DevSecOps for Authorization
1. Overview
What is DevSecOps? DevSecOps refers to the strategy of development, security, and operations teams working hand-in-hand on their projects, rather than working in isolation. Each component of DevSecOps – development, security, and operations – is meant to be integrated into the processes of its fellow components. For example, in terms of security, DevOps should be part of the lifecycle of security procedures.
If we are to apply DevOps to security, we must treat security as code. In this article, we will review how treating authorization policies as code brings authorization into the DevSecOps strategy.
2. Centralized and Externalized Access Control
In order to practice the agility and responsiveness that the strategy of DevSecOps calls for, access control must be centralized and externalized from applications, similar to the model described in the eXtensible Access Control Markup Language (XACML). Centralizing and externalizing authorization also makes an organization safer, because the security policies live in one place rather than being baked into every application. This means we have to review one set of policies rather than many!
Microservices are a modern trend, and a common issue is a microservice that implements its own authorization and so breaks the principle of single responsibility. Both monolithic and microservice applications need to externalize and centralize their authorization.
3. Version Control of Policies
In order to treat security as code, we need to apply version control to our authorization policies. The benefits of using version control on our policies include:
- The ability to roll back to a previous policy if an issue is encountered with a new version.
- To properly deploy policy in development, QA, and production.
- To effectively collaborate within a security policy team, as you can compare policies, identify differences, and merge changes as you see fit.
As we can see, the benefits of using version control amount to more agility and responsiveness, which are cornerstones of DevSecOps.
4. Automation
By integrating our externalized and centralized authorization software with an automation server, such as Jenkins, we can automate:
- Deployment of policies from our version control system, such as Git.
- Acceptance tests that ensure that critical authorization errors aren’t part of the new policy.
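The following is an added example, not code from the original article or from any product it mentions, that ties sections 2, 3 and 4 together: a policy document kept as data (the kind of file that would live in Git), a small externalized policy decision point that applications call instead of embedding their own checks, a rule-level diff for the review step, and the acceptance tests an automation server such as Jenkins would run before promoting a new policy version. The policy format, rule ids, roles and test names are all constructed for the example; the evaluator uses a simplified XACML-style deny-overrides combining algorithm with default deny.

```python
"""Policy-as-code demo (constructed example): externalized policy decision point (PDP),
rule diff between versions, and the acceptance gate run by the CI job."""
import json
import sys
from dataclasses import dataclass

# Constructed sample policy, version 2. In practice this document is a file under
# version control that the automation server deploys to the PDP.
POLICY_V2 = json.loads("""
{
  "version": 2,
  "rules": [
    {"id": "admin-all",       "effect": "permit", "subject": {"role": "admin"},     "action": "*",      "resource": "*"},
    {"id": "staff-read-docs", "effect": "permit", "subject": {"role": "staff"},     "action": "read",   "resource": "document"},
    {"id": "owner-update",    "effect": "permit", "subject": {"role": "staff"},     "action": "update", "resource": "document", "condition": "owner"},
    {"id": "deny-anonymous",  "effect": "deny",   "subject": {"role": "anonymous"}, "action": "*",      "resource": "*"}
  ]
}
""")

# Constructed version 3 candidate: documents were opened up for reading and, in the
# same change, the explicit anonymous deny was dropped. The gate must catch this.
POLICY_V3_CANDIDATE = json.loads("""
{
  "version": 3,
  "rules": [
    {"id": "admin-all",    "effect": "permit", "subject": {"role": "admin"}, "action": "*",      "resource": "*"},
    {"id": "public-docs",  "effect": "permit", "subject": {},                "action": "read",   "resource": "document"},
    {"id": "owner-update", "effect": "permit", "subject": {"role": "staff"}, "action": "update", "resource": "document", "condition": "owner"}
  ]
}
""")


@dataclass(frozen=True)
class Request:
    """XACML-style request: subject attributes, the action, and resource attributes."""
    subject: dict
    action: str
    resource: dict


def _matches(rule, req):
    """A rule applies when every subject attribute it names matches, and the action,
    the resource type and the optional owner condition all match."""
    for attr, wanted in rule["subject"].items():
        if req.subject.get(attr) != wanted:
            return False
    if rule["action"] not in ("*", req.action):
        return False
    if rule["resource"] not in ("*", req.resource.get("type")):
        return False
    if rule.get("condition") == "owner" and req.resource.get("owner") != req.subject.get("id"):
        return False
    return True


def decide(policy, req):
    """Deny-overrides combining: a matching deny wins, then a matching permit;
    with no applicable rule the answer is deny (default deny)."""
    effects = {r["effect"] for r in policy["rules"] if _matches(r, req)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"


# Acceptance tests: invariants every policy version must satisfy before deployment.
# Each entry is (name, request, expected decision).
ACCEPTANCE_TESTS = [
    ("admin can delete any document",
     Request({"id": "a1", "role": "admin"}, "delete", {"type": "document", "owner": "u2"}), "permit"),
    ("staff can read documents",
     Request({"id": "u1", "role": "staff"}, "read", {"type": "document", "owner": "u2"}), "permit"),
    ("staff can update their own document",
     Request({"id": "u1", "role": "staff"}, "update", {"type": "document", "owner": "u1"}), "permit"),
    ("staff cannot update another user's document",
     Request({"id": "u1", "role": "staff"}, "update", {"type": "document", "owner": "u2"}), "deny"),
    ("anonymous cannot read documents",
     Request({"role": "anonymous"}, "read", {"type": "document", "owner": "u2"}), "deny"),
    ("unknown role gets default deny",
     Request({"id": "x", "role": "contractor"}, "delete", {"type": "document", "owner": "u2"}), "deny"),
]


def run_acceptance(policy):
    """Return the names of the failed invariants; an empty list means the version may ship."""
    return [name for name, req, expected in ACCEPTANCE_TESTS if decide(policy, req) != expected]


def rule_diff(old, new):
    """Rule ids added and removed between two policy versions, for the review step."""
    old_ids = {r["id"] for r in old["rules"]}
    new_ids = {r["id"] for r in new["rules"]}
    return new_ids - old_ids, old_ids - new_ids


if __name__ == "__main__":
    candidate = POLICY_V3_CANDIDATE
    added, removed = rule_diff(POLICY_V2, candidate)
    print(f"policy v{candidate['version']}: added {sorted(added)}, removed {sorted(removed)}")
    failures = run_acceptance(candidate)
    for name in failures:
        print("FAILED:", name)
    # A non-zero exit status is what lets the automation server block the deployment.
    sys.exit(1 if failures else 0)
```

Run as a script, the gate exits non-zero for the version 3 candidate because the dropped deny rule lets anonymous callers read documents; the same invariants pass against version 2. Keeping the acceptance tests next to the policy in the repository means a change that weakens a critical rule fails the pipeline rather than reaching production.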
5. Conclusion
By following the DevSecOps principles we discussed here today, we can greatly improve the efficiency and responsiveness of authorization. Implementing these changes also leads to a more secure organization.
To read more about modern authorization, check out my posts Authorizing Resources Based On Who Created Them and Expression-Based Access Control.
Published on Java Code Geeks with permission by Michael Good, partner at our JCG program. See the original article here: DevSecOps for Authorization. Opinions expressed by Java Code Geeks contributors are their own.