Decoding DevOps Security: Insights for Security Leaders
Insights for the gen-next CISOs and Security Leaders
By Rohan Vaidya
We live in a time of paradigm shifts and constant evolution, of virtual existence and evolving fundamentals. In a bid to stay relevant, you now find some of the most traditional business enterprises such as banking, utilities and even government organizations making a swift move toward digitization. However, technology is more advanced than ever before and as we take a step forward, the IT world as we know it now is already in DevOps mode. With the amalgamation of software development and software operations, we are in a state of perpetual automation and monitoring. From integration to testing to deployment and management, there is just no time to wait and watch.
Now, more than ever, it’s important to merge speed and agility with a faster security and compliance delivery model. One of the biggest gaps that security teams face today is the massive proliferation of secrets and privileged users through the DevOps pipeline. That’s why, in the backend, you’ll find security teams constantly scrambling to secure and manage the plethora of new tools and technologies used to deliver services.
But as a CISO, where do you start?
For security teams, one of the biggest challenges is that of doing code analysis and security routines on software, before it is deployed in production. But take that as an opportunity – think of it as a scope to introduce security quite earlier in the development cycle. This means that the core issues can be addressed sooner and that’s a good thing.
For starters, the list of tools and technologies can seem to be overwhelming and disparate, however, understand that you do not need to know every single tool in order to help control the security of DevOps environments. The key here is to keep a system-based approach that is API driven and that will pave the way of how the next-gen users and their technologies of choice will interact with the security tools.
Based on the required security standpoint for the environment, let your security teams set the best practices in place beforehand. Allowing the development and operations team to come up with ad hoc solutions or implementation details on the fly in order to meet deadlines and deliverables will only worsen matters. Instead, get the development teams on board with your core agenda to have them follow the basic principles. While they may already know these are good practices, they may not be doing them visibly or consistently.
Next on the list, let there be no secrets in source control. Remember that DevOps is a collaborative effort and everyone involved is an equal partner and you are in the game together. Subsequently, keep a tab on the over-privileging of system accounts – it can be very risky. Follow a strict privileged access control across the infrastructure as this increases accountability.
Micro-segmentation of access to secrets, passwords, SSH keys, etc. is essential in minimizing the impact of any potential breach or event. In fact, know that the events you work to minimizing are in fact not just security-related where someone has maliciously gained access to the infrastructure; these could also be things we call misadventure, or human mistakes that are bound to happen.
An important practice is to integrate security telemetry into development pipelines and launch-demos, ensuring all applications and the software supply chain are protected from malicious code. The entire environment including the Development, QA, and Operations must be in a hardened, risk-reduced state.
Choose your allies wisely
The industry is empowered with the availability of tools that have been designed with the developer and operations team user-experience in mind. These are equipped to effectively bridge the two methodologies and help teams to work together cohesively, bearing the security of their infrastructure in mind. What’s important is to think ahead and select the best in class solutions that will evolve with your infrastructure. That’s why you must partner with companies that are industry leaders in Privileged Account Security and who believe and provide scalable solutions that are all about the automation, agility and control in order to protect your most critical and high-value assets.
The larger picture is that the industry must accept the concept of security as a service, because then, it shifts the burden of managing security policy, tooling and reporting from the development teams and puts the control back into the hands of the security team.
The author is the Regional Director of Sales – India, CyberArk
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]