DevOps the forgotten team when it comes to security: CyberArk
Source – zdnet.com
Due to the dynamic nature of DevOps and the business “secrets” they have access to, security vendor CyberArk has highlighted the importance of ensuring these teams are protected from the threat landscape.
According to Jeffrey Kok, senior director of solution engineering for Asia Pacific and Japan at CyberArk, exposing DevOps to the elements means privileged account credentials — such as SSH keys, API keys, and other credentials — are proliferating throughout IT infrastructure at a rapid-fire pace, creating massive security risks for organisations.
The CyberArk Advanced Threat Landscape 2018 highlights that 75 percent of security respondents reported their organisation has not implemented a privileged account security solution for DevOps.
This is potentially problematic when 60 percent of the DevOps respondents said they store privileged account or administrative passwords in a document on a company PC or laptop.
52 percent of DevOps respondents said they rely on the native secrets functionality of their cloud or DevOps vendors to be protected.
“This is potentially a risky approach because it creates separate security silos that are difficult to manage with an overall security policy,” the report says.
As respondents were able to provide more than one answer, 50 percent also said they employ a paid-for secrets solution; while 37 percent said they use systems built from open-source software.
“Most of the time the security guys get brought in when the applications are going to go live,” Kok told ZDNet.
43 percent of respondents confirmed that the security team is always brought in at the end of each development cycle, with CyberArk noting this may be adequate only if the length of a sprint averages a week or so.
While Kok said it might seem a “little bit daunting” for organisations to bring the security talent into the development process earlier, once the concept is embraced, he said, the end result is a much better user experience.
“That is one of the key gaps,” he explained.
The most effective business strategy will demand that security and DevOps work closely, which is why Kok pitched the idea of “SecOps” — where the application is designed with operation, but also with security in mind.
“Security by design,” Kok reiterated. “The most effective strategy will demand that security and DevOps work closely together from the very beginning and throughout development, testing, and deployment.”
The report said that as DevOps is a relatively new discipline, it is not entirely surprising that respondents report a lack of integration between DevOps and security teams.
CyberArk said that while collaboration varies by industry, it was found the closer partnerships between DevOps and security are most often found in consumer services and technology and telecommunications segments. The financial services organisations reported slightly below-average collaboration, and only 16 percent of healthcare respondents said their security and DevOps teams were “well integrated”.
“Today when everything is on the cloud and you have a lot of automation tools, the DevOps have anywhere from 5-20 tools that are used and all of them contain secrets … just one will break the entire chain,” he explained. “The idea is to not have ‘islands of security’.
“If DevOps can bring two teams together, why not then SecOps just bring one more to the party.”
Although Kok is focused mostly on the APJ region, he said the issues raised in the report cover DevOps teams globally.
However, as the APJ region is a little bit later to the DevOps game, it’s more imperative for the region to learn from the mistakes of others.
“We have the benefit of hindsight we can avoid the pitfalls,” he said.
Kok said the report was commissioned following a lot of déjà vu CyberArk was experiencing with customers concerned over the security of their organisation’s secrets.
The survey was conducted on behalf of CyberArk by market research firm Vanson Bourne during September and October 2017, and saw more than 1,000 IT security decision makers, DevOps, app developer professionals, and line of business owners across seven countries probed on their company’s practices.
PREVIOUS AND RELATED COVERAGE
What is DevOps? An executive guide to agile development and IT operations
To make the most of today’s containers, servers, virtual machines, and clouds, you need to deploy DevOps in your enterprise. Or, you can let your rivals put you out of business. It’s your choice.
DevSecOps: What it is and how it can help you innovate in cybersecurity
DevSecOps is like DevOps, but with security principles baked in. Here’s a quick guide to the basics, and how to incorporate it in your company.
Time to move on from DevOps and continuous delivery, says Google advocate
CI/CD, DevOps are so 2007. IT leaders and professionals need to elevate their thinking to guiding their businesses through disruptive times.
DevOps: The smart person’s guide (TechRepublic)
This comprehensive guide covers DevOps, an increasingly popular organizational structure for delivering rapid software deployments in the enterprise.