Security automation should help topple the IT silos

Security measures should not be a tail-end afterthought in development

Over the years, IT departments' development, operations and security teams grew so far apart that it was easy to forget they were all working towards a common goal – to make sure IT delivered what the business needed as quickly, efficiently and securely as possible.

Each of these three critical IT areas knuckled down to its own challenges without much heed to what the other two were up to. Developers thought little about infrastructure beyond how it affected their ability to roll out applications. Meanwhile, operations staff thought of little else – but too often without considering the impact of infrastructure provisioning processes on development teams' agility.

Security and compliance measures were generally only considered at the tail-end of the development process, by which point risky practices could have already been baked into the architecture.

This typically resulted in the need for after-the-fact fixes and controls, which only cemented security teams' reputation as "the people who always say no". The result was yet further entrenchment of the silos, with developers reluctant to share information with security and operations teams which, to their mind, only served to slow them down.

DevOps emerges

But in the last five years an increasing number of IT organisations have embraced a movement known as DevOps, which aims to foster collaboration among development and operations teams, break down the old silos and make use of automation to increase agility, efficiency and security hand in hand.

Rather than viewing their roles as isolated technical disciplines, DevOps advocates shared strategic business goals as their starting points – and collaboration from the outset – in order to reach them in the most efficient way possible. As Steve Hall noted in this blog post in January 2014: "Business people completely understand 'release my product faster', 'time to market' and 'make more money', which are some of the outcomes that DevOps pontificates on."

In other words, the movement brings to the fore the common aims of the different technical areas to improve business outcomes and boost revenues.

Major benefits

The benefits of such an approach can be startling, as illustrated by this 2009 talk from Flickr's John Allspaw and Paul Hammond, where co-operation between dev and ops teams enabled the company to boost agility significantly, allowing it to complete ten or more deployments every day.

That was in the early days of DevOps. Now, the movement is marching towards critical mass. The increased agility, greater efficiency and substantial security improvements it can deliver are being talked, written and tweeted about with increasing frequency and in ever greater detail.

Security teams, too, need to embrace DevOps - indeed they can be a major catalyst for its success. Specifically, the use of security automation tools can ensure that security is woven into dev and ops processes from the outset, doing away with the need to bolt on controls later.

As Steve Hall writes: "If you're an infosec leader, a good bet is to align yourself to the DevOps initiative (or spearhead it yourself for that matter) and help the business understand the value of security in a way that doesn't measure things by number of incidents, time lapse from vulnerability to patch, or compliance score."

Speed of delivery

Why is this so important? Because, in an increasing number of sectors, the speed with which IT can deliver new applications and services is becoming ever more critical to organisations' continued success.

Manual, piecemeal implementation of security and compliance controls not only significantly slows down development and increases the risk of error, but also means security teams are forever stuck in reactive mode – there's simply no time or resources to step back and think about how the different teams can better work together to meet the needs of the business in what is an ever-more competitive landscape.

By automating, you simultaneously reduce the risk of errors creeping in, free up resources to focus on more value-adding activities, and improve the agility of the business. At the same time, you visibly demonstrate the benefits of bringing the former silos closer together, and of not being afraid to do things differently.

Cultural shift

But technology is only part of the answer. Breaking down silos requires cultural shifts that don't happen overnight. This does not mean security teams need to become experts in agile development, or that developers need to become network security experts. In fact, even a basic understanding of the business impact of the different areas should create the common ground needed to move towards a more collaborative model.

Perhaps the best way to get started is to make sure dev, ops, and security people start talking to one another – literally – every week, no matter what. Based on our customers' experience, a few quick wins are all that's needed to get the ball rolling. Once people experience the upside for themselves, the silos will start to crumble.

  • Reuven Harrison is CTO and co-founder of network security company Tufin. He has more than 20 years of software development experience, holding two key senior developer positions at Check Point Software, as well as other key positions at Capsule Technologies and ECS.