By Andrej Kovacevic
There’s no doubt that DevSecOps is on the rise, as the need for fast but highly secure application delivery increases.
A report by Emergen Research shows that the DevSecOps market is set to reach a $23.42 billion value in 2028 with a CAGR of 32.2 percent over the forecast period 2020-2028.
Notably, this growth does not only reflect the growing importance of security in rapid application development and delivery. It also has a significant positive impact on cloud security.
As organizations see increased use of cloud computing and SaaS applications, the adoption of DevSecOps is also becoming more appealing.
The Current Cloud Security Situation
A survey on the state of cloud data security in 2022 conducted in partnership with Gartner shows that an overwhelming majority of organizations (over 90 percent) say they struggle with the enforcement of security policies around their data. There are several reasons for this, and each of them adds to the difficulty of securing the cloud.
Conventional solutions no longer cut it, and cloud security needs to level up to match the different challenges brought about by growing cloud adoption and the complexities that come with it.
These challenges include the following:
Visibility and tracking inadequacies
As organizations embrace Software-as-a-Service (SaaS) apps and the Infrastructure-as-a-Service (IaaS) model, they face the challenge of protecting data and assets that are usually beyond their control.
Typically, cloud service providers do not give customers full control over the infrastructure layer. This leaves customers with limited visibility into, and control over, the security of that layer.
Broader attack surfaces
Threat actors are particularly attracted to organizations that use the public cloud environment. In the absence of reliable security controls, such environments are relatively easy targets for zero-day exploits, malware, account takeover, and other attacks.
Workload changes
The dynamic provisioning and decommissioning of cloud assets makes them difficult to protect, especially where scaling and agility are involved.
Complex environments
Hybrid and multi-cloud environments appear to be preferred by many organizations at present because of various advantages. But this results in security management complexities and the need for security tools and solutions that seamlessly work with each other.
The need for granular privilege and key management
Because of the number of users that access cloud assets, it is not uncommon for access or privileges to be granted loosely. Extensive privileges are usually provided to avoid having to implement specific configurations for different users or user groups.
This can be problematic for security. With the use of SaaS apps, for example, when keys and privileges are given carelessly, sessions can be exposed to various security risks.
Weakening of cloud standards compliance benefits
The top cloud service providers notably advertise their compliance with various security accreditations or standards such as the NIST 800-53, PCI 3.2, and GDPR. But the benefits of that compliance are diluted or almost entirely eroded because the management of workloads and data processing is usually left to the customers (organizations).
Since most organizations have visibility and tracking difficulties, poor attack surface management capabilities, and a lack of granular privilege management, the security compliance of cloud providers does not necessarily benefit their customers.
The rise of DevOps
Many organizations have shifted to DevOps as they seek to shorten the lifecycle of systems development and promote rapid and continuous app delivery.
This can impact cloud security, though, especially when security-related changes are implemented after workloads have been deployed.
How DevSecOps Can Help
As explained above, the expansion of attack surfaces and the security management complexities that come with cloud adoption are not the only things that make cloud security more challenging. The increased adoption of DevOps practices also adds to the problem. This is where DevSecOps comes into play.
DevSecOps adds the crucial security component to DevOps and guides developers to embrace “security by design.”
It is a step up from the previous shift-and-adopt strategy used in incremental cloud re-platforming. It involves an integrated team of multi-skilled cloud and cybersecurity specialists working together under a common operating paradigm.
Teams can establish a center of excellence (usually helmed by the organization's digital transformation point person) to take charge of the coordination of the cloud and cybersecurity specialists working together in the new development operating model.
DevSecOps ensures that flexible and agile practices do not disregard security, allowing development processes to proceed at the same pace an organization wants its business to move.
Teams can achieve this with an emphasis on shared responsibilities. Organizations nurture collaboration, cross-skilling, and cross-teaming to attain better outcomes.
Diana Kearns-Manolatos, Senior Manager in Deloitte’s Center for Integrated Research, characterizes DevSecOps as “more than moving existing security processes earlier into the development process.”
DevSecOps entails the rethinking and rearchitecting of the way app design processes work. "It is about elevating, embedding, and evolving (your) organization’s risk response," Kearns-Manolatos adds.
To answer the question "What is DevSecOps’ role in cloud security?", teams need to incorporate security into the speed, efficiency, and continuous-delivery focus of DevOps.
Simply put, it is about quickly rolling out apps or software products that are already secure to help better manage the expansion of cyber attack surfaces.
Instead of having a separate team (the security team) undertake a rigorous application security review, the apps can be deployed immediately. Tweaks and patching will still be needed eventually, but they will no longer be as exhausting as they are for apps developed conventionally.
DevSecOps in Practice – Not Easy but Very Doable
Embracing DevSecOps to achieve the quick, secure, and efficient rollout of applications or software products is not going to be a walk in the park. But it is not so difficult as to be unachievable.
Organizations will need to innovate their processes and rethink their cloud security and development operations.
One crucial factor in successfully adopting DevSecOps practices to improve development outcomes (especially in terms of security) is communication.
Teams need to properly communicate with each other to ascertain that everyone is on the same page during the development process. Real-time knowledge sharing is important and it may also be necessary to integrate ChatOps, automation, as well as artificial intelligence in the process.
Final Thoughts
DevSecOps and cloud security may appear to be unrelated or only remotely connected concepts. But the former does have an impact on the latter.
DevSecOps will not address all cloud security issues or threats. But it can make DevOps-driven apps used in the cloud or in hybrid environments less vulnerable, and it can limit the means by which threat actors penetrate cyber defenses.
If you want to learn more about DevSecOps in depth, check out this free article and course from freeCodeCamp.
Image via Murrstock / Adobe Stock