By Jonathan Sidney, Synthesis Cloud Engineer.<\/p>\n
In this year\u2019s \u201cPuppet State of DevOps\u201d report, an interesting discussion point was uncovered: Does DevOps fundamentally include security requirements or should it be described with a separate word \u2013 DevSecOps. This might seem to be relatively trivial discussion, but it gets to the essence of both DevOps as well as the entire point of modern security and compliance. On the one hand, the authors of the \u201cDevOps Handbook\u201d, make the claim that security is part of every employee\u2019s job description. Yet, on the other hand, security is a vast and complex area of expertise. Can the industry really expect every single developer to understand the ins and outs of asymmetric encryption, operating system vulnerabilities and so much more? Surely there is more value in them writing code and letting trained experts worry about the minutia of security?<\/p>\n
To understand this environment, it is important to understand a distinction between two philosophers \u2013 Soren Kierkegaard and Hegel. When approaching a debate with two contradictory statements \u2013 a thesis and an antithesis \u2013 Hegel claims that a synthesis can always be found that resolves the contradiction. However, Kierkegaard argues that sometimes a synthesis cannot be found. Rather, the tension between the two contradictory statements is what provides meaning to the contradiction.<\/p>\n
In the spirit of Soren Kierkegaard\u2019s philosophy of dialectical tension, let us understand how the tension between these two statements above can bring a more holistic and impactful view of security in the world of IT. It is completely correct to say that security is the responsibility of a dedicated, highly trained team. At the same time, it is just as correct to say that security is the responsibility of every employee at the company.<\/p>\n
In the last 18 months to two years, a new approach to the structure of teams in organisation has become increasingly popular. In the book \u201cTeam Topologies\u201d, Matthew Skelton and Manuel Pais describe four standard models of teams and three fundamental modes of communication between them. This is not the forum to discuss the entire \u201cTeam Topologies\u201d, but two core concepts in the book serve as a possible solution to the contradiction outlined above. At the core of \u201cTeam Topologies\u201d is the stream-aligned team. This team is focused on delivering value to end users. This team must be capable of delivering as much value as possible without needing the assistance of an external team or provider. The second core concept is that of \u201cthe platform and the platform team\u201d. These two related concepts refer to the organisation\u2019s accumulated knowledge and understanding of best practices. The platform is a \u201cproduct\u201d that can be accessed through easy-to-use interfaces (eg: a well-defined API) by any team in the enterprise so that they can re-use components that have a validated and guaranteed level of quality. Related to this is the team that is responsible for managing and maintaining this platform. The team is comprised of members across every capability of the organisation who curate and define the standards that the stream-aligned teams can make use of.<\/p>\n
Even though, according to Kierkegaard, a contradiction cannot be \u2018solved\u2019, it can be important to frame the tension between the two sides of the debate. Using the concepts of \u201cTeam Topologies\u201d, the two arguments about who is responsible for security in software makes a lot more sense: The stream-aligned teams are fundamentally responsible for ensuring that the products that they build are secure and comply with any legislation that applies. As with the rest of the software development life cycle, the stream-based team should be capable of accomplishing most of the day-to-day security related work. Furthermore, if the stream-aligned team is accomplishing this work, they are not being made dependant on an external team and, thus, a potential bottleneck in the delivery of value to the end user is avoided.<\/p>\n
However, there are going to be instances when the stream-based team cannot be expected to adequately deliver on these requirements by themselves. This is where the concept of the \u2018platform\u2019 and \u2018enabling teams\u2019 become crucial. Firstly, since the platform contains the accumulated best practices and templates of the organisation, it will naturally include components that are of the highest possible quality. Thus, when stream-aligned teams make use of these components, they naturally are building security and compliance into their applications. Even though they did not personally design the components, the platform itself guarantees that they are secure. Secondly, Team Topologies can also define how teams respond when the stream-aligned team cannot use the platform to fulfil their needs. The concept of an \u2018enabling team\u2019 can be used in the edge cases to facilitate the fulfilling of these needs. However, this facilitation cannot simply end at \u201cdoing the work for them\u201d. The authors of Team Topologies emphasise that the enablement must always include the following two components:<\/p>\n
Unlike a more traditional approach, team topologies are focused on giving more capabilities to the teams directly delivering value to their customers. However, it must also be aware of the reality that not every team member in an organisation can be an expert in one hundred percent of security-related situations.<\/p>\n
A colleague once remarked that \u201cif you are not doing DevSecOps; you aren\u2019t doing DevOps\u201d. This sentiment is totally accurate. A core belief of DevOps is that quality \u2013 which is a metric that clearly includes security \u2013 is the responsibility of the entire team. One cannot claim to be operating as a \u201cDevOps\u201d team if the team does not take responsibility for building systems that are secure and comply with all the relevant rules and regulations. However, there is also a clear and present need for a team devoted to the overall security posture of the organisation. This team must be capable of taking strategic decisions on how best practices need to be encouraged and implemented by the various stream-aligned teams in the organisation.<\/p>\n
The tension between these two stances is not fundamentally bad. As Kierkegaard taught us, the tension between the two stances in a contradiction is what adds value and meaning to the contradiction. It is up to organisations to utilise the team layouts and communication methods that are best suited to it to facilitate these overlapping areas of responsibility and to ensure that their overall security posture is improved by this tension. \u201cTeam Topologies\u201d is one possible way of facilitating this and it has shown to be very successful in a multitude of environments. However, every organisation must find the best way to implement this need. The critical factor is to be aware of the tension between these two positions and create a positive atmosphere in the organisation.<\/p>\n","protected":false},"excerpt":{"rendered":"
By Jonathan Sidney, Synthesis Cloud Engineer. In this year\u2019s \u201cPuppet State of DevOps\u201d report, an interesting discussion point was uncovered: Does DevOps fundamentally include security requirements or should it be described with a separate word \u2013 DevSecOps. This might seem to be relatively trivial discussion, but it gets to the essence of both DevOps as […]<\/p>\n","protected":false},"author":12,"featured_media":7667,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"episode_type":"","audio_file":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","filesize_raw":"","date_recorded":"","explicit":"","block":"","itunes_episode_number":"","itunes_title":"","itunes_season_number":"","itunes_episode_type":"","footnotes":""},"categories":[34],"tags":[],"ptype":[11],"sectors":[26,29],"class_list":["post-7660","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-conversation","ptype-articles","sectors-cloud","sectors-msp"],"acf":[],"yoast_head":"\n