The move to cloud-native architectures is having a profound impact on both security posture and operations of organizations. In cloud-native environments, one must apply the principles that drive DevOps and site reliability engineering (SRE) to security, bringing security programs into architectural and organizational alignment with the systems they protect. New controls, real-time metrics, and rapid feedback loops are just a few of the requirements security teams face in cloud-native environments.
Testing, of course, has always been a critical component of both the application development process and any effective security program. And like application development itself, testing techniques and timeframes have changed dramatically with the DevOps model. Within Continuous Integration/Continuous Deployment (CI/CD) pipelines, constant testing and improvement are an operational given. But testing alone cannot ensure the resilience of cloud-native systems. Sophisticated organizations like Netflix have moved beyond testing to experimentation, using chaos engineering.
Chaos engineering is the technique of using controlled experiments--often in production systems--to discover flaws in complex, distributed systems before problems happen.
This research note examines the current trends of adopting Chaos Engineering in actual operations and explores strategies and approaches to incorporate Chaos Engineering as part of a company’s DevOps practice.
Introduction: DevSecOps in a Cloud-Native World
The rapid move to the cloud is driving significant changes to application development models and operational processes. DevOps and Continuous Integration/Continuous Deployment (CI/CD) lead to higher degrees of automation, while containerization, microservices, serverless computing, and the more recent advent of ‘the service mesh’ enable faster deployments, more dynamic execution environments, and rapid scale.
These changes don’t just challenge the relevance of the traditional data center. They challenge enterprise IT culture at its core. As organizations adopt cloud technology stacks and DevOps models, the role and priorities of the IT professional must evolve as well. Security is no exception, and the move to cloud-native is having a profound impact on both security posture and operations, introducing the following issues:
Distributed architectures create new challenges: Diverse components interacting within a distributed architecture introduce unpredictable dynamics and unanticipated failure modes.
Ephemeral workloads challenge static security approaches: Dynamic and short-lived workloads require security controls that can change and adapt as quickly as the environments in which they run.
The DevOps mindset is upending the status quo: The DevOps model is challenging organizing principles that have long driven security operations in many enterprises.
While some security professionals have been slow or resistant to change, others are embracing these challenges, seeing an opportunity to apply DevOps technologies to security and to blend development and security operations. Hence the term “DevSecOps.”