How to Secure NetOps Initiatives Using Agile Methodology

Although NetOps may be just an abbreviation for network operations, it is also a discipline that network teams can use to treat infrastructure as code, or IaC. IaC paves the way for network and security teams to enable DevOps and support network automation using continuous integration and development.

Continuous integration and continuous development define the new frontier of orchestration and automation. Imagine if the Agile methodology extended beyond the Software Development Life Cycle (SDLC) to promote an application from testing to QA or from QA to production. Automation can make the necessary changes to the network, storage, and security appliances that enable an application to deliver services to users.

A look at DevOps and Agile

DevOps is a concept built around the Agile software development model. It takes the traditional Waterfall development methodology and turns it on its head. Waterfall is a simple methodology that moves sequentially from requirements through design, implementation, testing, and deployment, followed by equally important maintenance cycles. The main problem with Waterfall, however, is that it’s slow to market and the end product is unusable until it’s deployed. Many such systems can take months or even years to develop.

Agile, on the other hand, builds capabilities over time, and basic functionality can appear in just a few weeks. Its iterative sprints enable rapid prototyping, and Agile delivers functionality much faster than previous models.

While DevOps creates a continuous development environment, its flaw is that software requires real-world deployment through infrastructure, which has remained significantly manual and Waterfall in nature. Infrastructure can be virtual, deployed in a cloud, or physical, but it must always exist to support an application and access the required data.

NetOps and service chaining

Cascading systems typically use static infrastructure, and the application delivery chain involves all aspects of a static infrastructure change. This work can be automated, but it is often piecemeal, for example, automating deployment in the data center, triggering requests to add firewall or load balancing rules. Each team does what it wants and automates its own processes, but the service is only available when the last element of a relatively long chain of services is completed.

NetOps, on the other hand, defines the use of a more Agile methodology and examines all the components involved. This process is called service chaining, which adds software-defined networking capabilities in a specific sequence to automate traffic flow between services in a virtual network. Service chaining can deliver an application all at once, along with the appropriate network, network services, and security needed to promote workloads from test/development to quality assurance to production.

This type of automation can provide template-based approaches. These models lay the groundwork for the code that the service chain will use for the entire IT delivery chain, across all DevOps SDLC processes.

The process of a system providing end-to-end services is often called service orchestration. Some organizations are hesitant to commit to this principle, arguing that automation could be a security nightmare, such as someone using automation against a business. This perspective is short-sighted, as any proper implementation would not allow manual triggering of this type of service outside of an approved change control, with an existing requirement to roll back the change, also through automation.
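
The gating and rollback requirement described above can be sketched as follows. This is an added example, not code from the article: the step names, the change ID format, and the in-memory `state` set standing in for real devices are all assumptions.

```python
"""Service chain gated on change control, with automated rollback (added example)."""

class ChangeNotApproved(Exception):
    """Raised when the chain is triggered without an approved change."""

def run_service_chain(steps, change_id, approved_changes):
    """Apply steps in order; undo completed steps in reverse if one fails.

    steps: list of (name, apply_fn, rollback_fn). Returns the audit log.
    """
    # Gate: nothing touches the network outside an approved change.
    if change_id not in approved_changes:
        raise ChangeNotApproved(f"{change_id} is not an approved change")
    log, done = [], []
    try:
        for name, apply_fn, rollback_fn in steps:
            apply_fn()
            log.append(f"applied {name}")
            done.append((name, rollback_fn))
    except Exception as exc:
        log.append(f"failed {name}: {exc}")
        # Roll back only what was applied, newest first, so no element is left behind.
        for done_name, rollback_fn in reversed(done):
            rollback_fn()
            log.append(f"rolled back {done_name}")
    return log

def demo_chain(state, fail_at=None):
    """Constructed four-step chain that mutates an in-memory `state` set."""
    def step(name):
        def apply_fn():
            if name == fail_at:
                raise RuntimeError("device rejected config")
            state.add(name)
        return name, apply_fn, lambda: state.discard(name)
    return [step(n) for n in ("subnet", "load_balancer", "nat", "firewall_rule")]

if __name__ == "__main__":
    state = set()
    for line in run_service_chain(demo_chain(state, fail_at="nat"),
                                  "CHG-1001", {"CHG-1001"}):
        print(line)
    print("remaining state:", state)
```
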

Cultural issues

Traditional Waterfall-based IT processes involve coordination with multiple teams. Typically, the company’s server, network, and security teams need to work together to deliver a new service, but they often don’t work well together. The application and server teams usually come up with a new service and offer it to the network team to design the necessary subnets, load balancing, encryption, and firewalls. When the networking group is done, it’s the security team’s turn.

In my experience, one of our clients was implementing DevOps for web applications. The server team created an automation system capable of generating resources for a full SDLC environment, which included workloads for a sandbox, test/dev, QA, and production environment. The development community was thrilled. However, since network and security were out of reach, the system generated emails to the teams that handle load balancing, network address translation, and the firewall.

It has been said that automating one component of a service chain only results in moving a bottleneck. In reality, it’s much worse than that. Since the client had created an Agile working environment for developers and the server team was not tracking external work done by other teams, significant issues arose. Their automation destroyed unnecessary workloads, but it didn’t keep up with the networking and security components used by those workloads. Within a few years, the #1 problem for the customer had become orphaned firewall rules.
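
Orphaned rules of this kind can be found by reconciling the firewall rule set against the live workload inventory. The following is an added example, not code from the article or the client's system: the rule fields, rule IDs, addresses, and workload names are constructed for illustration.

```python
"""Reconcile firewall rules against the live workload inventory (added example)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FirewallRule:
    rule_id: str
    dest: str   # destination host or CIDR the rule allows traffic to
    port: int
    env: str    # SDLC stage the rule was opened for

def find_orphaned_rules(rules, live_ips):
    """Return (rule_id, reason) for rules that no live workload still needs."""
    live = [ipaddress.ip_address(ip) for ip in live_ips]
    findings = []
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule.dest, strict=False)
        except ValueError:
            # Never skip silently: an unreadable rule still needs human review.
            findings.append((rule.rule_id, "unparsable destination"))
            continue
        if not any(ip in net for ip in live):
            findings.append((rule.rule_id, "no live workload in destination"))
    return findings

# Constructed sample inventories: the test and sandbox workloads were destroyed
# by the server automation, but their firewall rules were never withdrawn.
RULES = [
    FirewallRule("fw-101", "10.20.1.15", 443, "prod"),
    FirewallRule("fw-102", "10.30.4.0/28", 8443, "qa"),
    FirewallRule("fw-103", "10.40.7.22", 443, "test"),
    FirewallRule("fw-104", "10.50.9.8", 22, "sandbox"),
]
LIVE_WORKLOADS = {"web-prod-1": "10.20.1.15", "web-qa-2": "10.30.4.5"}

if __name__ == "__main__":
    for rule_id, reason in find_orphaned_rules(RULES, LIVE_WORKLOADS.values()):
        print(f"{rule_id}: {reason}")
```
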

How to Secure Applications in Agile

These infrastructure and DevOps concepts are ideal for integration into an Agile system. With the level of automation possible, security testing can be part of the process and provide interim feedback. This can happen from sprint to sprint rather than waiting for a project to finish when delivery commitments have already been made. In Waterfall systems, the security and testing community is often the one holding up deployment.

Ultimately, operations must take a holistic approach. In a DevOps world, security and networking must be part of the solution. A new term under consideration is some version of the abbreviation DevNetSecOps, allowing developers, network teams, and security personnel to work together more comprehensively.

Margie D. Carlisle