If you are a board member or business executive and you start hearing your IT development, operations and security teams talking about a “shift left,” pay careful attention. It could be one of the more important decisions your teams make, in terms of both accelerating speed-to-market and improving security protections.
In the parlance of DevOps and security, a shift left simply means that security is built into the process and designed into the application at an earlier stage of the development cycle. The goal is to increase quality, reduce the amount of time required for testing and, perhaps most important, mitigate the risk of security problems at the end of the cycle, when it is much more expensive and time-consuming to make fixes.
In the past, development teams have been somewhat reluctant to shift left because of concern that involving security personnel too early in the process would cause delays and complications. However, the world of DevOps has changed dramatically in the past few years, and shifting left is not only more viable, it is fast becoming a best practice in the worlds of both DevOps and security.
DevOps and the Cloud
Cloud computing has been one of the key change agents in allowing DevOps and security to shift left. Public cloud services enable DevOps teams to spin up infrastructure much more quickly than ever before. Cloud also enables DevOps to accelerate cycles through faster and more reliable testing and by leveraging technology innovations such as containers and microservices, which make it faster and simpler for teams to collaborate.
One of the most critical benefits delivered by the cloud is automation. Because many cloud tasks are highly automated, it is much simpler for DevOps teams to do both continuous testing and continuous deployment, which are essential practices for organizations looking to shift left and incorporate security earlier in the cycle.
I’ll give you an example from my own experience. I’ve been part of both the DevOps group and the information security group in my organization. Several years ago, we began increasing our use of automation and saw a lot of value in that. At the same time, our executive team was unsure how our organization was going to incorporate the cloud and how to approach it.
We decided to leverage public cloud to see if we could improve our speed and agility in developing applications. The results were well beyond our expectations. Previously, it had taken about 45 days to deploy a mid-size application. When we shifted DevOps to the cloud, we were able to develop a comparable app in one hour. From 45 days to one hour is a remarkable achievement, particularly in today’s world of rapid innovation and highly “consumerized” customer expectations.
With that experience, we decided that we wanted to move forward, which was when we created our DevOps group and continued with automation. The results have been so successful, we’ve made a decision to go all-in with the cloud for our entire organization. Our current philosophy is: If we can move an application to the cloud we are going to do so—as long as we know that we can secure it properly.
Shifting Left Securely
Ensuring that we can secure each application in the cloud has necessitated a shift left for our organization, so that we are defining and configuring security at the beginning of the development process and not at the end. It has also required us to make sure that our teams understand one of the core concepts of cloud security, which is that it is a shared-security model. Our cloud provider is responsible for certain aspects of security, and we are responsible for certain aspects, including our applications.
While public cloud has been a critical catalyst in our ability to shift left with security, we would not have been able to do so as easily or successfully if it were not for technology innovations in the world of security as well. Without getting too technical, one example of a new technology helping us shift left is an open-source solution called Terraform.
Basically, Terraform gives us the ability to modularize the security policy, so it lives with each application and is vetted, approved and defined throughout the application’s lifecycle. When we need to change security policies, it is much easier. And, when the application goes away, the policy is removed from the firewall. This not only helps with security; it also helps with compliance and auditing because you have an audit trail of any policy changes made in the application.
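To make the idea of a policy that “lives with each application” concrete, here is an added illustration (not the author's organization's code and not part of the original article): a small Terraform module that defines an application's firewall policy as an AWS security group, and a root configuration that attaches it to the application's server. The module name, paths, application name, variable names and the client network range are all assumptions made for the example.

```hcl
# --- modules/app_firewall/variables.tf (hypothetical module, not the author's code) ---
variable "app_name" { type = string }
variable "vpc_id"   { type = string }
variable "app_port" {
  type    = number
  default = 443
}
variable "allowed_ingress_cidrs" {
  type        = list(string)
  description = "Client networks permitted to reach the application port."
}

# --- modules/app_firewall/main.tf ---
# One security group per application: the policy is created with the app,
# reviewed in the same change as the app, and destroyed with the app.
resource "aws_security_group" "app" {
  name        = "${var.app_name}-sg"
  description = "Ingress/egress policy owned by ${var.app_name}"
  vpc_id      = var.vpc_id
  tags        = { Application = var.app_name }
}

# Only the listed client networks may reach the application port.
resource "aws_security_group_rule" "ingress_app" {
  type              = "ingress"
  security_group_id = aws_security_group.app.id
  protocol          = "tcp"
  from_port         = var.app_port
  to_port           = var.app_port
  cidr_blocks       = var.allowed_ingress_cidrs
}

# Terraform removes AWS's implicit allow-all egress rule when rules are managed
# separately, so egress is default-deny; only outbound HTTPS is re-added here.
resource "aws_security_group_rule" "egress_https" {
  type              = "egress"
  security_group_id = aws_security_group.app.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

output "security_group_id" { value = aws_security_group.app.id }

# --- main.tf in the root configuration for one application (hypothetical) ---
variable "vpc_id"    { type = string }
variable "subnet_id" { type = string }
variable "ami_id"    { type = string }

module "billing_firewall" {
  source                = "./modules/app_firewall"
  app_name              = "billing-api"
  vpc_id                = var.vpc_id
  allowed_ingress_cidrs = ["10.20.0.0/16"] # constructed: the internal client network
}

resource "aws_instance" "billing" {
  ami                    = var.ami_id
  instance_type          = "t3.small"
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [module.billing_firewall.security_group_id]
  tags                   = { Application = "billing-api" }
}
```

Because the security group is declared next to the instance it protects, a reviewer sees the firewall policy in the same pull request as the application change, and `terraform plan` shows exactly which rules will be added or removed before anything is applied. Deleting the `module "billing_firewall"` block and the instance, or running `terraform destroy` on this configuration, removes the rules along with the application, which is the “policy goes away with the app” behaviour described above; the version-controlled configuration and plan output form the audit trail.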
The Benefits of Shifting Left
By embracing public cloud and shifting left with DevOps and security, organizations can see significant benefits in cost savings, quality control, speed to market and even corporate culture. At my organization, we are seeing rapid acceleration in the way we’re able to remediate applications and, at the same time, we are significantly increasing our security.
We are reducing risk to the organization at multiple levels. We can deploy infrastructure and applications at a quicker pace, and we can mitigate the risk of ransomware in the cloud because we have more agility in securely redeploying our applications if our servers are locked.
The benefits are not just in cybersecurity, but also disaster recovery and business continuity. In the case of a natural disaster, we can redeploy our servers in another location. By integrating security into our deployment strategies, we have greatly enhanced our ability to do all of those things in an expeditious manner.
One of the additional benefits, at least in our organization, is a culture shift. Our teams are more collaborative than ever before. In fact, we are building a whole new campus designed to encourage that type of collaborative culture. It really feels like everyone is on one team.
Executives in the boardroom and executive suite don’t necessarily need to get too deep into the weeds when it comes to DevOps and security. But they do need to encourage their teams to be innovative in leveraging technology to accomplish key business imperatives.
DevOps and security teams, working cohesively in a cloud environment, can be empowered to reduce risk, accelerate speed to market and improve your overall cybersecurity posture, particularly if your teams are ready, willing and able to shift left.