Tuesday, 14 June 2022 11:22

Why combining DevOps and security is critical in a cloud-native world

By Steve Judd, senior solutions architect, Jetstack

GUEST OPINION: Keen to speed up innovation and achieve a competitive edge, increasing numbers of Australian organisations are turning to cloud-native architectures and DevOps practices. The logic is that this will allow faster development cycles and give the ability to take advantage of new opportunities as they arise.

However, the resulting increased pace of software development cycles is putting pressure on IT security. Faced with tight deadlines, developers run the risk of overlooking security or focusing on innovation at the expense of security.

Worryingly, according to a survey by Threat Stack, 52% of companies admit to cutting back on security measures to meet business objectives, potentially leaving critical systems vulnerable to exploitation. This is because maintaining security is a challenging task and can increase the workload of already busy development teams.

One factor contributing to this complexity is the growing usage of Kubernetes as a container-orchestration system. Because it offers flexibility and a consistent code-based experience, Kubernetes has quickly become the platform of choice among developers.

The role of machine identities

When it comes to managing a Kubernetes ecosystem, one key source of risk stems from the way in which organisations configure and manage machine identities. Each time a developer spins up a microservice, container or virtual machine in production, they must assign it an identity so it can communicate securely, and then manage that identity throughout its lifecycle.

Increasing usage of cloud-based resources is also contributing to the explosion in the number of machine identities. Without consistent security standards and appropriate tools to manage them in place, companies risk leaving themselves vulnerable to cyberattacks.

To address this issue, many companies are merging their development and security teams to form a DevSecOps capability. This makes sense in theory; however, some are reporting that the shift is not yet delivering the anticipated uplift in security.

According to research conducted by Threat Stack, 85% of companies confirm that employing SecOps best practices is an important goal for them; however, only 35% say that SecOps is currently an established practice.

Achieving DevSecOps success

To enable a strategy of DevSecOps to be deployed successfully, there are four key principles that should be followed.

1. Constantly monitor machine identities

With the pace of digital transformation within many organisations increasing, the number of machine identities needing to be managed is on the rise. However, as many security teams are discovering, it’s almost impossible to manage large volumes of digital identities manually without creating concerning security holes.

A better approach is to make use of automation tools that can continually monitor machine identities. This will significantly reduce security incidents from cloud-native workloads while also ensuring organisations can keep up with the speed of modern development and increased usage of cloud resources.

2. Maintain a consistent approach

IT teams within many organisations make the mistake of being inconsistent when managing machine identities. The use of multiple tools and methods to initiate machine identity security can result in confusion within teams. By clearly defining and communicating straightforward execution processes, teams can ensure the way in which they initiate machine identity security is the same every time.

3. Achieve organisation-wide visibility

With many IT teams deploying multiple containers every minute during peak periods, maintaining visibility of the entire IT infrastructure becomes difficult. Issues that might be missed include misconfigurations in containers or the underlying Kubernetes infrastructure.

Through the introduction of automation, teams can scan containers at every phase, identify the single most common vulnerability, and create a policy to eliminate it.

4. Use a strategy of application isolation

To ensure strong security, it is also important to make a point of isolating applications. This approach will lower the impact of any cyberattack by ensuring that a compromised application is less likely to affect other areas of an organisation’s IT infrastructure. It also helps to limit the risk of harm to a system when releasing new applications or functionality.

For the best security, IT teams should introduce container runtime scanning. Once a container is in production, put suitable mechanisms in place to ensure the container remains secure.
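As an added example that is not from the article or from Jetstack, the following Python check applies the four principles above to a single Kubernetes Pod manifest: it flags an implicit machine identity (no explicit service account, token auto-mounted), isolation gaps (host namespaces, privileged containers, root, writable filesystem) and images that are not pinned by digest. The sample pod, registry names and digest are constructed; the field names are standard Pod v1 fields.

```python
# Added example, not part of the article: a minimal policy check over a Kubernetes
# Pod manifest that flags the kinds of misconfiguration the article says are easy to
# miss at scale: implicit machine identity, weak isolation, unpinned images.
# The sample pod below is constructed; the field names are standard Pod v1 fields.

SAMPLE_POD = {
    "metadata": {"name": "billing-api", "namespace": "payments"},
    "spec": {
        "hostNetwork": True,          # shares the node's network namespace
        "containers": [
            {"name": "api", "image": "registry.example/billing:latest",
             "securityContext": {"privileged": True}},
            {"name": "proxy", "image": "registry.example/proxy@sha256:0123abcd",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True}},
        ],
    },
}

def check_pod(pod: dict) -> list:
    """Return a list of findings; an empty list means the pod passes every rule."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Identity: run as an explicitly assigned service account; mount a token only if needed.
    if "serviceAccountName" not in spec:
        findings.append(f"{name}: no explicit serviceAccountName (uses namespace default)")
    if spec.get("automountServiceAccountToken", True):   # Kubernetes defaults this to true
        findings.append(f"{name}: service account token auto-mounted")
    # Isolation: sharing host namespaces defeats the blast-radius limit the article wants.
    for host_ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_ns):
            findings.append(f"{name}: {host_ns} enabled")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c['name']}"
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: writable root filesystem")
        if "@sha256:" not in c.get("image", ""):   # mutable tags make runtime state unknowable
            findings.append(f"{cname}: image not pinned by digest")
    return findings
```

Running `check_pod(SAMPLE_POD)` reports eight findings, all on the pod itself and its `api` container; the `proxy` sidecar passes every rule, which is the shape a consistent, organisation-wide policy should drive every workload towards.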

The power of following a DevSecOps strategy

Despite the potentially crippling impact that a cyberattack can have on an organisation, many development teams still see security as something that holds back their progress. Nothing could be further from the truth.

By combining development and security through a DevSecOps strategy, it's possible to embed security in the development process. This ensures required measures can be put in place from the outset without slowing down the development pipeline.

Preventing cyberattacks is critical for all organisations, and a DevSecOps strategy is a big step in the right direction.
