DevSecOps: added security
Fabrice Croiseaux CEO - InTech
Author: Michaël Renotte Photo credit: InTech
EBRC and InTech, which are both members of the POST group, have combined their expertise to help companies take full advantage of the agility and responsiveness of the DevOps approach while building security practices directly into it. This integrated approach reconciles continuous development with the requirements of cyber-security and data protection.
“IT decision-makers are now using three tactics to transform their organisations: modernising existing systems, cyber-security and moving towards agile development and delivery models”, says Jean-François Hugon, EBRC Head of Marketing. “In the latter area, the adoption of a DevOps approach directly based on agile methods enables IT teams to set up a continuous development and production cycle, thus increasing their responsiveness to business demands and reducing the time-to-market of applications.”

Within a DevOps context, the traditional silos separating developers, testers, production managers and system administrators are dismantled. All stakeholders work more closely together throughout the development and deployment process, which enables them to better understand each other’s expectations and the challenges each of them faces.

“By joining forces, EBRC and InTech are able to provide end-to-end support in the implementation of the DevOps value chain, from design to operation, through development, testing and deployment”, says Fabrice Croiseaux, CEO of InTech. “EBRC, a company specialising in IT infrastructure, critical IT operations and IT transformation, has extensive experience in system operations and conducts the operational management of IT environments for many customers”, he says. “As for InTech, it is a leading stakeholder in the fields of software development, application architectures and the implementation of industrial development platforms.”
— DEVELOPMENT, OPERATIONS AND SECURITY
However, while an effective DevOps approach ensures fast and frequent development cycles, it does not by itself address a critical aspect of development: application security. Inadequate security practices can cancel out the benefits of even the most effective DevOps projects. This is the context in which an evolution of the DevOps principles, DevSecOps, is emerging. It brings IT services closer in line with business needs, strengthens the security of what is developed, improves its quality and is more proactive about performance, resilience and high availability.

“The global transformation of IT services that we are witnessing introduces a change in the way projects are approached”, emphasises Jean-François Hugon. “Companies are seeking greater agility for both business and IT. Developers have more responsibilities, in particular with regard to cross-cutting considerations such as quality and security. The latter is no longer pushed back to the end of the chain, it is integrated by design.”
— PRIORITISING SECURITY
The DevSecOps approach relies on security that is built in, not on a perimeter placed around applications and data. When security is left to the end of the development process, companies that adopt DevOps run into the very long development cycles they were trying to avoid. DevSecOps therefore means thinking about the security of the application and of the infrastructure from the outset. It relies on close collaboration between development and cyber-security teams to keep products secure throughout their lifecycle, and it prioritises security by establishing a framework for development activities.

“Good security practices in development are known and documented. These include OWASP, for example, which lists major application security vulnerabilities and provides the tools enabling developers to address them. On the other hand, the automatic integration of OWASP controls into the development industrialisation process can still be improved. This is precisely what we are doing with EBRC in the framework of the implementation of DevSecOps”, says Fabrice Croiseaux.
— AUTOMATION AND CONTINUOUS MONITORING
To avoid slowing down DevOps flows, and because manual security checks are time-consuming and costly, automating repetitive tasks is a key element of the DevSecOps approach. Automation applies first to the control of development: developers continuously test their code to identify potential vulnerabilities as early as possible, thus reducing the number of post-deployment patches. It also applies to the control of systems through containerisation, which makes it possible to isolate a system’s various functions, automate security audits and check at all times that cyber-security policies are actually enforced. Containerised environments also make it possible to secure the infrastructure by automating incident detection: when an intrusion attempt or an abnormal flow is detected, compromised instances can be disabled and isolated and traffic redirected immediately.
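The kind of automated check referred to above, "check that cyber-security policies are actually enforced", is usually written as policy-as-code that runs in the pipeline before a container reaches the platform. The following script is an added example, not code from EBRC, InTech, OpenShift or the platform described in this article; the rule names, the two sample Pod manifests and the `gate()` entry point are assumptions made for illustration. It checks a Kubernetes-style Pod manifest against a small set of hardening rules (image pinned by digest or at least not `:latest`, no privileged containers, non-root user, no privilege escalation, all capabilities dropped, read-only root filesystem, resource limits, no host namespaces or hostPath volumes) and returns every violation so a CI job can fail the build with a readable log.

```python
"""Policy-as-code gate for container manifests (added example, not EBRC/InTech code).

Checks a Kubernetes-style Pod manifest against a small set of hardening
rules and returns the violations found. A CI/CD stage would call gate()
before deployment and fail the pipeline when it returns False. The
manifests at the bottom are constructed samples, not real workloads.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    rule: str        # short rule identifier, e.g. "privileged"
    target: str      # container name, or "<pod>" for pod-level rules
    detail: str      # human-readable explanation for the build log


def containers(pod):
    """All containers of the pod, init containers included."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def image_problem(image):
    """Return a description of why the image reference is unpinned, or None."""
    if "@sha256:" in image:
        return None                     # pinned by digest: immutable reference
    last = image.rsplit("/", 1)[-1]     # drop registry/namespace (registry may carry :port)
    if ":" not in last:
        return "image has no tag; it resolves to :latest"
    if last.split(":", 1)[1] == "latest":
        return "image uses the mutable :latest tag"
    return None


def check_pod(pod):
    """Return a list of Violation objects for one Pod manifest (empty if compliant)."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Pod-level rules: sharing host namespaces or mounting host paths
    # defeats the isolation that containerisation is supposed to provide.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(Violation("host-namespace", "<pod>", f"{key} must not be true"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(Violation("host-path", "<pod>", f"volume {vol.get('name')} mounts a hostPath"))

    for c in containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        problem = image_problem(c.get("image", ""))
        if problem:
            violations.append(Violation("image-pinning", name, problem))
        if sc.get("privileged"):
            violations.append(Violation("privileged", name, "privileged containers are not allowed"))
        # The container setting overrides the pod default; absence means "not enforced".
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(Violation("run-as-root", name, "runAsNonRoot must be true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(Violation("privilege-escalation", name, "allowPrivilegeEscalation must be false"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(Violation("capabilities", name, "capabilities.drop must include ALL"))
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(Violation("writable-rootfs", name, "readOnlyRootFilesystem must be true"))
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            violations.append(Violation("no-limits", name, "cpu and memory limits are required"))
    return violations


def gate(pod):
    """True if the manifest may be deployed, False if any rule fails."""
    return not check_pod(pod)


# Constructed sample manifests (not taken from any real environment).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "web",
            "image": "registry.example.com:5000/team/web:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example.com:5000/team/web@sha256:" + "a" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        found = check_pod(pod)
        print(f"{label}: {'PASS' if not found else 'FAIL'}")
        for v in found:
            print(f"  [{v.rule}] {v.target}: {v.detail}")
```

Run stand-alone, the weak manifest fails on nine rules and the hardened one passes. In a real pipeline the same function would be fed the rendered manifests (or the same rules expressed as an admission policy on the cluster, so that a manifest that bypasses CI is still rejected); the point of keeping the rules in code is that the same check runs identically on every commit, which is what removes the manual review from the critical path.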
— OPENNESS AND INTEROPERABILITY
“Today, the technologies that enable the agility and responsiveness objectives of the DevOps approach to be achieved can to a large extent be implemented in the public cloud”, says Fabrice Croiseaux. “However, our customers can benefit from a comparable level of service through a platform hosted in Luxembourg, in the Trusted Cloud Europe and EBRC Tier IV data centres, and meet both the regulatory requirements of the various regulators and the compliance criteria of the most demanding international standards such as ISO 27001, ISO 20000, ISO 22301, Tier IV and PCI DSS, among others.”

The EBRC Kubernetes as a Service (KaaS) cloud platform includes all the building blocks needed to industrialise the deployment, scaling and orchestration of microservice architectures and containerised applications. Together with Red Hat OpenShift, a platform oriented towards continuous security and shared by development and operations teams, on which they build, deploy and manage containerised applications, EBRC KaaS forms the foundation of the InTech and EBRC DevSecOps technology offering. By focusing on openness and interoperability, the POST group companies set themselves apart from the traditional public cloud providers and let companies protect themselves against the risk of vendor lock-in.

“EBRC also has very high levels of expertise in information security and Cyber-Resilience as well as in process management and information systems governance”, recalls Jean-François Hugon. “By combining their respective expertise”, he goes on to say, “InTech and EBRC support their customers in their DevSecOps journey by helping them transform their development methods as well as by ensuring a transfer of skills relating to new ways of approaching infrastructure.”

Both the scope and the impact of a transition to DevSecOps are considerable. DevOps remains complex for developers, who take on greater responsibility, and system administrators have to adapt their traditional skills to information systems that are configured and managed as code. These are risk factors that any DevSecOps strategy must take into account. From development to operation and from ideation to maintenance, EBRC and InTech combine the assets companies need to build into their IT organisation the key factors on which a successful transition to DevSecOps depends: active collaboration between all stakeholders, development and delivery processes standardised around cyber-security requirements, new tooling to automate checks and operations, and cross-functional governance shared by all the businesses and professions involved in the application lifecycle.
Philippe Dann Head of Risk & Business Advisory - EBRC
Author: Michaël Renotte Photo credit: EBRC
TRUSTED ADVISORY SERVICES, THE PATH TO RESILIENCE
Convinced that companies must acquire the resilience necessary for their development in the digital economy, EBRC has built a consulting offer that responds to the challenges of digital transformation. This consulting activity now covers business continuity management, cyber-security, IT transformation, data centre audits and the full spectrum of Governance, Risk and Compliance.
“Our consulting and support missions are carried out by our Trusted Advisors team”, explains Philippe Dann, EBRC Head of Risk & Business Advisory. “Our experts meet with the managers of the various facets of the company that uses our services, to identify the critical processes and activities. They can thus identify business needs and analyse the ability of the IT infrastructure to meet these requirements.”

EBRC experts’ investigations cover the entire spectrum of business continuity, from the DRP (infrastructure continuity) to business impact analyses. “Our consultants work both with the business lines and with IT to ensure that both are aligned”, says Philippe Dann. “They conduct impact analysis campaigns, identify applications, risk elements or the most critical elements, and then work with the customer to set up its own continuity and crisis management strategies and plans.” EBRC Trusted Advisors can then assist customers until they obtain ISO 22301 certification, the standard for business continuity management. “In terms of business continuity management, we provided support to Arendt Services in their certification process, the first Luxembourg-based PFS to obtain ISO 22301 certification, the Banque de Patrimoines Privés, a pioneer among local banks, and a French insurance company”, says Philippe Dann. “At the moment”, he goes on, “we are supporting half a dozen companies in their certification process. For others, our intervention focuses on risk analysis or Business Impact Analysis activities.”

The Trusted Advisory consulting offer also includes audits and support for data centre certification. These data centre audits are carried out by the certified teams that manage and operate EBRC’s own Tier IV data centres. “Beyond the traditional audits of infrastructures and their operation, these missions integrate the analysis and management of risks, whether they are environmental risks related to data centres, cyber risks, or the elements highlighted by the NIS directive which concern the scope of the data centre”, explains Philippe Dann. “To do this, we systematically conduct an analysis of the risks to which our client’s data centre is exposed in relation to its economic activity and its IT environment. In this way, we combine our technical expertise in data centres (physical security, logical security, availability) and risk management.”

“Our consulting activities also extend to GRC, Governance Risk & Compliance, an area that falls within the scope of information system security, in particular ISO 27001. We help our customers to carry out their risk analyses, set up risk management and develop their security strategies”, says Philippe Dann. “In this context,” he adds, “we integrate both European regulations and directives (GDPR and NIS, in particular), international standards and the company’s own internal rules to define a risk management and cybersecurity dashboard aimed at assessing compliance.”

IT transformation is another aspect of EBRC consulting services. “We help our customers select the solution that best suits their needs, business and applications as they transform their IT environment, whether in terms of relocating data centres or migrating to the cloud”, says Philippe Dann. And to help companies better protect their data and the integrity of their systems, EBRC’s experts assess and strengthen the security level of infrastructures and applications based on risk analysis, vulnerability assessments and penetration tests.
— A RESOLUTELY PRAGMATIC APPROACH
“Our consulting activity is based on a set of skills developed internally, because what we recommend to our clients is what we apply to our own activities”, explains Philippe Dann. “Our approach is pragmatic. It is based on sharing information with our customers and on feedback. We are not business continuity theorists, nor are we governance theorists”, he emphasises. “To date, we have more than 800 continuity tests to our credit and many achievements in the area of crisis management”, says Philippe Dann. “And we have held ISO 27001 certification since 2010, renewed every year, which enables us to capitalise on our long-standing experience. This is one of the reasons our customers trust us: we have in-depth knowledge of the topics that we address and the experience required to interact with IT specialists, CISOs, Risk Managers and DPOs on the one hand, and with the business lines on the other.”

“Our intervention can thus be based on a request from the business lines relating to business continuity, for example, or on a need related to a risk identified by the CISO, the Risk Manager or the DPO. In both cases, alignment with IT will have to be assessed”, says Philippe Dann. “This enables us to cover all the company’s needs and, in combination with our Cloud, SOC and data centre activities, to offer an end-to-end solution to customers who so desire”, concludes Philippe Dann.