
Adjusting to the DevOps Mindset



There is no question about it: DevOps is coming to the forefront in the enterprise. A 2014 survey from Rackspace found that 79 percent of those they surveyed plan to implement DevOps practices or approaches by the end of 2015. In other words, most shops are now DevOps shops. For ISACA members, this can have a significant impact—security, assurance, risk, and governance impacts aplenty.

Security pros will need to understand how DevOps can impact existing security controls; some controls (automated static or dynamic application security testing controls, or even manual code reviews) may need to be adjusted in light of faster release cycles and new tools. There might also be hidden security advantages as the transition takes place, as tools like Puppet, Chef, Salt, and others allow them to better meet historical challenges, for example by leveraging those tools to perform security hygiene tasks (e.g., patching, automated configuration validation, etc.).

Assurance pros will likewise need to understand the impacts of DevOps, as it directly affects them as well. In many DevOps shops, developers can effect changes to the production environment through the use of automated tools. To understand whether this undermines important goals like segregation of duties, assessors will need to understand the deployment model. Is segregation of duties undermined? Or is it improved by virtue of automated (and thereby non-repudiable) recordkeeping? The answer will depend on implementation, which is why it is important that practitioners know what questions to ask.

Risk professionals will need to understand how their organization’s overall risk equation is impacted by the move too: there might be new technical risks that arise and other existing ones that are mitigated. There are business risks to consider as well, like the potential impact on competitiveness should our organization not adopt DevOps while competitors do.

Lastly, there is an impact on governance. Folks who are responsible for overseeing the IT governance program for their organization will need to consider how existing governance structures will extend into DevOps processes and tools. How will DevOps impact those structures and what artifacts (like organizational policy) might need to change as a result?

The point is that there are quite a few potential changes on the horizon that will impact all of the disciplines and professional areas that ISACA members inhabit. To help those practitioners navigate these potentially complicated waters, ISACA has released a new whitepaper: DevOps Practitioner Considerations. This guide examines the impacts that DevOps can have on different practitioner communities and explores what those practitioners might choose to do in response.

As organizations move to DevOps more frequently, it becomes increasingly important that the “DevOps way” be understood by those with a stake in ensuring trust and value in information systems. Those who do not keep pace might find themselves unequipped to ensure the mission of their organization is protected. Those who adapt may find themselves able to use DevOps concepts to do their jobs even better.

Ed Moyle
Director of Emerging Business and Technology at ISACA

[ISACA]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
