Don’t overlook configurations as you embrace DevOps
As many organizations adopt the more agile, streamlined, and rapidly changing landscape of DevOps, configuration management becomes a more critical and daunting task. Modern DevOps pipelines empower development teams to release early, release fast, and allow more control over the production environment. Many organizations find that identifying and managing non-compliant systems within these agile environments can be complicated, lead to a lag in remediation and increased cybersecurity risk.
Why is configuration management important in DevOps?
Today’s IT environment is complex and large organizations are learning what it means to manage hybrid cloud environments, secure data, and still maintain the availability and scalability of services. Regardless of the use case, configurations are the first line of defense to protecting your organization. Without proper documentation or change control processes, system administrators and software developers often end up not knowing what is running in their environment. Worse, a misconfigured boundary enforcement or data handling process can expose sensitive data and result in expensive security compliance, performance, and business impacts.
How do I empower my configuration management process through DevOps?
As a part of every security operations domain, asset management, classification, and grouping play a key role in managing baseline settings and knowing where certain services exist.
Central Base of Configurations
A central base of configuration, whether it is Infrastructure as Code (IaC) or a play-book syntax, allows your organization to easily manage and scale configuration changes. As we well know from managing IT environments, one size rarely fits all. Developing custom policies and configurations is important but should be applied consistently across systems and services according to the defined asset group (see Asset Management above).
As your DevOps organization adopts Infrastructure as Code (IaC), managing changes to configurations through both testing and peer review processes is critical for documentation and evaluation code integrity. Note that research suggests that using peer review is correlated with high software delivery performance, as opposed to requiring approval from a manager or Change Advisory Board (CAB).
|Privileged Access Management||
Like many other IT processes, access controls to privileged actions are critical to secure the delivery and implementation of configuration changes. Principles of Zero Trust, Role-Based Access Controls (RBAC), and secret management protect your configuration management process and production environment.
Configuration management can be integrated into your development practice to allow for staging environment testing, rolling updates based on asset grouping, and zero downtime.
Entropy has a way of finding its way into technology, especially in large IT environments. Developing strong configuration monitoring for the live infrastructure is important in identifying unexpectedly outdated systems or non-compliant configurations.
While servers or containerized services may be a critical part of your production environment, “Configurations as Code” can be applied to a multitude of infrastructure services, such as databases and load balancers. Don’t forget to update enterprise security standards and policies to accommodate cloud-native service offerings such as edge computing and serverless.
The capabilities above provide a high-level starting point for how to assess your current Configuration Management posture. As your DevOps environment continues to scale, its complexity will increase. Solid configuration management will reduce technical debt, enable high-velocity delivery, and build confidence in the security of your DevOps environment.