How DevOps supports FISMA (Federal Information Security)

The DevOps model is based on rapid and constant feedback, both from the development process and from the system in production. Continuous integration, user review, and automated testing provide feedback during development; production monitoring, alerting, and user behavior provide feedback in production.

The Federal Government has been moving toward an interpretation of FISMA (The Federal Information Security Act) that is very much consistent with this feedback-based approach. The National Institute of Standards and Technology (NIST) publishes guidance on how agencies should implement FISMA. Its Special Publication 800-137 promotes the use of Information Security Continuous Monitoring (ISCM) and makes it the cornerstone of a new Ongoing Authorization (OA) program. A later NIST publication (June 2014) titled “Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management” provides additional details. DHS and GSA have worked to create a Continuous Diagnostics and Mitigation (CDM) framework and a contract vehicle through which agencies can procure CDM services.

The core idea is that federal information systems should be continuously monitored for vulnerabilities while in production. Those vulnerabilities should be rapidly remediated, and they can be used to “trigger” security reviews based on the agency’s risk posture. In other words, we are moving from a process where security is tested and documented every few years to a process based on continuous feedback from production to a team that is charged with remediating and optimizing. That is a DevOps system.

The title of the NIST publication indicates that there is more here than meets the eye. The intention is to move to a “near real-time risk management” approach that is based on frequent reassessments of risks, threats, and vulnerabilities. It moves the focus of security activities from documenting that required controls have been implemented (a compliance focus) to one of responding to a changing landscape of real, emerging threats (a risk-based, dynamic focus).

DevOps provides an ideal way to implement this new security approach. Continuous Monitoring for security vulnerabilities is just another type of production monitoring in the DevOps world. A rapid feedback cycle enables the DevOps team to respond quickly to a newly discovered vulnerability. Since the DevOps team has already shortened cycle time and automated its deployments, the vulnerability can be addressed as quickly as possible. As an added bonus, the system in production doesn’t need to be patched in place; instead, the source system can be modified, the entire system rebuilt and deployed to a new set of VMs, and the old VMs torn down.

The influence can go both ways: by incorporating the ideas of triggers and business-based risk assessments, DevOps can be extended to include risk-based decision making.
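To make the “trigger” idea concrete, here is an added example (not code from the original post, and not drawn from any NIST or DHS document) of a small evaluator that a DevOps team might run over the findings stream coming out of continuous monitoring. It turns each finding into one of the two responses the post describes: a rebuild-and-redeploy of the affected image rather than an in-place patch, and a risk-based trigger of a security review. The system names, image tags, thresholds, sample findings and CVE-style identifiers are all constructed placeholders for the illustration.

```python
"""Continuous-monitoring trigger evaluator (illustrative, constructed example).

Turns vulnerability findings reported against production into two actions:
  * rebuild: the immutable image carrying the finding should be rebuilt from
    source and redeployed to fresh VMs (no in-place patching)
  * review:  the finding crosses the agency's risk posture and should trigger
    a security review under Ongoing Authorization
All thresholds, names and findings below are made up for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    system: str           # the information system the finding belongs to
    image: str            # immutable build artifact currently deployed
    cve: str              # scanner identifier (placeholder values in the sample)
    cvss: float           # base score, 0.0-10.0
    first_seen: datetime  # when monitoring first reported it
    remediated: bool = False


@dataclass
class RiskPosture:
    """Agency-defined thresholds; the values here are constructed, not official."""
    rebuild_cvss: float = 7.0                    # at or above: rebuild now
    review_cvss: float = 9.0                     # a single finding this severe triggers review
    review_open_count: int = 5                   # or this many unremediated high findings
    max_open_age: timedelta = timedelta(days=30)  # or any high finding open longer than this


def plan_actions(findings, posture, now):
    """Return {system: {"rebuild": set(images), "review": [reasons]}}."""
    plan = {}
    for f in findings:
        entry = plan.setdefault(f.system, {"rebuild": set(), "review": []})
        if f.remediated:
            continue  # already closed by a previous rebuild; nothing to do
        is_high = f.cvss >= posture.rebuild_cvss
        if is_high:
            entry["rebuild"].add(f.image)
        if f.cvss >= posture.review_cvss:
            entry["review"].append(f"{f.cve} scored {f.cvss}")
        age = now - f.first_seen
        if is_high and age > posture.max_open_age:
            entry["review"].append(f"{f.cve} open for {age.days} days")
    # Count-based trigger: too many open high findings on one system is itself a risk signal
    for system, entry in plan.items():
        open_high = [f for f in findings
                     if f.system == system and not f.remediated
                     and f.cvss >= posture.rebuild_cvss]
        if len(open_high) >= posture.review_open_count:
            entry["review"].append(f"{len(open_high)} unremediated high findings")
    return plan


# Constructed sample findings; CVE identifiers are placeholders, not real CVEs.
NOW = datetime(2015, 1, 15)
SAMPLE_FINDINGS = [
    Finding("payroll", "payroll-web:build-412", "CVE-0000-0001", 9.8, NOW - timedelta(days=1)),
    Finding("payroll", "payroll-web:build-412", "CVE-0000-0002", 5.3, NOW - timedelta(days=2)),
    Finding("payroll", "payroll-db:build-77", "CVE-0000-0003", 7.5, NOW - timedelta(days=45)),
    Finding("hr-portal", "hr-portal:build-9", "CVE-0000-0004", 7.2, NOW - timedelta(days=3),
            remediated=True),
    Finding("hr-portal", "hr-portal:build-9", "CVE-0000-0005", 4.0, NOW - timedelta(days=3)),
]


def sample_plan():
    """Evaluate the constructed findings against the default posture."""
    return plan_actions(SAMPLE_FINDINGS, RiskPosture(), NOW)


if __name__ == "__main__":
    for system, actions in sample_plan().items():
        print(system)
        for image in sorted(actions["rebuild"]):
            print("  rebuild and redeploy:", image)
        for reason in actions["review"]:
            print("  trigger security review:", reason)
```

With the constructed sample, the payroll system gets two images queued for rebuild (the 9.8 and the 7.5 findings both exceed the rebuild threshold) and two review triggers (one for severity, one because the 7.5 finding has been open for 45 days), while the HR portal needs nothing because its only high finding is already remediated. In a real pipeline the rebuild set would feed the deployment job and the review reasons would be recorded against the system's authorization package.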
