Securing DevOps with Unified Privilege Management

Derek A. Smith, Founder, National Cybersecurity Education Center

Securing DevOps

DevOps goal is to provide continuous software development and upgrades in a fast and efficient manner. It allows for great strides in how organizations develop, operate and maintain applications and IT infrastructure, both on-site and in cloud environments. However, the DevOps approach magnifies the potential for security mishaps during development. So, how do we effectively secure DevOps operations and environments? Privileged access management (PAM) may provide the answer.

Before we begin to discuss how PAM can aid in DevOps security, I think it is important that I provide you with a brief understanding of DevOps and privileged access management, at least as I present them in this article. These terms are thrown around a lot, so I want to make sure you understand what’s being discussed and how because like many popular terms, people tend to confuse what these terms mean.

What is meant by DevOps anyway?

DevOps is a term for a group of concepts that, while not new, has become the talk of the development community of late. It brings together two concepts, “software development” and “operations. Here’s my take on how DevOps can be defined. DevOps is a software engineering practice aimed at combining software development (Dev) and software operations (Ops). The main theme for the DevOps crusade is to strongly advocate automation and monitoring at all steps of software construction, from integration, testing, releasing to deployment and infrastructure management. The DevOps goal is to have shorter development cycles, increased deployment frequency, and more dependable releases that align closely with business objectives.

…and What is Privileged Access Management?

I define privileged access management as a method to manage and audit account and data access by privileged users. A privileged user is a person with administrative access to your critical information systems. For example, anyone who can create and delete user accounts and roles in your DevOps environment is a privileged user. Since this is an action that can open up your network to security risks, you only allow your most trusted users, with the proper knowledge and training, access to accounts with “root” privileges (like the ability to change system configurations, install software, change user accounts or access secure data). However, even trusted access needs to be controlled and monitored. That’s where privileged access management comes into play!

How can PAM Secure My DevOps Environment?

Now that we are on the same page as far as the definition of DevOps and PAM we can discuss the convergence of these two methodologies. According to Gartner’s 2017 Market Guide for Privileged Access Management interest in PAM tools is driven by several factors:

  • “The risk of breaches and insider threats
  • The need to prevent, isolate and limit malware attacks that leverage privileged accounts
  • An increase of operational efficiency for administrator and operator access
  • Regulation and failed audits, because auditors are paying closer attention to privileged accounts, and regulations are forcing organizations to record a trail of evidence for privileged access
  • The need to grant privileged access to third parties: contractors, vendors and service provider technicians
  • The need to address requirements for a comprehensive cybersecurity defense strategy, specifically for critical infrastructure”

As far as DevOps is concerned, Gartner recommends that security and risk management leaders seek ways they can help to secure nonhuman service and application accounts, as these accounts are major sources of operational security and risk, and most organizations have such accounts.

Access to and within your DevOps environments have thrived over the past few years, with both users and scripts (with embedded credentials). Today, the delivery of software is primarily focused on delivering high-quality products and services to market faster and more efficiently. Companies attempt to do this by utilizing DevOps methodologies and practices that they deem essential for gaining and maintaining a competitive edge. Building on the “Agile” approach, DevOps promises faster software development and testing, more frequent builds, and a more reliable end product. However, it can be difficult to guarantee security and compliance in high-velocity, cloud-based DevOps environments. This can lead to a variety of security threats because DevOps focuses on rapid, continuous development, integration, delivery and deployment, but it is not designed with security in mind. Also, almost every aspect of DevOps components are highly interconnected and rapidly changing and utilizes secrets. Additionally, developers, IT operations staff and administrators require quick, easy workflow to do their jobs effectively, and as such, cannot be constrained by restrictive policies that impede the speed at which projects are introduced to market.

Unfortunately, the secrets represent one of the largest security vulnerabilities an organization faces today. Under the control of an external attacker or malicious insider, secrets allow them to take full control of your IT infrastructure, disable security controls, steal confidential information, commit financial fraud and disrupt operations. DevOps expands the security problem even further, and traditional approaches won’t cut it, making an automated PAM solution essential for your DevOps security needs.

Due to the dynamic nature of DevOps, “secrets,” such as privileged account credentials, SSH Keys, API keys and more, are increasing throughout the IT infrastructure at a fast pace, creating massive security risks for organizations. Because of this, PAM tools are essential for providing comprehensive privileged account and secrets protection.

The very nature of DevOps multiplies these risks. For example, DevOps usually requires you to grant administrative access not only to multiple staff but also to configuration management and orchestration systems. This demands tightly controlled privilege controls, as well as methods for managing passwords, keys and other secrets. The goal is to automate the task of provisioning/de-provisioning access, granular access control, and auditing/reporting. With the help of a PAM solution, you could give identities to all the machines in your DevOps environment, treating these machines as users within the DevOps workflow. Then, PAM can be used to apply security policies to all your DevOps activities.

You can also assign the various identities into groups sorted by the level of security risk, or group them by function or departments depending on your workflow. The result would be an automated security solution, as well as a map of interactions between machines or users that would provide some insight into where your security weak links lie.

A well-known cybersecurity best practice is never to share passwords, especially those of your privileged accounts, and this applies to your DevOps environment as well. But you may be surprised by how many organizations still do this! Sharing privileged accounts completely eliminates your auditability and accountability of the users in your environment. They essentially have carte blanche to do whatever they like on your servers, and you will not be able to track who did what. Your security policy should dictate the approvals, time limits, access limits, keystroke logging, session capture, and other activities allowed in your DevOps environment. This will allow for on-demand access to your sensitive IDs while maintaining stringent audit and control.

Automating your DevOps and PAM solutions is a powerful way for you to reduce risk, ensure compliance, and maintain governance. For example, release automation enables your developers to deploy new code without having personal access to your sensitive production systems, allowing the tool, and not the individual, to access the system. It also restricts access to your DevOps systems by using ‘known-good processes,’ to ensure policy and deployment are in agreement. Using PAM to control and track who initiates deployment maintains that essential audit trail for your governance and reporting requirements. Test automation, data management, process automation, configuration management and other automation tools all provide similar security benefits throughout the application delivery lifecycle.

The bottom line is that you want to use PAM in your DevOps environment to create and manage your privileged accounts. You must automate this process because, in today’s elastic, auto-scaling environments, your organization may have hundreds or thousands of systems as well as internal and third-party users around the world and manual management is simply out of the question in a DevOps centric world. PAM will allow you to rapidly assign every system administrator within your organization a personal user account that provides access to all systems within your DevOps environment to which they have access.

To learn more, check out this informational and technical blog from BeyondTrust’s CTO, Brad Hibbert, “Continuous Cybersecurity in a DevOps World“.

Derek A. Smith, Founder, National Cybersecurity Education Center

Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently the Director of Cybersecurity Initiatives for the National Cybersecurity Institute at Excelsior College, responsible to perform complex duties relating to the development and coordination of cyber initiatives at NCI. Formerly, he has worked for a number of IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He has also taught business and IT courses at several universities for over 20 years. Derek has served in the US Navy, Air Force and Army for a total of 24 years. He completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education.