These days, everybody in the DevOps world is talking about the “Shift Left” movement (don’t worry, it has nothing to do with politics!).
As an IT professional, you may not realize that Shift Left has grown and expanded over the last few years. Today, many organizations are integrating the Shift Left methodology far beyond development into numerous areas of IT and Ops. It’s become a way of thinking—and of improving the way your organization functions.
Let’s take a look at how Shift Left got started and what it can teach us about the right way to manage security for IT.
Shift Left in the DevOps World
Shift Left was born in the DevOps world, primarily as a movement to incorporate security early in the development cycle.
The development world has already undergone a revolution over the last decade. As Forrester put it in their 2018 report on the state of DevOps, entitled “Nimble To The Core”:
“Slow and steady doesn’t win the race, and the fast are getting faster. If software delivery required acceleration in previous years, it now requires a jet engine.”
According to the Forrester report, today’s DevOps software development is nimble, meaning it’s all about continuous improvement and continuous delivery, ongoing iteration, cross-enterprise collaboration, and breaking down process and technology silos.
But there’s one silo that remains in many organizations: security.
If we visualize the software development cycle as running from left (idea) to right (finished product), security has traditionally been more closely tied to the right side, one of the last things addressed before release.
But adding the security piece in at the end is too late. For one thing, it can break the product, introducing errors and vulnerabilities. For another, it’s inefficient. Designing from the ground up with security in mind from the very start will deliver more intelligent and secure data structures and applications.
Experts agree. Take the Cloud Security Alliance (CSA) report, “The Six Pillars of DevSecOps: Automation,” which states that “Applying security measures as an afterthought is a recipe for disaster.”
DevSecOps, as you can probably tell, is the movement toward shifting security into the heart of DevOps, in other words, Shift Left.
In the DevOps world, the Shift Left approach has shown massive benefits: It preempts problems, eliminating them before they emerge, and creates tighter, more secure end products without slowing the development-release cycle.
But as mentioned, Shift Left has already spread to other areas of IT and Ops. Two other major areas where Shift Left concepts and methodologies have been embraced are:
- QA/Testing, where it refers to incorporating automated testing earlier on
- ITSM/Help Desk, where it refers to empowering junior support staff and even end users through better access to specialized, self-service help information
Whether we’re talking about security and DevSecOps, QA/Testing, or ITSM/Help Desk, there are two clear parallels. Shift Left always involves rethinking who is doing what, and when, and restructuring processes that aren’t working. And its goal is always to create more intelligible processes. This saves companies time and money, but ultimately, it also helps them create better products.
Barriers to Shift Left
Since Shift Left has so many clear advantages, we also need to understand why many organizations have failed to follow through with a full-scale implementation of it. As one IT leader reports, too many Shift Left initiatives have been impeded by barriers from both the management level and the frontline IT team.
First, there’s often a lack of corporate leadership buy-in and an unwillingness to change the corporate culture. This resistance to change is best described by the age-old saying, “If it ain’t broken, don’t fix it.” Understanding the business imperative behind Shift Left is essential to ensure buy-in. The fear that Shift Left will cost more money is short-sighted, overlooking longer-term cost savings through optimization.
Second, there are often objections from frontline team members who must implement any changes—and who fear that Shift Left will create more work for them. These fears are also short-sighted: While tasks may be redistributed unevenly in the short run, in the long run, Shift Left can save work, in part through its major emphasis on automation wherever possible.
Fears on both these levels are created by false economies. Again, these objections are usually short-sighted: There may be some additional initial work or expense, but in the long run, the savings and process improvements will be far greater. The key to success lies in convincing both levels of the benefits that will ensue.
For example, management must be persuaded that organizational goals will be served better by Shift Left, delivering concrete, measurable benefits through improved metrics and offering tangible value to the company. It can also help to assure management that these principles can be implemented through incremental changes, with minimal disruption to operations.
You can also increase buy-in among IT team members in a variety of ways. Three features that can improve the acceptability of any new methodology, such as Shift Left, include:
- Tools and techniques that adapt to existing workflows
- Clear, reasonable definitions of work scope and responsibility
- Automation and streamlining of existing tasks to lessen the workload
Ultimately, in both cases (management and IT), it comes down to education. And in both cases, it can help to focus on the core of the Shift Left philosophy: The earlier you take care of a problem, the less it can hurt you later on.
JetPatch: Shift Left for Your Security
Shift Left is a great idea that deserves to spread far beyond the DevOps world.
Fixing problems earlier saves time, whether we’re talking about during the development cycle or in an IT department. And it can eliminate time-consuming, costly customer complaints, support requirements, and more, down the line.
Security has been a major use case for Shift Left in DevOps because it is so expensive and inefficient to add security late in the development cycle, as it often has been traditionally.
That’s true in the IT world as well. Too often, in our organizations’ networks, security is an afterthought.
Companies set up a network of vulnerable (and valuable!) endpoints and add on solutions at the end to keep things secure. Then, when there’s a breach, your team faces a massive cleanup and remedial effort. And from the relatively tiny $350,000 paid by a small healthcare organization in Missouri to the $30.5 million Equifax class action settlement and beyond, breaches come with a major financial cost as well.
That’s why it’s time to start applying Shift Left to security—not just within DevOps but across your entire organization. JetPatch is the Shift Left philosophy applied to IT, cloud, and remote user security.
Using automation and predictive patching technology, JetPatch addresses remediation process flaws as far left as possible. Rather than guarding a network full of vulnerable endpoints, JetPatch remediates the vulnerabilities, so even if a threat gets in, your systems, and their valuable data, are secure.
JetPatch shifts the complete end-to-end remediation process all the way to the left:
- Proactively addressing patch failures before they occur
- Using machine learning to predict patch cycle success rates
- Adding automation to patching to save your team work
Shift Left is catching on because it creates more intelligible processes while saving time and money.
JetPatch streamlines the processes behind vulnerability remediation, letting you reach 100% remediation with a lot less work. It makes it easy to put intelligent processes in place so you can fix problems earlier, delivering to your company the business value of saving time, money, and hassle.
It may be called Shift Left… but with JetPatch, it’s clearly the right way to boost security and compliance.