On the heels of the Facebook and Cambridge Analytica scandal affecting at least 87 million users and on the eve of the era of the EU’s General Data Protection Regulation (GDPR), which will restrict how personal data is collected and handled, DevOps professionals (whose work focuses on software development and related enterprise operations) are in a whirlwind of immediate crisis and change. These teams are pressured with an urgency to evolve to the field's next iteration, DevSecOps, and toward a “Security as Code” culture.
“By developing security as code, we will strive to create awesome products and services, provide insights directly to developers, and generally favor iteration over trying to always come up with the best answer before a deployment. We will operate like developers to make security and compliance available to be consumed as services. We will unlock and unblock new paths to help others see their ideas become a reality.”
DevOps, the first iteration in this evolutionary line, brought down the walls between development and operations, recognizing the necessity for a shift toward a new collaboration to give “everyone an equal seat at the table,” according to Patrick Debois, who created the movement. “The biggest advantage is the insight that we work in a system. We have to optimize for the whole system and not just for the silo. By optimizing for the whole, we are improving for the business, not just for IT.
Now, DevSecOps is in the second stage of this evolution where, seamlessly, IT security teams are immersed in these new software engineering processes, rather than outside of it. This creates a new culture where everyone is responsible for security in a continuous delivery environment. Given the present landscape of data breaches worldwide, this integration of security into DevOps — of bringing the sometimes at-odds IT security and operations teams together with a new philosophy where security is a constant in the entire operations process — serves best to “adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.
Ours is a new world, one where data protection is not merely for enterprises and high-value individuals. It’s now about everyone everywhere, and they’ve finally figured that out — well, at least the 2.2 billion users on Facebook. Those in data protection who are pushing those in DevOps to this precipice recognize that this perilous new world is a place where existing security models no longer work, and that a fundamental change must become systemic. “We will not wait for our organizations to fall victim to mistakes and attackers,” the manifesto says. “We will not settle for finding what is already known; instead, we will look for anomalies yet to be detected. We will strive to be a better partner by valuing what you value.
There is no longer any doubt that data protection standards as they exist today — which have failed billions of individuals — must evolve in their processes, protocols and regulations, not only at the scale the EU’s GDPR envisions, but worldwide. At the World Economic Forum’s Annual Meeting in Davos this year, German Chancellor Angela Merkel challenged this reality within the framework of its immediacy concerning much larger social constructs. “The question ‘who owns that data?’ will decide whether democracy, the participatory social model, and economic prosperity can be combined,” she said.
Every two days, we generate as much data as we did from the dawn of time up to 2013, so the solutions will not come easy — and with every passing few days the complications become more and more manifold. Without a new cultural philosophy that tears down current divisions between software and IT security teams, these solutions cannot emerge. And as Merkel challenged, speaking to a global audience, this must be a global solution. The information age has all but eliminated the idea of silos. Populations of people may still live in countries with borders, varying cultures, values, beliefs and languages. However, information and related protection of data know no borders. This is truly international, and it demands a global effort. DevSecOps begins that work and Opinov8 Technology Services is providing a voice and opinion.