IT leaders seeking to adopt DevOps or optimize a DevSecOps culture in their organizations to improve DevOps security face several possible challenges, from the technical to the human-centric. Oftentimes, the process and the technical issues can be resolved, but the people challenges can take a bit longer. I’m writing this blog to help IT leaders understand what cultural challenges you might face as you adopt DevSecOps, and how to respond to help your teams get past these challenges.
Typical DevSecOps Cultural Challenges
IT leaders will experience a wide range of reactions from staff as they are asked to embrace DevSecOps over just plain DevOps. The primary reasons are due to an inherent desire not to give something away that they already have (for example, privileges, and authority) and how the separation of duties is enforced (e.g. permissions). These will manifest themselves in the following cultural challenges.
IT Staff and Developer Access
Developers and IT admins will no longer have privileges, permissions, or authority to operate, deploy, and administer systems from end-to-end. Their ability to interact with systems will be restricted to predefined automation. The procedures included in the automation will not be accessible outside of DevSecOps. This may make staff feel like they are being replaced with automation (much like manufacturing robots) and may result in a refusal to relinquish the administrator authority they have today.
Access to secrets
Credentials, accounts, passwords, and keys used in DevSecOps will be unknown even to the most trusted IT staff and developers. Today, they know them or have access to them. However, in a DevSecOps model, they will not—instead, secrets will be coded, stored, rotated, and managed using privileged access management solutions. This shift may make the most trusted individuals feel like they have done something wrong since they no longer have access.
Separation of duties
A sound DevSecOps process interacts with multiple departments, assets, and resources. Security across all of them is no longer ubiquitous. Each silo is unique and automated and no one individual will (probably) hold the knowledge of the entire process any longer. This separation of duties will dethrone any individuals who are the knowledge keepers of the kingdom, and change the culture by distributing that knowledge amongst the owners within each department. In short, the knowledge hierarchy for operations will change.
How Can You Help Your Team Get past DevSecOps Challenges?
You can help get past these technical, cultural, and emotional challenges by explaining the benefits of DevSecOps and re-enforcing that no one is being “punished” if they lose access, credentials, permissions, or authority to assets, applications, or resources they managed in the past. This is an education problem. Technical cultures need an explanation as to why things are changing and why the changes will benefit everyone – from security to operations.
While this may sound a bit tongue-in-cheek, I like to use the example from Charlie and the Chocolate Factory (the Johnny Depp version). Charlie’s grandfather worked in a toothpaste factory for low wages screwing the top on toothpaste tubes. He was replaced by a robot and ultimately fired. When the robot broke, someone needed to fix it. Charlie’s grandfather took the new job to fix it for higher wages and learned a new skill set.
DevSecOps is the same (no, you’re not going to be fired!) Teaching someone to join a Windows host to a domain, for example, is easy within the UI. But teaching them to write a PowerShell script, automate it, and maintain it for new versions of Windows is more challenging, and should command a higher salary. Admins will no longer need administrator rights to a system, but must learn how to automate the steps based on business goals.
Therefore, educate teams as to why you are changing, identify who can step up to the new requirements, and assist them in the journey of growing and re-inventing themselves in alignment with the new challenges DevSecOps will mandate. DevSecOps will require maintenance and development in a secure fashion, just using a different paradigm then what teams are used to today.
BeyondTrust has developed an eight-step strategy for DevSecOps infographic that leverages the same processes and technology you’re using today for your traditional, on-prem systems. That strategy is meant to be as unobtrusive to processes as possible. Check it out today, and if we can help you as your transform DevOps into DevSecOps, read our lasted white paper "Secure DevOps: Secrets Management and Beyond" or contact us!
Morey J. Haber, Chief Security Officer at BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.