Whether you take a minimalist view of the idea of NetOps -- it's just the network stuff DevOps folks already do...
-- or the maximalist view, in which it's the whole network run DevOps-style, security must be a key factor in what gets done and how it gets done.
Of course, security should be integral to any DevOps effort -- a fact sometimes emphasized by explicitly saying DevSecOps. It makes equal sense, then, to say NetSecOps to emphasize network security is just as important as application security in any DevOps effort.
NetSecOps brings the practices of DevOps to the network space, with the goal of improving network security, while also making the network more agile in meeting the needs of new workloads and business services. That's right: improving network security, not just preserving network security, by introducing a way to automate security testing.
NetSecOps should, after all, include a higher amount and broader range of ways to automate security testing for networks, compared with many development shops and production environments. This is possible because DevOps introduces the idea of automated testing, which is integral to the process at every stage. In contrast, most current security testing is manual and only done at the end of a development effort.
Additionally, libraries of secure configuration code make it easier than ever to comply consistently with security policy and best practices. This code can be improved upon continually, with improvements easier to push out to all services than in the past -- again, thanks to the ability to automate security testing.
Teamwork required to automate security testing, prevent challenges
To meet the goals of agility with security, NetSecOps will aggressively pursue an infrastructure-as-code approach to all of networking -- not just in the data center. It will emphasize the use of network virtualization, the idea of a software-defined perimeter and microsegmentation, and software-defined networking more broadly. This includes shifting to virtualized network appliances, network functions virtualization and white-boxing.
At an organizational level, NetSecOps means further eroding or eliminating divisions between security, network, developer and systems administration teams. But, there's a major challenge: NetSecOps makes segregation of duties (SoD) harder to implement and manage. SoD is an essential principle of IT security operations and cannot be abandoned. Not only is SoD a best practice, it is sometimes imposed by law or regulation.
To compensate for any blurring of lines at a divisional level, teams need to be tracking the activities of individuals when they automate security testing. For example, use collaboration, task and code management tools to ensure whoever develops security policies coded in a section of a campus network should not also review, test or approve the code. And this process should, of course, be auditable.
In sum, NetSecOps aims to make securing an application look like part of the development process, rather than as an externally imposed hurdle to be cleared after development -- something slowing down the whole process. That perception, too often, has led to efforts to circumvent, compress or short-circuit security testing to speed up delivery. NetSecOps says delivery without security is like delivery without any other minimum required feature: unacceptable.