Most people are painfully aware that security breaches have increased in recent years, while at the same time becoming more sophisticated in their approach. In addition, ever-expanding application environments and ever-evolving workloads have created more opportunities than ever for attackers. What’s not clear to those outside the tech bubble: The world is dangerously ill-equipped to deal with the scale of these threats.
Organizations may wish to meet this challenge with armies of skilled technicians willing to maintain secure operations. But in reality there is a huge shortage of capable DevOps experts, especially those with cybersecurity skills. This creates major problems for all organizations operating in modern cloud and container environments.
According to the Cyber Security Defense Group (ISC)2However, this skill gap has noticeable and meaningful consequences for DevOps and security teams. Responses collected from more than 4,500 cybersecurity professionals around the world indicate just how serious the problem is. More than 30% of respondents said they regularly encounter misconfigured applications, 29% feel their teams are too slow to debug critical systems and 27% are unable to maintain the necessary awareness of all active threats against their IT infrastructures.
It is clear that cyber security teams are not staffed to meet current – and expected future – requests, processes are not managed, assessment is not processed and monitoring is incomplete. However, this is not just a matter of hiring more people to perform these tasks. The people needed to keep DevOps environments secure simply don’t exist because the role has changed faster than the workforce.
Time is a critical factor in security, and a solution cannot be waited for. DevOps leaders and CISOs must do something, and fast. Fortunately, they can ease the burden of the skill shortage and continue moving forward in their move to the cloud, containers, and Kubernetes by taking the following steps:
1. Employing automation
Security teams and DevOps have to verify that the security controls are indeed working as intended, but they also aren’t slowing down development efforts. Many companies run manual checks to determine this, but this is simply not scalable. Automation is the only way to do this effectively. Companies need tools that can analyze cloud activity without manual processes to understand if things are working as expected, even on larger deployments.
The tie factor that combines speed, agility and safety is found in automation. With an automated approach, cloud activity can be analyzed and interpreted and DevOps and Security teams can be alerted about abnormal behavior within their cloud and container environment. This helps address vulnerabilities and issues before they are exploited, reduce friction in the development process and ensure secure deployment.
For starters, DevOps teams should take advantage of security tools to automatically create and customize policies. The right tools, some of which can be found in open source frameworks like Falco, are designed to adapt to container lifecycles and integrations. DevOps teams can rely on these tools to enforce policies and alert you to issues that result from anomalous behavior that may indicate a threat.
The concept of shared responsibility is rooted in the automation approach; The security of cloud and container activity is placed squarely in the domain of the cloud client. They are free to act as needed, but no organization can ignore modern requirements for speed or necessary requirements for security. This requires DevOps teams to understand and adapt to security oversight needs while security teams must act according to their terms of reference while not slowing down development and delivery.
2. Training people for the task at hand
If the right people aren’t around, it’s up to the security and DevOps teams to create them. Organizational training is key to adding people with the right skills, and every organization should look to develop the right candidates into qualified DevOps and security experts.
Many of these people can actually be found working as app developers or under a security job. You may find individuals at the beginning of their careers, looking to enhance their skill set and eager to participate in on-the-job training. Every organization should encourage mentoring by more experienced staff, but it should also have formal training programs in place to familiarize people with the unique needs of DevOps security.
Some colleges now offer certificates or certificates specializing in cybersecurity. Programming schools, like the Eleven Fifty Academy in Indianapolis, for example, train students in the latest cybersecurity practices and can be a great source of talent. The US Army also offers some of the most technologically advanced training and is a fertile recruiting ground for highly skilled Security and DevOps players.
3. Think Global
There is no one specific way to attack or hack cloud and container environments. Curricula vary, which is why the talent responsible for security must also advocate for diversity. One way to do this is to look beyond your limits in search of talent. As the world has embraced remote work over the past two years of the COVID-19 pandemic, more organizations than ever are equipped to bring in workers from around the world to help them solve security and DevOps issues.
Think broadly about where you can find talent and hire people who can demonstrate their ability through tests and work samples. Not only does this deepen the pool of potential workers, but it also helps you bring new people into the fold with different perspectives and approaches that can enhance the work you already do.
Nearly half of the employees at the company I work for are based outside the United States. This greatly increased talent for us. With a little diligence, the main barrier to hiring globally – the time difference – is not an issue, and you may find that it makes you more efficient.
4. Rely on proven solutions
Finally, use commercially available products to support your DevOps security needs. Building it yourself is always an option, but when it comes to security, this approach can take longer than you have; A luxury you can’t afford.
SaaS products are the most reliable and effective in this regard, as they will expand and adapt as your team’s needs change. These tools are specifically designed for the shared responsibility model, so they reduce distractions and allow you and your team to focus only on the necessary security and speed tasks that are critical to helping you achieve your goals. Site review, experience, and perspectives from developer communities will be very helpful in guiding you to make the best decision for your organization.
Managing Security and DevOps is never easy. With strict schedules and delivery deadlines, it is easy to let the discipline required for security fail. What makes it even more difficult is that we cannot employ enough people to take care of these needs. However, with a combination of innovative training, fresh perspectives on staffing, and effective use of technology, any organization can overcome these limitations.