Page 35 - FCW, June 2017

DrillDown
Why compliance demands a DevOps approach
Agile development allows agencies to build inherently secure systems in a way that keeps pace with innovation
BY SHAWN WELLS
Stop me if you’ve seen this scenario before: A compliance policy is developed behind closed doors by federal security advisers. Once published, it’s sent to IT managers, who take one look and say, “Well, this won’t work.”
Then they begin the arduous process of trying to provide feedback, which amounts to submitting a request into a suggestion box and waiting for an answer that might or might not come. The public comment process is often opaque: You don’t know if or why your comments were rejected, and it’s difficult to appeal your case.
This classic waterfall approach to the creation of security and compliance procedures is in direct contrast to the fast and agile DevOps approach to application development that many agencies embrace today. In the past few years, the federal government has turned to Silicon Valley startups filled with former Presidential Innovation Fellows to bring agencies into the 21st century. Those people understand the value of DevOps principles, but they’ve been asked to meld them with an antiquated waterfall security process that has gated checkpoints, starts and stops, and long development cycles.
In a DevOps approach, the creation of compliance content happens in tandem with application development and involves input from many stakeholders. It includes soliciting feedback from numerous key stakeholders, including developers, systems administrators, security managers and especially end users.
It also means incorporating multiple lines of feedback right from the start to ensure that developers’ concerns regarding the balance of security, compliance and innovation are addressed early in the process and that security managers have a better understanding of how their policies affect development and end-user experiences.