
Protecting DevOps Credentials: The Critical Initial Steps

January 9, 2020


The DevOps philosophy has transformed how organizations develop, operate, and maintain applications by merging two traditionally separate worlds, software development and IT operations. Through rapid iteration and automating processes at scale, DevOps teams bring high-value applications to the world. But it is not without its faults. This methodology of application delivery introduces new security challenges. As a consequence, DevOps practices often widen the attack surface and increase the enterprise’s risk of data exposure. But why is securing DevOps environments so challenging? What makes DevOps security different from more traditional IT security?

Privileged access galore

To expedite the process of delivering code, DevOps environments often override critical security safeguards. For instance, within DevOps, the level of privilege afforded to humans and machines has skyrocketed as compared to traditional development and operations environments. It's common—even standard practice—for developers to share private keys and credentials with colleagues for quick access. This malpractice vastly elevates the risk of insider threats, whether malicious or accidental, while also complicating, and in some cases defeating outright, the production of clean audit trails.

Within applications, developers may hardcode passwords, which can then easily be found locally or in repositories such as GitHub, Bitbucket, and others. Other common practices for storing credentials include config files and Excel spreadsheets, which are highly insecure. These credentials likely provide access to data or other critical corporate resources that must be safeguarded. These risky practices have significantly increased secrets sprawl in the enterprise, creating dangerous backdoors and increasing the attack surface.
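To make the "hardcoded passwords in source and config files" problem concrete, here is an added example of the kind of check a security team can run over a repository before secrets get committed. It is illustrative code written for this page, not BeyondTrust's and not from any product; the sample repository contents, file names and credential values are constructed for the demo and are not real secrets. The scanner flags embedded credentials and AWS-style access key IDs, but deliberately skips values that only reference a secret held elsewhere (`${VAR}`, `os.environ[...]`, `{{ template }}`), and it masks what it reports so the findings list does not itself become another copy of the secret.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample repository contents (illustrative values, not real credentials).
SAMPLE_REPO: Dict[str, str] = {
    "deploy.sh": (
        'export DB_PASSWORD="Sup3rS3cret!"\n'
        "curl -u admin:hunter2 https://ci.internal.example/api/deploy\n"
    ),
    "settings.ini": "[database]\nuser = app\npassword = changeme123\n",
    "app.py": (
        'API_KEY = "AKIAEXAMPLEKEY000001"\n'
        'SECRET = os.environ["APP_SECRET"]\n'
    ),
    "docker-compose.yml": (
        "services:\n  db:\n    environment:\n"
        "      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}\n"
    ),
    "README.md": "Set the password via the DB_PASSWORD environment variable.\n",
}

# Ordered most-specific first; the first pattern that matches a line wins.
# Where a pattern has a group, that group is the secret value itself.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("basic-auth-in-url", re.compile(r"https?://[^\s/@:]+:([^\s/@]+)@")),
    ("curl-inline-credential", re.compile(r"\bcurl\b.*\s-u\s+[^\s:]+:(\S+)")),
    ("credential-assignment", re.compile(
        r"(?i)[a-z0-9_.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)"
        r"\s*[=:]\s*[\"']?([^\s\"']{6,})")),
]

# Values that reference a secret injected at runtime rather than embedding it.
REFERENCE_PREFIXES = ("$", "{{", "os.environ", "process.env", "<")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    masked_value: str


def mask(value: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 4)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return at most one finding per line of `text`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if value.startswith(REFERENCE_PREFIXES):
                break  # a reference to a managed secret, not a hardcoded one
            findings.append(Finding(path, line_no, kind, mask(value)))
            break  # one finding per line is enough for the report
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in a {path: contents} mapping (a checkout walk in real use)."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}  {f.kind:<24} {f.masked_value}")
```

Run as a pre-commit hook or CI step, the same logic gives developers immediate feedback in the pipeline instead of after a breach; the reference-prefix allowlist is what keeps it from nagging about code that already does the right thing and reads its secrets from the environment or a secrets store.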

Security a casualty of speed

DevOps teams move at incredible speed to deliver applications on condensed timelines. These teams thrive in an environment of ad-hoc tooling with an emphasis on intense code sharing and automation at every step. These practices have significantly shrunk application delivery time but, unfortunately, have also let security shortcuts flourish. Integrating traditional security into the DevOps pipeline has been challenging because traditional tools force developers to change the way they work and slow down their pipeline, resulting in low tool adoption.

A culture of gettin' it done

There's hardly anything wrong with this highly collaborative, iterative, and open approach to getting code out the door quickly. It's certainly a culture worth fostering in the enterprise, given its high yield of valuable applications and features. But as the "shift left" practice at the core of the DevOps philosophy moves security earlier in the process, the glaring shortcomings of traditional security tools come into focus. Developers need solutions that adapt to their workflows and highly collaborative environments. Lightweight applications that leverage code to deliver robust security, using developer-preferred interfaces such as CLIs and APIs, will see more successful adoption than traditional security-minded GUIs.

So, how can enterprises overcome these challenges and implement security solutions that enable the speed and agility needed in DevOps?

Here is a shortlist of steps to help organizations embark on the secrets management journey:

1. Establish enterprise requirements for securing credentials and secrets in DevOps

As organizations accelerate the adoption of DevOps, enterprise security requirements must expand to ensure they cover all environments, including DevOps. These requirements should aim at centralizing the management of credentials and secrets, controlling the sharing of credentials amongst users, eliminating hardcoded credentials and passwords from scripts, and eliminating the storage of secrets or passwords in config files, Excel spreadsheets, or other repositories not explicitly built for security, where unauthorized users or machines can access them.

2. Centralize management of DevOps secrets

Implement a centralized secrets management system that acts as an intermediary between the user (human or machine) and the application, process, or tool they want access to. Use the centralized system to store all secrets used by DevOps practitioners, tools, and applications in a password safe and provide enforcement for access, credential complexity, and other basic tenets of privileged access management.

3. Remove adoption barriers and support peak DevOps agility

DevOps teams use automation to accelerate application delivery and minimize pipeline delays. Their agile workflows may be disrupted by security tools that work counter to their practices. To be effective, organizations must adopt approaches that leverage automation and the way developers work to deploy security solutions. Providing out-of-the-box integrations with common DevOps tools (Puppet, Jenkins, Ansible, Chef, Docker, Git, etc.) that can be managed through the developers' preferred interfaces increases tool adoption and enables greater agility in the DevOps process.
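Step 2 describes the centralized store as an intermediary that sits between the consumer (human or machine) and the secret, enforcing access, complexity and an audit trail; step 3 asks that developers reach it through code rather than a GUI. The following is an added example, written for this page and not BeyondTrust's code or any product's API, of the minimum such an intermediary has to do. It keeps secrets in memory and does no authentication of the caller (both are assumptions made to keep the example self-contained; a real store encrypts at rest and authenticates every principal), but it does enforce a per-secret reader/writer policy, rejects weak values on write, records every allowed and denied access, and supports rotation so that consumers always fetch the current value instead of caching one. The secret names, principals and values are constructed for the demo.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Set

MIN_SECRET_LENGTH = 16


def meets_complexity(value: str) -> bool:
    """Bar enforced on anything stored: minimum length plus at least three character classes."""
    classes = (
        any(c.islower() for c in value),
        any(c.isupper() for c in value),
        any(c.isdigit() for c in value),
        any(c in string.punctuation for c in value),
    )
    return len(value) >= MIN_SECRET_LENGTH and sum(classes) >= 3


def generate_secret(length: int = 32) -> str:
    """Generate a rotation value from the OS CSPRNG that satisfies the complexity bar."""
    alphabet = string.ascii_letters + string.digits + "-_!@#%^"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(candidate):
            return candidate


@dataclass
class AccessPolicy:
    readers: Set[str]   # principals allowed to fetch the secret
    writers: Set[str]   # principals allowed to set or rotate it


@dataclass
class AuditEvent:
    timestamp: float
    principal: str
    secret_name: str
    action: str
    allowed: bool


class SecretsBroker:
    """In-memory stand-in for a centralized secrets store (assumption: no encryption at rest
    and no caller authentication here; both are required in a real deployment)."""

    def __init__(self, policy: Dict[str, AccessPolicy]):
        self._policy = policy
        self._store: Dict[str, str] = {}
        self.audit: List[AuditEvent] = []

    def _record(self, principal: str, name: str, action: str, allowed: bool) -> None:
        self.audit.append(AuditEvent(time.time(), principal, name, action, allowed))

    def put(self, principal: str, name: str, value: str) -> None:
        policy = self._policy.get(name)
        if policy is None or principal not in policy.writers:
            self._record(principal, name, "put", False)
            raise PermissionError(f"{principal} may not write {name}")
        if not meets_complexity(value):
            self._record(principal, name, "put", False)
            raise ValueError(f"{name}: value does not meet complexity requirements")
        self._store[name] = value
        self._record(principal, name, "put", True)

    def get(self, principal: str, name: str) -> str:
        policy = self._policy.get(name)
        allowed = policy is not None and principal in policy.readers and name in self._store
        self._record(principal, name, "get", allowed)   # denied reads are logged too
        if not allowed:
            raise PermissionError(f"{principal} may not read {name}")
        return self._store[name]

    def rotate(self, principal: str, name: str) -> str:
        """Replace the stored value; consumers pick up the new one on their next get()."""
        policy = self._policy.get(name)
        if policy is None or principal not in policy.writers or name not in self._store:
            self._record(principal, name, "rotate", False)
            raise PermissionError(f"{principal} may not rotate {name}")
        new_value = generate_secret()
        self._store[name] = new_value
        self._record(principal, name, "rotate", True)
        return new_value

    def denied_events(self) -> List[AuditEvent]:
        return [e for e in self.audit if not e.allowed]


def demo() -> dict:
    """Walk through the intermediary's behaviour with constructed principals and secrets."""
    broker = SecretsBroker({
        "db/prod/password": AccessPolicy(readers={"jenkins-deploy"}, writers={"secops"}),
    })
    results = {}
    try:
        broker.put("secops", "db/prod/password", "changeme")   # too weak to store
        results["weak_rejected"] = False
    except ValueError:
        results["weak_rejected"] = True
    broker.put("secops", "db/prod/password", "Xk9#mPq2vL7$wRt4")
    results["pipeline_value"] = broker.get("jenkins-deploy", "db/prod/password")
    try:
        broker.get("dev-laptop", "db/prod/password")          # not in the reader set
        results["unauthorized_denied"] = False
    except PermissionError:
        results["unauthorized_denied"] = True
    rotated = broker.rotate("secops", "db/prod/password")
    results["rotated_ok"] = meets_complexity(rotated) and rotated != "Xk9#mPq2vL7$wRt4"
    results["pipeline_sees_rotated"] = broker.get("jenkins-deploy", "db/prod/password") == rotated
    results["denied_principals"] = [e.principal for e in broker.denied_events()]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `demo()` walk-through is the shape of the interaction, not the storage: the pipeline identity never holds a long-lived copy of the password, a laptop that is not in the reader set gets a logged denial rather than silent access, and rotation needs no change on the consumer side. Wrapping this interface in a CLI or client library is what makes it fit the developer workflow the post calls for.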

Unmanaged credentials and secrets sprawled across DevOps environments present considerable risk, as they offer tantalizing targets to threat actors. DevOps and security leaders recognize that DevOps requires a new approach to security that mitigates risk while enabling the agility required by their teams. Implementing a centralized administration solution—built specifically to address the requirements of complex enterprise environments and also easy for DevOps teams to adopt—is the key to getting on the right (and secure) path.

Learn how DevOps Secrets Safe can help you protect secrets and privileged credentials and reduce secret sprawl across your enterprise.

Alex Leemon, Sr. Product Marketing Manager

Alex Leemon is a Sr. Product Marketing Manager at BeyondTrust, focusing on Privileged Password & Session Management and PAM for Cloud security solutions. She has over fifteen years of experience working with enterprise-level and Critical Infrastructure organizations solving safety and security challenges. Before joining BeyondTrust, Alex served in various roles related to the development of operational technology (OT) products and the Industrial Internet of Things (IIoT).
