Painful Lessons Breaches Teach Us About DevOps and Security

November 28, 2017 Elizabeth Lawler

Cloud and DevOps are critical technology engines helping to power transformational advances across many businesses. Most of us in IT, security and development know that there are secrets and credentials in cloud and DevOps environments that must be protected. Despite this knowledge, we continue to see incidents that expose private data. The recent Uber breach serves as a timely reminder of the need to protect credentials and the damage that happens when they are not protected.

Incidents Exposing Private Data Are Becoming Regular Occurrences

Unfortunately, breaches continue to occur with an alarming frequency and with damaging and potentially devastating results. This is especially true for consumer-facing businesses where trust is an important ingredient. Last week, Uber revealed that an attacker had gained access to some 57 million driver records and other data. This breach is far from being an isolated example. Last summer, it was reported that millions of customer and personnel records were exposed inadvertently in three separate instances. In these cases, third-party contractors misconfigured S3 storage buckets for public access – this happened at a military contractor, a leading wireless provider, and a top cable TV provider, and like the Uber breach, each made the news.

We don’t know the details, but reportedly the Uber data was exposed because the AWS access keys were embedded in code that was stored in an enterprise code repository by a third party contractor. A clear takeaway is that no code repository is a safe storage place for credentials.

Cloud and DevOps Raise the Stakes Significantly

In today’s fast-paced, agile world, it’s dangerous, and increasingly, consumers, regulators and markets find the resulting breaches to be costly and unacceptable. As a result of breaches, you can see hundreds of millions potentially lost in market capital, a dip in consumer trust—which is a critical enabler of the sharing economy—and careers can in some cases be over or stalled. Maybe it’s an exaggeration to say that some digital businesses put their entire business at risk by inadvertently publishing a single key to their critical data, but it certainly hurts and opens up opportunities for competitors.

By Enforcing Least Privilege, Many of These Incidents Are Potentially Preventable

The frustration is that many of these problems are predictable and could be mitigated with effective and available solutions. While no solution can be 100% effective, secrets management solutions are used by some very large and security savvy organizations. These businesses want the velocity benefits provided by DevOps and cloud computing, and they take extra measures to ensure they do not expose their organizations to increased risk. These enterprises are achieving agility AND security.

It is becoming a cyber security best practice to eliminate secrets, such as AWS root credentials and access keys from any public or private source control system and other plaintext locations where they could be misappropriated by a malicious actor. Some organizations mistakenly think that source control will protect them, but it simply won’t. Source control is not a security tool nor is it an appropriate location for storing sensitive passwords, secrets and access keys.

Take Control and Prevent Incidents

CyberArk products, including CyberArk Conjur which is specifically designed to help secure DevOps pipeline, provide secure credential vaulting for AWS, Azure, and other public clouds, and an access controlled workflow for delivery of secrets “just in time” to the application run time environment via automation. Automation is a key element because it takes developers and other humans out of the role of being the responsible party for deciding where and how to store sensitive secrets and credentials used by CI/CD tools, applications and other IT systems.

With CyberArk Conjur, secrets and credentials, including cloud root credentials and access keys, can be secure, controlled and managed—and removed from the software development and delivery systems, including public and private repositories such as GitHub. Developers, including third-party contractors, can easily integrate and deploy Conjur into the code that they write to access secrets and credentials when they are required. This enables organizations to almost completely avoid exposing the actual secrets, keys and credentials to any human or code and reduce risk. The CyberArk solution enables security and IT organizations to control and manage the secrets and keys which give access to the corporate and customer data that organizations don’t want to expose.

There are lots of other benefits from deploying a secrets management solution for DevOps and cloud. These benefits include usage monitoring, automated key rotation, tracking of identification of suspicious activity, audit and establishing compliance controls.  All of these are very powerful and designed to prevent the types of event that Uber experienced and ensure safe application development and deployment environments in the cloud.

It’s Easy to Get Started

Attend a CyberArk DevOps workshop, talk to one of our DevOps experts, schedule a demo, or start using CyberArk DevOps Solutions. Integrated with many of the leading DevOps tools, CyberArk Conjur is available in several versions, including a free and open source solution for developers. CyberArk Conjur Enterprise offers a highly scalable enterprise product that extends the open source version to include many additional features, including integration with the CyberArk Vault. Additionally, CyberArk Professional Services can be used to jump start securing cloud and DevOps environments with 30 Day Sprint methodologies. Our goal is to help organizations secure their DevOps and cloud environments. For more information contact CyberArk.


Previous Article
Protecting Cross-border Data Transfers for GDPR
Protecting Cross-border Data Transfers for GDPR

Corporate legal counsels, technology providers, IT professionals – and anyone else paying attention to the ...

Next Article
Turning up the Heat on “FallChill”
Turning up the Heat on “FallChill”

US-CERT, in coordination with the FBI and Department of Homeland Security, recently released technical deta...