DevOps security refers to the discipline and practice of safeguarding the entire DevOps environment through strategies, policies, processes, and technology. DevOps security should enable a productive DevOps ecosystem, while helping to identify and remediate code vulnerabilities and operational weaknesses long before they become an issue.
The DevOps ethos has ushered in a transformation in how organizations develop, operate and maintain applications and IT infrastructure, both onsite and in cloud environments. By relentlessly pursuing velocity and automation, DevOps teams condense development cycles while keeping product features and capabilities responsive to customer feedback and evolving business objectives. However, the culture of speed and scale can also mean that security is an afterthought, and that any vulnerabilities or misconfigurations created may have large-scale implications.
While it’s clear that security should be ingrained throughout the entire DevOps lifecycle, how do you accomplish this without hampering speed, agility, and other essential DevOps tenets? To tighten DevOps security, while balancing the need for agility, consider implementing the following nine best practices.
When DevOps and security teams are misaligned, the fallout can include insecure code, vulnerabilities, misconfigurations, unsecured hardcoded passwords, and application security weaknesses that cause operational dysfunction or are easy targets for attackers. When security is woven into the fabric of the DevOps lifecycle and culture (from inception through design, build, test, release, support, and maintenance), it is often referred to as DevSecOps. DevSecOps entails embedding governance and cybersecurity functions such as identity and access management (IAM), privilege management, firewalling / unified threat management, code review, configuration management, and vulnerability management throughout the DevOps workflow. Embracing a DevSecOps culture means that everyone shares responsibility for security, helping ensure accountability and alignment across teams.
Create transparent cybersecurity policies and procedures that are easy for developers and other team members to understand and agree to. This will help teams to develop code that meets security requirements.
Without automated security tools for code analysis, configuration management, patching, vulnerability management, and so on, you stand no chance of scaling security to DevOps processes. Security automation also minimizes the risk arising from human error, and the associated downtime or vulnerabilities. The closer you can match the speed of security to the DevOps process, the less likely you are to face cultural resistance to embedding security practices.
The potential proliferation of shadow IT and incomplete visibility hampers an organization’s ability to protect itself. DevOps teams often leverage new, open-source or immature tools to manage hundreds of security groups and thousands of server instances. Containers can be spun up and down almost instantly—and run across almost any kind of computer and cloud. Often security teams lack visibility into the containers themselves, which is complicated because they share an OS with other containers. And, since DevOps usually relies heavily on cloud deployments, cloud security is a major consideration as well. Therefore, prioritize the continuous discovery and validation of devices, tools, accounts, cloud/virtual instances, containers and credentials, and ensure that they are brought under security management in accordance with your policy.
Vulnerabilities should be scanned for, assessed, and remediated across development and integration environments—including within containers—before deployment to production. When products are launched into an operational environment, DevOps security can run tests and tools against the production software and infrastructure to identify and patch exploitable weaknesses and other issues.
The speed and scale at which DevOps environments move mean that any configuration mistake can be copied and multiplied quickly if it is not promptly detected and fixed. Scan to identify and remediate misconfigurations and potential errors. Provide continuous configuration and hardening baseline scanning across servers and code/builds for physical, virtual, and cloud assets.
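As an added illustration of baseline scanning (not code from the original article), the following checks the sshd_config of several hosts against a hardening baseline and reports drift. The baseline values, host names and file contents are constructed for the example; only the global section in whitespace-separated form is parsed.

```python
# Hardening baseline, constructed for this example: directive -> required value.
BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
            "x11forwarding": "no"}


def effective_settings(config_text):
    """Parse the global section of an sshd_config (whitespace-separated form).

    Keywords are case-insensitive and the first value obtained for a keyword
    is the one sshd uses, so later duplicates are ignored. Parsing stops at
    the first Match block, whose settings apply only conditionally.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def drift(fleet):
    """Return {host: [(directive, found, required)]} for non-compliant hosts."""
    report = {}
    for host, text in fleet.items():
        found = effective_settings(text)
        gaps = [(key, found.get(key, "<unset>"), want)
                for key, want in BASELINE.items() if found.get(key) != want]
        if gaps:
            report[host] = gaps
    return report


# Constructed fleet: one flawed template was stamped onto two web servers.
TEMPLATE = "PermitRootLogin yes\nPasswordAuthentication no\nX11Forwarding no\n"
FLEET = {
    "web-01": TEMPLATE,
    "web-02": TEMPLATE,
    "db-01": "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n"
             "PermitRootLogin yes\n",
    "bastion": "PermitRootLogin no\nX11Forwarding no\n"
               "Match User deploy\n    PasswordAuthentication no\n",
}

if __name__ == "__main__":
    print(drift(FLEET))
```

The two web servers report the same gap because they share one template, and the bastion is flagged because its only PasswordAuthentication setting sits inside a Match block rather than the global section.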
DevOps teams may use a dozen tools (Chef, Puppet, Ansible, Salt, etc.), which all require secrets management. DevOps secrets may include privileged account credentials, SSH keys, API tokens, etc., and may be used by humans or non-humans (e.g., applications, containers, microservices and cloud instances). Improperly managed, secrets can provide attackers with easy backdoors to privileged access, and with it, the ability to tamper with security and other controls, disrupt operations, steal information, and basically own an organization’s IT infrastructure. Often, secrets/privileged credentials are embedded in code, scripts, files, and service accounts. Secure management of these credentials requires privileged password management solutions that can remove the embedded credentials from code and securely store and manage them.
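Before embedded credentials can be removed from code, they have to be found. The following is an added example, not code from the original article, that scans file contents for private key material and literal password or token assignments while skipping values that only reference a variable or template. The rule set, the entropy threshold of 3.5 bits per character and the sample files are assumptions constructed for the illustration.

```python
import math
import re

# Credential shapes commonly left in code and scripts (illustrative rule set).
RULES = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api_?key|token)\w*\s*[:=]\s*"
        r"[\"']?(\{\{.*?\}\}|[^\s\"'#]+)"
    ),
}
# Values that point at a variable or template rather than holding a literal.
REFERENCE = re.compile(r"^(\$\{?\w+\}?|\{\{.*\}\}|os\.environ.*)$")


def shannon_entropy(value):
    """Bits per character; random tokens score higher than dictionary words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(files):
    """Return (path, line_no, rule) findings; secret values are never echoed."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES.items():
                m = pattern.search(line)
                if not m:
                    continue
                if rule == "assigned_secret":
                    value = m.group(2)
                    if REFERENCE.match(value):
                        continue  # indirection to a secrets store or env var
                    if shannon_entropy(value) >= 3.5:  # assumed threshold
                        rule = "assigned_secret_high_entropy"
                findings.append((path, no, rule))
    return findings


# Constructed sample repository contents (not real credentials).
SAMPLE = {
    "deploy.sh": 'DB_PASSWORD="hunter2"\nexport API_TOKEN=${CI_API_TOKEN}\n',
    "playbook.yml": "api_key: q8Zr2LmX0vTn4PdKs7Bw\npassword: {{ vault_db_password }}\n",
    "id_deploy": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n",
}

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Findings carry only the file, line number and rule name, so the scan report does not itself become another place where the secret is stored.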
DevOps teams often permit nearly unrestricted access to privileged accounts (root, admin, etc.) to multiple individuals. Often, these individuals share credentials, which virtually eliminates the possibility of a clean audit trail. Orchestration, configuration management, and other DevOps tools may also be granted vast privileges. Excessive privileged access represents an increased threat surface. To rein in privileged access risk, implement the principle of least privilege. Enforcing least privilege access will reduce opportunities for internal or external attackers to escalate privileged user rights or exploit bad code. Enterprise privileged access management (PAM) solutions can automate the control, monitoring, and auditing of privileged access as well as the full lifecycle of secrets/privileged credential management.
Segmenting the network reduces an attacker’s “line of sight” access. Group assets, including application and resource servers, into logical units that do not trust one another. For access that needs to cross trust zones, deploy a secured jump server with multi-factor authentication and adaptive access authorization, and use session monitoring to provide oversight. Further segment access based on context, including the user, role, application, and data being requested.
Introducing DevOps security early in the product lifecycle ensures that security underpins every part of application and systems development. This, in turn, enhances availability, reduces the possibility of data breaches, and ensures the development and provisioning of powerful technology to meet business needs.