Over the past 15+ years, I have been working at the intersection of DevOps, Security and IT. During that time, my focus has been on defending everything from laptops and desktops to networking equipment to servers in local data centers and most recently focused on securing and deploying cloud native solutions and applications. I’ve worked in securing one of the largest consumer sites in the world, and a financial services cloud platform managing over $1.5 trillion in assets. I am extremely excited to be joining the Cyral team early on in helping cloud native companies monitor and secure their data layer.
Throughout my career I have focused on the idea of InfraOps which I first publicly presented at DerbyCon in 2015. InfraOps is an extension to DevSecOps to include IT as well. The focus of this though is to break down the silos of operational teams that are already your first line of defense. To truly enable core security, it should be built into the foundation and promoted from the ground up. Security will never be effective as an outside force that constantly says no. Security must be a shared responsibility across all of your teams.
Whether we talk about InfraOps, DevSecOps or even DevOps, the real goals of these ideas is collaboration and realigning across common goals and a common language. I can guarantee you that there is not one DevOps engineer that wants to spend part of their day rebuilding a portion of production or working on taking it down for forensics because a service was taken over. Similarly, I very much doubt anyone in tech support really wants to spend their weekend rebuilding an entire fleet of endpoints because of ransomware. Once we are able to speak to our Ops teams, not in terms of security, but through the lens of their day to day job, we are able to empower them as members of the Security team.
Infrastructure as Code
Through all of these iterations, the biggest game changer for increased collaboration has been the implementation of infrastructure as code. Our common language is now our code that we are all collaborating on. Long gone are the days of the Wizard of Oz like magic employed by SysAdmins to create custom or bespoke servers. Today’s systems are built with immutability, scalability and repeatability to handle the speed and scale of cloud native applications.
Infrastructure as code is the key driver of actually converting your engineering teams into DevOps focused teams. When we embrace infrastructure as code, we are embracing security as code at the same time. Security reviews can now just be baked in the pull request workflow. Entire ecosystems can now be versioned and stood up repeatedly. Auditing can be automatic and not something that is scheduled yearly.
Security as Code
Security as code takes many different forms throughout the engineering lifecycle. It begins by being tightly integrated in your CI / CD pipeline. Functional and unit tests can now be extended to include your homegrown security tests and guard against future recurrences of your pentest results. Static and dynamic analysis now can uncover security bad practices. Container and image creation keep your baseline up to date and secure. Cloud configurations match your baseline standards and can be easily audited. Infrastructure elastically scales up and down in secure environments. Testing in production now not only verifies response times but security constraints as well.
One of the reasons I am so excited to join Cyral, is that this notion is built into the product from the ground up with decisions like incorporating Open Policy Agent (OPA) into the architecture early on. At Cyral, we’re excited to give back to the community that has already supported us by releasing brewOPA, an extensible open-source framework that enables developers to easily brew OPA policies by writing them in the human-friendly YAML. YAML will allow your DevSecOps teams to use the language they’re already using and not require the whole team to learn yet another language. With brewOPA, we’re again all using a common language and enabling faster teams.
Data Security As Code
The key reason I’m so excited about Cyral is that we’re now giving InfraOps, DevOps and DevSecOps teams the ability to secure their data layer. Cyral provides unique visibility into the data layer and enables security practices to be implemented as code allowing security and compliance rules to be visible to the engineering, security and compliance teams.
Cyral is already working with a number of cloud native teams to help them secure their data layer using the tools that these teams are already using. Cyral’s product is lightweight, doesn’t require any changes to applications and can be quickly deployed and utilized without sacrificing the productivity of engineering teams. We have worked in close concert with a number of key companies to make sure that Cyral will scale with you. We can help monitor and prevent exfiltration, account takeover, SQL injection and more.
Yesterday, I presented at BSides San Francisco with a former coworker, Paul Karayan, on how we actually put into practice many of the above core principles. We presented From Cockroaches to Marble Floors: What happens when you turn on the lights? Our talk covered how we expanded the informal security team and helped ensure that our fintech cloud native application was secure enough for our clients to entrust $1.5 trillion+ of assets under management on the platform. You can check out the slides below and keep an eye out for how we’ll be implementing many of these practices (and more) at Cyral.
Source: Image by John Hurley via the OpenIDEO Cybersecurity Visuals Challenge under a Creative Commons Attribution 4.0 International License