DevOps-As-A-Service--The Downside You Need to Consider for Cloud DevOps Security

DevOps.

In just a few short years, DevOps services have gone from an obscure mashup of the words Development and Operations to being one of the most commonly adopted software development methodologies in use. 

Today, many organizations have made, and many continue to make, the very significant move from the highly structured and time consuming Waterfall development approach to the much more flexible and responsive DevOps approach. 

In fact, IDC predicts that the worldwide market for DevOps software will reach $15 billion by the end of 2023.

The Benefits of DevOps Solutions as a Software Delivery Process

There are lots of benefits to adopting DevOps services and a DevOps methodology. As the development landscape moves from monolithic applications to microservices, DevOps solutions mean fixes happen faster and products get delivered faster through innovations such as Continuous Integration and Continuous Delivery, and through automated testing and automation of routine tasks that free up developers' time for higher-value work. Continuous Delivery also means that customers don't have to experience any downtime, providing a better experience for the end user. Teams improve collaboration by working more closely together and also gain agility and flexibility. There is also an increased level of personal responsibility as security shifts left.

According to Atlassian, “DevOps culture is all about a shared understanding between development and operations teams, and a shared responsibility for the software they build. That means increasing transparency, communication, and collaboration across development and operations teams, IT, and ‘the business’.”

What if You Can’t Manage DevOps Services In-House? The Bright Side of DevOps-As-A-Service

This is all very nice--but some organizations cannot hire their own DevOps team; this could be due to lack of budget, remoteness of location, and a myriad of other factors. When they do hire DevOps services, they have to cut costs, and so they might not end up with the right professional expertise.

As a result, code quality suffers, cost savings come at the expense of quality control, and your core business value and business goals are negatively impacted because you don’t have the necessary tools or industry expertise in-house. Yikes.

But no problemo: enter DevOps-as-a-Service, or DaaS.

Think of DevOps as a service as your own DevOps consulting services or team. DaaS is everything you'd think it would be. 

Just as with SaaS, IaaS, and PaaS, where the “aaS” portion of the term refers to a service provided to a user who pays a rental fee instead of incurring the costs of the underlying assets, the same is true of DaaS.

DaaS means that you are renting DevOps services to gain the benefits of the software delivery process, all without the need to hire additional developers in house or take on the ongoing costs of maintaining that team.

This comes with a whole lot of benefits. To name a few, DaaS:

Provides access to experienced engineers

A company might not otherwise be able to afford or have access to this caliber of engineers. There is a serious skills shortage which exacerbates this problem, but with consultancy, DevOps professionals can be a shared resource.

Often comes with the most cutting-edge techniques and tools

The organization might not even know about these tools, which the DevOps-as-a-Service provider may have learned about while working elsewhere with other clients.

Helps in-house developers with their work

They can also help in-house developers ensure that best practices are always being used, again drawing on lessons learned from other clients and from following the process from end to end.

Supports remote working use cases

Finally, as organizations continue to deal with the realities of the COVID-19 pandemic, teams need all the remote help they can get--and DaaS is tailor made for such a use case.


And Now, The Other Side of DevOps-as-a-Service: Data Leaks and Data Breaches

But there are some significant potential drawbacks that come with trusting an outsourced team with DevOps services for your business. Your infrastructure management is the backbone of your organization and handing it over to another party is no small risk. 

The main issue with DevOps-as-a-Service is the lack of visibility that comes with using a team that doesn't know the intricate details of your infrastructure and may not understand your specific use cases. Especially when they are handling elements through automated testing, how can you be sure nothing will go wrong?

Here at Lightspin, we have seen first-hand what can happen when organizations blindly trust well-meaning DevOps-as-a-Service providers or DevOps professionals from outside the business with configuration management tools, source-code management tools, automated testing, continuous delivery and more. 

Practical Examples of External DevOps Services Gone Wrong

For example, we recently met with a company that was struggling with implementing DevOps, and so had been using the DaaS model to gain DevOps expertise externally. They found themselves with over 12,000 unused containers. These are assets that, if left unattended, could be exploited by attackers and greatly impact DevOps security. To illustrate, let’s imagine the external DevOps team creates a Security Group, which for whatever reason is currently not in use. If another developer mistakenly attaches that group to a private EC2 instance on Amazon Web Services (or the equivalent on Google Cloud or any other provider), it can result in exposure of the internal server to the internet.
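One way to catch the orphaned Security Group scenario above before anyone attaches it, as an added example (not Lightspin's code or a tool the post describes): flag groups that no network interface references yet that allow ingress from the whole internet. The input dictionaries mirror the shape of EC2 DescribeSecurityGroups / DescribeNetworkInterfaces responses, but the data below is constructed, not from a real account.

```python
# Added example: detect unattached security groups with world-open ingress.
# Input mimics the EC2 API response shape; all sample data is constructed.

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def open_ingress_rules(group):
    """Return (protocol, from_port, to_port, cidr) for every rule open to the world."""
    found = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in OPEN_CIDRS:
                # IpProtocol "-1" means all protocols; FromPort/ToPort are then absent
                found.append((perm.get("IpProtocol"), perm.get("FromPort"),
                              perm.get("ToPort"), cidr))
    return found

def attached_group_ids(interfaces):
    """Group IDs referenced by at least one ENI, i.e. actually in use."""
    return {g["GroupId"] for eni in interfaces for g in eni.get("Groups", [])}

def find_orphaned_open_groups(groups, interfaces):
    """Unused groups with world-open ingress: the ones a later mistake can expose."""
    in_use = attached_group_ids(interfaces)
    report = {}
    for g in groups:
        rules = open_ingress_rules(g)
        if g["GroupId"] not in in_use and rules:
            report[g["GroupId"]] = rules
    return report

# Constructed sample: one attached public group, one orphaned open group, one internal group
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "daas-temp-debug",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "internal-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0aaa"}]}]

if __name__ == "__main__":
    for gid, rules in find_orphaned_open_groups(SAMPLE_GROUPS, SAMPLE_ENIS).items():
        print(gid, "is unattached but open to the internet:", rules)
```

In a real account the two lists would come from the describe calls paged through each region; the check itself stays the same.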

Want another big name example? Look to 2017’s Tata leak; a developer from the India-based consulting service provider accidentally leaked customer documents to GitHub. Most of the affected organizations were large banks in Canada and the US. Though customer data was not exposed, the source code and planning and development reports were among the leaked data set. Though all these institutions were safe in the end, the truth is that not every company is a major financial player; most cannot bounce back unscathed after a breach of epic proportions. A similar incident might wipe out a smaller company, and is very possible with today’s rise in the use of cloud platforms.

Another troubling issue we have come across in the DevOps process when outsourcing development tools to DevOps-as-a-Service is that of DaaS providers creating over-permissive access policies with the intention of making things simpler for the organization down the road, especially with a continuous delivery pipeline. While this is convenient, it provides individuals with permissions far beyond the level they should have, which can lead to exposures and breaches.
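The over-permissive pipeline policy problem, shown as an added example that is not part of the original post: an IAM-style policy document granting a deploy job everything, beside the same job scoped to the one bucket and function it touches, with a small check that flags the wildcard statements. Both policy documents, the bucket name, the function name and the account ID are constructed for illustration.

```python
# Added example: flag Allow statements with wildcard actions or resources in an
# IAM-style policy document. Both policies below are constructed, not real.
import json

def _as_list(v):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return v if isinstance(v, list) else [v]

def risky_statements(policy):
    """Return (sid, reason) for each Allow statement that grants far too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((sid, "allows every action"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "allows every action of a service"))
        if "*" in resources and not stmt.get("Condition"):
            findings.append((sid, "applies to every resource with no condition"))
    return findings

# Constructed: what a "make it simple for later" pipeline role often ends up with
OVER_PERMISSIVE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PipelineDoEverything", "Effect": "Allow",
                 "Action": "*", "Resource": "*"}]
}""")

# Constructed: the same deploy job limited to the artifact path and function it updates
SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "UploadArtifact", "Effect": "Allow",
     "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-artifacts/releases/*"},
    {"Sid": "DeployFunction", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode"],
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-api"}
  ]
}""")

if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE), ("scoped", SCOPED)):
        print(name, "->", risky_statements(doc) or "no findings")
```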

Securing Your Software Delivery Process Through DevOps-As-A-Service

So you still want to use DevOps-as-a-Service? You might think that we’re warning you off this DevOps solution, telling you that it is a bad idea for security and compliance, and that the benefits of CI/CD, infrastructure as code, release management and so on just aren’t juice worth the squeeze. Relax! We’re not saying that at all.

If outsourcing your DevOps makes sense for your organization, know that with the right setup, it can be done in a way in which your in-house team extracts maximum value from the services without opening your organization up to potentially dangerous exposures.

Lightspin’s platform enables teams to perform cloud security audits to monitor the quality of services provided by DaaS, to proactively prevent data breaches and other security issues like the ones above. 

With Lightspin’s contextual cloud security platform, your team can 

  • continuously visualize, detect, and block any attack path in your cloud and Kubernetes environment
  • reduce risks in the software delivery process
  • establish a clear plan for remediation

And Lightspin integrates seamlessly into your existing workflow and delivers simple instructions for mitigation of all threats, allowing prioritization based on real risks. 

It helps you think like an attacker, to see all potential pathways a malicious actor could take to make their way inside your environment.

Integrating Security into DevOps Services for Infrastructure Management - The Key is Visibility

It makes sense that many businesses that cannot afford adequate in-house DevOps solutions at the right level of DevOps expertise are looking to outsource to DevOps services bought as a service.

This isn’t a bad thing in and of itself, but it does come with a certain amount of risk. The key to taking advantage of everything DevOps-as-a-Service has to offer is establishing visibility across your cloud environment to create a contextual understanding of all events and findings, rather than outsourcing your responsibility for remaining secure along with the delivery model.

To learn more about getting started with contextual cloud security, and securing DevOps in the cloud, reach out to Lightspin today.

-----------------------------------

About Lightspin

Lightspin’s context-based cloud security empowers cloud and security teams to eliminate risks and maximize productivity by proactively and automatically detecting all security risks, smartly prioritizing the most critical issues, and easily fixing them. For more information, visit https://www.lightspin.io/