KuppingerCole has just released a new report “Security for DevOps and Agile IT: Preventing attacks in highly dynamic environments.” Authored by Martin Kuppinger and published in October 2018, the report addresses many of the key topics that security practitioners, security leaders and development team leads exploring the need for increasing the security of DevOps environments likely need to address.
Expanded Attack Surface
Organizations are discovering that as the use and adoption of DevOps and Agile IT has increased, securing these environments has become an increasingly important priority. In fact, in just a few years DevOps has changed how IT operates, and most importantly for security professionals, the increased use of micro-services, together with the increased number of DevOps tools used in the CI/CD pipeline, has expanded the attack surface relative to more traditional development environments. The four major drivers expanding the attack surface include:
- More secrets
- More components
- Increased volatility
- Increased scale
Top Requirements
The top requirements for securing an organization’s DevOps environment include factors such as the ability to:
- Consistently manage all types of secrets.
- Avoid islands of security or reliance on the native capabilities of standalone tools.
- Focus on simplicity and ease of use for developers.
- Establish a robust tamper-proof audit capability.
- Integrate with the organization’s existing Privileged Access Security (or privileged access management to use KuppingerCole’s terminology) infrastructure.
Mapping DevOps Security Needs with Existing Investments in Privileged Access Security
Security teams wrestling with how DevOps security fits within the organization’s broader Privileged Access Security environment should find the insights particularly interesting. For example, existing solutions alone are likely not adequate for securing Agile IT and DevOps environments. They simply don’t meet the requirements necessary for securing a typical, highly dynamic DevOps environment. Instead specialized security solutions are needed to secure DevOps environments, in addition to the existing privileged access security solutions the organization has deployed. However, rather than two separate systems, some form of integrated solution is required.
Action Plan for Securing Secrets
Most importantly, the report outlines an action plan for securing secrets and credentials in DevOps and Agile IT environments and highlights the importance of:
- Making it easy for developers to secure their applications and code.
- Isolating APIs so that security services can be refreshed and changed without requiring changes to code.
- Providing an integrated view and ability to manage privilege and secrets.
- Capturing and monitoring events by integrating with SIEM and other security systems.
A full copy of the report is available here. For more information on CyberArk solutions, including CyberArk Conjur for securing DevOps environments, visit cyberark.com/conjur. CyberArk Conjur is also available as open source at conjur.org – the open source version enables developers to rapidly gain experience using a powerful secrets management solution.
