DevOps-As-A-Service--The Downside You Need to Consider


In just a few short years, DevOps has gone from an obscure mashup of the words Development and Operations to one of the most commonly adopted software development methodologies in use. Today many organizations have made, and many continue to make, the very significant move from the highly structured and time-consuming Waterfall development approach to the much more flexible and responsive DevOps approach. In fact, IDC predicts that the worldwide market for DevOps software will reach $15 billion by the end of 2023.

There are lots of benefits to adopting a DevOps methodology; as the development landscape moves from monolithic applications to microservices, DevOps means fixes happen faster and products get delivered faster. Teams get to collaborate more closely and gain increased agility and flexibility. There is also an increased level of personal responsibility as security shifts left. According to Atlassian, “DevOps culture is all about a shared understanding between development and operations teams, and a shared responsibility for the software they build. That means increasing transparency, communication, and collaboration across development, IT/operations, and ‘the business’.”

The Bright Side of DevOps-As-A-Service

This is all very nice--but some organizations cannot hire their own DevOps team, whether because of lack of budget, remoteness of location, or a myriad of other factors. But no problemo: enter DevOps-as-a-service, or DaaS. DaaS is everything you'd think it would be. As with SaaS, IaaS, and PaaS, the “aaS” portion of the term refers to a service provided to a user who pays a rental fee instead of incurring the costs of the underlying assets. DaaS means you are renting DevOps services, without the need to hire additional developers.

DaaS provides access to experienced engineers whom a company might not otherwise be able to afford or have access to. And since these outsourced teams have the benefit of experience of working with many clients at once, they often use the most cutting-edge techniques and tools, which, again, the organization otherwise may not know about. They can also potentially help in-house devs ensure that best practices are always being used, and so much more. And as organizations deal with the realities of the COVID-19 pandemic, teams need all the remote help they can get--and DaaS is tailor-made for such a use case.

And Now, The Other Side - Data Leaks and Data Breaches

But there are some significant potential drawbacks that come with trusting an outsourced team with your business. Your infrastructure is the backbone of your organization, and handing it over to another party is no small risk. The main issue with DevOps-as-a-Service is the lack of visibility that comes with using a team that doesn't know the intricate details of your infrastructure and may not understand your specific use cases.

Here at Lightspin, we have seen first-hand what can happen when organizations blindly trust well-meaning DevOps-as-a-Service providers. For example, we recently met with a company that had been using the DaaS model and found itself with over 12,000 unused containers. These are assets that, if left unattended, could be exploited by attackers and greatly impact DevOps security. To illustrate, let’s imagine the external DevOps team creates a Security Group, which for whatever reason is currently not in use. If another developer mistakenly attaches that group to a private EC2 instance, it can result in an exposure of the internal server to the internet.
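The Security Group scenario above can be checked for before anyone attaches the group. The following is an added example, not Lightspin's code: it reads JSON shaped like the output of `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` and reports groups that are attached to nothing yet allow ingress from the whole internet. The group IDs, names, and rules are constructed sample data.

```python
# Constructed sample data, shaped like the JSON returned by
# `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "daas-temp-debug",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "internal-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "public-web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "daas-old-all",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
NETWORK_INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-01", "Groups": [{"GroupId": "sg-0bbb"}]},
    {"NetworkInterfaceId": "eni-02", "Groups": [{"GroupId": "sg-0ccc"}]},
]}

WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def open_rules(group):
    """Return (protocol, ports) for each ingress rule open to the internet."""
    found = []
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if cidrs & WORLD:
            proto = perm["IpProtocol"]
            # Protocol "-1" means all traffic and carries no port fields.
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            found.append((proto, ports))
    return found


def dormant_exposures(groups, enis):
    """Map each unattached group to its internet-open ingress rules."""
    attached = {g["GroupId"] for eni in enis["NetworkInterfaces"] for g in eni["Groups"]}
    report = {}
    for group in groups["SecurityGroups"]:
        rules = open_rules(group)
        if group["GroupId"] not in attached and rules:
            report[group["GroupId"]] = rules
    return report


if __name__ == "__main__":
    print(dormant_exposures(SECURITY_GROUPS, NETWORK_INTERFACES))
```

Groups flagged here are candidates for deletion or for tightening before they can be attached by mistake; a group referenced only from another group's rules would also show as unattached and needs a manual look.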

Want another big-name example? Look to 2017’s Tata leak; a developer from the India-based consulting services company accidentally leaked customer documents to GitHub. Most of the affected organizations were large banks in Canada and the US. Though customer data was not exposed, the source code and planning and development reports were among the leaked data set. Though all these institutions were safe in the end, the truth is that not every company is a major financial player; most cannot bounce back unscathed after a breach of epic proportions. A similar incident might wipe out a smaller company.

Another troubling issue we have come across is that of DaaS providers creating over-permissive access policies with the intention of making things simpler for the organization down the road. While this is convenient, it provides individuals with permissions far beyond the level they should have, which can lead to exposures and breaches.
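A quick way to spot such policies during a review, as an added example that is not Lightspin's code: the function below walks an AWS IAM policy document and flags `Allow` statements that grant wildcard actions, or use `NotAction`, across all resources. The policy text and its `Sid` values are constructed for illustration, and the check is deliberately limited to these two patterns.

```python
import json

# Constructed sample policy, in the standard IAM policy document format.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EverythingForVendor", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllS3", "Effect": "Allow",
     "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"},
    {"Sid": "ScopedRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AllButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}"""


def as_list(value):
    """IAM allows a single string or object where a list is also valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overly_permissive(policy):
    """Return (Sid, reason) for Allow statements that are broader than needed."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict access; they are not the risk here.
        if "*" not in as_list(stmt.get("Resource")):
            continue  # Scoped to specific ARNs.
        sid = stmt.get("Sid", "<no Sid>")
        wild = [a for a in as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if "NotAction" in stmt:
            findings.append((sid, "allows everything except the listed actions"))
        elif wild:
            findings.append((sid, "wildcard actions: " + ", ".join(wild)))
    return findings


if __name__ == "__main__":
    for sid, reason in overly_permissive(json.loads(POLICY_JSON)):
        print(f"{sid}: {reason}")
```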

Securing Your DevOps-As-A-Service

So you still want to use DevOps-as-a-service?

Relax. If outsourcing your DevOps makes sense for your organization, know that with the right setup, it can be done in a way that lets your in-house team extract maximum value from the services, without opening your organization up to potentially dangerous exposures.

Lightspin’s platform enables teams to perform cloud security audits to monitor the quality of services provided by DaaS, to proactively prevent data breaches and other security issues like the ones above. With Lightspin’s contextual cloud security platform, your team can continuously visualize, detect, and block any attack path in your cloud and Kubernetes environment, enabling you to reduce risks while establishing a clear plan for remediation. And Lightspin integrates seamlessly into your existing workflow and delivers simple instructions for mitigation of all threats, allowing prioritization based on real risks. It helps you think like an attacker, to see all potential pathways a malicious actor could take to make their way inside your environment.

Integrating Security into DevOps-As-A-Service - The Key is Visibility

The key to being able to take advantage of everything DevOps-as-a-service has to offer is establishing visibility across your cloud environment to create a contextual understanding of all events and findings. To learn more about getting started with contextual cloud security, and securing DevOps in the cloud, reach out to Lightspin today.


About Lightspin

Lightspin’s context-based cloud security empowers cloud and security teams to eliminate risks and maximize productivity by proactively and automatically detecting all security risks, smartly prioritizing the most critical issues, and easily fixing them. For more information, visit