Applications Are Everything and Everywhere – Does Whack-a-Mole Security Work?

April 2, 2021 Chris Smith


The SolarWinds digital supply chain attack began by compromising the “heart” of the CI/CD pipeline and successfully changing application code. It highlighted the major challenges organizations face in securing their applications across the software development lifecycle and is driving increased attention at the highest levels of enterprise and government. In fact, Reuters recently reported that the Biden administration is preparing an executive order outlining new software security and breach disclosure requirements.

As organizations look to strengthen their digital supply chain and protect the applications they develop and use, many are focusing on application secrets – which are ripe targets for attackers and can provide unrestricted privileged access to sensitive systems.

Cloud-Native Apps Expand Security Needs

Today, many organizations are taking a cloud-native approach to building, testing, and deploying new applications – whether front- or back-office, consumer-facing, web or mobile. And by embracing DevOps methodologies and automation, they’re quickly moving along the digital maturity curve.

As applications are increasingly built using microservices and run in dynamic, short-lived containerized environments, everything needs to interact with each other – sharing secrets and credentials to securely access resources. The result: a lot more secrets that need to be secured.

What’s more, the powerful DevOps and automation tools developers use to build applications, such as Jenkins and Ansible, store massive amounts of credentials and secrets within them. This allows the projects, playbooks, and scripts managed by these mission-critical “Tier 0” assets to access other tools, services, and platforms. All of these tools also require high levels of privilege.

Whack-a-Mole Security: So Many Applications, So Little Time, No Standard Approach

But, of course, it’s more than just cloud-native apps. Most enterprises have many different application types in their portfolio: some legacy apps, newer apps written using .NET, for example, and even mainframe applications.

It’s becoming clear that building a strong modern IT infrastructure hinges on an organization’s ability to secure all application types – from the back-office mainframe running high-volume transactions on z/OS, to Kubernetes apps running across multiple cloud regions – at the speed of business, and at scale.

Yet that’s easier said than done. Today’s developer culture emphasizes high velocity, intensive sharing of code, ad-hoc tooling, and full-on automation – all of which can introduce new vulnerabilities such as exposed secrets and code injection. Meanwhile, threat actors are growing in sophistication and precision, targeting applications and development environments and zeroing in on unprotected credentials and secrets with increasing ease to hijack IT resources or steal data or code. Even the most secure RPA workflows and DevOps pipelines have tiny cracks if you know how to find them.

So how can time- and resource-constrained security teams possibly find and secure all of these applications and secrets – let alone protect new ones being created each day in these dynamic environments?

Many end up taking a piecemeal approach, securing secrets in one platform or tool with one secrets management solution, while using a different method to secure secrets in another area. Without a standardized approach to secrets management, teams are left juggling many different moving pieces. The old game of whack-a-mole comes to mind: as soon as one issue is resolved, another one pops up.

Secure All Application Types with CyberArk

At CyberArk, we’ve long been committed to helping organizations secure the broadest range of applications across the broadest range of environments with our privileged access management (PAM) solutions. As our customers move along the digital maturation curve, many are shifting to our PAM-as-a-service offering, CyberArk Privilege Cloud.

In Q1 2021, we introduced a new integration between CyberArk Privilege Cloud and CyberArk Conjur Secrets Manager Enterprise, providing our SaaS customers with a centralized way to secure cloud-native, containerized apps and DevOps environments. This follows our integration with CyberArk Credential Providers, further expanding support across many application types.

Now organizations can centrally secure, manage and audit privileged credentials and secrets used by non-human identities anywhere – including cloud-native applications, CI/CD and DevOps tools, internally developed applications, commercial-off-the-shelf (COTS) apps, RPA software bots and automation platforms – whether they’re running PAM as-a-service or on premises.

With CyberArk, mission-critical applications running at scale can securely access high-value resources, including databases and IT infrastructure. Our flexible SaaS model makes deployment faster and easier, reduces operational complexity, and drives business agility – all while shrinking the attack surface.

The Right Place to Start

Putting a plan in place to secure the ever-expanding number and types of applications across your organization can feel daunting – but it doesn’t have to. Take advantage of tools that help you prioritize and focus on your most important unsecured apps first, achieve “quick wins” in reducing risk, and accelerate your efforts by being more strategic.

Stop playing whack-a-mole. Get consistent about secrets management to keep your applications safe and prevent them from exposing the enterprise to unnecessary vulnerabilities. Get a personalized demo to learn more.
