2017 has been a year defined by change, and the volatile political and economic climate has created a complex picture for organisations to navigate. Technology has often been the answer, giving organisations better sight of their data and the ability to launch new options to customers, quickly. But this drive to innovate has come at a cost.
The DevOps phenomenon has taken off at businesses around the world in the past two years. However, the need to spin up new applications, processes and services quickly within businesses and launch them at speed creates its own issues; safeguards to protect the business have often fallen by the wayside in a bid to stay ahead of the competition.
Not only this, but DevOps teams have largely been left to operate in isolation. In fact, the Advanced Threat Landscape 2018 report commissioned by CyberArk revealed that 75% of security professionals report having no privileged account security strategy for DevOps within their organisation, creating significant weak points for attackers to target.
Networks can be complex in any given digital organisation, but when you look closely, it can be a quite frightening picture, made up of different elements brought together to make a whole. Test automation, containers, orchestration, deployment, measurement… the list goes on. Each likely has different levels of control and access (and privileged credentials more often than not) and hackers are looking to exploit the gaps which emerge between them.
Moreover, DevOps teams are always looking for new ways to innovate and complete their jobs faster – something of great value to businesses when conducted properly.
However, downloading tools from the internet to help speed things up could be compromising company data and IP even further. The frequency of changes in these environments, once they’ve been pushed out to the edges of organisations, can also make it difficult to unpick processes and tools.
So, what can they do now to tackle this disconnect and close the increasingly open door which is being left for hackers? There are three key elements to consider:
Bring DevOps and security together, fast – integration between teams is lacking for nearly two thirds of DevOps and security teams. Consequently, many DevOps professionals are taking matters into their own hands.
In fact, the Threat Landscape report found that nearly a quarter of them have built their own security solution to protect and manage secrets for DevOps projects. Though this is a step in the right direction, further cooperation is required to ensure businesses are adequately protected, and create consistency between the development of new tools and their rollout across the organisation.
Take control of credentials – With different tools in place, it’s essential organisations abstract out credentials from these tools and have a centralised set of secrets. By taking these out of the workload, it’s far more straightforward to manage access to these secrets.
Automate – Organisations must consider how automation can help them respond to the ever-changing internal processes and external threat landscape. By creating consistent, repeatable and reportable processes, which can be implemented to maintain a security standard each time a new tool, process or application is spun up, it is possible to vastly improve the protection offered to organisations as new innovations are rolled out.
But it’s not just down to DevOps and security teams – all business leaders need to put in place clear guidelines that capture anyone who could be opening the door to hackers but failing to put in place adequate security measures. Added to this, all relevant groups within the business – be they DevOps, security, broader IT and (increasingly) legal and compliance teams – to come together and plot a cohesive strategy.
This is easier said than done, as teams are often focused on different priorities, but essential in tackling the threat. It’s time for businesses to wake up to the threat and put in place safeguards now, before the rush to innovate is undermined.
Sourced by Elizabeth Lawler, vice president, DevOps security at CyberArk