Click to learn more about author Yaniv Yehuda.
A common fear that I hear from organizations in the process of adopting DevOps is that they are putting their IT security at risk. Many fear that continuous processes, automated testing, and rapid releases compromise code security. DevOps and security personnel have seemingly opposite objectives: DevOps wants to rapidly develop and deploy software, while security personnel want to mitigate and manage risk by thoroughly checking the software for any point that could be breached. How these teams will work together is a question that has been at the forefront of the DevOps conversation since its inception.
I believe that contrary to this stigma, DevOps has the potential to significantly help IT security, but only if the database is integrated into the DevOps tool chain.
The Relationship Between DevOps and Security
I understand that for those who are still on the fence about DevOps, what concerns them the most is the transition itself. If not done right, it could expose several vulnerabilities along the tool chain. But there have already been a significant number of organizations, of all different sizes, that have successfully made the transition. Industry experts have also embraced the idea.
“There’s a perception that with DevOps, speed is achieved by cutting corners and skipping important steps, that it’s uncontrolled,” Forrester analyst Kurt Bittner told CIO.com. “The exact opposite is true; it’s a very controlled, very structured environment. Doing DevOps right gives you higher quality, better visibility and speed, as opposed to achieving speed by cutting corners.”
DevOps not only allows development and business operations teams to come together at an earlier point in the development process, but it also gives security a chance to get involved earlier in development than it would with a waterfall process. The alignment of these three teams allows organizations to consistently release quality, glitch-free applications.
Why DevOps Needs to Include the Database
The earlier the IT security team can identify a bug or vulnerability in the code, the better. There is no better place to do that than the database. When done correctly, code is much more likely to be error-free when it reaches the final stages of production. For example, with database source control, controlling changes to database objects at both the account level and the domain group level makes it easy to define a database change policy. This prevents undocumented database changes, controls who can do what, and records what they did, when they did it, and why they did it.
While DevOps is defined as a “culture of collaboration,” it is not complete without the inclusion of the DBA and the database. DevOps for the database provides a more secure workflow, from development through operations. Managing source code, tasks, configurations, and deployments is incomplete if the database is the weak link. Using specialized database tools such as enforced database source control, database build automation tools, and database verification processes will help ensure the database is a stable and secure resource in the DevOps chain.
Implementing database source control allows for quick, error-free application release, which satisfies the DevOps teams, and gives the security team an in-depth understanding of how the database code was modified. Security can see who made (or attempted to make) changes to the database, what specific changes were made, when changes took place, and why these changes were made. With DevOps for the database, the administrator has the ability to grant very granular access settings, a dream scenario for IT security teams. Users, based on their role and responsibilities, can be granted permission to change only certain parts of each database or schema, regardless of what login credentials they use to connect to that database, preserving the security of the database within DevOps.
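The change policy and audit trail described in this section can be sketched as a small gate in front of database changes. This is an added example, not code from any database source control product; the role names, policy table, and requests are constructed, and the gate authorizes on the user's role rather than on the shared login used to connect.

```python
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical policy: role -> (schema pattern, object-type pattern, allowed actions).
POLICY = {
    "billing_dev": [("billing", "PROCEDURE", {"CREATE", "ALTER"})],
    "dba": [("*", "*", {"CREATE", "ALTER", "DROP"})],
}

@dataclass(frozen=True)
class ChangeRequest:
    user: str         # the individual making the change ("who")
    db_login: str     # credential used to connect; recorded, never used to authorize
    role: str
    action: str       # CREATE / ALTER / DROP ("what")
    schema: str
    object_type: str
    object_name: str
    reason: str       # ticket or justification ("why")

@dataclass
class ChangeGate:
    policy: dict
    audit_log: list = field(default_factory=list)

    def _decide(self, req):
        if not req.reason.strip():
            return False, "undocumented change: no reason given"
        for schema_pat, type_pat, actions in self.policy.get(req.role, []):
            if (fnmatch.fnmatchcase(req.schema, schema_pat) and req.action in actions
                    and fnmatch.fnmatchcase(req.object_type, type_pat)):
                return True, "allowed by policy"
        return False, f"role {req.role} may not {req.action} {req.object_type} in {req.schema}"

    def submit(self, req):
        # Record every attempt, allowed or denied, with a UTC timestamp ("when").
        allowed, detail = self._decide(req)
        self.audit_log.append({"when": datetime.now(timezone.utc).isoformat(),
                               "allowed": allowed, "detail": detail, **vars(req)})
        return allowed

def demo():
    gate = ChangeGate(POLICY)
    reqs = [  # constructed requests, all arriving over the same shared login
        ChangeRequest("alice", "app_owner", "billing_dev", "ALTER", "billing", "PROCEDURE", "calc_tax", "TICKET-101"),
        ChangeRequest("alice", "app_owner", "billing_dev", "DROP", "hr", "TABLE", "salaries", "TICKET-102"),
        ChangeRequest("bob", "app_owner", "dba", "ALTER", "hr", "TABLE", "salaries", ""),
    ]
    return [gate.submit(r) for r in reqs], gate.audit_log
```

All three requests use the same login, yet only the first is allowed: the second falls outside the role's schema, and the third is rejected as undocumented even though the role is otherwise permitted. Denied attempts are still written to the audit log.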
“Security within DevOps needs to be systemic and a part of each automated step as we move from development to testing and finally into operations,” wrote David Linthicum, SVP at Cloud Technology Partners. “We have to keep security in mind at each step as we build and operate the applications, and not just at production — continuous security.”
Linthicum suggests that organizations adopt DevOps for the database in order to centralize security and make components in DevOps and production easily trackable using the same database repository.
The argument that DevOps limits security because developers enjoy their freedom to quickly build and deploy software is erroneous. While DevOps allows for different teams’ input early in the development process, companies still don’t grasp how automation allows for greater code security. As I’ve suggested, that is exactly what DevOps provides, but only when development, operations, and security teams come together at the most vulnerable, earliest stage in the development process in order to implement secure DevOps.