Security is one of the process blades of Disciplined DevOps. The focus of the Security process blade is to describe how to protect your organization from both information/virtual and physical threats. This includes procedures for security governance, identity and access management, vulnerability management, security policy management, incident response, and vulnerability management. As you would expect these policies will affect your organization’s strategies around change management, disaster recovery and business continuity, solution delivery, and vendor management. For security to be effective it has to be a fundamental aspect of your organizational culture.
In this article we explore the following topics:
Why is Security Important?
Why is security important? Because security breaches can be devastating. Here are just a few examples:
- In July 2019 Capital One suffered a data breach where the records of 100 million credit card applications were stolen.
- In May 2017 Equifax had the personal identification information of 143 million people stolen from them over a three month period.
- The March 2015 security breach of Slack‘s database where 500,000 emails and other personal account information was stolen.
- The October 2015 breach of Experian/T-Mobile where the personal data of 15 million was exposed.
- From 2014-2018 the identification (including passport numbers) and credit card information of 383 million guests of hotels within the Marriott group were stolen.
- The November 2013 security breach at Target where the personal information of 70 million customers was compromised, the cost of the breach was $162 million, and the CEO was motivated to resign.
- And of course the 33,000 emails obtained by Russian hackers from Hillary Clinton’s email server.
The Disciplined Agile Security Mindset
The following strategies enable you to optimize your Security activities:
- Work collaboratively with teams. Security engineers will be invited to work with delivery teams to review their work for security concerns at the earliest feasible moment and in some cases to help them to secure critical aspects of their solutions.
- Support common security infrastructure. Security engineers will help teams to identify and adopt appropriate security tooling and frameworks. They develop and evolve security guidance for your organization.
- Transfer security skills to others. Providing people with coaching and training in security will help to build security awareness within your organization. Security training should be provided to all members of your organization, with deeper training and education provided to IT staff who are directly involved with development or operations of secure systems.
- Collaborate with other organizations. Within the security community there is constant sharing of information between organizations, including education about new security threats and new mitigation strategies.
The following process goal diagram overviews the potential activities associated with disciplined agile security. These activities are performed by, or at least supported by, your security (sometimes called an information security or infosec) team.
Figure 1. The Security process goal diagram (click to enlarge).
The process factors that you need to consider for implementing effective security are:
- Ensure security readiness. How do you ensure that your environment has been built to withstand the evolving security threats that you face?
- Enable security awareness. How do you help your staff to become knowledgeable about security threats, how to avoid attacks, and how to deal with them when they occur?
- Monitor security. How do you identify when you are under attack (for most organizations the answer is constantly) and more importantly how you’re being attacked?
- Respond to threats. When an attack occurs what will you do to address it?
- Security physical assets. How will you protect physical assets such as buildings, vehicles, and equipment? By implication, how will you ensure the security of your people?
- Secure IT perimeter. How will you secure access to your IT systems?
- Secure the network. How will you ensure the security of digital communications?
- Secure IT endpoints. How will you secure access to devices such as phones, workstations, and other I/O devices?
- Secure applications. How will you address security within the applications/systems of your organization?
- Secure data. How will you ensure the validity and privacy of the data within your organization?
- Govern security. How will you motivate, enable, and monitor security activities within your organization?