What is DevOps security?
DevOps Security addresses the integration of cybersecurity best practices into the rapid-release cycles of today’s application development and deployment operations (DevOps).
Instead of releasing a few application updates per year, more and more development teams are pushing frequent micro-releases to react more rapidly to market demand. Thus, new environments are created and disposed of by DevOps teams on a rapid and regular basis while connecting hundreds—even thousands—of times every day.
Corporate pressure to maintain this competitive pace can create a culture that prioritizes productivity over security. This has major implications for privileged access security.
That’s because DevOps practices can expose security vulnerabilities tied directly to privilege management. However, conventional PAM solutions are not designed to support the speed and scale required of DevOps team workloads.
DevOps and privileged access
DevOps configuration management and orchestration also depend on privileged access to continually spin up servers, install software and make changes as part of the process. Cloud services these days are also used by DevOps teams to scale up to tens of thousands of containers, servers, and applications and quickly deploy them across multiple environments, including dev, test, and production.
How do DevOps practices put organizations at risk for credential compromise?
Because DevOps teams need on-demand access to cloud-based applications and databases to administer systems and debug issues, it’s common for developers to share private keys and credentials for immediate access. This substantially increases the risks from insider threats, either malicious or accidental. Developers may hardcode passwords or store them externally in GitHub or locally in a spreadsheet to save valuable time within applications they build. These passwords may provide unintentional access to data or other critical corporate resources that live in the cloud.
Even if DevOps teams use security tools like vaults to manage passwords for privileged access, they will likely spend extra time building their own instead of focusing on product development. In some cases, organizations could use multiple vault instances that aren’t connected, centrally managed, or auditable.
The result of all these standard development practices means that rapid PAM practices and solutions should be implemented to protect accounts and access DevOps. This is particularly true for DevOps teams relying on cloud services for development. For example, more than half of organizations use some form of Platform-as-a-Service (PaaS) to develop applications.
How can PAM solutions help assure DevOps security?
There are several ways in which PAM solutions can help meet typical DevOps security challenges by establishing best practices in protecting privileged access.
Manage access to admin consoles - The control panel, or dashboard, for PaaS resources gates usage of containers, microservices, databases, and orchestration tools used for application development and deployment. PAM tools can govern, monitor, and record access to this central management console.
Secure how tools talk to each other - Tools within an integrated DevOps toolchain need to seamlessly and automatically work together, according to policies and thresholds, to maintain the necessary velocity in the development cycle. PAM solutions allow for crosstalk among development applications via API injections instead of inserting a human, which introduces error into the mix and slows things down.
Eliminate the need for hard-coded or externalized credentials in code - With PAM, instead of housing secrets in unsecure repositories where they can be hijacked and exploited. Credentials can be pulled from a secure vault. There, they can be hidden and rotated automatically to mitigate risk. Usage can also be tracked to monitor for unexpected activity.
More DevOps Security Resources:
An introduction to DevOps secrets management and vaulting
A Need for Speed: What’s a High-Speed Vault and why do DevOps teams need one?
Best Practices to Incorporate DevOps in Enterprise Security
Take Control of Secrets in Your DevOps Environment
DevOps PAM Tools