In 2011, Randy Bias, a prominent member of the cloud community, used the phrase "cattle, not pets" as an analogy for how DevOps engineers should think about the cloud and the benefits of managing infrastructure in a cloud-native environment. The phrase "cattle, not pets" (attributed originally to Bill Baker, a Microsoft distinguished engineer encouraging his DBA audience to think differently about their SQL Server deployments) has become pervasive within the DevOps community and is a useful way to think about the difference between a dynamically scalable cloud deployment and a more static on-premises server rack. Once the description was applied to the cloud, it was adopted across the IT community, showing up in sources as varied as Amazon webinars and CERN presentations.
Although the concept has contributed to the cloud design principles of thousands of DevOps engineers across the industry, the analogy is imperfect. Treating servers as "cattle, not pets" without broader strategies to implement security eliminates concerns about resiliency and initial server configuration, leaving the proverbial door wide open for unanticipated access issues, malicious intrusion vectors, and other security threats and vulnerabilities that have been prevalent since well before the cloud concept was mainstream.
Enter the many different flavors of infrastructure-as-code. There are many ideas about planning for DevOps, and the benefits of the overall infrastructure-as-code movement: numerous papers on the "cattle, not pets" approach; dissertations on the broader notion of replicability, rigor, scrutiny, as well as inherent security that come from code-based implementations of infrastructure; sales briefs on the benefits of being able to model infrastructure changes without time-consuming and costly mock-ups in a manually configured staging environment; and so on.
The concept of using code-based policies to impose consistent security on a broader IT environment is not new in IT or the cloud. However, minimizing security risks with comprehensive security-as-code in a way that almost entirely removes the need for any manual interaction is a relatively new practice — as is the prioritization of security principles when DevOps teams consider how to configure code-based policies to manage their own environments.
This doesn't mean the industry isn't addressing the practice. Companies including Puppet, Chef, Red Hat, AWS, IBM, and many others offer rich tool sets that are intended to ease the transition from traditional IT practices and DevOps approaches to security in favor of the DevSecOps approach to infrastructure management — and DevSecOps appears to be on its way to becoming the new normal.
Opportunity for Change
The broader implications of the DevSecOps mindset for the governance of security and compliance have been relatively underappreciated until recently. The industry now has an opportunity to shift the focus of security and compliance scrutiny from the live environment to a code repository, greatly increasing the assurance possible in any security review and simplifying the methodology required by any external auditor tasked with verifying the compliance posture of a given environment. Prominent cloud providers are releasing verified reference architectures that, if implemented without any security-impacting changes, provide compliance with any number of prominent security and regulatory frameworks their customers may encounter. An entire cottage industry has formed around the idea that security can be written instead of implemented. While not as prominent as the overall infrastructure-as-code movement, comprehensive security-as-code could be truly transformative for organizations building in the cloud.
If done carefully, true security-as-code has many benefits. Budget-conscious executives can mandate code-based security policies to minimize the large amounts of time, money, and effort traditionally required to properly deploy and vet a mature security posture. System owners can remove the human from the loop in all but the most esoteric of management actions — minimizing the risk of some of the most prominent malicious intrusion vectors seen today and virtually guaranteeing consistent implementation of security controls and policies. Architects can mock up their selected controls, service-level agreement obligations, and performance targets without delay and quickly iterate through options before allocating any resources to a test deployment.
Companies working to bring software products to market in heavily regulated industries can reduce their time to compliance — even across multiple frameworks at once — as they are only limited by the speed at which their developers can type, instead of the long lead times traditionally expected between development, assessment, and remediation. Undermanned DevOps teams can confidently reuse and recycle security policies and assets between environments without worry about customization or loss of fidelity, easing the pain of frequent requests for segregated resources or low-level tenant-by-tenant isolation.
And finally, interested reviewers and external auditors can be confident when assessing the security assurance provided by a heavily automated and code-based IT environment. Focusing such a review on a code-based architecture implemented throughout the scope of a given review reduces the chance that, somewhere, in some far-off closet, sits a critical server still being treated as a pet.