January 2, 2018 | DevOps | Chris Smith
As we kick off 2018, what hopefully is a very promising and secure year for you, it’s a good time to consider how securing secrets in your DevOps pipeline can reduce your risk exposure and attack surface. We recently posted an article on our blog exploring some of the many challenges security teams and enlightened developers face in managing the proliferation of secrets and privileged users throughout the DevOps pipeline. Basically, we addressed how to significantly reduce risk—without impacting velocity or negatively impacting the work of developers.
This can, understandably, seem like a daunting task, particularly when you consider the countless non-human actors—processes, services, containers, hosts and more—that constantly need privileged credentials to do everything from accessing other resources and services to communicating with databases to obtaining encryption keys. While certainly not a brand new phenomenon, organizations’ increasing reliance on automated cloud services, container-based deployments and micro services-based architectures has illuminated a massive gap in how they manage machine identities for non-human actors, or in other words, how they protect the secret information flowing from machine-to-machine with little or no human oversight. Remember—we’re no longer talking about securing a finite number of machines sitting on a rack somewhere, but instead, hundreds upon thousands of virtual machine instances running simultaneously at any given point in time.
For organizations that take advantage of DevOps’s agility without adequately securing the secrets and credentials used in their DevOps environment, there is urgency to take action. DevOps automation not only builds and deploys apps at scale, but it also creates and assigns credentials and secrets at scale. If these secrets aren’t adequately secured and protected, then as the apps scale, the enterprise creates an ever-increasing technical debt of vulnerabilities. Basically, the problem may be getting worse, at scale.
How can organizations get started? Some traditional security solutions for secrets management are simply not a great fit in today’s modern era of clouds, containers and DevOps. As a result, a new wave of “secrets management” platforms is emerging, and it’s changing the way organizations deliver identity, secrets and tokens—as well as the way they validate systems for automated establishment of trust.
The independent analyst firm Securosis has published new research examining the critical need for such modern secrets management tools. The crux of the paper, Understanding and Selecting a Secrets Management Platform, addresses the fact that security around provisioning access rights to services is largely absent today. Far too often, credentials are kept in cleartext within documents of various types, while many companies rely on identity stores’ systems to maintain a central point of control over identity and access rights. Yet, these systems lack a distribution mechanism to consistently support security policies across today’s mixed and increasingly complex cloud and DevOps environments.
Available for free download here, the Securosis research paper outlines:
- The Challenge of Machine Identities: From both the security practitioner’s and the developer’s perspective.
- Principal Customer Use Cases: A diverse set of real-life use cases, including API Gateways and access keys, services, build automation, provisioning machine identities, encrypting data and sharing.
- Features and Functionality: The basic functions every secrets management platform needs to address, as well as advanced feature sets that are emerging, comprising deep log creation and integration options, tighter integration with IAM services, secret generation and secret revocation.
- Deployment Considerations: How these platforms deploy, how they provide scalability and resiliency and how they integrate with the services they supply secrets to.
Effective secrets management is integral in transforming DevOps as we know it to a truly integrated secure DevOps, or DevSecOps model. We encourage you to download this timely piece of research. To learn more about the industry’s only platform-independent secrets management solution specifically architected to protect containerized and cloud-native applications across the DevOps pipeline, visit the CyberArk Conjur page.
Editor’s note: Join CyberArk and Securosis Security Analyst, Adrian Lane, for webinar on January 25, 2018: “Secrets Management – Where Security and DevOps Intersect.”