How security can add value to DevOps
Gene Kim, award-winning entrepreneur, researcher and founder of security firm Tripwire, walks us through his vision.
March 06, 2012 — CSO — While cloud computing and agile development and management processes are shaking the very foundations of the traditional IT department, it's important that organizations embrace these disciplines securely. With that in mind, we recently sat down with Gene Kim, award-winning entrepreneur, researcher and founder and former CTO of security firm Tripwire. Kim is also co-author of the books "Visible Ops" and "Visible Ops Security" -- which codify how organizations make their IT transformation from "good to great." In this interview we focus on the benefits of adding Rugged development principles to the DevOps IT organization.
CSOonline: What do you mean by "Rugged" DevOps?
Kim: There's a movement afoot that's called DevOps. It started in 2009 at the Velocity Conference where the VPs at Flickr came on stage and said "We are routinely doing 10 deploys a day." The status quo at the time was nine-month cycles or an annual cycle -- or maybe a monthly cycle -- and these guys basically said, "We've been doing deploys at a rate 1,000 times faster than ever considered before by breaking down the silos in the IT organization into DevOps." Think of the business value when you can deploy features 10 times a day, and your competitors can only deploy once a month or even once a year. You have an enormous, inherent competitive advantage.
So, the world's gotten a lot faster since then. In fact, Amazon has gone on record saying they are now doing 1,000 deploys a day. So it's just breathtaking what's going on with DevOps and with cloud. That was a holy crap moment for me. Cloud isn't just outsourcing, it is something profoundly different that enables what you can do without. They're just shutting down data centers. It's just a profoundly different shape of IT.
CSOonline: What does this mean for the IT security practitioner?
Kim: The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how infosec is currently configured that they can keep up with that. So, infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.
We have evangelized at the 2012 RSA conference something called Rugged DevOps. But let's step back a moment. I've been working on a book called "The DevOps Cookbook" about how you do these types of transformations. And what we're suggesting here is -- not only are we codifying what Dev and Ops do together to get these incredible results -- but what is infosec's role in this? Where are they adding value to Dev, to Ops, to QA, to project management, to product management? Where are they helping secure code and an environment that can be relied upon to be stable, securable, durable, and scalable? So we're just turning security into one of the qualities that Dev and Ops should be working on together. This is really changing how work is done so radically for Dev and Operations that one of the biggest beneficiaries is security because, now, if we can figure out how to automate the tests we can actually integrate all the testing into the development process; we can help operations harden environments for the code to deploy into -- not only Dev -- and not have to wait for security to take a month to review the code.