Enable a Secure DevOps Environment

The fast-growing DevOps movement provides a tremendous opportunity to deliver solutions with faster time-to-market by relying on a dynamic, automated, collaborative process. While the container ecosystem focuses on continuous integration, it was not fundamentally designed with security in mind. As a result, organizations are often forced to make difficult trade-offs between speed, efficiency and security.

This is particularly evident when it comes to privileged accounts. Due to the dynamic nature of the DevOps environment, new privileged accounts are proliferating within the IT infrastructure at a rapid-fire pace, resulting in an extensive attack surface. Highly desired by attackers because of the extensive access they grant, privileged credentials can be found embedded within many DevOps solutions, such as automation, configuration and orchestration tools running within the environment. These embedded, shared credentials are difficult to secure and rotate without risking disruption to the Continuous Integration and Continuous Deployment (CI/CD) workflow. And since developers require this quick, easy CI/CD workflow to do their jobs effectively, “heartbeat” users (e.g., developers, IT operations and admins) often end up with far more privileges than needed. As a result, virtually every user can potentially manage systems, develop code and access the full production environment.

The active, rapidly changing DevOps environment makes maintaining visibility and control of all accounts a major challenge for organizations today.

To secure the DevOps environment, lock down privileged accounts, and ultimately help to prevent data breaches and other compromises, organizations must proactively implement security controls that can:

  • Manage, secure and control access to privileged accounts. All privileged accounts in the DevOps environment must be managed and secured. As part of this, credentials should be centrally stored and regularly rotated. To maintain segregation of duties, access to credentials should be controlled so only authorized users have access to privileged accounts.
  • Secure credentials used by applications and scripts. Credentials used by DevOps solutions to authenticate to and access sensitive resources should be managed and secured. They should be removed from code and configuration files, securely stored in a central repository and regularly rotated. Additionally, each application instance should have its own unique account and credential. These credentials should be retired as soon as they are no longer needed.
  • Authenticate and authorize app and container access to sensitive DevOps resources. To keep malicious apps out of the DevOps ecosystem, access requests to different DevOps resources, as well as web requests between applications and services, should be granted only after the identity of the requesting entity (app or container) has been authenticated.
  • Enforce Least Privilege. To reduce the risk of mistakes and privilege abuse without affecting productivity, organizations should limit privileged access and centrally manage privilege escalation. This is particularly important for service accounts: every one that is used by COTS or CI/CD tools should be provisioned or de-provisioned through an automated process while maintaining the least privilege principle and complying with the organization’s access policies.
  • Monitor User Activity. Tracking developers’ activity throughout the software development lifecycle, knowing who built an image and added it to the Registry, and who made changes to privileges, namespaces, processes, and policies is necessary to maintain control of the environment.
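
The credential controls listed above (central storage, regular rotation, one credential per application instance, prompt retirement) can be checked mechanically against a credential inventory. The following is an added example, not code from this page or from any CyberArk product; the field names, the 30-day rotation window and the inventory entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: the page says only "regularly rotated"; 30 days is illustrative.
MAX_AGE = timedelta(days=30)

@dataclass
class Credential:
    account: str
    instances: tuple      # application instances that authenticate with it
    stored_in: str        # "vault", or the path of the file that embeds it
    last_rotated: date
    in_use: bool          # False once the workload has been decommissioned
    retired: bool = False

def audit(cred, today):
    """Return the controls this credential violates."""
    findings = []
    if cred.stored_in != "vault":
        findings.append("embedded")          # still lives in code or config
    if len(cred.instances) > 1:
        findings.append("shared")            # not unique per instance
    if not cred.retired and today - cred.last_rotated > MAX_AGE:
        findings.append("rotation-overdue")
    if not cred.in_use and not cred.retired:
        findings.append("not-retired")       # no longer needed, still valid
    return findings

def audit_inventory(inventory, today):
    """Map each non-compliant account to its findings."""
    return {c.account: f for c in inventory if (f := audit(c, today))}

# Constructed sample inventory (hypothetical accounts and paths).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Credential("svc-build-01", ("ci-runner-1",), "vault", date(2024, 5, 20), True),
    Credential("svc-deploy", ("deploy-a", "deploy-b", "deploy-c"),
               "ansible/group_vars/all.yml", date(2023, 11, 2), True),
    Credential("svc-batch-old", ("batch-7",), "vault", date(2024, 5, 25), False),
    Credential("svc-legacy", ("legacy-1",), "vault", date(2022, 1, 10), False, True),
]

if __name__ == "__main__":
    for account, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{account}: {', '.join(findings)}")
```
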

The DevOps environment is only as secure as the privileged credentials required to access the sensitive resources. Motivated attackers recognize the explosive growth of privileged accounts throughout the container ecosystem, and as a result, often target them specifically as part of the critical path to a successful cyber attack. That’s why privileged credentials used as part of the deployment lifecycle must be properly protected, not as an afterthought, but at the beginning, when a new user or asset is created.

The CyberArk Privileged Account Security Solution is built into the DevOps pipeline, ensuring that every privileged account is protected from the time it is created.

Key benefits:

  • Centralized credential protection and management. Automatically secures and manages privileged credentials (passwords, SSH keys and API keys) of users, applications and DevOps tools from the instant they are created.
  • Protection, management and auditing of credentials used by applications and DevOps resources. Centrally stores, secures and controls access to credentials embedded in applications, tools and scripts.
  • Granular “least privilege” access control. Implements “least privilege” policies by controlling which DevOps resources privileged users can access, and what they can do with them, based on their roles and tasks.
  • Secure and controlled user access to sensitive DevOps resources. Centralizes access to DevOps resources through a single access control point to maximize control and visibility.
  • Continuous monitoring of all privileged user activity and alerting on suspicious behavior. Monitors and analyzes activity to quickly detect unauthorized and suspicious activity to reduce negative impact to the environment.

To learn how you can protect your privileged accounts in a DevOps environment, contact us.