Real Substance on Privileged Access in DevOps and Cloud

January 25, 2019 Edward Amoroso

If you share a generation with me (which is, uh, old), then you likely will remember those great Wendy’s TV commercials from the mid-80’s. In each of those ads, an elderly actress named Clara was handed a huge round bun surrounding a tiny burger patty. Her reaction included the now-famous phrase: “Where’s the beef?” Walter Mondale used the phrase to help win the Democratic primary that year against Gary Hart. It was a good concept, to say the least.

I often find myself wondering where the beef is in many of the cybersecurity reports that cross my desk each year. This is particularly true for technical and marketing documents that focus on popular concepts such as cloud and virtualization – primarily because this is where we are all looking for assistance. Most of these narratives are long on superlatives, and short on details – not unlike Clara’s big bun and tiny patty.

But I found one prominent exception today – one that appears to be filled with useful, accurate details. The topic involves optimizing privileged access in the context of DevOps and Cloud Computing environments. Sponsored by CyberArk, this beefy report includes contributions from thirteen prominent enterprise security executives. Available for download here, it’s details can be summarized below – hopefully without including too much spoiler material.

The report begins with a clear exposition of the typical modern DevOps pipeline with a clear explanation of the support tools used during the various phases of build, code, plan test, release, deploy, operate, monitor, and plan. The overlay diagram of commercial and free tools used during application of the DevOps methodology is especially useful in understanding automation in modern continuous delivery.

The report also includes specific guidance on the most familiar shortcuts that lead to privilege-related security issues in the context of DevOps and Cloud. I’ll let you discover the full list in the report, but I can tell you that it starts with the observation that credentials used in DevOps are prime targets for attackers. This is 100% consistent with my own experience, and such insight is vital to selecting the proper DevOps security controls.

The report concludes with several specific recommendations on immediate actions that can be taken by enterprise security teams to reduce privileged access-related risk in DevOps and Cloud. My favorite recommendation is that companies should transform their security teams into full DevOps partners. This has the benefit of helping software developers make the right decisions in their DevOps tasks.

Now, I know that everyone in our industry is busy, and we all have limited time to go through technical reports. But this one is worth your while: It has substance, it includes specific details, and it includes actionable recommendations that will help you in your day-to-day DevOps and Cloud-related activities. And one thing I can promise: Once you’ve completed the report, you will not be asking: Where’s the beef?

Download the CISO View and start learning best practices for protecting privilege access in cloud environments.

Edward Amoroso is the CEO of TAG Cyber, a global cybersecurity advisory, training and media company. Amoroso is also the former Senior Vice President and Chief Security Officer of AT&T, where he worked for 31 years. Find him on LinkedIn and Twitter.

Previous Article
Data Privacy Day Celebrates a New Era in Privacy
Data Privacy Day Celebrates a New Era in Privacy

The annual international Data Privacy Day recognizes the importance of protecting personal data. Get involv...

Next Article
NIST Guidance for Financial Services: Protecting Privileged Access is a Business Imperative
NIST Guidance for Financial Services: Protecting Privileged Access is a Business Imperative

Unpacking the National Institute of Standards and Technology “Privileged Account Management for the Finacia...