Chapter 7. People and Processes

Up until this chapter, we have focused on technology. We’ve discussed how different types of tools help us achieve different security functions. But, like every sound security program, we have to address the entirety of the People, Process, Technology framework, which we briefly introduced in Chapter 5. This framework was popularized in the 1990s by cryptography expert Bruce Schneier, who argues that these three things form the foundation of security. Security cannot be implemented with technology alone, nor with just people or just a process. Balancing the three lets security-minded folks focus on building secure systems instead of spending 99% of their time responding to events.

Now that you know what security tools and setups you need to get your technology to a minimum viable state, this chapter will cover the people and processes related to securing your IaC. Before we dive in, we want to make it very clear that there is no one right way to manage people or processes related to securing your infrastructure. Each organization has its own approach, based on its size, culture, and team structure. The pointers we give in this chapter are derived from our personal experiences, and from common themes we have seen among organizations that have implemented DevSecOps successfully.

People: Team Structures and Roles

In this chapter, we will refer to a DevSecOps “team,” whose members are focused on this journey. There are certain ...

Get Security as Code now with the O’Reilly learning platform.