Decoding DevOps security - implementing a coherent & compliant programme
Developers are shifting to a DevOps mode, increasing the speed of delivering new software features and value to even the most “traditional” enterprise businesses, and introducing security teams to a plethora of new tools and technologies. 

The biggest gap security teams face today is the massive proliferation of secrets and privileged users throughout the DevOps pipeline. Both teams must deliver without compromising on security. But as a CISO, where do you start?

First, while the list of tools and technologies can seem overwhelming and disparate, controlling the security of DevOps environments does not require knowing all of them. A strong foundation requires an API-driven, system-based approach, allowing next-generation users and their technologies of choice to interact with security tools. The more security is abstracted “as a service” the better, because that shifts the burden of managing security policy, tooling and reporting from the development teams, and puts the control back into the hands of the security team.

The security team then needs a set of best practices based upon the desired security posture for the environment, and the path of least resistance for end users. The following basic principles, although already known by development teams, are often not applied visibly or consistently.

First, no secrets in source control. Second, follow least-privilege access control across your entire infrastructure. Third, micro-segmentation of access to secrets, passwords, SSH keys, etc. is essential to minimise the impact of any potential breach or event. In fact, it's essential to work on minimising both security-related events (where some malicious actor has gained access to infrastructure) and human mistakes. Things move so fast in DevOps environments that having a bit of a throttle is essential, so that when either happens you can easily roll back to a previous environment or rotate a key.

Key considerations for privilege and machine identities

A key difference in controlling privileged access in a DevOps environment is the focus on paths with no human involvement. These privileges are exercised on a minute-to-minute basis. In these instances, as there is no human involvement, there's no traceability to identify the origins and movements of this infrastructure. Tools that can specifically recognise and identify machine and system account users, ultimately authorise them based on policy, and audit that entire transaction are crucial for forensic analysis, governance of least privilege, and ensuring that the security posture is consistent with your programme or policy.

Extending your privileged account security programmes

Privileged account security is a proactive step to mitigate risk. It is crucial to devise a programme early on that enables the curation, and distribution via automation, of consistent security policies for access to cloud keys and credentials—in a compliant way. 

For companies with existing privileged account security programmes in place, the goal is to extend those solutions into the next generation infrastructure – also known as trust forward. Trust forward means leveraging existing tools, protocols and certified solutions to map them to next generation workflows. Best practices around controlling privileged account credentials have built up over decades. However, acknowledging when they don't work with the new workflows is key. Some break-glass, two-key human user escalation workflows should remain in the hands of humans, and not bots, to make the key and critical decisions, with full session recording.

What your DevOps colleagues need to realise about security tools

Some DevOps personnel have had negative experiences with timeliness and delivery of security in the past. But speed, velocity and resiliency do not need to be sacrificed to be secure – they need to fit into the business' consistent security and risk posture across all groups, tools and technologies.

From a cultural standpoint, DevOps engineers need to embrace the best practices and know what their security team has to offer. They have the experience and focus to deliver, and are now being empowered with tools designed with the user experience of the developer and operations teams in mind. These tools can effectively bridge the two methodologies and help people work together rapidly to secure their infrastructure. From a technological standpoint, thinking ahead and selecting best-of-breed solutions that will evolve with their infrastructure is crucial.

Security teams can work with built-for-purpose security tools that provide a strong foundation on which to build. That's why it is crucial to empower teams to craft programmes and policies that can be used to deploy and secure cloud assets in a consistent, scalable way.

Contributed by Elizabeth Lawler, vice president, DevOps Security, CyberArk

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.