Making DevOps a Reality in Government Agencies

By: Puppet

In an increasingly application-driven world, the government sector is constantly challenged with prioritising resources and delivering services to citizens while having to meet stringent security and compliance requirements. In fact, this is taking place even more so in the recent climate as more authorities embrace smartphone applications for contact tracing, as is the case in Singapore, Vietnam and Australia.

As governments leverage new technologies for better citizen engagement, one approach stands above the rest: DevOps. With DevOps, government agencies can address security and compliance requirements, manage heterogeneous environments, and get immediate and ongoing visibility into their IT infrastructure.

“In Asia Pacific, we’ve had a few municipalities coming to us to help them speed up infrastructure to address their disaster recovery plans and enable the automation of applications migration from on-prem to the cloud as needed,” said Rachel Lew, Country Manager of Puppet. “Of course, you also get bad actors trying to take advantage in vulnerable situations as well. There is a need, more than ever, to make sure your infrastructure is in its optimal state for you to track any vulnerabilities that might cause disruption.”

DevOps is a way for governments to deliver assured security compliance. DevSecOps teams can model security-compliant IT environments — whether cloud-based or on-premises — in an automated fashion to develop and test software so new applications run, operate, and are secure as expected. Moreover, with a common language, teams can successfully adopt DevSecOps practices, such as version control, code review, automated testing, continuous integration, and automated deployment. 

One of the key successes of DevOps adoption in the government sector is the enablement of stress-free IT audits. Leveraging tools and solutions from Puppet, teams were able to build security and compliance across their IT estate, significantly reducing audit time from months to weeks.

However, when it comes to security integration, the 2019 State of DevOps: Industry Report Card highlights that there’s no real middle ground for governments – 43% of respondents report either significant integration or full integration while 42% have no or minimal integration.

Overall, governments have the greatest impact on improving confidence in security posture, but they are faced with several challenges, such as:

  • Deployment frequency: Only 41% were able to deploy on demand.
  • Time to remediate vulnerabilities: Government agencies have the slowest time to remediate critical vulnerabilities, and only 3% of respondents were able to remediate in an hour or less.
  • Having security integrated in the early phases of the delivery cycle: Government agencies had the lowest percentage of firms with security integrated into the build and design phases.

Lew adds, “Cybersecurity is not just a matter of who, but also when. With cyber threats continuing to rise, governments in Singapore and around the world need to prioritise automation as a part of their security practice.”

Government agencies need to empower their teams to find and fix security issues, so they do not inadvertently end up in production – and the solution points to the integration of security earlier in the delivery cycle. Though it may sound expensive to adopt new tooling and practices, fixing defects earlier in the delivery lifecycle is much cheaper in the long run, reducing development time and costs.
