DevOps orchestration tools represent a new risk to the enterprise

Editor's note: After publishing CSO's original story, we asked the two main sources to write first-person accounts of the standing of DevOps in security. You can find the counterpoint here.

What was once a new, exciting, seldom-used methodology is now picking up steam across all industries. DevOps is becoming a preferred software development technique, and automated orchestration tools have become the lifeblood of this mindset. While this shift undoubtedly brings countless perks, it also provides a whole new set of concerns.

Orchestration tools manage configuration and application deployment. They express configuration and deployment steps as code, track every change to that code, and keep the desired state of each system in a central configuration management store, so different developers can work on the same code base with a clear, auditable record of who changed what. They also automate releases, enabling DevOps teams to achieve one of their core goals: continuous delivery.

Essentially, these tools control and automate everything about the software delivery pipeline. Because an automated process runs the same way every time and leaves a record of each run, it reduces governance and compliance risk while giving the whole DevOps toolchain a regular, predictable cadence.

The numbers regarding the use of DevOps and continuous delivery show promise. In fact, a recent survey found that companies that embraced a DevOps methodology increased their speed to market by 20 percent, leading to a 22 percent boost in customers and a 19 percent increase in revenue. Another survey revealed that 52 percent of companies that adopt DevOps methods increased their customer satisfaction and conversion rate, and 38 percent increased their sales.

The cultural aspect of a DevOps team -- a team that's breaking down silos, working together, being flexible, and striving to improve -- is an added bonus. So why hasn't every enterprise adopted this DevOps mindset? The answer: security risks and fear of the unknown.

The risks of trusting DevOps orchestration tools

DevOps methodologies completely disrupt traditional team setups, and implementing automated orchestration tools is sometimes seen as too far of a departure from traditional deployment techniques.

But companies that do embrace these orchestration tools often put too much trust in them. A centralized tool that enforces policy across the whole enterprise is also a single high-value target: an attacker who compromises it, or the credentials that drive it, inherits its authority over every system it manages. At that point they hold the keys to the kingdom. They can push any configuration they want -- altering firewall rules, adding accounts, granting remote access to production systems, extracting data, changing prices, and installing known vulnerable software -- and the tool will faithfully roll those changes out to every host in scope.

Keep in mind that the tools themselves -- Chef, Puppet, Ansible, and the like -- are not the threat. The real threat is failing to identify the risk they concentrate and failing to plan how to reduce it, so DevOps adoption simply needs to be accompanied by a thorough risk analysis.
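One concrete way to act on that risk analysis is to treat orchestration code like any other privileged change and gate it before it is applied. The following is an added example, not code from the original article or from any of the tools named above: a small pre-deployment check that walks an Ansible-style playbook (already parsed, for instance with yaml.safe_load, and embedded here as the equivalent Python structure) and flags tasks that touch exactly the controls listed above. The module names are real Ansible modules; the risk categories, severity rules, the sample playbook and the function names are constructed for this example.

```python
"""Pre-deployment gate for orchestration playbooks (added example).

Flags tasks in an Ansible-style playbook that an attacker controlling the
orchestration tool would reach for: firewall rules, local accounts,
remote-access keys and privileged raw commands. Severity rises when the
task runs with elevated privileges and again when the play targets every
host, because a centralized tool applies such a change fleet-wide.
"""
from dataclasses import dataclass

# Ansible module -> risk category. Module names are real; the category
# mapping is an assumption made for this example.
RISKY_MODULES = {
    "iptables": "firewall",
    "ufw": "firewall",
    "firewalld": "firewall",
    "user": "account",
    "authorized_key": "remote-access",
    "shell": "raw-command",
    "command": "raw-command",
    "raw": "raw-command",
}

# Task keywords that are not module names (subset of Ansible's task keywords).
TASK_KEYWORDS = {
    "name", "become", "become_user", "when", "tags", "register", "loop",
    "with_items", "notify", "changed_when", "failed_when", "ignore_errors",
    "args", "environment", "delegate_to", "vars", "no_log",
}


@dataclass(frozen=True)
class Finding:
    play: str
    task: str
    module: str
    category: str
    severity: str  # "medium", "high" or "critical"


def module_of(task):
    """Return the unqualified module a task invokes, or None if not found.

    Fully qualified names such as ansible.builtin.user are reduced to user.
    """
    for key in task:
        if key in TASK_KEYWORDS:
            continue
        return key.split(".")[-1]
    return None


def audit_playbook(playbook):
    """Return a Finding for every risky task, in playbook order."""
    findings = []
    for play in playbook:
        play_name = play.get("name", "<unnamed play>")
        play_become = bool(play.get("become", False))
        fleet_wide = play.get("hosts") == "all"
        for task in play.get("tasks", []):
            module = module_of(task)
            if module not in RISKY_MODULES:
                continue
            category = RISKY_MODULES[module]
            # A task inherits become from its play unless it overrides it.
            become = bool(task.get("become", play_become))
            severity = "medium"
            if become or category in ("firewall", "remote-access"):
                severity = "high"
            if severity == "high" and fleet_wide:
                severity = "critical"
            findings.append(Finding(play_name, task.get("name", "<unnamed task>"),
                                    module, category, severity))
    return findings


def requires_review(playbook):
    """True if any finding is high or critical, i.e. a human must sign off."""
    return any(f.severity in ("high", "critical") for f in audit_playbook(playbook))


# Constructed sample playbook: one benign package install, one firewall
# change, one new sudo-capable account, and a fleet-wide root SSH key.
SAMPLE_PLAYBOOK = [
    {
        "name": "Deploy web app",
        "hosts": "webservers",
        "become": True,
        "tasks": [
            {"name": "Install nginx", "apt": {"name": "nginx", "state": "present"}},
            {"name": "Open SSH to the world", "ufw": {"rule": "allow", "port": "22", "proto": "tcp"}},
            {"name": "Add operator account", "ansible.builtin.user": {"name": "ops2", "groups": "sudo"}},
        ],
    },
    {
        "name": "Fleet-wide key rollout",
        "hosts": "all",
        "tasks": [
            {"name": "Authorize key for root",
             "authorized_key": {"user": "root", "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample example"}},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_playbook(SAMPLE_PLAYBOOK):
        print(f"[{f.severity}] {f.play} / {f.task}: {f.module} ({f.category})")
    print("manual review required:", requires_review(SAMPLE_PLAYBOOK))
```

Run as a hook in the pipeline (for example before the orchestration tool is allowed to apply a change), the check does not stop anyone from managing firewalls or accounts; it makes those changes visible and routes the high-impact ones to a reviewer instead of letting a single automated run push them to every host.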

How to safely implement these tools

A DevOps attitude tends to focus on the benefits and to leave information security risks unexamined. Security is mostly treated as a speed bump while the main focus remains on getting products out the door. But overlooking security isn't the best plan.

While orchestration tools are huge business enablers, it's crucial to devise a security strategy and designate a team to oversee that practice.

Here are four key topics to cover when coming up with your security plan:

A DevOps mindset paired with automated orchestration tools is a double-edged sword. While this methodology is widely viewed and implemented as a way to simplify deployment and reduce traditional security risks, it also brings a whole new set of risks with it. Although this methodology can greatly help enterprises thrive, it should never be adopted without conducting a proper risk analysis.

Andrew Storms is the vice president of security services at New Context, a systems architecture firm founded to optimize, secure, and scale enterprises. Andrew has been leading IT, security, and compliance teams for the past two decades. Previously, he was the senior director of DevOps for CloudPassage and the director of security operations for nCircle (acquired by Tripwire).
