Day[58/100] #100DaysOfCloud – Jonnychipz – DevOps Continuous Security and Continuous Operations

In order to ensure that your Continuous Improvement strategy employed via DevOps is kept Secure and in Operation, it is imperative that methods are utilised to ensure a Continuous Security and Continuous Operations mindset is adopted.

Follow along with the fantastic Microsoft Learn Article:

Explore DevOps Continuous Security and Continuous Operations

Continuous Security

We all know that cyber crime is an inevitable fact of the digital world we live in today. Attacks are carried out by criminals and hackers alike, all of which have the potential to significantly harm an organisation.

Some examples:

The advice given today is to generally assume that you have already been breached and to employ a defence in depth security posture for your organisation.

There are two types of companies: those that have been breached, and those that don’t know it yet

Michael Hayden, former Director NSA & CIA

The Microsoft product group philosophy which inspired DevSecOps is as follows:

  • to assume you have been breached
  • the bad actors are already in the network with internal access
  • defense-in-depth is essential.
Diagram depicts the results of the State of Application Security, 2020 showing that applications remain the most common attack vector. 42% of external attacks were carried out through software vulnerability. 35% were carried out through web applications. 27% were carried out through use of stolen credentials. 25% were due to exploitation of lost or stolen asset, and 24% due to strategic web compromise. 24% were distributed denial of service attacks. 22% were due to mobile malware. 21% were DNS attacks. 18% were due to phishing. 15% were ransomware attacks. 6% of the attacks were committed through social engineering.

What is Continuous Security?

Security can be summarised as the application of technologies, processes and controls in order to protect systems, networks, programs, devices and data from unauthorised access or criminal use.

Continuous Security is based on three elements:

  • A strong security focus within the organization’s culture
  • An infrastructure implemented and operated by adopting latest security recommended practices
  • software delivery process that focuses on security, such as the Microsoft Security Development Lifecycle (SDL)

Three principles in DevOps that need to be taken into consideration are:

Diagram depicts the elements of continuous security: shifting left, continuous improvement and automation. These elements combined with the secure infrastructure, security culture and secure software delivery, and represent a holistic approach to security.

Continuous Operations

Continuous Operations is one of the eight capabilities in the DevOps taxonomy.

The impact to business and the overall cost of any breach can go well beyond the impact of trust of a business or loss of sales:

  • Response and notification
  • Lost employee productivity and turnover
  • Lawsuits / settlements
  • Regulatory fines and responses
  • Brand recovery costs
  • Other liabilities

What is Continuous Operations?

The idea of Continuous operations is to reduce or eliminate the need for any planned downtime.

Diagram shows how AIOps and Digital Experience Monitoring, Application Release Orchestration, and uptime-based monitoring support Customer Experience Insights, Rapid Application Deployment, Dynamic Scalability and Cloud-first strategies.

New methods, technologies, and ways of working call for a new approach to Continuous Operations. The following eight main Continuous Operations practices have emerged and continue to evolve:

  • Security & compliance by design acknowledges that certain standards, legislation, but also business requirements such as traceability and auditability must be taken into consideration at design time when designing for highly-automated cloud environments.
  • Continuity & resilience requires close collaboration with the organization to ensure business needs are reflected in the design and implementation.
  • Telemetry & monitoring can be used to discover customer usage patterns, potential new needs, and detailed information about where users encounter errors. These tools can also help ensure that value is delivered.
  • Service Management is a different conversation in a DevOps culture:
    • Shift towards means you own it. You build it, you run it, and when it breaks you fix it.
    • Focus on what’s required.
    • Empower governance.
    • Facilitate transparency.
  • Culture & collaboration are essential for Continuous Operations. Organizations are often required to change the way they work to facilitate transformation toward DevOps teams. Collaboration is also essential when designing for security and resilience.
  • Automation & AI/ML Ops are important aspects of what make DevOps (and cloud) different compared to traditional operations teams. The focus must be on the whole system being automated (systemic automation), and not just one area.
  • Continuous Deployment uses modern release pipelines to allow development teams to deploy new features fast and safely, allowing a continuous stream of customer value and shortening the time to remediate issues.
  • Shift-right testing uses practices such as dark launching, feature flags, monitoring, and A/B testing. Teams are then able to continue testing to make sure an application meets behavior, performance, and availability expectations during live use.

To evolve into a DevOps approach, a major paradigm shift needs to occur in the culture to deliver business value with a modern IT approach.

100DaysOfCloud Overview

My Main ReadMe Page is all set up with a bit about me!

The guys at 100DaysofCloud have set up the GitHub repo to be cloned and also have a great repo containing ideas and areas to collaborate on: https://github.com/100DaysOfCloud/100DaysOfCloudIdeas

My Github Journey tracker can be found here: https://github.com/jonnychipz/100DaysOfCloud

Please Watch/Star my repo and feel free to comment of contribute to anything I push! I really look forward to hearing from anyone who is going to jump on the journey around the same time as me! Lets see where I get to in 100 days!

I would encourage others to jump on this journey, I’m not sure that I will be able to commit every day for 100 days, but as long as I can complete 100 days that will be great!

http://www.100daysofcloud.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s