In Rugged DevOps, Actual Human Interaction Really Matters
Last month, attendees of Rugged DevOps Connect at RSA packed Moscone West’s second floor to immerse themselves in security. Among the speakers at the daylong event was Forrester analyst Amy DeMartine, who provided a tutorial on how security, developers and operations folks can work together better in the new DevOps world.
In her presentation, DeMartine laid out the Seven Habits of Rugged DevOps as she sees them. Three in particular stood out to me:
#1: Increase Trust and Transparency Between Dev, Sec and Ops
It seems that technology’s goal increasingly is to automate everything, with less reliance on humans — at least, that’s what many marketers would have us believe. However, DeMartine emphasized that Security and Risk groups, if they’re going to play a key role in DevOps, need to speak to the practice’s true owners (App Dev and Infrastructure and Ops) in a language they can understand. Here, it’s not automation that matters most. It’s communication among actual human beings that’s paramount.
She highlighted a definitive disconnect between these groups, with AppDev perceived as the department of “Anything Goes,” Infrastructure and Ops thought of as the division of “No,” and Security and Risk seen as the “Persistent Nagging” sector.
Imagine for a minute a family composed of Mom, Dad and a highly motivated teenager. In this analogy, the teenager is fast, full of energy and always pulling the trigger; Dad is the pragmatic disciplinarian, always tugging at the teenager’s reins; and Mom is constantly frustrated that no one listens to her ‘No’ warnings. The family’s living room hosts many “heated” debates, where each side scores its share of wins but there are no common agreements that satisfy everyone’s needs. When the teenager wins, it’s because Dad doesn’t have the energy to resist any longer. When Mom wins, the teenager tunes out, puts on headphones with iTunes, withdraws and may even start searching for a new family. Mom’s or Dad’s victories are often followed by a series of door slams and the silent treatment.
Now imagine that the three sides found a common language, one that not only got each to see the others’ viewpoints but also developed a system in which the teenager was set free to operate within defined boundaries and even wore enough safety gear to keep risk to a minimum. We’d have a much more harmonious place, one where the teenager continued to grow without upsetting the family ship.
Interestingly enough, there really isn’t any technology available that addresses this very real human communication challenge. No matter how counterintuitive it may seem, an effective Rugged DevOps environment is highly dependent on human-to-human relations.
#3: Pick Incremental Improvements, Not Detailed Security Road Maps
The U.S. Office of Personnel Management (OPM), Sony, Hollywood Presbyterian, Anthem — each of these organizations experienced a security breach of massive scale. If these breaches all shared a word in common, it would be PANIC. The OPM breach was the ultimate example. Almost as soon as the alarm bell rang, the government announced an elaborate plan followed by the big “Sprint,” although it might have been wiser just to beef up phishing defenses.*
It turns out that a detailed long-term plan may not be the answer to data breaches, ransoms and system shut-downs. DeMartine said outright that a comprehensive roadmap for addressing threats should be discarded in favor of a vision for real-time measurement and incremental improvements. Below is the “circle of life in security and DevOps,” as envisioned by DeMartine:
#7: Test Preparedness with Security Games
Who doesn’t like competition? Not many. I think security folks and hackers are probably some of the most competitive people around; visit a Black Hat conference and watch as attendees intently capture flags, break out of handcuffs and hack signs.
With that in mind, it makes sense that this is one of the seven habits. There’s little doubt that simulations do more to prepare people for real-life situations — after all, practice makes perfect.
Increasing trust among Dev, Sec and Ops mandates effective and, likely, improved communication. Perhaps one of the biggest takeaways for me from DeMartine’s presentation is that, for all the technological bells and whistles the industry throws at combating cybercrime, in the end an age-old skill — communication — is at the foundation of the most effective security.
*Phishing is assumed the most likely cause of the OPM breach; it is important to disclose that one of my clients, PhishMe, is a phishing defense solutions provider.