ITIL4 is the newly revamped IT Service Management Framework to accommodate the Industry 4.0 Revolution. Based on the new set of Manuals, ITIL4: High-Velocity IT is the manual which is covering the aspects of DevSecOps, DevOps, SRE.
“Digital Technology is increasingly important. Its economic, societal, and political impacts are unprecedented. At the same time, it is increasingly challenging for digital practitioners to design, develop, run, and support the systems and services that fulfill this demand. ITIL4 High-velocity IT focuses on digital products and services, including digital customer experiences, covering good organizational practices and mental models, all from a practitioner’s perspective.” – From the HVIT manual from Axelos.
Every organization is a technology company and there is a huge increase in the use of devices, apps, and IoT, etc. Cybersecurity risk is increasing at the same rate or even more. Information is available at the speed of your connection and data breaches are expensive.
We also see that the vulnerabilities that we see are the ones that we are seeing for quite some time. The OWASP top 10 has vulnerabilities at the top for the last 7 years. Gartner predicts that, through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Security has become very important and as per DevSecOps, “Security is everyone’s responsibility”. Security needs to be brought into the lifecycle from the time of requirements itself.
DevOps and DevSecOps connect through a system of strong values. The diagram below shows the values of DevOps and DevSecOps.
What is DevSecOps?
It is not about the name but about the concept. Security must be completely integrated with Development and Operations. This is the time to reinvent Security. We need to Leverage Automation, Redefine the roles and practices of Security Engineering, Security Management and Governance, Risk Management, and Compliance (GRC). We need to start implementing “Security as a Code” and Security Policies as Code. GRC and Security SMEs need to come as a trusted advisor to the team. Remember the Project to Product Approach where it is one team looking after all the needs of a set of applications from new changes to maintaining it without the need to go out of the Squad for anything related to capability, skills, and decision making.
DevSecOps is getting Security embedded in DevOps. The security team operates in DevOps Manner. Shifting of Security left with Dev and Ops empowering Security.
The New Way
DevSecOps is redefining the way of running a DevOps initiative. We need to focus on the following:
The Advice Process
Resilience Resilience is about how fast we can get back to normal after an incident or attack. There is nothing called 100% Secure. We need to get back with normal business at the earliest even with a security attack.
We need the following to enable that among others:
Fail Fast, Learn Fast, Recover Fast
The best way to avoid failure is by failing regularly (Netflix) – Choose where to fail
Security is important for Reliability and hence for Resilience
Continuous Experimentation and Learning is important for Security aspects too
We need to be following Lean principles:
Minimize Overhead and Waste
Automate as much as possible – People makes mistakes, scripts do not
Emphasize on measurable results and the outcome effectiveness
Do not make Rules for the sake of making Rules
Come as a Trusted Advisor and not as a Road-blocker
It is important to understand the Context and have a holistic view. The following are important points to keep in mind:
Context is everything
Understanding of the business (Domain) is important
Take a holistic approach
Level of Tolerance in various service areas (Do not spend 200$ for saving a 5$ Asset)
Understanding of the entire System (System Design
How much of Security is enough? Security SMEs should come to a co-operative partner and not as an adversary. We need to strike a balance between Real Vs. Perceived Threats. Threat Modelling is one of the most important and mandatory techniques to follow throughout the lifecycle from the time of Designing. Evaluate Asset Vs Threats Vs Vulnerabilities. Pick your battle.
Here is an example of the STRIDE model for Threat Modelling. There are others available too.
Risk Management with High Velocity IT In this current high-speed world, we have less time for in-depth analysis. Follow Laloux’s “Advice Process”. Develop methods for rapid analysis. Understand all the architectures. Design is a very important aspect and Security has to be designed into the system. Understanding of the holistic IT landscape is important. System Design approach will help.
Basic Security Hygiene
There needs to have basic security hygiene for everyone in the Squad. These can be:
Vulnerability and Patch Management
Automate Scanning and Report Processing
Automate Patch Management
Backups, Replication, and Redundancy – Production like data must have Production like Security
Monitoring Size and Utilization
Basic Network Security
IDS/IPS (Intrusion Detection System/Intrusion Prevention System
Logging and Monitoring
Logging and Monitoring for Security is also a very critical aspect. We need to look at the following 3 areas:
The following are some of the activities related to the above 3:
Setting Up Log Management
Queries/Reporting/Alert – One Alert for One Service
Opportunities for Automation
Incident Response and Forensics
Upskill – Cloud Skills
Live Information and Response
Leverage Automation Opportunities
Enrichment activities after Alert
Automate workflow for Forensic Analysis
Have Contingency Plan – (Nothing is 100%)
Call for help
Pre-define Incident Response Plan
Chaos Engineering and Fire Drills
Threat Intel and Information Sharing
ITIL4 – High-Velocity IT Now that we understand Security, let us see what ITIL4 has got us related to Security and DevSecOps. The following is the IT Value Stack (From ITIL4: High-Velocity IT Manuscript by Axelos):
Objectives of HVIT:
Key Characteristics of HVIT are:
HVIT is talking about Resilience a lot. Security comes under this. A system cannot be Reliable if it is not Secure. The following are the different practices and processes helping to incorporate Resilience:
“Approaches with resilient characteristics are focused on maintaining workable availability and performance, and minimizing the effect of Incidents”. – From Axelos HVIT Manual
SRE and DevSecOps focuses on reliability and a system cannot be Reliable without being Secure
As per ITIL4 – HVIT, “Security Officer’s role shifts from specifying requirements and monitoring performance, to enabling practitioners to address security concerns.”
The practice relevant to Security is Information Security Management and helps in Resilient Operations and Assured Conformance
The following are the various practices and processes related to Security:
Infrastructure as Code – Designing and Enforcing Security Policies in Virtual Infrastructure components
Loosely Coupled Architecture – Design and manage Information Security Policies for loosely coupled services and service components
Blameless Postmortem – Obtaining more information about the circumstances related to security breaches and security incidents.
Ci/CD – Ensuring compliance with information security policies by reducing manual work. Increasing the scale and scope of automation by leveraging CI/CD tools may help to ensure compliance with information security policies by reducing manual work (TOIL) and improving traceability of changes.
Continuous Testing (CT) – Here 2 practices are involved. First, Service Validation and Testing – Unit and integration testing are conducted on an ongoing basis throughout the development lifecycle This includes application unit testing, infrastructure services testing, functional/non-functional testing, canary releases, blue/green testing, and infrastructure security testing. The next practice is Information Security Management – Ensuring compliance with InfoSec policies by reducing manual work. Leveraging automated testing tools may help to ensure compliance with information security policies by reducing manual work and improving the traceability of changes.
Technical Debt – Design, implementation, and improvement of information security controls are influenced by existing technical debt. Information Security controls can also result in the creation of a technical debt, which needs to be acknowledged and communicated to all relevant stakeholders.
Use of Tools like Security Monkey
Non-functional criteria should specify the quality needed by the people who will operate, maintain, and enhance the system, and by those who will ensure security and regulatory compliance.
Definition of Done – Security Tests such as Vulnerability, Penetration, or policy compliance should be considered in the definition of done for resilient products and services
Version Control – Addressing or closing information security risks by flagging vulnerable versions of service components
Security can contribute significantly to relationship management due to better service management
Assured conformance can be measured by or lack of security breaches, fines by regulators, bad publicity, actions required by internal and external auditors, and the cost of measures to ensure conformance with GRC issues
Audit Defense Toolkit – Information Security Management – Designing and implementing controls in the product lifecycle to provide extensive traceability and joint accountability. Service Configuration Management – Standard configurations to support security and audit requirements
Specific section is provided on explaining DevSecOps (Sec 4.5.2)
Processes supporting Information Security Management:
Security Incident Management Process
Risk Management Process
Control Review and Audit Process
Identity and Access Management Process
Procedures for Penetration Testing, Vulnerability Scanning, etc
Procedures for managing security-related changes, such as firewall configuration changes
The integrated way of approaching security contributes to assured conformance
Continual Improvement – Improvements to security controls and policies can be part of the learning and feedback incorporated by development and operations
Information Security Management – Designing and implementing controls in a development lifecycle to provide extensive traceability and joint accountability. Integrating Information security duties into the daily work of practitioners. Information Security Management and Risk Management should be an integral part of the daily work of practitioners
Monitoring and Event Management – Configuring monitoring tools to continually scan for threats and vulnerabilities
Change Enablement – Implementing a preventative control that automatically requires pre-authorization from security management before developers can make certain types of production data edits
Deployment Management – Security Management provides guidance on key credential management, CD pipeline security checks, container security, automated pen-testing, and data and performance management.
Knowledge Management – Access to Security Policies
Risk Management – Security is about Risk
Service Validation and Testing – Test data management is a key element that helps to ensure continued stability, reliability, availability, and security
Strategy Management – Integrating duties to balance regulatory requirements with a speed of execution
Workforce and Talent Management – Training and Coaching staff and other relevant stakeholders in how to build security into development and operations work
Business Analysis – Understanding the security policies, standards, risks, potential threats and vulnerabilities in internal and external environments and translating them into requirements for development and operations team and including security requirements into the product backlog
Infrastructure and Platform Management – Security Management can enhance infrastructure and platform management with guidance on security standards and training, privacy reviews, threat modeling, credential management, and data security, especially with Infrastructure as code
Software Development and Management – Enhancing software development with guidance on secure coding standards and training, privacy reviews, threat modeling, code analysis, source code, and credential management and data security
Finally, I would also like to mention the point from the recent Google SRE book – Build Secure and Reliable Systems where there is a lot of focus on Designing for Security. The following are some of the key points:
As per Google, Security and Privacy are closely related concepts.
In designing for reliability and security, you must consider different risks. Primary reliability risks are non-malicious in nature like a bad software update or a physical device failure. Security risks come from adversaries who are actively trying to exploit system vulnerabilities.
Reliability and Security Tradeoff – Redundancy
Reliability and Security Tradeoff – Incident Management – Special small team with skills to handle security-related incidents
Security and Reliability is about Confidentiality, Integrity, and Availability
Intersection of Reliability and Security – Effects of Insiders
Design of Security and Reliability
Design for least privilege
Design for understandability
Design for resilience
Design for recovery
Mitigating Denial of Service (DOS) attacks
We should also touch upon the need for Secure Automation as there is a lot of automation done everywhere, both in Dev and Ops Side including SRE. Automation protects from a chance of human error or willful sabotage and provides secure opportunities. The following points are important:
Automated steps in the pipeline can be secure but manual steps cannot be secure
Artifacts used in the pipeline can be validated and checked for compliance through digitally versioning and signing
DevSecOps has introduced security into the build-test-deploy lifecycle
SRE places extra emphasis on Security in Production
Application, Infrastructure, and Configuration changes through code analysis tools and check for security issues
Digitally signed artifacts to avoid “fake” code
Secure coding practices to share with everyone
Secure code repositories with proper access control
Open source product with feedback from the community
For Infrastructure change in an “immutable” test environments creation guarantees compliance with code repository
Deploy artifacts on test environment securely
Test Data and Test scenarios are built for security
Staging environments are immutable
Same artifact deployed in all environments
Production like data in any environment needs production like security
Dedicated Security Scanning
Proxy Security Requirements to be considered
Immutable Production Environment
Same artifact in the Production environment
Regulatory Compliance needs to be evidenced and best done with automation and observability
Failure Testing helps audit compliance
There is a great amount of involvement of both Development and Operations in providing a Reliable and Secure System. Security needs to be looked at seriously and everyone should take the Shared Accountability.
SRE Foundation, DevSecOps Courses from DevOps Institute will give more details of each.
Businesses have been focusing on delivering value. The projects must be aligned with the strategic objectives of the organization. Without alignment, no value is created for the business.
Several changes are happening in the IT ...
Maintaining your data safe and secure on the internet is indeed a major cybersecurity challenge in recent times, as it approaches in different forms like malware attacks, ransomware, phishing attacks to your products. A ...
DevOps India Summit is Asia’s biggest DevOps Conference that has been making landmarks every year. With the ongoing pandemic not intending to end anytime soon, the DOIS21 Conference is all set to be conducted ...