What DevOps teams need to know about privileged account security
Dan Ritch
In a DevOps workflow, your testing and production environments are constantly changing. DevOps teams need access to a variety of infrastructures, across cloud, multi-cloud, hybrid cloud and on-prem environments. Administrative privileges are used by the configuration management and orchestration systems that continually spin up new servers, install software and make configuration changes throughout the SDLC. In an “infrastructure as code” model, the code itself acts as a privileged user, with no human intervention.
To ensure rapid release cycles, DevOps teams must eliminate all bottlenecks in the production and testing process, including wait time on security teams. Creating and managing administrative privileges must not slow down your pipeline.
With reward comes risk
To keep pace with a rapid, iterative DevOps workflow, your team may be guilty of disregarding DevOps best practices and introducing bad habits that expose your organization to a cyber attack.
Developers may embed hardcoded keys or credentials in a file somewhere in an application’s environment. Or they may store credentials in a repository such as GitHub, forget about them, and then commit them to production. Some DevOps teams share private keys and credentials for immediate access, which increases the risk of insider threats, whether malicious or accidental.
These privileged accounts must be discovered, protected, controlled, and managed.
So, what are your options?
Use a free DevOps solution.
Free options for DevOps privilege management may offer temporary key generation, secret storage, and dynamic secrets. But they don’t meet enterprise needs, such as logging and audit trails, session monitoring or disaster recovery. If malicious code is injected into an application, or an application account is hijacked, DevOps teams need a way to instantly detect and alert when an application has gone rogue and to prevent unauthorized escalation of privileges. Basic, free tools aren’t enough to prevent an advanced attack.
Build a solution yourself.
Because you have tons of free time, right? Most developers aren’t security experts. Why spend time developing something not core to your business when you could use your resources in more effective ways?
Leverage the solution your security team uses.
You aren’t in this alone. Chances are your security team is also worrying about the privileged accounts used in the DevOps process. They may already have solutions in place for managing credentials for servers, databases, and workstations. Come to them with your requirements for speed and scale and see if you can work together to meet everyone’s needs.
Manage DevOps secrets safely