DevOps: Underestimated Security Risks
If companies use DevOps models, they also have to create more privileged accounts and login details and share them automatically via integrated business networks. Those details include service accounts, keys for encryption, API and SSH, secrets of containers or embedded passwords in the code of the program which is often also stored in central repositories.
The security risk is even higher if companies use various tools for orchestrating and automating. Tools for CI (continuous integration) and CD (continuous delivery) or source code repositories like GitHub are for example used in DevOps projects.
The tools that DevOps Toolchain uses, like Ansible, Chef, Puppet and Jenkins, do not have a common standard, making it challenging for companies to establish individual, specific security measures for each and every tool.
Especially workflows for access management diverge greatly. Consequently, a lot of companies either do not have any strategies for access management, or they do, and they are inconsistent and inefficient. Security vulnerabilities are therefore a given.
How can you combat these developments?
One approach is an own DevOps security stack. Here, the IT security department has to be involved and has to systematically support DevOps teams in realizing a higher level of security.
The collaboration of DevOps and security teams is, therefore, the first step for the successful creation of a scalable security platform and the implementation of a DevSecOps strategy which can keep up with the dynamic and the rapid pace of technology.
All DevOps tools and login details should be managed on such a security platform. Central, automated administration and storing of all login details used in a DevOps pipeline – for example API or encryption keys, database passwords or transport layer security (TLS) certificates – are essential.
Of course, individual secrets which manage access in a DevOps production are also managed centrally and automatically.
A vault – a highly available, secure system storage – should be used for the protection of all login details of machines, systems and people. This vault should essentially be a especially hardened server which can stop unauthorized access through various security layers.