IT leaders seeking to adopt DevOps, or to optimize a DevSecOps culture in their organizations to improve DevOps security, face several possible challenges, from the technical to the human-centric. Oftentimes, the process and technical issues can be resolved quickly, but the people challenges can take a bit longer. I’m writing this blog to help IT leaders understand the cultural challenges they might face as they adopt DevSecOps, and how to respond so their teams can get past them.
Typical DevSecOps Cultural Challenges
IT leaders will experience a wide range of reactions from staff as they are asked to embrace DevSecOps rather than plain DevOps. The primary reasons are an inherent reluctance to give away something they already have (for example, privileges and authority) and the way separation of duties is enforced (e.g. through permissions). These reactions manifest themselves in the following cultural challenges.
IT Staff and Developer Access
Developers and IT admins will no longer have privileges, permissions, or authority to operate, deploy, and administer systems from end-to-end. Their ability to interact with systems will be restricted to predefined automation. The procedures included in the automation will not be accessible outside of DevSecOps. This may make staff feel like they are being replaced with automation (much like manufacturing robots) and may result in a refusal to relinquish the administrator authority they have today.
Access to secrets
Credentials, accounts, passwords, and keys used in DevSecOps will be unknown even to the most trusted IT staff and developers. Today, they know them or have access to them. However, in a DevSecOps model, they will not—instead, secrets will be coded, stored, rotated, and managed using privileged access management solutions. This shift may make the most trusted individuals feel like they have done something wrong since they no longer have access.
Separation of duties
A sound DevSecOps process interacts with multiple departments, assets, and resources. Security is no longer applied uniformly across all of them by one group. Each silo is unique and automated, and no single individual will (probably) hold the knowledge of the entire process any longer. This separation of duties will dethrone any individuals who are the knowledge keepers of the kingdom, and change the culture by distributing that knowledge amongst the owners within each department. In short, the knowledge hierarchy for operations will change.
How Can You Help Your Team Get Past DevSecOps Challenges?
You can help get past these technical, cultural, and emotional challenges by explaining the benefits of DevSecOps and reinforcing that no one is being “punished” if they lose access, credentials, permissions, or authority to assets, applications, or resources they managed in the past. This is an education problem. Technical cultures need an explanation as to why things are changing and why the changes will benefit everyone, from security to operations.
While this may sound a bit tongue-in-cheek, I like to use the example from Charlie and the Chocolate Factory (the Johnny Depp version). Charlie’s grandfather worked in a toothpaste factory for low wages screwing the top on toothpaste tubes. He was replaced by a robot and ultimately fired. When the robot broke, someone needed to fix it. Charlie’s grandfather took the new job to fix it for higher wages and learned a new skill set.
DevSecOps is the same (no, you’re not going to be fired!). Teaching someone to join a Windows host to a domain, for example, is easy within the UI. But teaching them to write a PowerShell script, automate it, and maintain it for new versions of Windows is more challenging, and should command a higher salary. Admins will no longer need administrator rights to a system, but must learn how to automate the steps based on business goals.
Therefore, educate teams as to why you are changing, identify who can step up to the new requirements, and assist them in the journey of growing and re-inventing themselves in alignment with the new challenges DevSecOps will mandate. DevSecOps will still require maintenance and development in a secure fashion, just using a different paradigm than the one teams are used to today.
BeyondTrust has developed an eight-step DevSecOps strategy infographic that leverages the same processes and technology you’re using today for your traditional, on-prem systems. That strategy is meant to be as unobtrusive to existing processes as possible. Check it out today, and if we can help you as you transform DevOps into DevSecOps, read our latest white paper "Secure DevOps: Secrets Management and Beyond" or contact us!
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.