DevOps requires a significant departure from the more traditional paradigms of IT, including your information security strategy. Though DevOps involves the melding of development and operations teams, security teams are often left out of the equation. However, there are a number of unique DevOps security challenges that organizations will face if they don’t establish a balanced security strategy.
As your organization begins to adopt DevOps practices, you should consider the following DevOps security challenges and the best practices for overcoming them.
Security teams need to thoroughly test environments and applications to ensure they don’t miss any vulnerabilities, which frequently puts them at odds with DevOps teams aiming for short development cycles and continuous delivery of code. When teams are pressured to prioritize speed above all else, there can be disastrous consequences. For example:
One of the best tools for overcoming this DevOps security challenge is automation. Automation both mitigates the security risks arising from manual errors and reduces the amount of time spent on provisioning, configuration, and testing. You can use automation tools for a number of DevOps processes, including:
Automation is the only way to ensure that security can keep up with the rapid pace of change required in a DevOps environment.
Your secrets—which include privileged account credentials, API tokens, SSH keys, and other sensitive information—must be carefully controlled. However, to streamline workflows and move towards fast, automated deployment, many DevOps teams have unfortunately adopted poor secrets management habits. For example, DevOps teams may store privileged account credentials in files in containers, or run processes with root access they don’t need, or share admin account credentials with each other. The push for speed and automation can leave secrets exposed to attackers.
To improve your DevOps secrets management, you should:
In addition, restricting privileged access will significantly reduce your risk. Best practice is to eliminate administrative and privileged accounts on all end-user machines, as well as shared administrative accounts used by multiple people. You should also monitor every privileged account session to ensure they’re legitimate and following access control policies. In addition, developer and tester access should be limited to the specific development, production, and management systems they need for their job. Finally, store your credentials in a centralized password manager or secrets manager, such as LastPass or Azure key vault.
As mentioned above, privileged access control and secrets management can both be automated, using tools such as OpenIAM that can also track the full lifecycle of privileged credentials and secrets.
One of the biggest information security challenges organizations face is a lack of security culture, and that extends to DevOps environments as well. A large majority of major breaches are caused by human error—a password is exposed through a phishing attack, for example, or someone picks up an infected USB drive and uses it on a machine with an admin account. In addition, business leaders often pressure DevOps teams to constantly pick up the pace and take security shortcuts to achieve unrealistic release goals. A lack of security culture can undermine a DevOps team’s best attempts to keep infrastructure, data, and applications secure.
Developing a security culture is mostly about knowledge. The first place to start is training all your staff—including executives and managers—on the foundations of cybersecurity. When your people understand why they need to use inconvenient security measures like multifactor authentication and non-privileged accounts, they’re much more likely to get onboard. Plus, if your business stakeholders have a solid grasp of why comprehensive security measures are needed, they’re less likely to push back on the necessary delays caused by implementing security controls and testing. This gives both security and DevOps teams more room to breathe so they’re less likely to take shortcuts and make mistakes.
One of the most fundamental DevOps security challenges is simply that development and security teams are frequently disconnected. Security should be involved as early as possible in the software development life cycle (SDLC), but a lack of communication between security and development teams can prevent that from occurring. Security and development teams may operate in isolated bubbles, duplicating operational effort and information flow that could easily be aggregated in one bucket.
To overcome this major DevOps security challenge, you need to instill a collaborative team culture between DevOps and security. Teams should spend time together sharing information, swapping stories, and seeing how the other side operates day-to-day. This will allow both development and security teams to understand each other’s requirements and challenges, so they can move forward together to come up with solutions.
The best practice for overcoming DevOps security challenges is to shift toward DevSecOps, which could be considered the next stage of DevOps culture. In DevSecOps, security joins the collaborative model shared by dev and ops teams. Implementing DevSecOps allows you to shift left, integrating security objectives as early as possible in the SDLC, because all teams are working together to achieve the same goals from the very beginning of a project.