Anner Kushnir, VP of Technology at AlgoSec, looks at how the DevOps process can become more agile and more secure using a ‘connectivity as code’ methodology
DevOps is all about agility, with fast, short delivery cycles and automation for software development and applications. Enabled by recently-introduced technologies such as virtualization, cloud and SDN, spinning up new servers, provisioning storage in a public or private cloud or even launching whole environments can take just minutes or even seconds. But if that new application, service or environment needs a change in network connectivity or firewall rules to enable it to work, then the pace of delivery can often slow to a crawl.
Unlike the typical DevOps scenario, in which developers build a CI/CD pipeline that runs builds and tests and delivers the new application completely automatically, provisioning new network connectivity usually involves a slow, laborious process. The application developer has to open a change request manually and then wait for approval and implementation of the new connectivity flow before the DevOps flow can proceed.
The application development security disconnect
As part of this the developer is usually required to provide information about firewalls, zones, subnets, and other information related to the underlying network infrastructure in these change requests – information that is not always known or clear to the application developer. On the other hand, the application requirements and context are not always understood by the network security team assigned to implement the changes. This, in turn, results in back-and-forth communication between the developer and network security, making the entire process extremely long, error-prone, inefficient and frustrating to both teams.
The challenge here is building in the necessary checks and balances to ensure that DevOps processes are not rapidly introducing security problems; while equally ensuring that security is not stepping on the brakes and slowing down the organization’s agility. So, how can this be achieved?
The solution: connectivity as code
The answer is ‘connectivity as code’, a methodology that not only supports automation and agility in the application delivery process, but also bridges the gap between application developers and network security teams on an ongoing basis, even after the application is deployed into production.
This is achieved by creating an abstraction layer that translates between the two worlds, giving application developers more control over their applications, while helping network security understand the business impact of their day-to-day tasks, and thus ensure business continuity.
Establishing connectivity requirements
In the first stage of this approach, the application developer describes the application’s connectivity requirements in a simple machine-readable text file, listing all the logical flows that represent these requirements, including those for the different application environments (e.g. test, development, production). It is a list of abstract flows, each of which typically names the source, i.e. who initiates the connection; the destination, i.e. who accepts the connection; the service, i.e. the protocol and port; and any additional information needed.
The developer does not need to know where the servers are located, what the underlying network topology is (for instance whether a firewall or cloud security control sits between them), or even their IP addresses or subnets. Nor do they need to know whether the connectivity already exists, for instance because another application also requires it.
The connectivity phase
Once this list is created, a new phase in the DevOps process called the ‘connectivity phase’ takes over, with no further involvement required from the application developer. The connectivity phase is where the actual connectivity provisioning and validation happens, leveraging a network security policy management (NSPM) solution to automate network connectivity provisioning as part of the DevOps process, just like any other configuration or provisioning step in the pipeline.
The NSPM solution reads the file and checks whether the connectivity requirements have changed since the last run. If nothing has changed, the solution verifies that the required connectivity is still in place, so that the application will work correctly. This gives the application developer assurance that the necessary connectivity exists and that connectivity-related failures are not expected when moving into production.
Automating connectivity changes
If the connectivity requirements have changed, the NSPM solution uses the connectivity file to provision the required connectivity, and retains the file as the record of the application’s requirements, so that the application’s connectivity can be kept intact through future network architecture changes or application or server migrations.
If one or more of the required flows is currently blocked, a security policy change request process is triggered. Through this process an NSPM verifies that the new flows comply with the organization’s pre-approved security policy, as well as security best practices and industry regulations, and then designs and implements the required changes directly on the different security devices on the network, automatically and within minutes. That pre-approved policy is what bounds what the pipeline can open without a human in the loop, so it should be written as narrowly as the zones and services it is meant to permit.
If, however, a change request is non-compliant, it will be escalated for approval and, once approved, it will be implemented automatically, thereby saving the developer the need to manually open an out-of-band change request.
Furthermore whenever a new version of the application is developed, this list of connectivity requirements is updated by the developer, and the connectivity phase will ensure that the new flows are provisioned. With the connectivity phase completed, the DevOps process can securely proceed onto the next phase.
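The following script is an added illustration of the two stages described above, the requirements file from ‘Establishing connectivity requirements’ and the decision logic of the ‘connectivity phase’. It is not AlgoSec’s tooling or the author’s code: the JSON file layout, the name-to-network inventory, the set of currently permitted rules and the pre-approved policy are all constructed here for the example, and a real NSPM product would resolve names and query enforcement points rather than read in-memory dictionaries. Each flow ends up in one of four states: already in place, compliant and provisionable automatically, non-compliant and escalated for approval, or (on an unchanged file) drifted, meaning connectivity that was previously provisioned has gone missing.

```python
"""Illustrative connectivity phase for a connectivity-as-code file.

Added example for this article, not AlgoSec's tooling or the author's code.
All data structures below are constructed assumptions for the illustration.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed requirements file: abstract flows, no IPs, no topology.
REQUIREMENTS_JSON = """
{
  "application": "orders-api",
  "environments": {
    "production": [
      {"source": "web-tier",   "destination": "orders-db",   "service": "tcp/5432"},
      {"source": "orders-api", "destination": "payments-gw", "service": "tcp/443"},
      {"source": "internet",   "destination": "orders-db",   "service": "tcp/5432"}
    ]
  }
}
"""

# Constructed inventory: the abstraction layer maps logical names to networks,
# so the developer never has to write addresses into the requirements file.
INVENTORY = {
    "web-tier": "10.1.0.0/24",
    "orders-api": "10.2.0.0/24",
    "orders-db": "10.3.0.0/24",
    "payments-gw": "192.0.2.0/24",
    "internet": "0.0.0.0/0",
}

# Constructed current state: (src, dst, service) tuples already permitted on
# the enforcement points. A real NSPM would query the devices for this.
CURRENT_RULES = {("10.1.0.0/24", "10.3.0.0/24", "tcp/5432")}

# Constructed pre-approved policy: what the pipeline may open without a human.
# Anything outside these (source net, destination net, service) bounds escalates.
PRE_APPROVED = [
    ("10.0.0.0/8", "10.0.0.0/8", "*"),          # east-west inside the private range
    ("10.0.0.0/8", "192.0.2.0/24", "tcp/443"),  # HTTPS to the payments partner only
]


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    service: str


def load_requirements(text, environment):
    """Parse the connectivity file and return the flows for one environment."""
    data = json.loads(text)
    return [Flow(**entry) for entry in data["environments"][environment]]


def resolve(flow):
    """Translate logical names into the networks the enforcement points use."""
    return (INVENTORY[flow.source], INVENTORY[flow.destination], flow.service)


def complies(resolved):
    """True if the flow sits inside at least one pre-approved policy entry."""
    src, dst, svc = ip_network(resolved[0]), ip_network(resolved[1]), resolved[2]
    for p_src, p_dst, p_svc in PRE_APPROVED:
        if (src.subnet_of(ip_network(p_src))
                and dst.subnet_of(ip_network(p_dst))
                and p_svc in ("*", svc)):
            return True
    return False


def connectivity_phase(requirements_text, environment, previous_text=None,
                       current_rules=CURRENT_RULES):
    """Classify each required flow so the pipeline knows what must happen next."""
    flows = load_requirements(requirements_text, environment)
    unchanged = (previous_text is not None
                 and json.loads(previous_text) == json.loads(requirements_text))
    results = {}
    for flow in flows:
        resolved = resolve(flow)
        if resolved in current_rules:
            results[flow] = "in_place"   # nothing to do, connectivity verified
        elif unchanged:
            results[flow] = "drift"      # file unchanged but flow now blocked
        elif complies(resolved):
            results[flow] = "provision"  # compliant: implement automatically
        else:
            results[flow] = "escalate"   # non-compliant: needs human approval
    return results


def pipeline_may_proceed(results):
    """The deploy step runs only when no flow is waiting on a person or a fix."""
    return all(state in ("in_place", "provision") for state in results.values())


if __name__ == "__main__":
    outcome = connectivity_phase(REQUIREMENTS_JSON, "production")
    for flow, state in outcome.items():
        print(f"{flow.source} -> {flow.destination} {flow.service}: {state}")
    print("proceed:", pipeline_may_proceed(outcome))
```

With the constructed data the internal database flow is already in place, the HTTPS flow to the payments gateway is compliant and would be provisioned automatically, and the flow from the internet straight to the database falls outside the pre-approved policy and is escalated, so the pipeline stops. Passing the same file as `previous_text` with an empty rule set reports the database flow as drift: the file did not change, but the connectivity it describes is no longer there, which is the failure the verification step in an unchanged run is meant to catch.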
The benefits of connectivity as code
Introducing the ‘connectivity as code’ methodology into the DevOps process achieves a range of benefits. These include:
Seamless management of network connectivity: connectivity is handled inside the pipeline like any other provisioning step, rather than as an external, out-of-band issue that requires separate manual handling, which makes the DevOps process faster, more agile and less prone to connectivity failures at delivery.
Continuous compliance and auditability: every connectivity change is checked against the organization’s policy and the relevant regulations before it is implemented, and all changes are logged for auditing purposes.
Business continuity: application connectivity requirements are clearly documented and kept up to date, ensuring minimal disruption to the business even during network, infrastructure or architecture changes.
Ultimately ‘connectivity as code’ bridges the gap between application developers and network security throughout the entire application lifecycle, from planning and development through to deployment, production and decommissioning. It ensures both developer and security teams get what they want: dev teams don’t have to worry about security slowing them down, and security teams know that risk and compliance checks have been built-in to the continuous delivery process, complete with a full audit trail of changes. By weaving network connectivity into the DevOps process, organizations can ensure fast delivery without any compromise in security or compliance.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.