How Secure is Your Continuous DevOps Pipeline?

February 21, 2018 Chris Smith


Code fast, beat the competition to market and build market share. This is the value of DevOps. Businesses around the world fuse software development, integration, test and operations practices to accelerate digital transformation and enhance business performance and agility. In fact, research shows that agile firms grow revenue 37 percent faster and generate revenues 30 percent higher than firms that have not embraced DevOps[i].

But, are these organizations missing a critical step?

Many developer and operations teams have “settled their differences” to leverage countless containers, applications and virtual machines in order to move and produce at unprecedented scale and speed. Now, some organizations struggle to answer critical security-related questions about these new processes, such as:

  • Who—or what—has access to these virtual machines and applications?
  • Where are the secrets and credentials stored?
  • Is our continuous CI/CD pipeline continuously secure?

DevOps Introduces New Security Challenges

As we’ve explored in previous posts, the DevOps pipeline comprises a diverse collection of development, integration, testing and deployment tools, people and resources. The sheer scale and diversity of this ecosystem can make it difficult to secure for three key reasons:

  • Each development and test tool, configuration management platform and service orchestration solution has its own privileged credentials, which typically are separately maintained and administered using different systems, creating islands of security.
  • Secrets (passwords, SSH keys, API keys, etc.) used to authenticate exchanges and encrypt transactions are scattered across machines and applications, making them nearly impossible to track and manage.
  • Developers often hard code secrets into executables; an attacker who extracts those secrets can use them to mount attacks and expose confidential data.

The proliferation of containers has exacerbated these security challenges by creating “secrets sprawl.” Consider that in any given enterprise, hundreds of VMs can easily give way to thousands or hundreds of thousands of containers—each with its own security attributes.
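The hard-coded secrets and secrets-sprawl problems described above can be checked for mechanically. The following is an added illustration, not code from CyberArk, PwC or the Conjur product: a small scanner that flags assignments of non-empty string literals to secret-looking identifiers in source text, beside the hardened pattern of resolving a secret at runtime (a plain environment variable stands in for a secrets-management client here) and failing closed when it is absent. The sample source lines, identifier names and values are constructed for the example.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample of source lines, standing in for files pulled from a repo scan.
# The first two and the ssh_private_key line are the "before" anti-pattern; api_token
# shows the hardened form; the last two are benign (no secret, or an empty placeholder).
SAMPLE_SOURCE = """\
db_password = "Hunter2-prod-2018!"
aws_secret_access_key = 'AKIAconstructedExampleKey0000'
api_token = os.environ["API_TOKEN"]
timeout_seconds = 30
ssh_private_key = "-----BEGIN RSA PRIVATE KEY-----"
password = ""
"""

# Matches `<identifier containing a secret-ish word> = "<non-empty literal>"`.
# A value read from the environment or a secrets client is not a literal,
# so it does not match; an empty string placeholder is also not flagged.
SECRET_ASSIGNMENT = re.compile(
    r"^\s*(?P<name>\w*(?:password|passwd|secret|token|api_?key|private_key)\w*)"
    r"\s*=\s*(?P<quote>['\"])(?P<value>[^'\"]+)(?P=quote)\s*$",
    re.IGNORECASE,
)


def redact(value: str) -> str:
    """Keep only a short prefix so the scan report does not itself leak the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, identifier, redacted_value) for each hard-coded secret literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.match(line)
        if match:
            findings.append((lineno, match.group("name"), redact(match.group("value"))))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: resolve the secret at runtime from an injected source
    (environment here, a secrets manager in production) and fail closed if it is
    missing, instead of falling back to a literal compiled into the binary."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} not provided; refusing to start")
    return value


if __name__ == "__main__":
    for lineno, name, redacted in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded secret in {name!r} -> {redacted}")
    # Hardened path, with a constructed injected value instead of a literal in code.
    print(load_secret("API_TOKEN", {"API_TOKEN": "constructed-runtime-token"}))
```

Running the block reports lines 1, 2 and 5 of the sample with their values redacted, and the hardened loader only succeeds when the secret is injected at runtime; in a pipeline this kind of check belongs in a pre-commit hook or a CI stage so a literal never reaches a build artifact.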

Secrets Management at the Speed of DevOps

PwC has deep experience in security and DevOps and recently released a new white paper focused on securing DevOps environments. PwC’s white paper illustrates its strong capabilities in working with enterprise clients to identify, design and deploy improved processes and technical solutions for DevOps that also include a critical element: secrets management. The white paper introduces PwC’s High Velocity IT solution, which is underpinned by the CyberArk Conjur secrets management solution and helps organizations reduce risk without impacting velocity. The joint solution addresses the full spectrum of tasks and activities needed to convert ideas into useful technology-centric functions. For example, outcomes could include lower delivery costs, fewer errors in production, improved agility and metrics-based continuous improvement.

CyberArk + PwC = High Velocity IT

CyberArk has an extensive business relationship with PwC—the global consulting firm has deep experience architecting and implementing CyberArk solutions. In fact, CyberArk named PwC its Global Systems Integrator of the Year Americas in 2017. PwC’s experience in working with CyberArk empowers IT organizations to efficiently manage access and authorization privileges across the DevOps pipeline, helping security teams mitigate risks and improve compliance without hindering workflows. Together, CyberArk and PwC can help organizations build a secure and agile DevOps pipeline to achieve high velocity IT.

For additional best practices from PwC and CyberArk on securing your DevOps pipeline and achieving compliance without adding roadblocks to DevOps workflows, register for our joint February 22 webinar and download the free white paper.

 [i] How business can survive and thrive in turbulent times. The Economist Intelligence Unit Ltd.
