In his previous interview, Xavier Van Lindt explained how Best Practices prevent communication problems encountered by IT. In this second article, Xavier presents how Best Practices help to avoid IT security problems.
Indeed, the second problem observed, which is closely tied to the first point about lack of communication, is security. Security is the result of effective communication between business management and IT: IT security is nothing more than an alignment with the security needs expressed by the business. Here too, the impact spreads over the three hierarchical levels of the company (strategic / tactical / operational). It is therefore governance that makes it possible to know what the business needs and requirements are with regard to security.
Several Best Practices address the topic of IT security. In the ITIL 4 framework, security is covered in the strategic modules ITIL 4 DPI (Direct, Plan and Improve) and ITIL 4 DITS (Digital and IT Strategy). In DevOps, there is a module dedicated to security, which is one of its fundamental principles: DevSecOps.
Contrary to popular belief, IT security is not just a design concern. It is not enough to put in place passwords, firewalls or an IPS. The DevOps modules teach that security is present in everyday operations, when you are in the RUN (production) phase. During the run, the overarching security concept is called observability.
It is often forgotten that it is essential to observe everything that is happening so as not to miss anything security-related. IT security is not just about hacking, phishing or spam. IT security is also about the availability of data, in addition to its confidentiality and integrity. DevOps, through its SRE, Continuous Delivery and DevSecOps modules, focuses on measuring everything that happens in production in order to guarantee availability.
IT security incorporated in Best Practices
The master reference for security remains the ISO 27000 series. ITIL mentions security as a practice, but DevOps, in a very operational way, focuses on observability and culture. In DevOps Foundation and DevSecOps, security is not just the role of the CISO but the concern of ALL members of the organisation, which makes it a cultural phenomenon. Security is not only technical; it is above all cultural and comes from the business. Everyone needs to be involved, which DevOps states clearly.
Thus, what we expect from the CISO (Chief Information Security Officer) is not simply to issue security policies (as mentioned in the ITIL 4 training) but also to evangelise the entire IT department, as well as users and customers, on the different aspects of security (strategic, tactical or operational). Security is everywhere and concerns everyone. Since security is not just a matter of policy, mechanisms and systems must be designed, tested and supervised in operation. To keep security on track, we must communicate!
There are 5 universal concepts found in the DevOps, ISO and ITIL frameworks for protecting the information the organisation needs to run its business:
- Confidentiality: access to data is limited to authorised persons
- Integrity: data remains accurate and unaltered throughout the system
- Availability: data is available when and where it is needed, to those who need it
- Authentication: the identity of the requester is verified
- Non-repudiation: the action carried out can be proven, so its author cannot deny it
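Integrity, authentication and non-repudiation are the three concepts on this list that are most often confused, so here is an added example (not code from the original article or from any of the frameworks it cites) that shows the difference in working Go. An HMAC over a record gives integrity and authentication among the holders of a shared key, but because the verifier holds the same key it could have produced the tag itself, so it proves nothing to a third party. A digital signature (Ed25519 here) adds non-repudiation: only the private key holder can produce it, and anyone with the public key can check it. The log line, the operator name and the key material are all constructed for the example; the Outcome struct is a hypothetical helper so each property can be checked.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleAction is a constructed audit record: an operator submits an action
// that must later be attributable to them. Not taken from the article.
var sampleAction = []byte("2024-05-03T10:15:00Z operator=alice action=firewall-rule-delete id=42")

// hmacTag produces an HMAC-SHA256 tag. It gives integrity (any change to msg
// changes the tag) and authentication among holders of key, nothing more.
func hmacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// hmacVerify checks a tag in constant time.
func hmacVerify(key, msg, tag []byte) bool {
	return hmac.Equal(hmacTag(key, msg), tag)
}

// Outcome records, for each mechanism, whether a genuine record verifies,
// whether tampering is detected, and whether the verifier itself could forge
// a valid proof for a record the operator never produced.
type Outcome struct {
	HMACValid, HMACTamperDetected, HMACVerifierCanForge bool
	SigValid, SigTamperDetected, SigVerifierCanForge    bool
}

// Demonstrate runs both mechanisms against the same record and a tampered copy.
func Demonstrate() (Outcome, error) {
	var o Outcome

	// Shared secret between the operator and the log collector (constructed).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return o, err
	}
	tag := hmacTag(key, sampleAction)
	o.HMACValid = hmacVerify(key, sampleAction, tag)

	// An attacker rewrites who performed the action; the original tag no longer matches.
	tampered := bytes.Replace(sampleAction, []byte("alice"), []byte("bob"), 1)
	o.HMACTamperDetected = !hmacVerify(key, tampered, tag)

	// The collector holds the same key, so it can mint a valid tag for a record
	// alice never sent. That is why HMAC cannot provide non-repudiation.
	forged := hmacTag(key, tampered)
	o.HMACVerifierCanForge = hmacVerify(key, tampered, forged)

	// Operator's signing key pair; only the operator holds priv.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	sig := ed25519.Sign(priv, sampleAction)
	o.SigValid = ed25519.Verify(pub, sampleAction, sig)
	o.SigTamperDetected = !ed25519.Verify(pub, tampered, sig)

	// The collector has only pub. Its best attempt at forging is to sign the
	// tampered record with a key of its own, which does not verify under pub.
	_, collectorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	attempt := ed25519.Sign(collectorPriv, tampered)
	o.SigVerifierCanForge = ed25519.Verify(pub, tampered, attempt)

	return o, nil
}

func main() {
	o, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The practical consequence for the list above: an audit trail protected only by a shared secret satisfies integrity and authentication, but if the question is "can we prove to an auditor that alice did this", the record needs a signature tied to a key only alice controls (and a trustworthy timestamp, which this example does not cover).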
However, the DevSecOps framework broadens the topic, makes security a cultural matter in addition to a technological one, and places a huge focus on observability. Knowing everything that goes on in day-to-day production is an integral part of security.
Unfortunately, even though almost all companies have observability tools, there is not always someone in front of the screens to see what is going on, or the tools do not actually show what they should, and so the problem comes back. ITIL calls this practice "event management" and DevOps calls it "observability", but above all DevOps stresses how critical security and event management are.
For a professional who would like to run security, I recommend ISO 27000 training; for the professional who wants to understand the security issue as a whole, I recommend DevSecOps training instead.