Is your IP important? If yes, then these thoughts may be of interest.
Reducing release cycles is on the agenda of most product development companies. There are many reasons why this is becoming ever more a way to keep ahead – even more so as competition is changing and coming increasingly from newcomers to the market or from market players acting nowadays in completely different domains. But what is the advantage of faster releases? Well, there are many, such as less risk, less waste, lower cost and happier customers because they get earlier what they are really asking for, or they’re able to harvest the benefits from new innovations earlier.
This increasing speed also affects organisations that are enhancing and intensifying their cooperation with partners and suppliers. Consequently, keeping up with this speed while putting measures in place to protect Intellectual Property (IP) is becoming an ever greater challenge for the security office. As speed increases, the dynamics increase as well; static measures quickly become a burden and can lead to frustrated development teams that do not advance as fast as they could.
While increasing the speed of development, it is very likely that processes need to be reassessed, as automating and improving activities is only one part of the picture. When looking at the delivery pipeline holistically, as a development stream (in the spirit of Value Stream Mapping in lean thinking), most delivery pipelines are very likely to be 30% doing and 70% waiting. The doing can be optimised through automation, but optimising the waiting requires process changes, which usually have an impact on the organisation. Pursuing this can be considered a major goal for every company, as it also helps keep remediation fast. In a DevOps scenario you should be looking at the paradigm of infrastructure as code, i.e. automating the complete deployment process, as this not only increases speed but also helps with security, since any attack on your running system can be more easily remediated by redeploying from a known state.
From a security standpoint, Forrester says that the continuous delivery paradigm is seen more as continuous friction or nagging (Forrester: Secure DevOps – Overcoming the risk of modern Service Delivery). According to a study, 75% of attacks are successfully carried out within days, whereas only 25% of them are detected within days. And I would claim that this is getting even worse. Traditional security measures are not working sufficiently. Forrester again thinks that most organisations are still using technologies of the 90s, mainly based on the fixed perimeter paradigm – outdated and no longer applicable: the perimeter is DEAD. Firewalls no longer scale to the extranet. Identity and access management is important, but is becoming an ever greater challenge, especially in large co-operations, due to complexity and dynamics. Lately I heard from one of our customers that he needed to wait at least a week to be granted access … a situation which could easily kill the existence of small innovative companies. Further, the “kidnapping” of accounts is becoming an ever greater issue, and even if two-factor authentication will help – is it really the solution? All these measures are static and do not really help in surfacing threats.
Finally, security is still working mostly in silos (security, development, production). A more holistic approach is required – in every sense of the word. Security aspects need to be integrated into all aspects. More real-time analysis of the data is required, and the analysis needs to cover every file, every user and every interaction. Thus the analysis needs to support large volumes of data from various sources. Those who are active in this field will certainly help with the challenges that most people responsible for security are facing.
What are your thoughts on this subject?