In order to ensure that your Continuous Improvement strategy employed via DevOps is kept Secure and in Operation, it is imperative that methods are utilised to ensure a Continuous Security and Continuous Operations mindset is adopted.
Follow along with the fantastic Microsoft Learn Article:
Explore DevOps Continuous Security and Continuous Operations
We all know that cyber crime is an inevitable fact of the digital world we live in today. Attacks are carried out by criminals and hackers alike, all of which have the potential to significantly harm an organisation.
The advice given today is to generally assume that you have already been breached and to employ a defence in depth security posture for your organisation.
There are two types of companies: those that have been breached, and those that don’t know it yetMichael Hayden, former Director NSA & CIA
The Microsoft product group philosophy which inspired DevSecOps is as follows:
- to assume you have been breached
- the bad actors are already in the network with internal access
- defense-in-depth is essential.
What is Continuous Security?
Security can be summarised as the application of technologies, processes and controls in order to protect systems, networks, programs, devices and data from unauthorised access or criminal use.
Continuous Security is based on three elements:
- A strong security focus within the organization’s culture
- An infrastructure implemented and operated by adopting latest security recommended practices
- A software delivery process that focuses on security, such as the Microsoft Security Development Lifecycle (SDL)
Three principles in DevOps that need to be taken into consideration are:
Continuous Operations is one of the eight capabilities in the DevOps taxonomy.
The impact to business and the overall cost of any breach can go well beyond the impact of trust of a business or loss of sales:
- Response and notification
- Lost employee productivity and turnover
- Lawsuits / settlements
- Regulatory fines and responses
- Brand recovery costs
- Other liabilities
What is Continuous Operations?
The idea of Continuous operations is to reduce or eliminate the need for any planned downtime.
New methods, technologies, and ways of working call for a new approach to Continuous Operations. The following eight main Continuous Operations practices have emerged and continue to evolve:
- Security & compliance by design acknowledges that certain standards, legislation, but also business requirements such as traceability and auditability must be taken into consideration at design time when designing for highly-automated cloud environments.
- Continuity & resilience requires close collaboration with the organization to ensure business needs are reflected in the design and implementation.
- Telemetry & monitoring can be used to discover customer usage patterns, potential new needs, and detailed information about where users encounter errors. These tools can also help ensure that value is delivered.
- Service Management is a different conversation in a DevOps culture:
- Shift towards means you own it. You build it, you run it, and when it breaks you fix it.
- Focus on what’s required.
- Empower governance.
- Facilitate transparency.
- Culture & collaboration are essential for Continuous Operations. Organizations are often required to change the way they work to facilitate transformation toward DevOps teams. Collaboration is also essential when designing for security and resilience.
- Automation & AI/ML Ops are important aspects of what make DevOps (and cloud) different compared to traditional operations teams. The focus must be on the whole system being automated (systemic automation), and not just one area.
- Continuous Deployment uses modern release pipelines to allow development teams to deploy new features fast and safely, allowing a continuous stream of customer value and shortening the time to remediate issues.
- Shift-right testing uses practices such as dark launching, feature flags, monitoring, and A/B testing. Teams are then able to continue testing to make sure an application meets behavior, performance, and availability expectations during live use.
To evolve into a DevOps approach, a major paradigm shift needs to occur in the culture to deliver business value with a modern IT approach.
My Main ReadMe Page is all set up with a bit about me!
The guys at 100DaysofCloud have set up the GitHub repo to be cloned and also have a great repo containing ideas and areas to collaborate on: https://github.com/100DaysOfCloud/100DaysOfCloudIdeas
My Github Journey tracker can be found here: https://github.com/jonnychipz/100DaysOfCloud
Please Watch/Star my repo and feel free to comment of contribute to anything I push! I really look forward to hearing from anyone who is going to jump on the journey around the same time as me! Lets see where I get to in 100 days!
I would encourage others to jump on this journey, I’m not sure that I will be able to commit every day for 100 days, but as long as I can complete 100 days that will be great!