DevOps security

by Mark Rowe

After the publication of a KuppingerCole report on DevOps security, Josh Kirkwood, DevOps Security Lead at privileged security and cloud services company CyberArk, discusses how firms should secure agile IT through privileged access security and automation.

Agile IT is rapidly emerging as the de facto form of IT in many organisations, and DevOps is by and large proving the driving force behind this new model. Despite being a comparatively young practice – it was only born back in 2009 and is still a field of ongoing innovation – it has fundamentally changed the way in which organisations develop and deploy new software and services. Developer teams have begun to move away from long-planned deployments of monolithic applications, and instead are building applications based on micro-services – small software modules – and rapidly deploying them into containers in an automated manner.

This new, agile form of IT has seen widespread adoption as it allows for quicker iteration and requires less of a long-term project plan, which can sometimes stymie product development. Allowing developer teams to steer the roadmap of their product based on internal or external customer feedback means organisations can release features quickly, increasing end user satisfaction and supporting business objectives. But what challenges does ‘agile’ create from a security perspective?

Expanded attack surface

The shift to such agile environments brings its own security challenges. The security task for DevOps is far bigger than for traditional environments, as there are far more services and applications with secrets that need protection, as well as DevOps tools such as Jenkins which are used to run development pipelines.

Moreover, while these agile environments are helping deliver improved services to end users more quickly, they do make IT more complex, fragmented, dynamic and automated than before. There is no longer one single place to make a DevOps environment secure, and no single tool which exists to do so.

Securing DevOps pipelines

Security must be managed in a way which secures development lifecycles, defines security patterns for the services and applications being built, and ends with automated security for automated operations – not in a traditional style with heavy manual configuration. It must not slow down developers, and it must support automation. Rather, it should support the management of secrets at the level of micro-services, and integrate tightly with developer environments and libraries, as well as the runtime environments of these new applications.

This creates a fundamental challenge. On the one hand, security must be built around these automated, agile environments, and harness automation so it does not act as a barrier to developers. On the other, existing IT infrastructure and applications will not disappear, and must also be secured. Solutions should be integrated so they can protect secrets from a multitude of different development environments, whether cloud-native or traditional. Above all, they should be predicated on their ability to deliver the following:

Consistently manage all types of secrets.
Avoid islands of security or reliance on the native capabilities of standalone tools.
Focus on simplicity and ease of use for developers.
Establish a robust, tamper-proof audit capability.
Integrate with the organisation’s existing Privileged Access Security.

Privileged Access Security

With this in mind, new approaches for security such as Privileged Access Security must be considered, as they cater for the new way applications are engineered and IT infrastructures are run. In the DevOps world for example, there are more secrets and more components to protect than ever before – all while contending with higher volatility and increased scale. Protection must be ubiquitous at all levels, not only for the runtime environments for containers, underlying orchestration infrastructures and DevOps workflows and toolsets, but also the secrets and credentials used by the applications and micro-services themselves, the admin consoles for CI/CD tools, and other management tools.

Traditionally, the focus for protecting secrets and credentials has been primarily on servers and network components. Nowadays, it must also span the application credentials, and more configuration and management tools than ever before. This is where Privileged Access Security proves its value, as it can protect all the secrets which exist within DevOps environments, including API keys, passwords, SSH keys, and tokens, and manage the privileges associated with each set of credentials. It can also support machine identities by assigning and managing privileged credentials for machines not just humans, which is critical in an increasingly automated environment.

Fortunately, there are solutions available which deliver a strong foundation for securing the DevOps pipeline – from micro-services and containerised applications to cloud-native applications. To deliver on the vision of Agile IT and DevOps, organisations must consider deploying Privileged Access Security to manage and secure the rapidly increasing number of secrets and credentials being used.

© 2024 Professional Security Magazine. All rights reserved.