How can we ensure the security of our services in the new era of DevOps requirements?

Source: Internet
Author: User

Editor's note: Today's traditional security strategies clearly cannot support the agility that a DevOps environment requires. So how does a decision-maker achieve both DevOps speed and security? This article is a translation of the DZone article "Security Breaks DevOps - Here's How to Fix It", compiled by OneAPM engineers.

Concepts such as communication, collaboration, abstraction, automation, and process are now the foundation of fast DevOps operations. At the same time, with the rise of virtual infrastructure and IaaS (infrastructure as a service), manual configuration and management is no longer viable: it consumes too much time and too many resources. Out of this demand, a new generation of DevOps methodologies and tools has emerged that makes DevOps more agile and efficient, and so enables a faster response to the business.

Within this trend, the security team and the DevOps team run into the same problem: manual configuration and manual security operations in IaaS are no longer feasible, because human intervention cannot keep up with the rate of change. The best solution currently on the market is to use application performance management tools; top APM vendors at home and abroad, such as New Relic, AppDynamics and OneAPM, can help operators achieve highly automated operations and maintenance management.

Security policies based on static parameters, and security policies that are configured manually, take a significant amount of time before they can be put into production; this affects the quality of a service's release, increases the risk of errors, and slows down the DevOps cycle. However, if you rashly choose a DevOps process tool to provide security policy, the lack of core controls in such tools and their inability to integrate with other security infrastructure pose a significant risk to your business.

To address this challenge, IT and security teams should adopt platforms and process tools that match the agility requirements of DevOps. During selection, the decision-maker should therefore keep the following points in mind:

**Built-in automation.** Security automation means that all operations, including firewall policies, vulnerability scanning configuration, intrusion detection, multi-factor authentication and more, can be deployed and managed without human intervention. The most popular form is undoubtedly whole-lifecycle automation, where the decisions for a given environment are set once and then applied automatically throughout the lifecycle, from deployment to decommissioning. Automated collection of audit and operational data is also critical, especially for infrastructure components with short running cycles: even ephemeral resources need to be within the scope of the audit, even if they are no longer running when the audit takes place. Well-implemented automation allows security organizations to use dynamic infrastructure models that keep pace with changes in scale and speed. At the same time, tools need to generate accurate and effective security policies automatically, eliminating human error.

**Security orchestration.** A platform with security orchestration requires centralized management of composition and deployment, consolidating the management of independent control components into a complex, service-oriented security system. Because it consolidates multiple independent controls into one larger system, security orchestration can be considered a higher-level function. In many implementations, orchestration also addresses other security resource-consumption issues such as licensing, metrics and fallback, which matter in service-oriented cloud computing and software-defined infrastructure environments.

**Immediate visibility and continuous enforcement at service runtime.** The public cloud has no natural perimeter or network segmentation, which leaves user servers exposed. In the private cloud, malicious east-west traffic cannot be discovered by perimeter detection tools, which is also a significant threat. You therefore need to choose a platform that extends network security to your workloads, and the solution should be on-demand and easy to deploy. Many of these platforms use an agent-based approach, so make sure the agent is very lightweight: it must not drag down the virtual server or affect the workload, and it should integrate easily with the DevOps continuous deployment model. The agent can be deployed either programmatically through a process tool or manually. Finally, for greater agility, the agent needs to support hot deployment.

**Flexible policy definition.** In addition to static network parameter configuration, the security policy in a new security platform needs to be defined in terms of application logic, so that newly deployed applications are protected automatically and the inherent limitations of traditional network security tools are overcome.

**Focus on security in each phase.** DevOps has a number of different phases, many of which run on different cloud services and different virtual architectures, which leaves opportunities for attackers. You therefore need to refine the security policies at each stage to eliminate the security risks. Equally important, the development team needs to be aware of how important security is to the application, so security decisions should be considered early on.

**Use a tiered approach.** The platform needs to provide layered security policies in the DevOps model, not just a firewall. From a process perspective, integrating different functions from multiple vendors is a great challenge. Therefore, make sure that file integrity monitoring, security configuration monitoring, strong access control, vulnerability management and similar functions are integrated into one platform and cover all systems across the lifecycle.

**Seamless integration with process tools.** Ensure that the chosen security platform integrates seamlessly with the process tools already in use, since switching between tools clearly reduces efficiency, creates a risk of errors, and lowers overall system security.

Therefore, choose process tools and security solutions carefully to create an efficient, collaborative DevOps environment. OneAPM is the first company in the world to provide performance management products simultaneously at the system service layer, application layer, user experience layer and business transaction layer; with real user experience management and code-level application performance at its core, it can help operations staff detect and resolve application performance and usability problems as early as possible.

OneAPM can help IT operations staff with fault warning and localization, reduce their business system maintenance workload, give them a full real-time picture of application performance, ensure business continuity, and ultimately quantify the business value of IT operations by providing traceable performance data.

Original address: Security Breaks DevOps - Here's How to Fix It

OneAPM is an emerging leader in application performance management, enabling enterprise users and developers to easily locate slow program code and capture SQL statements in real time. To read more technical articles, please visit the OneAPM official blog.

Copyright notice: This article is the blog owner's original work and may not be reproduced without the owner's permission.
