Research Study: 5 Ways to Ensure Your Cybersecurity Practices Are Ready for DevOps, IoT, and the Cloud
June 6th, 2018
Next-generation technologies like AI, IoT, and the cloud are radically transforming how organizations like yours are doing business. Higher operational efficiencies, greater business agility, and improved cost savings are on full display in initiatives such as Alphabet’s (Google’s parent company) implementation of AI throughout its business, Amazon’s creation of a dedicated DevOps team and its Apollo program, and Nest’s leveraging of its IoT data to provide insights to utility services on a subscription basis.
It’s an exciting time in how IT can enable real business change, yet there is also a dark side to these next-generation initiatives: security vulnerabilities.
We were curious to learn how security issues, such as privileged access management (PAM), can affect the adoption of things like the cloud, IoT, AI, and DevOps so we commissioned our annual Implications of Using Privileged Access Management to Enable Next-Generation Technology study. We talked to more than 600 organizations across the globe, and I’ll briefly summarize below what we learned was most impacting – or inhibiting – next-generation technology (NGT) adoption. Also, check out the infographic at the bottom of this blog.
DevOps, IoT, and AI are the Transformative Technologies Delivering the Most Impact Today
Clearly, organizations are actively engaged in technology-enabled business transformation, with 65% of respondents to the study indicating they have already implemented, or are actively discussing or trialing, DevOps. 54% of respondents say they have implemented or are discussing AI and IoT. 50% indicate that DevOps has a large impact on the business, with 42% saying AI/Machine Learning, and 40% IoT. When you layer on when these transformative technologies will impact the business, the picture becomes clearer: 60% of respondents indicate that DevOps has already become mainstream.
Cloud Adoption is Accelerating
Respondents indicate that – today – 62% of workloads are on-premises, with 34% using some form of cloud (public, private, or SaaS application). In 3 years? On-premises use is projected to drop to 44%, while cloud use jumps to 53%. Almost a total flip! With such an increase in cloud-hosted workloads expected over the next three years, it’s vital for organizations to address security issues in their hybrid environments.
Security is the Biggest Challenge – and for Good Reason… Breaches Cost!
Unsurprisingly, security issues remain the number one deterrent to organizational adoption of NGTs, with 78% of respondents saying IT security is a somewhat or extremely large challenge. And, as evidenced from our survey respondents, security issues, as a result of NGTs, are happening at an alarming rate.
- 18% of respondents indicated they had a breach related to NGTs in the last 24 months that resulted in data loss
- 20% experienced a breach that resulted in an outage
- 25% saw breaches over that time period that triggered a compliance event
- One in five organizations experienced 5 or more breaches
Let that sink in for a second…. 20% of organizations experienced five or more breaches in the last 24 months related to a next-generation technology, such as the cloud, IoT, or AI. Whoa…
When a breach occurs, there are substantive negative outcomes. 47% of respondents cite lost productivity, 31% say the loss of reputation, 27% say monetary damages, and 19% cite compliance penalties. Considering the costs of data recovery, outages, lost productivity, and compliance audits – if NGT security issues are not dealt with proactively, these costs can spiral out of control.
Breaches Happen When Users Are Over-Privileged
The study shows that 52% of the time, breaches arise from trusted users doing inappropriate things for innocent reasons, with 13% of respondents indicating it happens often or all the time! In 18% of the cases, it’s trusted insiders going rogue, and in 15% of the cases, it’s outsiders gaining privileged access to steal credentials.
Privileged Access Management Can Facilitate the Move to NGTs
Respondents overwhelmingly indicate that PAM-related capabilities can improve security and adoption of next-generation technologies. Top PAM practices include controlling and governing privileged and other shared accounts (60% and 59%, respectively), enforcing appropriate credential usage (59%) and creating and enforcing rigorous password policies (55%).
NGTs present incredible business opportunities, but also present significant security challenges. Privileged access management can help.
How Privileged Access Management Can Enable the Transformation to Next-Generation Technologies
To improve security while reaping the transformative benefits that NGTs offer, organizations should implement five privileged access management (PAM) best practices that address use cases from on-prem to cloud.
#1: Discover & Inventory All Privileged Accounts and Assets: Perform continuous discovery and inventory of everything from privileged accounts to container instances and libraries across physical, virtual, and cloud environments.
#2: Scan for Vulnerabilities & Configuration Compliance: For DevOps and cloud use cases, scan both online and offline container instances and libraries for image integrity. Additionally, implement configuration and baseline scanning against industry configuration guidelines and best practices from NIST, STIGs, USGCB, CIS, and Microsoft.
#3: Manage Shared Secrets & Hard-Coded Passwords: Examples of shared secrets include developer access to source control, DevOps tools, test servers, and production builds. Hard-coded secrets include credentials embedded in scripts, files, code, and DevOps tool configurations, as well as in build scripts, code files, test builds, and production builds. Manage and rotate privileged passwords across the environment so that all audited activity is associated with a unique identity. Doing so adds accountability and reduces risks by closing backdoors to critical systems. Additionally, securing access to edit DevOps scripts and utilities, and refining user permissions, ensures IP protection.
#4: Enforce Least Privilege & Appropriate Credential Usage: Grant required permissions to appropriate build machines and images through least privilege enforcement. Securing access to edit DevOps scripts and utilities, and enforcing permissions is an essential part of least privilege. This requires first eliminating administrator privileges on end-user machines, securely storing privileged account credentials, establishing a workflow process for check-out, and monitoring privileged sessions.
#5: Segment Networks: Focus on keeping roles separate and segmentation isolated between steps. This approach restricts access based on the context of the user, role, application, and data being requested, and reduces line-of-sight access that attackers may have into internal systems.
BeyondTrust Can Help
How do your security and PAM practices stack up? How prepared are you for secure DevOps, cloud, and IoT? Want more detail on the five steps, including how to make them work in your enterprise? Download the results paper – or, take a look at the infographic for a summary.