Authored By: Jeffrey Kok, Vice President, Solution Engineers, Asia Pacific and Japan at CyberArk
As digital transformation drives more and more companies to adopt DevOps to meet their need for faster and more frequent releases of new products and software, a major problem remains in this strategy: security. In the process of creating new software and updates, security is often seen as an obstacle to what the DevOps team is trying to accomplish. According to IDC's 2020 Asia/Pacific Software Survey, 67% of organisations secure their organisation only during the deployment phase, which means security is far from being baked in.
Although the practice of DevOps in 2021 is focused and agile, the issue of security is one raised by multi-cloud, developer tools and applications. It stems from the method of handling the credentials that are required to access these services. A familiar circumstance is that the credentials used for the various services are stored in a multitude of virtual locations. In practice, accessing and managing these credentials is a variable, fragmented discipline that poses significant operational and security concerns to the enterprise. Holes in credential management processes can be easily exploited by attackers.
DevOps Tools are Easy Targets for Cyber Criminals
Many of the tools companies need to succeed in DevOps are enticing enough for cybercriminals to try to use them to access the corporate network. A prime example is the cloud access keys used by cloud providers like Azure or Google Cloud Platform that, left unprotected, expose private company data to cybercriminals. Another potential issue that security teams and CISOs need to consider involves the use of GitHub. It is not unusual for developer teams to own several accounts, resulting in a jumble of personal and corporate projects. Often, developers embed private information such as database credentials into code, which leaves company and customer data vulnerable to cyberattack.
In addition, Continuous Integration (CI) and Continuous Delivery (CD) tools that configure management and CI servers also require admin access to be secured. With microservices and containers added to the mix, there are many components that require credentials to function.
Who is your weakest link in the company?
Recurring low-level phishing and impersonation attacks set up by cybercriminals target developers who have high levels of access to credentials. Developers are largely preyed on as they build the software and are frequently tasked with administrative privileges, which provide a valuable entry point to the rest of the organisation. Cyber attackers know this and they aim to misappropriate admin privileges that could jeopardise the whole application environment. While enabling organisations to become more efficient and faster, development and operations (DevOps) have significantly expanded the attack surface across the company.
CyberArk’s CISO View research showed that high-level DevOps engineers are constantly being hunted by cybercriminals due to having access to private company assets. This shows the necessity to manage and secure the credentials that staff in this area use on a day-to-day basis – in a centralised and controlled way.
When these predators are able to access privileged credentials, they gain unrestricted access to DevOps pipelines, sensitive databases, and cloud systems, which become targets for abuse, potentially resulting in data breaches and intellectual property theft.
Securing Developers with centralised secrets management
To address these operational and security threats, organisations must adopt a secrets management solution that secures and manages all secrets used by machine identities (including applications, microservices, CI/CD tools and APIs) and users throughout the DevOps pipeline to reduce risk without compromising speed.
There are several steps security teams need to take to centralise secrets management:
Working closely with Software Engineering and IT/DevOps helps developers protect their applications. Supporting the idea and understanding the importance of security should be the priority and should be instilled early in Software Architects, Developers, and DevOps/IT Operations. The extra process is not meant to decelerate development work; rather, it is meant to accelerate it via simple integration points. Identifying security breaches before they become critical requires security teams to focus early in the development cycle.
Remove all hard-coded secrets in code, DevOps tools, configuration files and scripts. It’s also important to never use default passwords. For example, some tools establish a developer default user to create projects.
To bring the most value, Privileged Access Management and secrets management for DevOps infrastructure should be integrated cohesively: one system to centralise the management of all privileged accounts, secrets, and other credentials.
The development, security and operations teams could utilise security-policy-as-code for efficient and unambiguous communication. Security tests and scans are integrated in the CI/CD pipeline to routinely and continuously identify potential risks and security gaps. Thus, organisations can improve their security posture while maintaining DevOps velocity and scalability.
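As an added illustration of the steps above (not CyberArk's code or any product's rule set), the following sketch shows a CI gate that fails a build when files contain hard-coded secrets, credentials embedded in connection URLs, or default passwords. The patterns, the default-password list and the sample files are assumptions constructed for this example.

```python
import re

# Illustrative rules (assumptions of this example, not a vendor rule set).
ASSIGNMENT = re.compile(
    r"""(?ix)\b(?P<key>[\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)
        \s*[:=]\s*["']?(?P<value>[^\s"'#]+)""")
URL_CREDS = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s]+)@", re.I)
# Values that reference the environment or a secrets store, not a literal.
REFERENCE = re.compile(r"^(\$\{?\w+\}?|\{\{.*|(os\.)?(environ|getenv)\b.*)$")
DEFAULTS = {"admin", "password", "changeme", "123456"}  # constructed list

SAMPLE_REPO = {  # constructed files, not taken from any real project
    "deploy.sh": 'export DB_PASSWORD="S3cr3t!2021"\n'
                 'curl -H "Authorization: Bearer $CI_TOKEN" https://ci.example/build\n',
    "settings.py": 'import os\n'
                   'API_KEY = os.environ["API_KEY"]\n'
                   'DB = "postgres://app:hunter2hunter2@db.example/orders"\n',
    "ci-tool.yml": "admin_user: admin\n"
                   "admin_password: admin\n"
                   "vault_token: ${VAULT_TOKEN}\n",
}


def scan(path, text):
    """Return (path, line_no, rule) for each hard-coded or default secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in (("hardcoded-secret", ASSIGNMENT),
                         ("url-credentials", URL_CREDS)):
            m = rx.search(line)
            if not m or REFERENCE.match(m.group("value")):
                continue  # no match, or the value is fetched at run time
            if m.group("value").lower() in DEFAULTS:
                rule = "default-password"
            findings.append((path, no, rule))
    return findings


def ci_gate(files):
    """Scan every file; return (exit_code, findings) so the pipeline can fail."""
    findings = sorted(f for path, text in files.items() for f in scan(path, text))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = ci_gate(SAMPLE_REPO)
    for path, no, rule in found:
        print(f"{path}:{no}: {rule}")
    raise SystemExit(code)
```

Lines whose value is an environment or secrets-store reference pass the gate, which is the state the hard-coded entries should be migrated to.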
Securing credentials used in DevOps tools and processes is not always straightforward, but one aspect that is a must is to automate this effort. Minimising hands-on, manual work reduces administrative overhead and errors.
Automatic rotation of secrets, passwords, keys, and certificates hinders cybercriminals from accessing DevOps tools and access keys. Moreover, this automation reactively informs security teams if and when a breach happens, when rotated secrets and credentials are used. Taking a proactive approach to protection, which makes use of automation and programmability, will encourage collaboration throughout DevOps teams, accelerating innovation to answer the evolving needs of the business.
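The detection idea in the last paragraph, as an added example that is not from the article or from any product: once a credential version has been rotated out, any later attempt to use it points to a leaked or hard-coded copy. The log format, rotation history and grace window below are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed rotation history: key id -> {version: time it was rotated out}.
ROTATED_OUT = {
    "ci-deploy": {1: "2021-06-01T00:00:00", 2: "2021-06-08T00:00:00"},
    "db-orders": {4: "2021-06-07T12:00:00"},
}
# Constructed authentication log in an assumed key=value format.
AUTH_LOG = """\
2021-06-07T23:59:10 key=ci-deploy version=2 src=10.0.4.17 result=ok
2021-06-08T00:03:00 key=ci-deploy version=2 src=10.0.4.17 result=denied
2021-06-08T00:20:00 key=ci-deploy version=3 src=10.0.4.17 result=ok
2021-06-09T02:14:45 key=db-orders version=4 src=203.0.113.50 result=denied
2021-06-09T02:15:00 key=db-orders version=5 src=10.0.7.2 result=ok
2021-06-10T09:00:00 key=ci-deploy version=1 src=198.51.100.9 result=denied
not a log line
"""
GRACE = timedelta(minutes=5)  # assumed allowance for jobs already in flight


def parse(line):
    """Return (time, key, version, src), or None for a malformed line."""
    ts, _, rest = line.partition(" ")
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    try:
        return (datetime.fromisoformat(ts), fields["key"],
                int(fields["version"]), fields["src"])
    except (ValueError, KeyError):
        return None


def stale_uses(log_text, rotated_out=ROTATED_OUT, grace=GRACE):
    """List uses of a credential version after it was rotated out."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        when, key, version, src = rec
        retired = rotated_out.get(key, {}).get(version)
        if retired and when > datetime.fromisoformat(retired) + grace:
            alerts.append({"key": key, "version": version, "src": src,
                           "age": when - datetime.fromisoformat(retired)})
    return alerts


if __name__ == "__main__":
    for a in stale_uses(AUTH_LOG):
        print(f"ALERT {a['key']} v{a['version']} used from {a['src']} "
              f"{a['age']} after rotation")
```

The attempt three minutes after the `ci-deploy` rotation falls inside the grace window and is not reported; the two uses long after rotation are.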