How DevOps Can Tackle the Growing Wave of Cloud Security Challenges
The article summarizes Chen Weijia’s DevOps International Summit talk on confronting expanding cloud security threats, covering DevSecOps practices, code scanning tools, encryption strategies, permission segmentation, and unified identity management to balance efficiency and security in modern software delivery.
As China's only international DevOps summit, the DevOps International Summit (DOIS) covers lean, agile, continuous delivery, test automation, technical operations, high-availability architecture, microservices, DevSecOps, and organizational culture. This year, YuFu Technology CTO Chen Weijia presented "How DevOps Meets the Growing Wave of Cloud Security Challenges."
Chen has extensive experience in distributed systems, micro‑service architecture, web applications, and machine learning, having worked on large‑scale video platforms at Facebook and automated cluster scheduling at Splunk. He believes that security and usability, often seen as mutually exclusive, must be balanced to drive DevOps forward.
Evolution of Security Management
In small teams, security is handled in a simple, heavy-handed way: developers own code security while operations own runtime and application security, so permissions concentrate in a handful of people who often lack security expertise. Larger companies typically have dedicated security or compliance teams that audit code and enforce KPI-driven fixes, but this approach brings heavy communication overhead and low efficiency.
DevSecOps integrates development, security, and operations to reduce communication, enable collaborative security practices, and allow automated code scanning. Tools such as FindBugs, SonarQube, and commercial solutions like CodeSonar can be embedded in CI/CD pipelines to detect vulnerabilities early, though free tools may produce false positives and lack deep analysis.
Third-party open-source components must be vetted: a whitelist enforced in the CI/CD pipeline should admit only trusted packages, and outdated libraries (e.g., the 2017 Fastjson vulnerability) should be upgraded promptly.
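A minimal form of that CI/CD gate, written as an added example for this summary rather than code from the talk or from any tool it names: each dependency line is checked against a whitelist that also records the lowest version the security team still accepts, so an unvetted package and an outdated one are both blocked before the build proceeds. The manifest format ("name version" per line), the package names and the version numbers are all constructed for the example; a real pipeline would read them from the project's lockfile.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AllowedPackage is one whitelist entry: the package name and the lowest
// version still accepted. Entries below are hypothetical.
type AllowedPackage struct {
	Name       string
	MinVersion string
}

// Finding explains why a dependency line should fail the pipeline gate.
type Finding struct {
	Name    string
	Version string
	Reason  string
}

// parseVersion turns "1.2.24" into [1 2 24]; non-numeric parts count as 0.
func parseVersion(v string) []int {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			n = 0
		}
		out[i] = n
	}
	return out
}

// versionLess reports whether a < b under numeric dotted comparison,
// padding the shorter version with zeros ("1.2" == "1.2.0").
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for len(pa) < len(pb) {
		pa = append(pa, 0)
	}
	for len(pb) < len(pa) {
		pb = append(pb, 0)
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// CheckDependencies takes "name version" lines (one per dependency) and the
// whitelist, and returns every line that should block the build.
func CheckDependencies(manifest []string, whitelist []AllowedPackage) []Finding {
	allowed := make(map[string]string, len(whitelist))
	for _, a := range whitelist {
		allowed[a.Name] = a.MinVersion
	}
	var findings []Finding
	for _, line := range manifest {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			findings = append(findings, Finding{Name: line, Reason: "unparseable manifest line"})
			continue
		}
		name, version := fields[0], fields[1]
		minVersion, ok := allowed[name]
		switch {
		case !ok:
			findings = append(findings, Finding{Name: name, Version: version, Reason: "not on the whitelist"})
		case versionLess(version, minVersion):
			findings = append(findings, Finding{Name: name, Version: version,
				Reason: fmt.Sprintf("below minimum allowed version %s; upgrade", minVersion)})
		}
	}
	return findings
}

func main() {
	// Constructed sample manifest and whitelist; names and versions are illustrative only.
	manifest := []string{"example-json 1.2.10", "example-http 4.5.0", "unvetted-util 0.1.0"}
	whitelist := []AllowedPackage{{Name: "example-json", MinVersion: "1.3.0"}, {Name: "example-http", MinVersion: "4.5.0"}}
	for _, f := range CheckDependencies(manifest, whitelist) {
		fmt.Printf("BLOCK %s %s: %s\n", f.Name, f.Version, f.Reason)
	}
}
```

Anything the gate cannot parse is treated as a failure rather than skipped, so a malformed manifest cannot slip an unknown package past the check.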
Online Security
To ensure online security, DevOps should adopt three encryption measures: transport encryption (HTTPS, SMTPS, LDAPS, RDP over SSL), data encryption (each piece of data encrypted under its own sub-key, with the sub-keys in turn encrypted by a master key), and regular key rotation so that a compromised key is invalidated quickly.
Key rotation mirrors password rotation: changing keys before an attacker can exploit a leaked one shrinks the window in which that key is useful.
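The second and third measures fit together, and the following added example (not code from the talk) shows how: each record is encrypted under its own data key, only a master-key-wrapped copy of that data key is stored beside the record, and rotating the master key means re-wrapping the small data keys rather than re-encrypting the data. The ring of master key versions, the AES-256-GCM choice and the sample record are assumptions of the example; the talk names no particular cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey is a versioned key-encryption key; rotation adds a version to the ring and later drops the old one.
type MasterKey struct {
	Version int
	Key     []byte // 32 bytes: AES-256
}

type Envelope struct {
	MasterVersion int    // which master key version wrapped the data key
	WrappedDEK    []byte // data key encrypted under that master key
	Ciphertext    []byte // record encrypted under the data key
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means there is no safe way to continue
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM and prefixes the random nonce.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; a wrong key or a tampered byte fails the tag check.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt draws a fresh data key per record and stores only its master-key-wrapped copy.
func Encrypt(mk MasterKey, plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	ct, err := aeadSeal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := aeadSeal(mk.Key, dek)
	return Envelope{MasterVersion: mk.Version, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt looks up the named master key version; a retired version is absent from the ring.
func Decrypt(ring map[int]MasterKey, env Envelope) ([]byte, error) {
	mk, ok := ring[env.MasterVersion]
	if !ok {
		return nil, fmt.Errorf("master key version %d is not in the ring", env.MasterVersion)
	}
	dek, err := aeadOpen(mk.Key, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, env.Ciphertext)
}

// Rewrap is the rotation step: unwrap the data key with the old master key and wrap it under
// the new one. The bulk ciphertext is untouched, so rotation costs one small AEAD op per record.
func Rewrap(oldMK, newMK MasterKey, env Envelope) (Envelope, error) {
	dek, err := aeadOpen(oldMK.Key, env.WrappedDEK)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := aeadSeal(newMK.Key, dek)
	return Envelope{MasterVersion: newMK.Version, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

func main() {
	mk1, mk2 := MasterKey{Version: 1, Key: randomBytes(32)}, MasterKey{Version: 2, Key: randomBytes(32)}
	env, _ := Encrypt(mk1, []byte("constructed sample record"))
	rotated, _ := Rewrap(mk1, mk2, env) // after this, version 1 can be retired
	pt, err := Decrypt(map[int]MasterKey{2: mk2}, rotated)
	fmt.Println(string(pt), err)
}
```

Retiring a master key version is then a matter of removing it from the ring once every envelope has been rewrapped; any record that was missed surfaces as a decrypt error rather than silently remaining readable with the old key.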
Permission Segmentation Management
Separate permissions into complementary parts so that a breach of one segment does not expose the entire system. Practices include:
Decoupling secret keys from code and storing them in a centralized configuration service managed by operations.
Applying three principles: developers should not see secret keys, each environment (test, pre‑prod, prod) uses distinct keys, and keys should be dynamically updatable.
Using secret-sharing algorithms to split master keys into multiple shares, so that reconstructing a key requires several parties to cooperate.
Application Security Management
Enforce strict identity and access controls: no system should run without an account system and permission checks. Implement unified identity management so that permission changes on staff transfer or departure happen automatically, and use audit systems (or unified authentication logs) to track user actions.
Multi‑factor authentication adds an extra protection layer, especially for sensitive systems, while allowing conditional triggers to balance usability and security.
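One concrete shape for the automated part of that lifecycle, as an added example that is not code from the talk or from YuFu's products: the HR roster and a role-to-permission policy define the grants each active user should hold, the job diffs that against what systems currently hold, and every resulting revoke or grant carries a reason for the audit trail. The roster fields, the role names and the sample grants are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is one HR roster row, the source of truth for who should hold what.
type Employee struct {
	ID     string
	Status string // "active" or "left"
	Role   string
}

// Grant is one permission a system holds for a user.
type Grant struct {
	User, System, Permission string
}

// Change is one action the lifecycle job must apply, with the reason recorded for audit.
type Change struct {
	Action string // "revoke" or "grant"
	Grant  Grant
	Reason string
}

// Reconcile derives the desired grants from the roster and the role policy, diffs them
// against what systems currently hold, and returns revocations first (a leaver or mover
// loses access before anyone gains it), then grants, in a deterministic order.
func Reconcile(roster []Employee, rolePolicy map[string][]Grant, current []Grant) []Change {
	roleOf := make(map[string]string)   // active user -> role
	desired := make(map[Grant]string)   // grant -> role that justifies it
	for _, e := range roster {
		if e.Status != "active" {
			continue
		}
		roleOf[e.ID] = e.Role
		for _, g := range rolePolicy[e.Role] {
			desired[Grant{User: e.ID, System: g.System, Permission: g.Permission}] = e.Role
		}
	}
	held := make(map[Grant]bool, len(current))
	var changes []Change
	for _, g := range current {
		held[g] = true
		if _, ok := desired[g]; ok {
			continue
		}
		reason := "user is not an active employee"
		if role, active := roleOf[g.User]; active {
			reason = fmt.Sprintf("not part of role %q", role)
		}
		changes = append(changes, Change{Action: "revoke", Grant: g, Reason: reason})
	}
	for g, role := range desired {
		if !held[g] {
			changes = append(changes, Change{Action: "grant", Grant: g, Reason: fmt.Sprintf("required by role %q", role)})
		}
	}
	sort.Slice(changes, func(i, j int) bool {
		a, b := changes[i], changes[j]
		if a.Action != b.Action {
			return a.Action == "revoke"
		}
		if a.Grant.User != b.Grant.User {
			return a.Grant.User < b.Grant.User
		}
		if a.Grant.System != b.Grant.System {
			return a.Grant.System < b.Grant.System
		}
		return a.Grant.Permission < b.Grant.Permission
	})
	return changes
}

func main() {
	// Constructed sample data: roster, role policy and current grants are illustrative only.
	roster := []Employee{
		{ID: "alice", Status: "active", Role: "engineer"},
		{ID: "bob", Status: "left", Role: "ops"},
		{ID: "carol", Status: "active", Role: "engineer"}, // transferred from ops to engineer
	}
	policy := map[string][]Grant{
		"engineer": {{System: "ci", Permission: "write"}, {System: "prod-logs", Permission: "read"}},
		"ops":      {{System: "prod", Permission: "admin"}, {System: "prod-logs", Permission: "read"}},
	}
	current := []Grant{
		{"alice", "ci", "write"},
		{"bob", "prod", "admin"},
		{"carol", "prod", "admin"}, {"carol", "prod-logs", "read"},
		{"dave", "ci", "read"}, // dave is not on the roster at all
	}
	for _, c := range Reconcile(roster, policy, current) {
		fmt.Printf("%-6s %s on %s/%s: %s\n", c.Action, c.Grant.User, c.Grant.System, c.Grant.Permission, c.Reason)
	}
}
```

Because the roster is the only input that decides who is active, an account that exists in a system but not in HR (dave above) is revoked just like a leaver; that is the case a manual hand-over process most often misses.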
YuFu Technology focuses on unified directory (UD), single sign‑on (SSO), lifecycle management (LCM), and security auditing (SA) to help enterprises lower costs, improve operational efficiency, and enhance overall identity security.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.