In some enterprise IT shops, DevOps is evolving into DevSecOps, and new tools are needed to automate IT policy management as part of that trend.
One such tool emerged this week in Sentinel, an option now included with the enterprise versions of HashiCorp DevOps tools such as Consul for service discovery, Vault for secrets management, Nomad for container scheduling, and Terraform for infrastructure as code. Sentinel automates IT policy management with a policy language that can be tested, version-controlled and integrated into a DevOps pipeline as with any other application code.
IT policy management typically focuses on regulatory compliance, a discipline closely related to IT security but often handled by separate teams. The two fields are expected to merge, much as the traditionally separate application development and IT operations fields have under DevOps. Sentinel offers policy as code features for both security and compliance.
With Sentinel and policy as code, HashiCorp seeks to attract DevOps pros such as Mykel Alvis, DevOps coach at Cotiviti Labs, the R&D arm of Atlanta's Cotiviti Holdings Inc., which provides data analytics and financial services to U.S. healthcare payers and retailers.
"I want everything automated, including fully automated security," Alvis told attendees in a public presentation at last week's DevSecCon in Boston. "We the developers need help with managing how we test security-related things, and if you can't help me write a test, you can't help me."
IT policy management everywhere or bust
IT pros in other large, heavily regulated enterprises have begun to preach the same principles. HashiCorp DevOps customers such as Barclays and SAP Ariba advised the vendor on Sentinel's design, then put the tool through its paces in beta.
SAP Ariba, a business procurement software company in Sunnyvale, Calif., has used Consul, Vault, Terraform, Nomad, the Packer machine image builder and the Vagrant VM-based development utility from HashiCorp for the last two years. SAP Ariba plans to deploy Sentinel with all of those tools to support its eponymous business network software and services.
"I'm a 'policy everywhere' guy," said John Mitchell, infrastructure architect at SAP Ariba. "If policy isn't everywhere -- and that means enforceable everywhere, reproducible everywhere, and testable everywhere -- then it's not real."
Policy as code is a natural follow-up to the infrastructure as code SAP Ariba already has with Terraform, Mitchell said. He hopes that policy enforcement will become consistently pervasive throughout the company by training people to think about policy and security no matter what their specific role is.
Mitchell likes the fact that Sentinel will be a feature of existing HashiCorp DevOps tools rather than a separate product.
"It doesn't have an extra cost in terms of time to set up," he said. "It's a natural part of other tools, not a ... bolt-on exterior piece."
HashiCorp proposes active enforcement approach
HashiCorp will join Chef InSpec in the policy as code space, though the two are focused on different layers of the data center infrastructure. Through Terraform, Sentinel evaluates planned changes to low-level server, network and container resources before they are applied, while Chef InSpec audits the operating system and applications that run on each server, so the two can be used together.
Overall, policy as code is still a woefully under-addressed market, IT experts said.
"With automation, you can codify the same mistakes that people make in manual processes -- you need a tool that can make sure the automation you build is doing the right things," said Zubin Irani, CEO of cPrime Inc., an Agile software development consulting firm in Foster City, Calif. "This new tool starts to address that problem, and it's one that desperately needs attention."
HashiCorp IT policy management takes an active enforcement approach, meaning it sits in the request path of the tools it is embedded in and blocks actions that violate policy before they take place. This is in contrast to the passive enforcement approach, which allows changes that violate policy to proceed but notifies administrators. Chef InSpec combines active and passive enforcement: customers incorporate InSpec in the continuous integration and continuous delivery pipeline to actively enforce policies, then passively monitor the environment for drift that violates policies.
The active enforcement approach has its drawbacks precisely because it sits in the request path: the policy engine becomes both a dependency and a target, so the security and high availability (HA) of Sentinel itself are important deployment considerations. Active enforcement could also slow down the continuous delivery workflow. But proponents of active enforcement argue that companies under strict regulation must be able to show auditors that bad actions and bad states are simply not possible, rather than occasionally allowed under certain circumstances.
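To make the "policy as code" description above and the active enforcement discussion concrete, here is an added example of a Sentinel policy for Terraform. It is not code from HashiCorp, SAP Ariba or the original article: the `tfplan` import and the `main` rule convention are Sentinel's own, while the approved instance types, the helper name `get_aws_instances` and the rule name `instance_type_allowed` are assumptions for illustration. The policy rejects any plan that would create or change an `aws_instance` whose `instance_type` is not on an approved list.

```sentinel
# Added example (not HashiCorp's or SAP Ariba's code): restrict the EC2
# instance types a Terraform plan may create. Runs against Terraform's
# plan data exposed through the "tfplan" import.
import "tfplan"

# Assumed allow list maintained by the security team and reviewed like any
# other code change in the repository.
allowed_types = [
    "t2.micro",
    "t2.small",
    "t3.medium",
]

# Collect every aws_instance resource from every module in the plan.
# `else []` covers modules that declare no aws_instance resources, so the
# policy does not fail on a missing key.
get_aws_instances = func() {
    instances = []
    for tfplan.module_paths as path {
        instances += values(tfplan.module(path).resources.aws_instance) else []
    }
    return instances
}

aws_instances = get_aws_instances()

# Every instance's planned ("applied") instance_type must be on the list.
instance_type_allowed = rule {
    all aws_instances as _, instances {
        all instances as _, r {
            r.applied.instance_type in allowed_types
        }
    }
}

# The enforcing tool evaluates `main`. A false result at hard-mandatory
# enforcement blocks the apply outright (the active approach described
# above); at advisory enforcement it only logs a warning (the passive one).
main = rule {
    instance_type_allowed
}
```

Because the policy is plain text, it is version-controlled and tested like application code: Sentinel's `sentinel test` command runs test cases placed under `test/<policy-name>/` that mock the `tfplan` import with sample plan data and assert whether `main` should pass or fail, so a bad allow list is caught in the pipeline before it ever blocks, or wrongly permits, a real change. Whether a failing `main` blocks or merely warns is set by the enforcement level configured in the host tool, not by the policy itself.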
"Yes, it's extremely annoying, but go ask Equifax if they would prefer to have code liability screens simply give them an FYI or actually prevent them from being exposed to risk," Irani said.
By design, Sentinel policies are bounded in execution time and memory, which limits the damage an attacker could do by abusing the policy engine, said Armon Dadgar, CTO of HashiCorp. Sentinel can also use the HA features of the underlying HashiCorp DevOps tools to protect against outages, and a Sentinel Simulator tool lets teams test policies against sample data before they are enforced, catching misconfigured policies before they block or permit the wrong changes.
Third-party DevOps software tools can integrate with the Sentinel plug-in software development kit (SDK), also released this week, to extend automated IT policy management beyond HashiCorp DevOps tools. SAP Ariba will use that SDK to integrate Sentinel with its homegrown tools and lobby other software makers to do the same, Mitchell said.
"We'll start pushing our vendors to integrate with Sentinel and move to the 'policy everywhere' way of life," he said. "HashiCorp has released the backbone, and now it's up to us to help create the ecosystem and fill in the blanks."