Last updated Wednesday, April 12, 2023, 22:16:18 GMT

Going from a centralized security group that dictates a "command and control" approach to cloud security toward a model of "trust but verify" is at the core of the modern shift toward security-practice democratization. The organizational practices behind legacy, centralized data centers are being reconsidered as teams realize that the old methodologies simply can't scale to support the speed necessary to thrive in today's competitive landscape.

This problem is not unique to any one industry. Across the board, businesses need to develop and deploy applications securely so that the company meets bottom-line expectations and remains competitive. So how can DevOps and IT teams work and innovate in a friction-reduced or, we can all dream, a friction-free way?

Get in a room first

Whether physical or virtual, getting security and DevOps teams together at the beginning of a project helps set the standard moving forward. Setting weekly or bi-weekly meetings to ascertain the scope of what's being built or what needs to migrate helps curtail misinformation and misunderstanding, and ultimately results in a better-protected product.

Whatever the process involves (GKE clusters, IAM roles, storage), it's important to work with key security stakeholders early to get those standards integrated to support the development teams. Collaborative communication tools like Slack can aid greatly in catching changes or vulnerabilities before or after deployment. For example, if someone makes a change to IAM configuration after deploying, the security team can receive an alert via Slack and then know to go in and check that everything is as it should be.

As development and security teams integrate these types of simple alerts, and avoid heavy-handed responses such as automatically shutting down instances, they begin to alleviate perceived friction and define an efficient macro-level working process. Then, by the time deployment is at hand, there are fewer "big things" that can go wrong.

Monitor what hasn't been created yet

Take a use case like Terraform, a cloud-agnostic, open-source infrastructure-as-code tool that uses a single configuration to manage multiple providers. Previously, a resource would be spun up and then the team would have to go back in for fixes if issues arose. DivvyCloud by Rapid7 can work with tools like Terraform, incorporating new features that allow checks against the plan before deployment kicks off. Issues are then caught within that plan before resources are even created. This will:

  • Help save resource costs
  • Keep all teams aligned and aware of what is changing
  • Anticipate issues before they happen
  • Enable key learnings for more effective future deployments
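As an added illustration of checking a plan before anything is created (example code written for this page, not DivvyCloud's or Terraform's own implementation), here is a small policy check over the JSON that `terraform show -json tfplan` produces. Only the `resource_changes` layout follows Terraform's documented JSON output format; the rules, the resource names and the embedded sample plan are constructed for the example, and a real pipeline would feed the exported plan file in on the command line and fail the stage on a non-zero exit.

```python
"""Pre-apply policy check over a Terraform plan exported as JSON.

Added example; not DivvyCloud or Terraform code. It assumes the plan was
exported with `terraform plan -out tfplan && terraform show -json tfplan`,
whose top-level `resource_changes` list is part of Terraform's documented JSON
output format. The rules and the sample plan below are constructed.
"""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}   # "anywhere" CIDRs
WEB_PORTS = {80, 443}           # the only ports allowed from anywhere

# Constructed sample plan, trimmed to the fields the rules look at.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {   # SSH open to the world: should be flagged (443 is allowed)
            "address": "aws_security_group.web",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {"ingress": [
                {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            ]}},
        },
        {   # Allow Action "*" on Resource "*": should be flagged
            "address": "aws_iam_policy.ci",
            "type": "aws_iam_policy",
            "change": {"actions": ["update"], "after": {"policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
        },
        {   # All four public-access flags enabled: fine
            "address": "aws_s3_bucket_public_access_block.logs",
            "type": "aws_s3_bucket_public_access_block",
            "change": {"actions": ["create"], "after": {
                "block_public_acls": True, "block_public_policy": True,
                "ignore_public_acls": True, "restrict_public_buckets": True}},
        },
        {   # Being destroyed: nothing will exist afterwards, nothing to check
            "address": "aws_security_group.legacy",
            "type": "aws_security_group",
            "change": {"actions": ["delete"], "after": None},
        },
    ],
}


def check_security_group(after):
    """Flag ingress rules reachable from anywhere on non-web ports."""
    for rule in after.get("ingress") or []:
        exposed = (WORLD & set(rule.get("cidr_blocks") or [])) | \
                  (WORLD & set(rule.get("ipv6_cidr_blocks") or []))
        ports = set(range(rule.get("from_port", 0), rule.get("to_port", 0) + 1))
        if exposed and not ports <= WEB_PORTS:
            yield f"ingress {rule['from_port']}-{rule['to_port']}/{rule['protocol']} open to {sorted(exposed)}"


def check_iam_policy(after):
    """Flag Allow statements that grant every action on every resource."""
    doc = json.loads(after.get("policy") or "{}")
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):           # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            yield "statement allows Action '*' on Resource '*'"


def check_public_access_block(after):
    """Flag any of the four S3 public-access controls left disabled."""
    for flag in ("block_public_acls", "block_public_policy",
                 "ignore_public_acls", "restrict_public_buckets"):
        if not after.get(flag):
            yield f"{flag} is not enabled"


RULES = {
    "aws_security_group": check_security_group,
    "aws_iam_policy": check_iam_policy,
    "aws_s3_bucket_public_access_block": check_public_access_block,
}


def evaluate_plan(plan):
    """Return (address, message) findings for resources the plan will create or update."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:                 # delete or unknown-until-apply: skip
            continue
        rule = RULES.get(rc.get("type"))
        if rule is None:                  # no rule for this resource type
            continue
        for msg in rule(after):
            findings.append((rc["address"], msg))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = evaluate_plan(plan)
    for address, msg in findings:
        print(f"BLOCK {address}: {msg}")
    return 1 if findings else 0           # non-zero exit fails the stage before `apply`


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it on the sample plan prints two findings (the SSH rule and the wildcard policy) and exits 1; the public-access block passes and the deleted security group is skipped. The point of wiring this between `plan` and `apply` is that the offending resources never exist, so there is no remediation ticket and no window of exposure.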

Perhaps the biggest benefit is the potential for vast improvement in launch time. As issues are flagged earlier and earlier in the process, the culture really begins to shift left, with security teams perhaps having to deal with less friction, or maybe no friction at all!

All that said, the above is very much a security-team point of view. So, what do dev teams think about seeing these issues and potential vulnerabilities come up sooner in the process, while they're simultaneously being told to get things online faster?

The team conversation

It's true that the "there's no 'I' in team" rallying cry can come off as a bit of a corporate cliché. However, in much the same way as security is shifting earlier into the development process, it really can help to have that "one-team" conversation before things kick off in earnest. Getting everyone in a room, physically or virtually, and being open and honest with all teams about how the process is going to go can preemptively help clear the air about pain points along the way.

When opening up the security identification and remediation process to developers, it simply becomes a question of how comfortable the security team is with specific actions. Are the dev teams ingrained enough to be able to apply turnkey fixes with no approval whatsoever? Or, perhaps, going back to the Slack alert example, it's an automated notice that a change has been made by a developer, and the security team can quickly take a look … or decide not to. Either way, they are made aware through a simple automated process, and now both teams can align. A potential drawback of that automated communication, though, is that it can quickly become noisy. Nobody needs or wants 300+ alerts a week, especially if some of them don't actually require attention. The ability to customize which alerts you receive and how you receive them creates a scaled-down, meaningful alerting system. It allows room for action and cuts down on communication fatigue and friction.
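The Slack alert on post-deploy IAM changes mentioned earlier, together with the noise problem described in this paragraph, as an added example (not DivvyCloud's code): it takes CloudTrail-style event records, drops read-only calls and writes made by the expected deploy role, collapses repeated calls by the same actor into one alert, applies a severity floor, and formats what remains for a Slack incoming webhook. The event records, the role and user names, the severity table and the `SLACK_WEBHOOK_URL` variable are all assumptions made for the example.

```python
"""Turn post-deploy IAM changes into a small number of meaningful Slack alerts.

Added example, not DivvyCloud code. It assumes CloudTrail-style event records
(eventSource, eventName, readOnly, userIdentity.arn, eventTime,
requestParameters) and a Slack incoming-webhook URL in SLACK_WEBHOOK_URL.
The events, principal names and severity table are constructed.
"""
import json
import os
import urllib.request

# Principals whose IAM writes are expected (the pipeline's own deploy role). Constructed.
EXPECTED_ACTORS = {"arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci"}

# IAM write calls that grant access or create credentials; other writes are "low".
HIGH = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
        "UpdateAssumeRolePolicy", "CreateAccessKey", "CreateLoginProfile"}

# Constructed sample events: one expected deploy change, one read, a burst of
# admin attachments by a human, a low-value tag change, and a non-IAM event.
SAMPLE_EVENTS = [
    {"eventTime": "2023-04-12T21:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci"},
     "requestParameters": {"roleName": "app", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2023-04-12T21:05:17Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedRolePolicies", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app"}},
    {"eventTime": "2023-04-12T21:06:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-04-12T21:06:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "worker", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-04-12T21:07:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "TagRole", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app"}},
    {"eventTime": "2023-04-12T21:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]


def select_alerts(events, min_severity="low"):
    """Keep IAM writes by unexpected actors, grouped per (actor, event name).

    Grouping is what turns a burst of 300 identical calls into one alert;
    min_severity="high" is the knob for a channel that only wants the big things.
    """
    rank = {"low": 0, "high": 1}
    groups = {}
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("readOnly", False):
            continue                                   # not an IAM change
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if actor in EXPECTED_ACTORS:
            continue                                   # the deploy pipeline is supposed to do this
        severity = "high" if ev["eventName"] in HIGH else "low"
        if rank[severity] < rank[min_severity]:
            continue
        g = groups.setdefault((actor, ev["eventName"]), {
            "actor": actor, "event": ev["eventName"], "severity": severity,
            "count": 0, "targets": [], "first": ev["eventTime"]})
        g["count"] += 1
        params = ev.get("requestParameters", {})
        target = params.get("roleName") or params.get("userName")
        if target and target not in g["targets"]:
            g["targets"].append(target)
    return list(groups.values())


def format_message(alerts):
    """Build the JSON body a Slack incoming webhook accepts."""
    lines = [f"[{a['severity'].upper()}] {a['actor']} called {a['event']} x{a['count']} "
             f"(targets: {', '.join(a['targets']) or 'n/a'}; first seen {a['first']})"
             for a in alerts]
    return {"text": "IAM changes outside the deploy pipeline:\n" + "\n".join(lines)}


def post_to_slack(message, webhook):
    """POST the message; returns False without a webhook so the script can dry-run."""
    if not webhook:
        return False
    req = urllib.request.Request(webhook, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status == 200


if __name__ == "__main__":
    alerts = select_alerts(SAMPLE_EVENTS, min_severity="low")
    message = format_message(alerts)
    print(message["text"])
    post_to_slack(message, os.environ.get("SLACK_WEBHOOK_URL"))
```

On the sample input six events become two alerts: alice's two `AttachRolePolicy` calls (AdministratorAccess on `app` and `worker`) roll up into one high-severity line, and her `TagRole` becomes one low-severity line; the deploy role's change, the read-only list call and the EC2 event never reach Slack. Raising `min_severity` to "high" leaves exactly one line, which is the kind of tuning the paragraph describes.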

Back to innovation

Working toward harmony between DevOps and security not only drives innovation for those teams, but it also means that the enterprise is able to build and deliver more products and solutions. Accelerating speed-to-build and speed-to-deployment doesn't have to come fraught with so many risks in the age of cloud.

The true reward comes when teams find more time for innovation by working together and educating each other. The next step is convincing stakeholders outside of these teams that the process is worth improving and well worth the investment.
