DevOps, the trendy management philosophy that aims at rapidly developing and deploying software, raises important, even “philosophical,” questions about the role of cybersecurity in a government agency, two officials said Tuesday.
“It’s a philosophical discussion … What is the role of the [Chief Information Security Officer] and the authorizing official within an agency” organized according to the DevOps ideal, said Transportation Security Administration CIO Steven Rice. He said the management restructuring implied by DevOps would raise questions for government agencies about lines of authority — for example the sign-off on the deployment of new software.
But it’s not just a theoretical question.
“That’s an issue that people are dealing with right now,” said Maj. Gen. Sarah Zabel, vice director of the Defense Information Systems Agency.
She and her fellow panelists at Tuesday’s Symantec Government Symposium were asked about balancing DevOps’ demands for swifter delivery and deployment with the need to protect networks.
“The typical approach,” said the questioner, to laughs of recognition, “is ‘We don’t need to have all this security risk management stuff, we don’t need to have cybersecurity, we need a solution now.'”
Zabel said IT leaders at the Pentagon were trying out different approaches to demand for swifter deployment.
One was “Accrediting a developer’s process rather than than necessarily the product,” she said. “So a developer comes out shows them ‘Here’s my process, here’s the controls [I use] … Here’s how I work [cybersecurity] into my process,’ and therefore we have some amount of assurance that when something comes out at the end, it has a level of assurance” about the security of the software.
The other approach, she said was “building out test labs, test ranges, so that you can take any [new software] stick it in the test lab or the test range and just throw everything you got at it, so at least you do your testing very quickly.”
“I don’t know which one or either of them are gonna be successful in the long run,” she said.
DevOps breaks down the “traditional verticals of engineering, development, enterprise architecture, customer service, information assurance and the like and you start going to a teaming approach,” noted Rice.
DevOps advocates cross-departmental teaming, but that raises questions, Rice said.
“How do we ensure that we have the right cybersecurity presence in each of those teams? And how is the CISO ensuring that they’re meeting the guiding principles of the security architecture that are required [by law and regulation] as each of these [software development] sprints is going on? And how is that being communicated up as a risk aperture to the authorizing official?”
DevOps should really be called “DevTestSecOps,” joked David Blankenhorn, the chief technology officer of government contractor DLT Solutions.
“The reality of the DevOps environment is not that you’re not doing your testing, your [quality assurance], your security … it’s that you’re doing it on a much more micro scale.”
Those processes could be shortened by focusing on the points at which the latest software iteration deviated from previous versions, the so-called delta.
Instead of doing your [information assurance] on your entire stack, you’re focussing on the deltas. If you have a strong [security] foundation, you’re focussed on the deltas every step of the way,” Blankenhorn said.
In the end, the management agility required by DevOps might need a more empowered CISO, Rice added.
“It may force us to kind of look at … the management level of the CISO [needed] to be able to keep his or her fingers on the pulse of all these DevOps teams,” he said. “It philosophically changes the organizational structure and the responsibility of the security executive within an organization.”
“I don’t think there is an ideal solution out there but it is something we’re all gonna have to grow into at our own pace,” Rice concluded.