Editor’s Note: This is part three of a blog series on securing privileged access and identities in the cloud.
- Part 1: Five Best Practices for Securing Privileged Access and Identities for the Cloud Management Console
- Part 2: Best Practices for Protecting Your Organization’s Dynamic Cloud Infrastructure
DevOps is transforming how organizations across industries from banking to eCommerce to healthcare build and deliver cloud-native applications. With DevOps, new application functionality can be delivered in rapid iterations and at scale, driving agile innovation to meet increasing customer demands and build competitive advantage.
A recent Harvard Business Review Analytic Services study found that roughly two-thirds of respondents use DevOps, and see benefits that impact their bottom line, including increased speed to market (identified by 70% of respondents), productivity (67%), customer relevance (67%), innovation (66%), and product/service quality (64%).
Using continuous integration methods (CI), developers merge code changes to a repository multiple times a day, which are automatically integrated into builds. Through continuous delivery (CD), code is always in a deployable state so it’s ready for release into production at the touch of a button.
As custom-built cloud applications are built and delivered using these agile DevOps practices, they rely on API access keys for dynamic connection to other applications and resources. Sometimes referred to as “API keys,” these powerful credentials are used to authenticate applications and DevOps automation tools and enable programmatic requests to the cloud environment. API keys can be used for virtually anything, from provisioning a container to copying a database to allowing one service to access data from another. Attackers have used API access keys — stolen from phished endpoints or inadvertently posted to public code repositories and other sources — to steal customer data and valuable intellectual property or destructively delete source code.
Many of the DevOps tools used to orchestrate development and delivery of custom-built cloud applications are also highly privileged. For example, CI/CD tools for configuration management, such as Ansible, and those used to run automated tests and builds, like Jenkins. Since these “tier 0” tools enable full control of the environment, admin access must tightly be controlled and restricted to reduce exposure.
1. Remove all embedded API keys and secrets from source code, scripts, and automation tools. DevOps culture emphasizes collaboration and code sharing. It’s common practice to post-application code to GitHub and other public repositories. Yet too often, this code contains embedded API keys and other credentials and secrets, and attackers troll these repositories to locate and abuse them. Stay a step ahead by removing hard-coded credentials completely. Similarly, never provide human users with direct access to API keys.
2. Proactively secure all API keys and secrets in a secure digital vault that supports strong privileged access controls. Only allow access to authorized, verified users and applications under centralized, corporate-wide access policies.
3. Enforce least privilege access controls for all DevOps tools, including admin consoles as well as highly privileged human users. Follow strong privileged access management best practices, such as rotating privileged credentials and monitoring and recording privileged access activity for human and automated users.
4. Apply consistent, enterprise-wide security policies to the tools and admin consoles used at each specific stage of the DevOps pipeline: plan, code, build, test, release, deploy, operate, monitor.
5. Leverage single sign-on (SSO) and multi-factor authentication (MFA) to solve pervasive password challenges and strengthen Identity Security when granting DevOps access to any highly privileged human user.
6. Perform regular audits to identify gaps and privilege-related risk and to continuously improve overall security posture.
Consistency Is Key
The most effective cybersecurity programs enforce identity and privileged access policies consistently across their entire organization — regardless of infrastructure, application mix, or development philosophy. This must be done at scale to keep pace as the organization and its cloud workloads evolve to support digital transformation and flexible work models. This can only be achieved from a centralized point of control that enables consistent management of privileged credentials, human and non-human identities, devices, and secrets across multi-cloud and hybrid environments.
Learn more in our eBook, “Securing Privileged Access and Identities In 5 Key Cloud Scenarios” and our cloud security resources. The next post in our series will tackle SaaS application security, a top-of-mind concern for nearly every digital business today.