The DevOps philosophy has transformed how organizations develop, operate, and maintain applications by merging two traditionally separate worlds, software development and IT operations. Through rapid iteration and automating processes at scale, DevOps teams bring high-value applications to the world. But it is not without its faults. This methodology of application delivery introduces new security challenges. As a consequence, DevOps practices often widen the attack surface and increase the enterprise’s risk of data exposure. But why is securing DevOps environments so challenging? What makes DevOps security different from more traditional IT security?
Privileged access galore
To expedite the process of delivering code, DevOps environments often override critical security safeguards. For instance, within DevOps, the level of privilege afforded to humans and machines has skyrocketed as compared to traditional development and operations environments. It's common—even standard practice—for developers to share private keys and credentials with colleagues for quick access. This malpractice vastly elevates the risk of insider threats, whether malicious or accidental, while also complicating, if not making impossible, the ability to produce clean audit trails.
Within applications, developers may hardcode passwords so they can easily be found locally or on repositories such as Github, Bitbucket, and others. Other common practices for storing credentials include config files and excel spreadsheets, which are highly insecure. These credentials likely provide access to data or other critical corporate resources that must be safeguarded. These risky practices have significantly increased secrets sprawl in the enterprise, creating dangerous backdoors, and increasing the attack surface.
Security a casualty of speed
DevOps teams move at an incredible rate of speed to deliver applications in accordance with condensed timelines. These teams thrive in an environment of ad-hoc tooling with an emphasis on intense code sharing and automation at every step. These practices have resulted in a significant shrinking of application delivery time, but unfortunately, have contributed to the flourishing of security shortcuts. Integrating traditional security into the DevOps pipeline has been challenging because traditional tools force developers to change the way they work and slow down their pipeline, resulting in low tool adoption.
A culture of gettin' it done
There's hardly anything wrong with this highly collaborative, iterative, and open approach to getting code out the door quickly. It's certainly a culture worth fostering in the enterprise, given its high yield of valuable applications and features. But as the "shift left" practice at the core of the DevOps philosophy moves security to be considered earlier in the process, the glaring shortcomings of traditional security tools come into focus. Developers need solutions that adapt to their workflows and highly collaborative environments. Lightweight applications that leverage code to deliver robust security, using developer-preferred UIs such as CLI and APIs, will see more successful adoption as compared to traditional security-minded GUIs.
So, how can enterprises overcome these challenges and implement security solutions that enable the speed and agility needed in DevOps?
Here is a shortlist of steps to help organizations embark on the secrets management journey:
1. Establish enterprise requirements for securing credentials and secrets in DevOps
As organizations accelerate the adoption of DevOps, enterprise security requirements must expand to ensure they cover all environments, including DevOps. These requirements should aim at centralizing the management of credentials and secrets, controlling the sharing of credentials amongst users, eliminating hardcoded credentials and passwords from scripts and, eliminating the storage of secrets or passwords in config files, excel spreadsheets or other repositories not explicitly built for security, where unauthorized users or machines can access them.
2. Centralize management of DevOps secrets
Implement a centralized secrets management system that acts as an intermediary between the user (human or machine) and the application, process, or tool they want access to. Use the centralized system to store all secrets used by DevOps practitioners, tools, and applications in a password safe and provide enforcement for access, credential complexity, and other basic tenets of privileged access management.
3. Remove adoption barriers and support peak DevOps agility
DevOps teams use automation to accelerate application delivery and minimize pipeline delays. Their agile workflows may be disrupted by security tools that work counter to their practices. To be effective, organizations must adopt approaches that leverage automation and the way developers work to deploy security solutions. Providing out-of-the-box integrations with common DevOps tools (Puppet, Jenkins, Ansible, Chef, Docker, Git, etc.) that can be managed through the developers' preferred interfaces increases tool adoption and enables greater agility in the DevOps process.
Unmanaged credentials and secrets sprawled across DevOps environments presents considerable risk, as they offer tantalizing targets to threat actors. DevOps and security leaders recognize that DevOps requires a new approach to security that mitigates risk while enabling the agility required by their teams. Implementing a centralized administration solution—built specifically to address the requirements of complex enterprise environments that is also easy to adopt by the DevOps teams—is the key to getting on the right (and secure) path.
Alex Leemon, Director, Product Marketing
Alex Leemon is Director, Product Marketing at BeyondTrust. She has over fifteen years of experience working with enterprise-level and Critical Infrastructure organizations solving safety and security challenges. Before joining BeyondTrust, Alex served in various roles related to the development of operational technology (OT) products and the Industrial Internet of Things (IIoT).