Protecting privileged access in DevOps and cloud environments
While security strategies should address privileged access and the risk of unsecured secrets and credentials, they should also closely align with DevOps culture and methods to avoid negatively impacting developer velocity and slowing the release of new services.
Example of tools in the DevOps pipeline
Despite this, 73 percent of organizations surveyed for the 2018 CyberArk Global Advanced Threat Landscape report have no strategy to address privileged access security for DevOps.
The report summarizes five key recommendations based on the real-world experiences of participating CISOs, including:
1. Transform the security team into DevOps partners – Ensure security practitioners and developers have the right skills, make it easy for developers to do the right thing, encourage collaboration and adopt agile DevOps methods within security.
2. Prioritize securing DevOps tools and infrastructure – Set and enforce policies for tools selection and configuration, control access to DevOps tools, ensure least privilege and protect and monitor infrastructure.
3. Establish enterprise requirements for securing credentials and secrets – Mandate the centralized management of secrets, extend auditing and monitoring capabilities, eliminate credentials from tools and applications, and develop reusable code modules.
4. Adapt processes for application testing – Integrate automated testing of code, compel developers to fix security issues using a “break the build” approach and consider a bug bounty program.
5. Evaluate the results of DevOps security programs – Test secrets management solution deployments, measure and promote improvements and educate auditors.
Popular DevOps tools and their secrets
“For organizations embarking on digital transformation initiatives, it has never been more important to align security and risk postures across new tools and technologies. In understanding organizational and operational challenges, security teams can more effectively drive productive discussions across executive, security and developer teams,” said Marianne Budnik, CMO, CyberArk.