How CISOs can safeguard security in CI/CD environments

DevOps is a staple at every forward-thinking organization these days. The agile development and release formula helps companies address customer issues and marketplace innovation demands quickly. However, DevOps does not mesh well with traditional security protocols, and this creates a sticky situation for CISOs to counter.

Traditionally, security teams work separately from developers, chiming in at predetermined points during the release cycle. This approach doesn’t work with a rolling release schedule, which is what DevOps prioritizes. Thus, CISOs faced with security audits becoming roadblocks during the release process, at times even disconnected from organizational needs.

Security is a product pillar these days, given the dire consequences of data breaches. Organizations must marry security with agile DevOps releases. How can CISOs facilitate this integration and create an agile security mechanism that complements agile development?

Here are three ways CISOs can achieve these goals.

Prioritize machine ID verification

Traditional identity management protocols prioritize human ID verification. User IDs and passwords dominate that landscape. However, automation rules DevOps protocols, and as a result, machine IDs dominate the ID verification landscape.

An agile security approach begins by securing systems from unwarranted machine access. Machines are interwoven into modern applications through the use of microservices, cloud-based containers, and other automated processes throughout an organization. Given security’s distance from development, most applications fail to secure and verify the machine IDs accessing sensitive secrets.

CISOs must thus prioritize machine ID verification when approaching identity security. However, given the sprawl of applications that enterprises use, most IAM solutions fail. CISOs need to rethink their IAM approach and adopt API-based services that integrate disparate containers and microservices into a centralized secret management platform, without interrupting the flow of product development.

Akeyless, for example, helps teams to unlock an agile approach to certificate and key management. This tool automates machine ID verification by allowing CISOs and engineers to define risk and time-based access parameters. Secret management and one-time access ID generation are also automated, reducing the burden security teams face, and giving them more time to dive into root cause analysis.

Increase security and dev collaboration

Developers and security teams are siloed away from each other in traditional processes. Currently, DevOps prioritizes quick code releases and doesn’t include security in the loop. As a result, security works on a different timeline from development, creating needless friction.

Communication and collaboration are the solutions to this problem. For starters, CISOs must work with CIOs to identify communication gaps and design agile teams. An agile team consists of full-stack developers with knowledge of the entire release cycle. These teams also include security professionals well-versed with agile release cycles.

Thus, security becomes an integral portion of the CI/CD pipeline. Tools such as Jira foster communication between all teams and bring everyone on the same page. For instance, security teams can view release schedules and work to remove friction created by code validation processes.

Some examples of such initiatives are code templates pre-validated for security, coding standards that enforce security from the ground up, and automated testing tools that run sanity tests on pre-release code. Additionally, security teams can also examine and pre-validate dev environments to ensure code portability doesn’t introduce any potential breach risks.

Just as DevOps prioritizes tool usage to achieve more efficiency, CISOs must adopt tools to create an agile posture. The underlying message is that security doesn’t need to be viewed as an obstacle. It’s a product feature that buyers need and demand.

Monitor configuration changes

DevOps environments prioritize rapid releases and feedback management. Thus, configuration changes occur frequently, creating a nightmare for CISOs. Configuration changes account for some of the biggest security risks in a rapid release environment.

Monitoring changes is challenging, given the pace at which they occur. CISOs must embrace automated logging and auditing tools that flag potential errors. For instance, Ansible for DevOps helps CISOs stay on top of code changes and configuration management by offering automated logs and tracking.

The tool also helps security teams establish environments for development, whether sandbox or QA. By automating most of these tasks, CISOs reduce the clerical burden on their teams and boost efficiency.

Shadow IT is an increasingly large concern in organizations these days, given how often teams use tools to get their jobs done. SaaS has normalized the free trial business model, much to the detriment of enterprise security. CISOs must monitor tool usage and create lists of approved tools.

In addition, CISOs must also specify protocols for dealing with expired free trial IDs. These shadow IDs offer an easy attack vector to malicious actors. In addition to monitoring shadow IT, automated patching and certificate management are also essential.

Becoming agile

Introducing agility into security is a tough task. However, by adopting DevOps principles when designing security protocols, CISOs can create a security posture that integrates seamlessly with development. The result is a well-rounded CI/CD pipeline that offers higher-quality products.