Customers continue to expand their vulnerability and privilege management programs to cover additional DevOps use cases, so I’d like to share with you how BeyondTrust is enabling secure DevOps. In this blog I will discuss BeyondTrust’s DevOps security strategy and demonstrate our capabilities.
DevOps Security Strategy
It’s important to note that we are not positioning a new, unproven, point solution that requires a separate install, with a separate license, that puts more responsibility and coding complexity on the developers themselves or removes the control from the PAM or security team. Rather, BeyondTrust has a very robust “Secure Cloud First” strategy that has been developed alongside our customers, partners and Security Advisory Council, which includes the DevOps use case. Our use case coverage can be demonstrated through integration between our existing vulnerability management, password management and privilege management solutions that have been successfully deployed across millions of nodes worldwide.
DevOps Security Best Practices
In our experience, the ideal solution to enabling secure DevOps should offer flexibility and:
- Ensure that all approved and unapproved devices are discovered and validated.
- Ensure that vulnerabilities are appropriately managed and remediated across development and integration environments before they are deployed to production.
- Ensure that all configurations are hardened using industry best practices.
- Eliminate hardcoded credentials in code, scripts and service accounts that can be easily exploited by external attackers or malicious insiders.
- Limit excessive user privileges that can open pathways for attackers or bad code to move laterally throughout an environment.
- Deliver greater visibility over account usage and activity that can quickly identify any suspicious or malicious activity.
- Be transparently usable within automated processes without introducing human delay.
Top 10 DevOps Security Use Cases
Below, I have identified ten typical DevOps use cases. As we work with our customers looking for simplicity and value out of their security vendors, we have approached these new challenges as natural extensions to their existing investments.
|Use Case||Development | Test/Stage | Prod||Solution|
|1. Asset Discovery & Inventory||Provide continuous discovery of assets across physical, virtual and cloud environments.||Retina will perform discovery and inventory of container instances, libraries and more, ensuring that only properly configured and approved images are available and used in your environment. This is a roadmap item slated for a Q4 release.|
|2. Vulnerability Management||Provide continuous vulnerability assessment and remediation guidance of the infrastructure and code/builds across physical, virtual and cloud environments.||Retina will scan container instances and libraries, options for offline image scanning, start/stop image scanning, image integrity tracking and more. This is a Q4 roadmap item. Future enhancements will include container/image integrity checking and inheritance tracking to ensure that deployed and runtime images have not been altered from their approved base templates.|
|3. Configuration Compliance||Provide continuous configuration and hardening baseline scanning across servers and code/builds across physical, virtual and cloud deployed assets. Ensure configurations are consistent and properly hardened across the entire devops lifecycle.||Retina automates and streamlines auditing and reporting against industry configuration guidelines and best practices from FDCC, NIST, STIGS, USGCB, CIS and Microsoft. The benchmark library includes over 75 benchmarks with new benchmarks being added on a regular basis. Support for custom benchmarks is also provided.|
|4. Accountability Over Shared Accounts||Control and audit access to shared accounts and ensure that all audited activity is associated with a unique identity. This would include developer access to source control, devops tools, test servers, production builds, etc. Ensure that all passwords are properly managed and rotated across the devops environment.||PowerBroker Password Safe provides the enterprise password management functionality. The base price includes several additional capabilities including an API to provision assets into the system for management. In the devops use case the team would typically include an API call when provisioning these assets to ensure that they can be managed once deployed into the environment.|
|5. Eliminate Hardcoded Passwords||Control scripts, files, code, embedded application credentials and hard-coded passwords to close back doors to critical systems. This includes removing hardcoded passwords in devops tool configurations, build scripts, code files, test builds, production builds, and more.||PowerBroker Password Safe provides the enterprise password management functionality. The base price includes several additional capabilities including an Application to Application API to eliminate hard coded passwords. The API is supported by a service that can be scaled out. There is no limitation or licensing restrictions on the number of API caches that are needed to enable the level of performance and flexibility the devops process requires.|
|6. Enforce Appropriate Credentials Use||Eliminate administrator privileges on end-user machines, securely store privileged account credentials, require a simple workflow process for check-out, and monitor privileged sessions. IT organizations can limit lateral movement in the case of a compromise and provide a secure audit trail for forensic purposes.||PowerBroker Password Safe provides the enterprise password management functionality.|
|7. Segment Networks||Group assets, including application and resource servers, into logical units that do not trust one another. Segmenting the network reduces the “line of sight” access that attackers must have into internal systems. For access that needs to cross the trust zones, utilize a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. Segment access based on context of the user, role, application and data being requested.||PowerBroker Password Safe provides the enterprise password management functionality. The base price includes the session management capability which can be used to segment networks and enforce privilege governance across sessions.|
|8. Privilege Management||Developers and testers may be restricted in their access to development, management and production systems while still being granted the required permissions to appropriately build machines and images, and deploy, configure and remediate production issues on machines and images.||PowerBroker for Unix & Linux, PowerBroker for Windows, PowerBroker for Mac|
|9. Privilege Management – Desktop/Dev Machines, Desktop/QA Machines, Desktop/Admin Machines||Define pre-approved or whitelisted files and executables, limiting the opportunity for attackers to exploit insecure applications.||PowerBroker Windows, PowerBroker for Mac While using our Password Management solution alongside Session Management (which is included in our base password management price), we find that most customers looking for additional controls and visibility that go beyond whitelisting/ blacklisting commands options for a more industrial strength privilege management solutions for the devops environment.|
|10. Privilege Management & Isolation – Docker/ Containers||Developers may be restricted in their access to systems and specific container templates and runtime access to container on systems while still being granted rights needed to code, build, test, verify and manage application components.||PowerBroker for Unix & Linux will implement a container and microservice authorization plug-in, ACA network and file/services in PB Server. This roadmap item will provide the ability to delegate access to runtime containers without exposing access to the host system. Note that these policies exist within PBUL and wrap the “code” as opposed to require specific access calls etc. to be coded into each application/ component.|
The 10 use cases above span three modules available in the PowerBroker Privileged Access Management Platform:
- PowerBroker Password Safe is deployed as software, appliance (hardware or software) or in the cloud. Password Safe performs a network scan and also includes an API such that as machines are being provisioned into Test, Staging or Development they can be automatically added to the solution to take systems under management.
- Retina Vulnerability Management scanning can also perform network based discovery and assessment. Alternatively, scan agents can be provisioned on the systems are they are being built and deployed into development, test, staging and production environments.
- PowerBroker for Unix & Linux, and PowerBroker for Windows are agent based and are usually deployed as a step in the overall provisioning process.
BeyondTrust is addressing the core use cases of secure DevOps today without deploying point solutions. As your journey towards agile development continues, please contact BeyondTrust for a strategy session on how we can help enable secure DevOps in your environment.