We spend a lot of time defining DevOps and outlining what it means to developers, operations, and organizations as a whole. But there's one aspect of DevOps that doesn't get the attention that it deserves: its role in helping to maintain a good security posture for all organizations, particularly federal government agencies.
This is an important topic that a panel of experts recently spoke at length about at Red Hat's Defense in Depth conference (listen to the recording here). During that session, representatives from Red Hat and elsewhere laid the groundwork by explaining what DevOps is – essentially, a methodology and outgrowth of agile application development that involves developers and operations managers coming together to continuously innovate and update new and existing apps at a very rapid pace.
This is something that is very unfamiliar to many government organizations. Over the years, these groups have become accustomed to long-term vendor contracts that offered the promise of periodic software updates over months or, in some cases, years.
Today's threat environment is far too accelerated for that type of approach. Agencies are at a point where security vulnerabilities are coming at them hard and fast, and threat vectors change on a regular basis; today's Shellshock could easily lead to tomorrow's who-knows-what.
Agency IT personnel need to be able to react in real time. Therefore, they need a system that allows for continuous software development that will help them keep pace with current and potential threats.
DevOps can be that system because it offers a blueprint to which federal IT managers can map their ongoing vigilance. Through continuous integration and delivery, and by updating software every few days (rather than months or years), they can quickly respond to potential threats while helping to keep hackers on their heels. In this sense, one could say that DevOps is a great way to significantly cut down the time it takes to address the timeless problem of maintaining an effective security posture.
However, like many new approaches, adopting a DevOps approach can be a challenge, particularly in the federal space, which has a culture that is very steeped in traditional roles and responsibilities. A committed DevOps approach requires that these roles and responsibilities must change; people must take on new assignments and workloads, learn to work with different teams, and more. Therefore, it's incumbent upon everyone in the organization to adhere to that old security adage "trust, but verify." Everyone needs to be accountable for their team members and make sure they are all doing their respective jobs. Not doing so can cause cracks to appear in a DevOps methodology – and, as a result, the security posture it's helping to solidify.
Adopting DevOps is important, not just to federal administrators, but also to the defense of government IT as a whole. Technology can only do so much, and the technology that allows governments to secure their information and networks is already fully in place. Now, it needs to be complemented by processes and policies that match its capabilities.
Adopting a DevOps methodology can help federal IT administrators match a suitable process to the fantastic technology they have at their disposal. In the process, it can help both them and the warfighters they support by greatly assisting in their age-old effort to maintain rock-solid security.