The importance of DevOps in digital transformation

Source – networksasia.net

In this digital age, enterprises are automating IT infrastructure and instituting DevOps methodologies to accelerate the pace of innovation. However, traditional identity and access management solutions are not designed to support the security needs of DevOps workflows. Organisations need new systems and practices to support dynamic workloads, microservices and automated IT without compromising security or service velocity. Thus, DevSecOps was born, where security is designed and in built throughout the DevOps pipeline and multi-cloud environment.

“Organisations that have chosen to build security throughout the DevOps pipeline are able to mitigate any potential issues or exploitable vulnerabilities,” says Elizabeth Lawler, Vice President, DevOps Security, CyberArk, in an email interview with Networks Asia.

“Ideally, if we are able to build-in security with the application, we can eliminate future security problems as we then are able to continuously monitor, attack and determine vulnerabilities before attackers discover them.

With increased DevOps adoption comes an expanding attack surface with an exponential set of secrets that insiders and malicious external threat actors can misuse, target and exploit. To address this concern, CyberArk recently launched an open source version of CyberArk Conjur. CyberArk Conjur enables DevOps teams to automatically secure and manage secrets used by machines and users to protect containerised and cloud-native applications across the DevOps pipeline.

In the interview with Networks Asia Staff, Lawler also answers questions about the role of DevOps in digital transformation.

1. As companies embark on their journeys of digital transformation does security have to continue being a top priority? We’ve been maintaining the confidentiality, integrity, and availability of data in all these contexts: on premises, in the cloud, and in hybrid environments so do needs change with digital transformation?

Cyber security must always be a top priority, and also a foundation for all digital transformation initiatives. Beyond just BYOD, cloud, or hybrid environments, digital transformation also encompasses initiatives and technologies such as big data analytics, the Internet of Things, blockchain and DevOps. The automation of various business processes and the digital connectedness of the entire business poses greater threats and risks even as business processes become more dynamic and efficient.

Attackers today are constantly finding new methods to breach the network, and gain full control of an organisation’s IT infrastructure to steal confidential information, commit financial fraud and disrupt operations. As such, a strong security infrastructure should always be used as a foundation for any digital transformation initiative. Ensuring that a company’s most valuable assets are secured by robust privileged accounts and credentials management means it is possible to more safely take advantage of new innovations and growth opportunities.

2. In a digital world, we’ve been told that the classic, contained enterprise network no longer exists so security must be embedded into all applications as the first line of defense. Digital transformation provides the opportunity for security, regulations and compliance issues to be considered and included at the outset of a project. Currently popular is a DevSecOps approach – where security is considered as code and written into the application to make this possible. But is this the way forward for applications and enterprises?

Organisations that have chosen to build security throughout the DevOps pipeline are able to mitigate any potential issues or exploitable vulnerabilities. Ideally, if we are able to build-in security with the application, we can eliminate future security problems as we then are able to continuously monitor, attack and determine vulnerabilities before attackers discover them.

3. But IT don’t own the applications anymore. Multiple business owners and stakeholders are building / moving business critical applications to the cloud. As agile methodologies are adopted and cloud infrastructure removes the inertia in spinning up and testing new services, how do security strategies evolve to reflect this agile approach?

Moving workloads to the cloud can bring significant business benefits, but it also expands the attack surface and allows unprotected privileged accounts, credentials and secrets to become damaging security vulnerabilities.

Whilst public cloud vendors take steps to ensure the security of the cloud, it is the enterprise and application owner that is responsible for security in the cloud, and for ensuring that enterprise data is secure.

This can be even more challenging when organizations use multiple cloud vendors and operate multiple on-premises environments. Security is critical— attackers have, in some cases, successfully moved laterally from cloud to on-premises environments.

Here, security solutions that integrate with the existing network infrastructure provides the business the agility and stability to see the benefits of cloud computing while reducing the risk of unauthorized access to privileged accounts.

Some effective security strategies that organisations can adopt are as follows:

Securing the management console – Privilege accounts are an attractive target and a likely entry point for an attacker, given the human administrator’s vulnerability to phishing. It is important for organisations to lock down controls and monitor the management console and secure associated credentials.
Protecting asset credentials in cloud – too often, credentials for applications such as customer databases and other assets are hardcoded in applications. This is a troubling and unnecessary vulnerability that must be addressed. Organisations can use a reliable vendor that is able to store, rotate and control application credentials according to policy.

4. Security and indeed IT has historically been predicated on the idea that stability and uptime should be the primary goal. “If nobody touches it, then it won’t go wrong” became the tacit understanding, making IT the NO guys. How can we create or improve understanding between the organization’s cybersecurity professionals and those who develop applications?

Without a strong security foundation, it is difficult for a company to take advantage of new innovations. It is imperative that developers and the cyber security team work together to embed security controls into software development processes as early as possible. CIOs, CISOs and developers need solutions that offer control and security without impeding the agility and speed of the DevOps pipeline.

To that end, CyberArk Conjur has enabled DevOps teams to automatically secure and manage secrets used by machines and users, whilst giving security teams assurance that security and compliance best practices are being applied to these dynamic environments.

5. Shadow IT was a problem during the initial Cloud era and caused headaches for IT and security folks. But how does a well-executed Digital transformation program presents the opportunity to eliminate the need for shadow IT and therefore eliminating the associated threat to corporate information?

In the context of security, a well-executed digital transformation program includes an integrated security infrastructure that new innovations and technologies can be built on.

Shadow IT begins when employees are frustrated with the IT department’s inability to deliver what they think they need. Sometimes, this introduces new vulnerabilities for the enterprise network. Ultimately, the problem stems from employees and IT teams moving at mismatched paces in adopting new technologies.

With a strong security infrastructure that protects the very core of the business, new technologies can be rapidly introduced into the network with confidence that the enterprise is protected against cyber threats before the attack can escalate.

6. Is cybersecurity maturity where it should be in the digital business and transformation reality?

Today, we are seeing that interdisciplinary stakeholders, such as software developers, compliance and security teams working together as early in the software development process as possible, to ensure that protection is applied and embedded. Companies embracing digital transformation are adopting DevOps methodologies and the cloud to bring new services to market at speed, and open source and community-driven development is a fast-growing way of working. There is a greater awareness and maturity in cybersecurity currently.

However, there is no common tool or standard approach for everyone. Now that DevOps is driving into the enterprise, this is the right time to have a conversation about driving standards – and managing security concerns at scale for all enterprises.

7. Digital transformation is about change, agility, speed, connectivity, real-time economy, customer expectations and disruption. Does security stand in the way of all this?

Security is a starting point for digital transformation, and not an obstacle – or at least it should be. The technologies that enable digital transformation introduce new unsecured privileged accounts and secrets, which represent the largest security vulnerability an organisation faces today. Without fully managed and secured privileged accounts and secrets, any digital transformation initiative will be an attacker’s entry point – effectively hindering the company from innovating or growing. As such, it is impossible to separate security from digital transformation. Moreover, the organisations that are doing it right see security as an enabler.