Security professionals worry where secrets exist across IT infrastructure

CyberArk: DevOps and security teams ‘must collaborate’

According to the first findings to be released from CyberArk’s Advanced Threat Landscape 2018 report, DevOps and security professionals have “worrying knowledge gaps” about where privileged accounts and secrets exist across the IT infrastructure.

Nearly all respondents (99%) failed to identify all places where privileged accounts or secrets exist when offered several options from PCs/laptops to microservices, cloud environments and containers.

The option where the highest levels of unawareness existed was source code repositories such as GitHub, with 84% of survey respondents unaware that privileged accounts or secrets are found here, followed by microservices (80%), cloud environments (78%) and CI/CD tools used by DevOps teams (76%).

‘Secrets are being created’

Elizabeth Lawler, vice president for DevOps security at CyberArk, said: “As organisations employ DevOps, more privileged account credentials and secrets are being created and shared across interconnected business ecosystems.

“Even though the dedicated technology exists, with few organisations managing and securing secrets, they become prime targets for attacks. In the hands of an external attacker or malicious insider, compromised credentials and secrets can allow attackers to take full control of an organisation’s entire IT infrastructure.

”So it’s worrying that the rush to achieve IT and business advantages through DevOps is outpacing awareness of an expanded – and unmanaged – privileged attack surface.”

With just a quarter of security teams reporting that they have a privileged account security strategy for DevOps, and integration between teams lacking for nearly two-thirds of respondents (65%), many DevOps professionals are taking matters into their own hands. Nearly 22% of them have built their own security solution.

‘You must figure out every single tool’

Lawler continued: “Building your own security solutions is arguably OK up to a point, but is not a scalable way forward. From Jenkins to Puppet to Chef, there are no common standards between different tools, which means you must figure out every single tool to know how to secure it.

“DevOps really needs its own security stack, and security teams must bring something to the table here. They can provide a systemised approach that helps the DevOps teams maintain security while accelerating application delivery and boosting productivity.”

Enterprises are increasingly using cloud orchestration and automation tools to drive DevOps initiatives, and nearly half (49%) of respondents reported using the cloud for internal development.

‘Lack of a DevOps security’

However, the study shows that the lack of a DevOps security strategy extends to the cloud. Nearly two thirds (74%) rely on their cloud vendor’s built-in security, meaning privileged account security is not fully integrated into DevOps processes when spinning up new environments.

Lawler concludes: “Taken together, this year’s survey findings indicate that many organisations do not understand the need – or the mechanisms – to secure privileged account credentials and secrets, whether that’s in the cloud or on-premises. DevOps and security tools and practices must fuse in order to effectively protect privileged information.

“Building awareness and enabling collaboration between DevOps and security teams is the first step to help businesses build a scalable security platform that is constantly improved as new iterations of tools are developed, tested and released.”