DevOps the forgotten team when it comes to security: CyberArk

Nov. 13, 2017

Due to the dynamic nature of DevOps and the business “secrets” these teams have access to, security vendor CyberArk has highlighted the importance of protecting them from the threat landscape.

According to Jeffrey Kok, senior director of solution engineering for Asia Pacific and Japan at CyberArk, leaving DevOps exposed means that privileged credentials such as SSH keys and API keys proliferate throughout IT infrastructure at a rapid pace, creating massive security risk for organizations.

The CyberArk Advanced Threat Landscape 2018 highlights that 75% of security respondents reported their organization has not implemented a privileged account security solution for DevOps.

This is all the more problematic given that 60% of the DevOps respondents said they store privileged account or administrative passwords in a document on a company PC or laptop.
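The “document on a company PC” finding above is the kind of secrets sprawl that can be found mechanically before an attacker does. As an added example (not CyberArk’s code or tooling, and not part of the original article), the Python below scans a few constructed text artefacts, a notes file, a deploy script, a config file and a README, for fixed-format credentials such as AWS access key IDs and PEM private-key headers, and for free-form `password=` / `token:` style assignments. A length and Shannon-entropy filter drops placeholders and references such as `${VAULT_TOKEN}` so that only values that look like real key material are reported, and reported values are redacted so the scanner’s own output does not become another copy of the secret. All sample contents are constructed for the demo; the AWS values are the inert placeholders from AWS’s own documentation.

```python
"""Scan text artefacts for leaked privileged credentials.

Added example, not CyberArk's code. Sample files are constructed for the demo;
the AWS values are the inert placeholders from AWS's documentation.
"""
import math
import re
from typing import Dict, List, Tuple

# Constructed sample artefacts: a notes file, a deploy script, a config file
# and a README that only talks about secrets without containing one.
SAMPLE_FILES: Dict[str, str] = {
    "deploy-notes.txt": (
        "prod db: host=db01.internal user=admin\n"
        "password = Summer2017!\n"
        "see ops wiki for rotation schedule\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "aws s3 sync ./build s3://release-bucket/\n"
    ),
    "app.yaml": (
        "service: billing\n"
        "api_token: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"
        "log_level: info\n"
    ),
    "README.md": (
        "Set the password via the vault, never in this file.\n"
        "Example key name: api_token (value injected at deploy time)\n"
    ),
}

# Fixed-format credentials are recognised by shape alone.
FIXED_FORMAT = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Free-form credentials: a secret-looking key name, then '=' or ':', then a value.
KEY_VALUE = re.compile(
    r"(?i)(?P<name>[A-Za-z0-9_.-]*(?:passw(?:or)?d|pwd|secret|token|api[_-]?key)[A-Za-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"]+)"
)
MIN_TOKEN_LEN = 16
MIN_TOKEN_ENTROPY = 3.0  # bits per character; hex and base64 key material sits well above this

Finding = Tuple[str, int, str, str]  # (path, line number, kind, redacted value)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_random(value: str) -> bool:
    """True for values long and high-entropy enough to be real key material."""
    return len(value) >= MIN_TOKEN_LEN and shannon_entropy(value) >= MIN_TOKEN_ENTROPY


def classify(name: str) -> str:
    """Passwords are human-chosen and low entropy, so they get no entropy filter."""
    return "password" if re.search(r"(?i)passw(?:or)?d|pwd", name) else "token_or_secret"


def redact(value: str) -> str:
    """Keep a four-character prefix for triage; never echo the full secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()  # one report per (line, kind) even if two patterns overlap
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in FIXED_FORMAT:
            m = pattern.search(line)
            if m and (lineno, kind) not in seen:
                seen.add((lineno, kind))
                findings.append((path, lineno, kind, redact(m.group(0))))
        for m in KEY_VALUE.finditer(line):
            kind, value = classify(m.group("name")), m.group("value")
            if kind == "token_or_secret" and not looks_random(value):
                continue  # placeholder, reference such as ${VAULT_TOKEN}, or too short
            if (lineno, kind) not in seen:
                seen.add((lineno, kind))
                findings.append((path, lineno, kind, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, kind, shown in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {shown}")
```

Run against the samples, the scanner reports the plain-text password in the notes file, both halves of the AWS key pair in the deploy script and the API token in the config file, and stays silent on the README, which mentions “password” and “api_token” but carries no value. Pointing `scan_files` at real laptop directories or repository history is the obvious next step; the point is that a few regexes plus an entropy threshold already surface most of what the 60% figure describes.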

Fifty-two percent of DevOps respondents said they rely on the native secrets functionality of their cloud or DevOps vendors to be protected.

“This is potentially a risky approach because it creates separate security silos that are difficult to manage with an overall security policy,” the report says.

As respondents were able to provide more than one answer, 50% also said they employ a paid-for secrets solution; while 37% said they use systems built from open-source software.

Forty-three percent of respondents confirmed that the security team is always brought in at the end of each development cycle, with CyberArk noting this may be adequate only if the length of a sprint averages a week or so.

Kok said it might seem a “little bit daunting” for organizations to bring security talent into the development process earlier, but that once the concept is embraced, the end result is a much better user experience.

The most effective business strategy will demand that security and DevOps work closely together, which is why Kok pitched the idea of “SecOps”: applications designed not only with operations but also with security in mind.

The report said that as DevOps is a relatively new discipline, it is not entirely surprising that respondents report a lack of integration between DevOps and security teams.

CyberArk said collaboration varies by industry: the closest partnerships between DevOps and security were found in consumer services and in technology and telecommunications. Financial services organizations reported slightly below-average collaboration, and only 16% of healthcare respondents said their security and DevOps teams were “well integrated”.

Although Kok is focused mostly on the APJ region, he said the issues raised in the report cover DevOps teams globally.

However, because the APJ region has come to DevOps somewhat later, it is all the more important for the region to learn from the mistakes of others.

“We have the benefit of hindsight; we can avoid the pitfalls,” he said.

ZDNet has the full story