BeyondTrust

Protecting DevOps Credentials: The Critical Initial Steps

January 9, 2020


The DevOps philosophy has transformed how organizations develop, operate, and maintain applications by merging two traditionally separate worlds, software development and IT operations. Through rapid iteration and automating processes at scale, DevOps teams bring high-value applications to the world. But it is not without its faults. This methodology of application delivery introduces new security challenges. As a consequence, DevOps practices often widen the attack surface and increase the enterprise’s risk of data exposure. But why is securing DevOps environments so challenging? What makes DevOps security different from more traditional IT security?

Privileged access galore

To expedite the process of delivering code, DevOps environments often override critical security safeguards. For instance, within DevOps, the level of privilege afforded to humans and machines has skyrocketed as compared to traditional development and operations environments. It's common—even standard practice—for developers to share private keys and credentials with colleagues for quick access. This malpractice vastly elevates the risk of insider threats, whether malicious or accidental, while also complicating, if not making impossible, the ability to produce clean audit trails.

Within applications, developers may hardcode passwords so that they are easy to find locally or in repositories such as GitHub, Bitbucket, and others. Other common places for storing credentials include config files and Excel spreadsheets, which are highly insecure. These credentials likely provide access to data or other critical corporate resources that must be safeguarded. These risky practices have significantly increased secrets sprawl in the enterprise, creating dangerous backdoors and increasing the attack surface.

Security a casualty of speed

DevOps teams move at incredible speed to deliver applications in accordance with condensed timelines. These teams thrive in an environment of ad-hoc tooling with an emphasis on intense code sharing and automation at every step. These practices have significantly shortened application delivery time, but unfortunately they have also allowed security shortcuts to flourish. Integrating traditional security into the DevOps pipeline has been challenging because traditional tools force developers to change the way they work and slow down their pipeline, resulting in low tool adoption.

A culture of gettin' it done

There's hardly anything wrong with this highly collaborative, iterative, and open approach to getting code out the door quickly. It's certainly a culture worth fostering in the enterprise, given its high yield of valuable applications and features. But as the "shift left" practice at the core of the DevOps philosophy moves security to be considered earlier in the process, the glaring shortcomings of traditional security tools come into focus. Developers need solutions that adapt to their workflows and highly collaborative environments. Lightweight applications that leverage code to deliver robust security, using developer-preferred UIs such as CLI and APIs, will see more successful adoption as compared to traditional security-minded GUIs.

So, how can enterprises overcome these challenges and implement security solutions that enable the speed and agility needed in DevOps?

Here is a shortlist of steps to help organizations embark on the secrets management journey:

1. Establish enterprise requirements for securing credentials and secrets in DevOps

As organizations accelerate the adoption of DevOps, enterprise security requirements must expand to ensure they cover all environments, including DevOps. These requirements should aim at centralizing the management of credentials and secrets, controlling the sharing of credentials amongst users, eliminating hardcoded credentials and passwords from scripts, and eliminating the storage of secrets or passwords in config files, Excel spreadsheets, or other repositories not explicitly built for security, where unauthorized users or machines can access them.

2. Centralize management of DevOps secrets

Implement a centralized secrets management system that acts as an intermediary between the user (human or machine) and the application, process, or tool they want access to. Use the centralized system to store all secrets used by DevOps practitioners, tools, and applications in a password safe and provide enforcement for access, credential complexity, and other basic tenets of privileged access management.

3. Remove adoption barriers and support peak DevOps agility

DevOps teams use automation to accelerate application delivery and minimize pipeline delays. Their agile workflows may be disrupted by security tools that work counter to their practices. To be effective, organizations must adopt approaches that leverage automation and the way developers work to deploy security solutions. Providing out-of-the-box integrations with common DevOps tools (Puppet, Jenkins, Ansible, Chef, Docker, Git, etc.) that can be managed through the developers' preferred interfaces increases tool adoption and enables greater agility in the DevOps process.
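One way to enforce the step 1 requirement (no hardcoded credentials in scripts or config files) automatically, for example as a CI check. This is an added example, not code from the original post or from BeyondTrust; the key-name list, the patterns treated as references to a secrets store, and the sample files are constructed assumptions.

```python
import re
import sys

# Key names that usually hold a credential (assumed list; tune per codebase).
ASSIGNMENT = re.compile(
    r"\b([\w.-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?([^\s\"'#,;]+)",
    re.IGNORECASE,
)
# Values that point at an injected secret instead of containing one
# (environment variable, template placeholder, runtime lookup).
REFERENCE = re.compile(r"^(\$|\{\{|<|%|os\.environ|getenv)", re.IGNORECASE)


def find_hardcoded_secrets(files):
    """files maps path -> text; returns (path, line_no, key, masked_value)."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for match in ASSIGNMENT.finditer(line):
                key, value = match.group(1), match.group(2)
                if REFERENCE.match(value):
                    continue  # resolved at runtime, nothing stored in the file
                # Mask the value so the report does not leak it a second time.
                findings.append((path, line_no, key, value[:2] + "***"))
    return findings


# Constructed sample input: a deploy script, a config file and a settings
# module, each mixing hardcoded values with references to injected secrets.
SAMPLE_FILES = {
    "deploy.sh": 'export DB_USER=svc_build\n'
                 'export DB_PASSWORD="Tr0ub4dor&3"\n'
                 'export API_TOKEN="${API_TOKEN}"\n',
    "app.yml": "db:\n  host: db.internal.example\n"
               "  password: hunter2-prod\n"
               "  api_key: {{ vault_api_key }}\n",
    "settings.py": 'SECRET_KEY = os.environ["SECRET_KEY"]\n',
}

if __name__ == "__main__":
    results = find_hardcoded_secrets(SAMPLE_FILES)
    for path, line_no, key, masked in results:
        print(f"{path}:{line_no}: hardcoded value for {key} ({masked})")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

The match is a heuristic on key names, so treat findings as candidates for review, and rotate any credential it confirms, since a secret that reached a repository remains in its history.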

Unmanaged credentials and secrets sprawled across DevOps environments present considerable risk, as they offer tantalizing targets to threat actors. DevOps and security leaders recognize that DevOps requires a new approach to security that mitigates risk while enabling the agility required by their teams. Implementing a centralized administration solution that is built specifically to address the requirements of complex enterprise environments, and that is also easy for DevOps teams to adopt, is the key to getting on the right (and secure) path.

Learn how DevOps Secrets Safe can help you protect secrets and privileged credentials and reduce secret sprawl across your enterprise.

Alex Leemon, Product Marketing Manager

Alex Leemon is a Product Marketing Manager at BeyondTrust, focusing on Privileged Password & Session Management and Vulnerability Management solutions. She has over fifteen years of experience working with enterprise-level and Critical Infrastructure organizations solving safety and security challenges. Before joining BeyondTrust, Alex served in various roles related to the development of industrial control products and the Industrial Internet of Things (IIoT).
