Recently, KuppingerCole released the first edition of its Leadership Compass for Privileged Access Management for DevOps. BeyondTrust is pleased to be recognized as an overall Leader in the report as well as the Product Leader. The KuppingerCole report recognizes the unique and complex challenges that exist in DevOps and other dynamic environments. The report also calls out BeyondTrust’s recent advancements in the secrets management category of Privileged Access Management, and other strong PAM capabilities.
In this increasingly DevOps-powered world characterized by the constant pursuit of perfection, nothing is ever finished. Developers are empowered to continuously innovate with a mix of interconnected code and applications – making microservices, APIs, desktop apps, and mobile apps fundamental to the software development lifecycle.
This blog will explore some key challenges of DevOps that BeyondTrust PAM can solve, and provide some highlights from the KuppingerCole report, which you may also download here.
The DevOps Secrets Management Challenge is no Secret
Keeping everything across the CI/CD environment running requires a constant stream of updates and patches – not to mention the rollout of brand-new software projects. At the heart of this process is a large set of applications, bots, automation platforms, CI/CD tools, and many other non-human entities that must leverage secrets (privileged credentials) to keep the software delivery pipeline running smoothly.
A constant challenge and source of friction is the security requirement to consistently enforce secrets management best practices (uniqueness, complexity, ephemerality, etc.) across all the different tools and applications without slowing down DevOps teams. Credentials should not be left stagnant (unchanged) or embedded in scripts or tools, where they can easily be forgotten, or potentially discovered by a threat actor performing reconnaissance across the environment.
However, when the problem is addressed at all, it is commonly done by relying on native toolsets or a patchwork of niche tools that each address only a slice of the environment. Having multiple overlapping point tools is a sure way to lose sight of secrets sprawl and to introduce inconsistencies, administrative gaps, and potential vulnerabilities.
To address these challenges, BeyondTrust created a purpose-built product, DevOps Secrets Safe, for centralized secrets management (create, store, access, and audit) of all your DevOps secrets (passwords, API keys, certificates, etc.) used in CI/CD and automation workflows. DevOps Secrets Safe is specifically designed for the high volume and high-change workloads found in DevOps environments.
In their PAM for DevOps report, Paul Fisher, Senior Analyst at KuppingerCole says, “DevOps Secrets Safe goes beyond securing passwords and stores secrets used by applications, tools and other non-human identities such as Kubernetes service accounts. BeyondTrust also supports native integration with DevOps tools such as Jenkins, Puppet, and Azure DevOps, while Password Safe now supports better protection for shared credentials for DevOps and QA teams with a view to improving productivity in agile environments. These are all good developments.”
With BeyondTrust DevOps Secrets Safe you can:
- Implement secrets management best practices: Secure and automate the storage and access of secrets used by applications, tools, and other processes across your development operations environments.
- Support peak DevOps agility: A REST API-first approach and CLI tool provide your teams with a preferred UX that helps drive fast adoption and increased productivity. DevOps Secrets Safe is a standalone application built on an extensible microservices-based design utilizing Docker containers and targeting Kubernetes as a deployment platform.
- Integrate with DevOps tools: Enable faster application delivery via frictionless native integrations with common DevOps tools such as Ansible, Jenkins, and Azure DevOps.
- Implement JIT cloud infrastructure access for automated workflows: Dynamically generate accounts to access APIs and enable an automated way for DevOps engineers to securely manage cloud infrastructure.
Overprovisioned Access and Shadow IT
Because they move fast and lean into self-service, DevOps teams can also be substantive drivers of shadow IT. This shadow IT includes tools and applications that may not be properly hardened or that have dangerous security vulnerabilities or backdoors. Often, these tools and applications, as well as the people who use them, are also overprovisioned with privileges, which bloats the attack surface and provides many pathways for lateral movement. Together, these attributes create an environment ripe for ransomware spread, malware infections, and for simple mistakes to turn into widespread outages or security issues.
BeyondTrust’s industry-leading Endpoint Privilege Management solution enables organizations to enforce least privilege across their entire organization, including their DevOps estate, to protect against known and unknown (i.e., zero-day) threats. Privilege management not only impedes most threats from gaining a foothold in the environment in the first place, but also restricts lateral movement, helping contain and minimize the damage of any threat that does intrude.
With BeyondTrust Endpoint Privilege Management, you can:
- Make leaps in least privilege, fast: Unique quick-start capabilities enable organizations to implement a least-privilege posture in hours or days, versus weeks or months with competitor solutions.
- Enforce just-in-time access: By applying context and triggers, organizations can provision and de-provision privileges only for the finite moments they are needed. Eliminating standing privileged access vastly reduces the threat surface.
- Gain visibility and control over CI/CD tools and shadow IT: Combine pragmatic application control with endpoint privilege management to deliver many security synergies. Granularly control applications and provide powerful protection against fileless attacks, for example by applying context to application execution and controlling or preventing child processes.
- Prevent errors: Block malformed or inappropriate commands and scripts to prevent or mitigate errors.
Securing Remote Access Pathways across DevOps
The expansion of DevOps and cloud, as well as the vast increase in remote workers, has made remote access arguably the hottest attack vector. When privileged access is involved, VPNs and other common technologies don’t provide the granular access controls or auditing necessary. This is particularly important when it comes to securing access to cloud and DevOps control planes and management consoles. Often, organizations also rely on third-party vendors to perform some of the work.
The above types of remote access demand that organizations extend traditional privileged access security controls beyond the perimeter. BeyondTrust’s Secure Remote Access solution—called out in the KuppingerCole report as one of our strengths—does just that. The BeyondTrust solution enables organizations to secure, manage, and audit vendor, internal privileged user, and helpdesk remote access activity, both on-premises and in the cloud—without the need for a VPN or other tunneling technology. The solution enables secure session management, with the ability to proxy access to RDP, SSH, and Windows/Unix/Linux hosts.
Additionally, Secure Remote Access can be leveraged as a bastion host for cloud-based access, such as to DevOps consoles. The solution provides a Chromium-based browser embedded in a bastion host (proxy) that can access a web-based resource remotely. With BeyondTrust Secure Remote Access you can:
- Apply least privilege on remote access: Granularly control access for all remote sessions—no matter the user, endpoint, or system.
- Enforce segmentation of cloud & DevOps environments: Proxy remote access to cloud management consoles and to computing resources. Ensure access is authorized only when needed and only for the right identities. Segmentation also protects the broader environment from lateral movement attacks.
- Automate credential injection: Inject secure, managed credentials to initiate a session—completely invisible to the end user (employee, vendor, etc.).
- Monitor and manage remote sessions: Record screens and audio and log every action involving privileged activity—whether by an employee, remote worker, or machine. In addition to providing an unimpeachable audit trail, the solution also enables the pausing or termination of suspicious sessions.
Learn First-Hand Why BeyondTrust is a DevOps Security Leader
BeyondTrust provides foundational security to help enable DevSecOps and zero trust environments. To learn how you can improve your DevOps IT security and risk management with BeyondTrust, contact us today.
Veroljub Mihajlovic, Sr. Manager, Product Marketing
Veroljub Mihajlovic is a Sr. Product Marketing Manager at BeyondTrust, focusing on Privileged Password & Session Management solutions. His experience spans diverse areas, including enterprise-level Analytics, Security, and Networking solutions. Veroljub has led efforts around strategic growth, developing go-to-market initiatives, and product marketing.