DevOps a natural fit for cloud security

Close collaboration between development and operations teams can lead to more resilient and secure cloud applications. The challenge is culture, not technology.
Written by Stilgherrian , Contributor

DevOps is pretty much the work of the devil. Why on earth would you let developers -- people who tinker and fiddle and crash things as they struggle to get complex software to work properly -- anywhere near productions systems that need to maintain a bunch of nines of reliability? This fad must die.

At least, that was the core of my thinking, as someone influenced by old-school notions of reliable systems and network administration, until a recent conversation with Dr Nataraj (Raj) Nagaratnam, chief technology officer for IBM's Security Solutions division.

"You're right, I don't think you want developers near your stuff, because they don't know how to operate it, but it is the exchange of knowledge that is critical," Nagaratnam told ZDNet.

"We're used to building stuff and sending it over the wall for the operations team to run it. But in cloud, what is happening is that it becomes a more continuous delivery model, and the linkage between the application development and operations teams is becoming much more integrated," he said.

"As a developer, I don't know what I don't know in operations, and I'm learning [by] working with system administrators. And our operations guys are learning much more about the reason for our business applications, and what we are delivering... If the production system goes down, they know what part of the business it affects and what the criticality is."

It's more of a collaborative model, Nagaratnam said, and the main difficulty they've run into while implementing this model at IBM is not technology, but rather culture.

Developers also need to think about designing layered resilience into every aspect of an application. Applications must be designed to expect failure, and degrade gracefully when it happens.

"I think that mentality is also changing, and needs to change."

Designing a database, say, is now more than just designing its schema. If an application runs a query that returns 1 million records, but only half get delivered before being interrupted by a network glitch, what happens?

"Instead of reloading everything, can the design account for that? That's a development mentality," Nagaratnam said.

"If there is a new feature to be done in the holiday season, they can't wait for the overall process to go through for four weeks. They just don't have the time. [It's] the ability to say, 'Can I incrementally deliver that particular feature in that particular virtual machine, or web front end, or mobile front end? How can I do that, as opposed to thinking the entire IT is a black box?"

On the operations side, operators need to know enough about the internal architecture of an application to know how its moving parts interact to deliver the customer interaction.

If there's a spike in mobile access, say, resulting in a spike in encryption and user authentication load, then the operators need to know enough about the application's business logic to respond.

"They don't need to know all the details -- but the fact that in order to have the quality of service, with the resiliency and security in mind, what is it that they need to do?" Nagaratnam said.

Glen Gooding, director of IBM's Institute of Advanced Security, said that the closer collaboration and layered resilience of this model can lead to better security.

"If the underlying security infrastructure is there, you've got more assurance that your applications will be less prone to any sort of external attack," Gooding told ZDNet.

Finally, this layered approach in the technology stack leads to a layered approach in the way risk is handled -- which also leads to better security.

"CISOs used to need to make the risk call, and what controls need to be put in place for everything, but that's completely changing," he said.

Nagaratnam said CISOs are now telling the business units that they're the ones who understand the data, the application, and the risk appetite, and CISOs are effectively saying: "You tell me what the risk is, I'll tell you what the policies and controls are."

"The line of business has skin in the game... They start to understand the pain of a CISO, and start to figure out how to address security in a better fashion."

"The CISO is no longer the one that is accountable. It starts to be more collaborative... You can either call it decentralised governance, or you can call it more collaborative governance, depending on how we view it."

Collaboration and communication can improve security? Who knew? Maybe DevOps isn't so bad, after all.

Editorial standards