DevOps Security Watch: Three Trends to Track in 2018
February 14, 2018 | DevOps | Elizabeth Lawler
In recent weeks, I’ve been on the road traveling with colleagues and visiting with customers and prospects. Collectively, we’ve had interesting conversations about the new and reoccurring risks companies face, and the tough job many face at they manage their security portfolio. I thought I’d share some of my observations and details about what I have my eye on in 2018.
Observation: The Uber breach was just a peek behind the curtain of what’s to come
The Uber breach rocked headlines in 2017, but it shouldn’t have been so surprising. Data of 57 million customers was ultimately exposed because Uber developers used an all too frequent workaround to manage credentials in a software repository, which gave hackers access to their privileged accounts. Those developers aren’t alone, and this is a peek behind the curtain of a common practice amongst developers. There’s no simple way to securely collaborate across tools.
Organizations at large fail to make security easy for DevOps practitioners, and that causes friction and creates opportunity for failure. Developers aren’t—nor should they be expected to be—security practitioners. They are responsible for features and functionality, not figuring out how to manage credential collaboration and security for those key assets. The Global Advanced Threat Landscape Report indicated that most organizations could not identify all the places and “workarounds” where credentials were stored, some of which are highly vulnerable. Also noted in the survey—73 percent of organizations had no strategy to address privilege account security for DevOps at all.
Unfortunately, we’ll continue to see breaches similar to Uber’s in 2018 and beyond. There’s an obvious failure in the developer user experience. Companies ask developers to manage security assets when it shouldn’t be a part of their core job function, nor do they have experience doing so. Automation will play a key role in making security more seamless, and that means making security part of developers’ native experience.
Another reason why the breach perhaps shouldn’t have been so surprising is because new research suggests that Uber might not be alone in its response at attempting to hide the breach from its customers. Part two of the Global Advanced Threat Landscape Report finds that 50 percent of organizations did not fully inform customers when their personal data was compromised in a cyber attack. Alarming, yes; surprising, maybe not so much.
Observation: 2018 will reveal security is a full-time job on the DevOps team, and there will be a new talent gap in DevSecOps
Organizations are turning to DevOps workflows to achieve transformative velocity and innovation, but they’re not prepared or staffed to manage the security of these environments. We’ll see a critical talent gap of DevSecOps practitioners as business leaders increasingly prioritize cyber security.
Many organizations simply task the same DevOps practitioners—often with no security experience—to protect these environments, in addition to the numerous other responsibilities they have to deliver. That’s no longer sufficient, especially considering the increasing threat surface in DevOps workflows and the associated risks in managing the scripts, platforms and systems used in automated workflows.
DevSecOps practitioners are in high demand. They’ll be even harder to find in 2018 as organizations realize that they have the right tools but not necessarily the right people to manage them. Security will become a full-time job focused on DevOps workflows, and there will be few practitioners to fill that role available in the market.
Observation: Least privilege will get a facelift in the world of DevOps in 2018
Organizations are starting to understand that “identity” hasn’t been completely addressed in the full enterprise stack. There’s no common standard for machine identity, access control and management, or audit across a multiplicity of platform components. Organizations are only as safe as their weakest link. The weak link could be a VM, container or any of the dozens of platform layers that now exist across the network. As these matrixes expand, they become substantially harder to control.
As a result, there needs to be a stronger definition of machine identity in highly automated systems that carry increasingly sensitive data. I predict that we’ll start to see a meaningful application of the concepts formerly used in human access management applied to machines. By forcing the DevOps team to consider and apply “Who are you, what are you, what are you asking for?” to machines—including the DevOps environment—organizations can follow security best practices and limit what machines are doing, without compromising operations. This will enable true accountability for the security posture of DevOps environments and the process of continuous delivery of least privilege in DevSecOps can become a reality.
Ultimately, it’s important to understand that DevOps doesn’t have a full picture view of security. They primarily think about software vulnerability and patch management as the “scope of their security function.” To test this, you can ask them which security tools they use. They will likely say, “Terraform, GitHub, Ansible, etc.” They are only looking at patches and vulnerabilities. They aren’t looking at access control and privilege associated with their access to tier zero assets. They aren’t thinking about secrets management.
Sure, DevOps made HeartBleed easier, but it didn’t prevent the Uber breach because the “security tool” that was ultimately compromised was the source of the breach. The rest of the toolchain has the same problem. Think about it: I phish one DevOps tools, and I own your systems.
It’s time to either bring in the security teams to help secure your toolchain or start thinking like an attacker.