DevOps requires a significant departure from the more traditional paradigms of IT, including your information security strategy. Though DevOps involves the melding of development and operations teams, security teams are often left out of the equation. However, there are a number of unique DevOps security challenges that organizations will face if they don’t establish a balanced security strategy.
DevOps Security Challenges and How to Overcome Them
As your organization begins to adopt DevOps practices, you should consider the following DevOps security challenges and the best practices for overcoming them.
Rapid Pace of Change
Security teams need to thoroughly test environments and applications to ensure they don’t miss any vulnerabilities, which frequently puts them at odds with DevOps teams aiming for short development cycles and continuous delivery of code. When teams are pressured to prioritize speed above all else, there can be disastrous consequences. For example:
- The dev team may take security shortcuts to cut down on integration issues and other delays.
- The ops team might make a configuration mistake while provisioning new infrastructure.
- Even worse, the security team could miss critical threats and vulnerabilities in your code, infrastructure, or dependencies because they don’t have enough time for thorough testing.
One of the best tools for overcoming this DevOps security challenge is automation. Automation both mitigates the security risks arising from manual errors and reduces the amount of time spent on provisioning, configuration, and testing. You can use automation tools for a number of DevOps processes, including:
- Configuration management
- Code analysis
- Privileged access control
- Secrets management
- Vulnerability testing
Automation is the only way to ensure that security can keep up with the rapid pace of change required in a DevOps environment.
Poor Secrets Management and Access Controls
Your secrets—which include privileged account credentials, API tokens, SSH keys, and other sensitive information—must be carefully controlled. However, to streamline workflows and move towards fast, automated deployment, many DevOps teams have unfortunately adopted poor secrets management habits. For example, DevOps teams may store privileged account credentials in files in containers, or run processes with root access they don’t need, or share admin account credentials with each other. The push for speed and automation can leave secrets exposed to attackers.
To improve your DevOps secrets management, you should:
- Remove confidential data and credentials from your code, files, accounts, services, and cloud platforms and tools.
- Use privileged password management solutions like HashiCorp Vault with APIs to help you gain control over your code, scripts, files, and embedded keys, and then ensure your scripts and applications can request use of an elevated account from a centralized password safe. Your applications should only be able to request credentials they should be allowed to use, and ideally those credentials should be ephemeral, meaning they are automatically revoked after a set period of time.
In addition, restricting privileged access will significantly reduce your risk. Best practice is to eliminate administrative and privileged accounts on all end-user machines, as well as shared administrative accounts used by multiple people. You should also monitor every privileged account session to ensure they’re legitimate and following access control policies. In addition, developer and tester access should be limited to the specific development, production, and management systems they need for their job. Finally, store your credentials in a centralized password manager or secrets manager, such as LastPass or Azure key vault.
As mentioned above, privileged access control and secrets management can both be automated, using tools such as OpenIAM that can also track the full lifecycle of privileged credentials and secrets.
Lack of Security Culture
One of the biggest information security challenges organizations face is a lack of security culture, and that extends to DevOps environments as well. A large majority of major breaches are caused by human error—a password is exposed through a phishing attack, for example, or someone picks up an infected USB drive and uses it on a machine with an admin account. In addition, business leaders often pressure DevOps teams to constantly pick up the pace and take security shortcuts to achieve unrealistic release goals. A lack of security culture can undermine a DevOps team’s best attempts to keep infrastructure, data, and applications secure.
Developing a security culture is mostly about knowledge. The first place to start is training all your staff—including executives and managers—on the foundations of cybersecurity. When your people understand why they need to use inconvenient security measures like multifactor authentication and non-privileged accounts, they’re much more likely to get onboard. Plus, if your business stakeholders have a solid grasp of why comprehensive security measures are needed, they’re less likely to push back on the necessary delays caused by implementing security controls and testing. This gives both security and DevOps teams more room to breathe so they’re less likely to take shortcuts and make mistakes.
Disconnect Between Development and Security Teams
One of the most fundamental DevOps security challenges is simply that development and security teams are frequently disconnected. Security should be involved as early as possible in the software development life cycle (SDLC), but a lack of communication between security and development teams can prevent that from occurring. Security and development teams may operate in isolated bubbles, duplicating operational effort and information flow that could easily be aggregated in one bucket.
To overcome this major DevOps security challenge, you need to instill a collaborative team culture between DevOps and security. Teams should spend time together sharing information, swapping stories, and seeing how the other side operates day-to-day. This will allow both development and security teams to understand each other’s requirements and challenges, so they can move forward together to come up with solutions.
Overcoming DevOps Security Challenges with DevSecOps
The best practice for overcoming DevOps security challenges is to shift toward DevSecOps, which could be considered the next stage of DevOps culture. In DevSecOps, security joins the collaborative model shared by dev and ops teams. Implementing DevSecOps allows you to shift left, integrating security objectives as early as possible in the SDLC, because all teams are working together to achieve the same goals from the very beginning of a project.