
How to Bring DevSecOps to Value Stream Management

As the digital economy has progressed, organizations have focused on accelerating time to value for increased competitive differentiation and customer satisfaction. DevOps has been essential, but time-consuming and process-heavy disciplines like security have been viewed as bottlenecks and often neglected in DevOps initiatives.

In a 2020 Gartner survey, 61% of CIOs said they were increasing investments in cyber and information security, more than any other investment area. Given the digital orientation of companies today, much of this investment will contribute to tightening quality assurance throughout software development and delivery processes.

DevSecOps—the philosophy of inserting security into every step of the DevOps process—is an ideal model for implementing efficient and continual quality assurance without impeding velocity. Organizations can benefit from not only applying DevSecOps to delivery pipelines but also applying DevSecOps to end-to-end value streams where software delivery pipelines operate.

Applying DevSecOps to Value Stream Management

Many organizations are beginning to implement DevOps value stream management (VSM) platforms to manage the complexity of development and delivery across systems in their hybrid IT infrastructure. You can learn more about how to manage value streams in our eBook “The Enterprise Leader’s Guide to Managing DevOps Value Streams.”


DevOps VSM platforms like ASG-Enterprise Orchestrator enable you to connect the dots in existing toolchains across systems and automate as many parts as possible to increase the efficient delivery of value to customers. However, DevOps VSM platforms touch multiple technology stacks and applications and manage large amounts of business and customer data. Therefore, they must be kept highly secure to prevent insider threats and data breaches.

It’s critical to ensure your value stream management platform is equipped with security capabilities to ensure the integrity of your systems, applications, and data. Here are two important ways to get started with DevSecOps in value stream management:

  1. Leverage Privileged Access Management (PAM) Solutions
    Humans will always be the greatest security threat to organizations, whether external cyber criminals, insiders abusing privileges, or negligent users. PAM solutions are a critical safeguard for preventing these behaviors from compromising the integrity of your automation solutions and, as a result, your IT systems, applications, and data.

    Rather than storing credentials in an automation solution like ASG-Enterprise Orchestrator, credentials are stored in the PAM solutions it integrates with—like Thycotic, CyberArk, HashiCorp and Arcon—and used at the time of task execution before being discarded. This ensures systems and applications that ASG-Enterprise Orchestrator connects with remain secure.

  2. Implement Secure Change Control in Value Streams
    As new applications are brought into value streams or environments are changed, the rules and definitions within an automation solution must be modified. Often, changes are made by one team but implemented by another, and this work is often managed manually through spreadsheets. This opens opportunities for negligent errors that can compromise the security and integrity of processes and systems.

    With change control for automation data within a solution like ASG-Enterprise Orchestrator, developers’ changes are only accepted into higher environments like QA or production by someone with the proper security permissions. This strengthens the development and delivery process, eliminates manual effort to ensure velocity, and prevents importing and exporting of unencrypted files.

  3. Ensure Users Only Access What They Need
    Once logged in to an automation solution like ASG-Enterprise Orchestrator, users potentially have the “keys to the kingdom.” It is imperative that each user only have access to the data they need. This includes which machines and applications they can schedule tasks for, and even whether they can define new tasks at all. Operators need the ability to see and change statuses and read log files, but they don’t necessarily need the ability to modify tasks.

    A fully fledged security scheme in a scheduler should offer granular, easy-to-define permissions through role definitions. It should also integrate with Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) to ease onboarding. Single sign-on through centralized authentication services should also be supported to ease administration.
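
The access model described in item 3, as an added example that is not part of the original post or of ASG-Enterprise Orchestrator: a deny-by-default role check scoped by machine and application, with directory groups mapped to roles. The role, action, group and host names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Action names are assumptions for this example, not a product's permission list.
OPERATE = frozenset({"view_status", "change_status", "read_log"})
AUTHOR = frozenset({"schedule_task", "define_task", "modify_task"})

@dataclass(frozen=True)
class Role:
    actions: frozenset       # what the role may do
    machines: frozenset      # where it may do it; "*" means any machine
    applications: frozenset  # for which applications; "*" means any

# Operators work everywhere but cannot touch task definitions;
# developers may author tasks, but only inside their own scope.
ROLES = {
    "operator": Role(OPERATE, frozenset({"*"}), frozenset({"*"})),
    "payroll-dev": Role(OPERATE | AUTHOR, frozenset({"dev-01", "dev-02"}),
                        frozenset({"payroll"})),
}

# Constructed mapping from directory (AD/LDAP) group names to roles.
GROUP_TO_ROLE = {"SchedOperators": "operator", "PayrollDevs": "payroll-dev"}

def roles_for(groups):
    """Resolve directory groups to roles; unmapped groups grant nothing."""
    return [ROLES[GROUP_TO_ROLE[g]] for g in groups if g in GROUP_TO_ROLE]

def _covers(allowed, value):
    return "*" in allowed or value in allowed

def is_allowed(groups, action, machine, application):
    """Deny by default: one single role must grant the action and cover
    both the machine and the application. Rights are never combined
    across roles, so operator scope cannot widen developer actions."""
    return any(action in r.actions and _covers(r.machines, machine)
               and _covers(r.applications, application)
               for r in roles_for(groups))

def denied(groups, requests):
    """Return the (action, machine, application) requests that are refused."""
    return [req for req in requests if not is_allowed(groups, *req)]

if __name__ == "__main__":
    both = ["SchedOperators", "PayrollDevs"]  # constructed user in both groups
    print(denied(both, [("read_log", "prod-01", "billing"),
                        ("modify_task", "dev-01", "payroll"),
                        ("modify_task", "prod-01", "payroll")]))
```

Evaluating each role on its own is the design choice to note: a user who is both an operator and a developer still cannot modify tasks on a production machine.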

Building security into every step of the DevOps process and into your broader value streams takes some serious planning. Sit down with your cross-functional teams and think about each step and how security comes into play. And don’t forget to scrutinize your automation solution to ensure it supports your goals for DevSecOps.

Posted: 6/30/2021 8:00:00 AM by Mike Siemasz - Product Marketing Manager
Filed under: DevOps, DevSecOps, Security, VSM
