No Room for Silos when it Comes to Security

Lori MacVittie
Published June 24, 2019

It started with DevOps. Then there was NetOps. Now SecOps. Or is it DevSecOps? Or maybe SecDevOps?

Whatever you decide to call it, too often the end result is little more than the same old silos with shiny new names. We've become so focused on "what do we call these folks" that we sometimes forget "what is it we're trying to accomplish".

The Great Bard first said it in his commentary about a rose - it would smell as sweet by any other name. Let's apply that today to the number of factions rising in the operations game. Changing your name does nothing if you don't change your core behaviors and practices.

Back when cloud first rose (pun intended), there were plenty of pundits who dismissed enterprise efforts to build private (on-premises) cloud because it didn't fit the precise definition they wanted to associate with cloud. They ignored that the outcome was the measure of success, not measuring up to someone else's pedantic definition. Those enterprises sought agility and efficiency and speed by changing the way infrastructure was provisioned, configured, and managed. They changed behaviors and practices through the use of technology.

Today the terminology wars are focused on X-Ops and what we should call the latest arrival, security.

I know I've used the terms, and sometimes I use them all at the same time. But perhaps what we need is fewer distinctions. Perhaps I should just say you're either adopting "modern ops" in terms of behaviors and practices or you're remaining "traditional ops" and that's all there is to it.

Modern ops employ technology like cloud and automation to build pipelines that codify processes to speed delivery and deployment of applications.

And they do it by changing behaviors and practices. They are collaborative and communicative. They use technology to modernize and optimize decades old processes that are impeding delivery and deployment. They work together, not in siloed X-Ops teams, to achieve their goal of faster, more frequent releases that deliver value to the business and delight consumers.

Focusing on what to call "security" as they get onboard with modern ops can be detrimental to the basic premise that delivery and deployment can only succeed at speed with a collaborative approach. Slapping new labels on a new focused team just builds different silos; it doesn't smash them and open up the lines of communication that are required to operate at speed and scale.

It also unintentionally gives permission to other, non-security ops to abdicate security responsibilities to the <SecDevOps | DevSecOps> team. Because it's in their name, right?

That's an increasingly bad idea given that application security is a stack and thus requires a full stack to implement the right protections. You need network security and transport security and you definitely need application security. The attack surface for an app includes all seven layers and, increasingly, the stack comprising its operational environment. There is no room for silos when it comes to security.

The focus of IT as it's moving through its digital transformation should be to modernize ops - from the technology to the teams that use it to innovate and deliver value to the business. Modern ops are not consumed by concern for titles; they are passionate about producing results. Modern ops work together, communicate freely, and collarborate across concerns to build out an efficient, adaptive delivery and deployment pipeline.

That will take network, security, infrastructure, storage, and development expertise working together.

In the network, we use labels to tag traffic and apply policies that control what devices can talk to which infrastructure and applications. In container clusters we use labels to isolate and restrict, to constrain and to disallow.

Labels in organizations can have the same effect.

So maybe it'd be better if we just said you're modern ops or traditional ops. And that some are in a transitional state between the two. Let's stop spending so many cycles on what to call each other that we miss the opportunity to create a collaborative environment in which to deliver and deploy apps faster, more frequently, and most of all, securely.