thinking about security?
Chasing data
Companies spend a lot of money securing their production data, but when it comes to non-production it’s often a different story. Even with standards and regulations like PCI DSS, Solvency II and the Data Protection Act in force, it’s quite common to find Personally Identifiable Data (PID) in development and test environments.
A huge blind spot is emerging. The stringent security controls and protocols relied upon to mask sensitive data in production are not being applied to the non-production databases that developers use to create new features or applications. This means non-production environments are quickly becoming the least secure point of entry for savvy cyber criminals. Whether the threat comes from outside hackers or malicious insiders, those who want to steal or leak data will always target the weakest point within IT systems.
Yet that’s not to say there isn’t technology that can help. Data masking, the process of obfuscating or scrambling the data, exists, but it’s a costly and time-consuming exercise. In the race for speed, waiting an extra week to mask your data each time you need a refresh can mean slipping behind the competition. As a workaround, some companies end up using synthetic data. This solves the data privacy issue, but because production data and development or test data no longer match, it’s a fast route to more bugs entering the development process. And bugs mean delays!
Secure Data as a Service
The answer to embedding data security into everyday practice is to insert a new layer into the architecture that automates masking and makes it part of data delivery. This technology is called data virtualisation: instead of taking weekly or monthly snapshots of production data and then manually applying masks, virtual environments are created on demand with masking built in. Developers, testers and analysts can provision, refresh or reset their own data in minutes, and they only ever see the masked data.
But who sets the policy, and who holds the keys to the safe? With secure data delivered as a service, IT has centralised control over all non-production data. It can set the data masking policy and the data retention rules, and decide who has access to the data. More importantly, instead of relying on synthetic data or on duplicates of unmasked copies, organisations can readily extend masked data to any application project environment. This approach allows a centralised view of the organisation’s data and safeguards information for whoever needs it, for whatever project. Whether on-premises, offshore or in the cloud, all data is secured before it ever reaches developers, QA engineers, analysts or other privileged users.
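As an added illustration (not Delphix’s product or the author’s code), the following Python sketch shows a centrally held masking policy applied at the moment a non-production copy is provisioned. It uses keyed HMAC tokens so the same production value masks to the same token in every table, which keeps joins between tables intact, the mismatch the article attributes to synthetic data. The table names, columns, sample rows and key are all constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, List

# Constructed sample "production" rows: a customers table and an orders table
# linked by customer_id. All values are invented for this example.
CUSTOMERS = [
    {"customer_id": 1001, "email": "ann@example.org", "name": "Ann Lee", "country": "UK"},
    {"customer_id": 1002, "email": "bob@example.org", "name": "Bob Ray", "country": "DE"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 42.50},
    {"order_id": 2, "customer_id": 1001, "amount": 9.99},
    {"order_id": 3, "customer_id": 1002, "amount": 120.00},
]

# Masking policy held centrally by IT: which columns of which table are
# sensitive and how each is transformed. Unlisted columns pass through unchanged.
POLICY = {
    "customers": {"customer_id": "token", "email": "email", "name": "token"},
    "orders": {"customer_id": "token"},
}

def _tag(key: bytes, value: str, length: int = 12) -> str:
    # Keyed HMAC: one key always maps the same input to the same output,
    # so foreign keys still line up, but the raw value cannot be recovered
    # without the key, which never leaves the masking service.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]

def mask_value(key: bytes, value, method: str):
    if method == "token":
        return _tag(key, str(value))
    if method == "email":
        # Keep the domain so the column still looks and validates like an email.
        local, _, domain = str(value).partition("@")
        return f"{_tag(key, local, 8)}@{domain}"
    raise ValueError(f"unknown masking method {method!r}")

def mask_table(key: bytes, table: str, rows: List[Dict]) -> List[Dict]:
    rules = POLICY.get(table, {})
    return [{col: mask_value(key, v, rules[col]) if col in rules else v
             for col, v in row.items()} for row in rows]

def provision_masked(key: bytes) -> Dict[str, List[Dict]]:
    # Apply the policy during provisioning, so the copy handed to developers
    # never contains raw production values.
    return {"customers": mask_table(key, "customers", CUSTOMERS),
            "orders": mask_table(key, "orders", ORDERS)}

def orders_join_ok(env: Dict[str, List[Dict]]) -> bool:
    # Referential integrity check: every masked order must still point at a masked customer.
    ids = {c["customer_id"] for c in env["customers"]}
    return all(o["customer_id"] in ids for o in env["orders"])
```

Mixing a masked table with an unmasked one (for instance, refreshing only one of them) breaks the join, which is exactly the kind of inconsistency that a per-environment, policy-driven refresh avoids.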
DevOpsSec
With these processes in place, organisations can also drive a shift in company culture that brings security teams into the DevOps movement. By helping to provide on-demand access to secure data from any point in time, security can enable the speed of innovation that companies require while still remaining compliant.
In turn, this helps organisations realise the promise of breaking down the barriers to deploying fast, failing fast, learning fast and improving fast. Instead of being perceived as a barrier to DevOps, security needs to be seen as an enabler. As developers are pushed to move ever faster, fostering the connection between security, development and infrastructure teams will be critical to mitigating risk and balancing the risk of continuous innovation with its rewards. Developers and operations have already been brought closer together; now it’s time for security to be brought into the fold.