Securing privileged access in DevOps environments

Not infrequently, especially in the DevOps-service accounts, encryption, API and SSH keys, container secrets or embedded passwords in program code are often unsecured. CyberArk's "Global Advanced Threat Landscape Report 2018" also revealed that more than 70 percent of the companies surveyed do not yet have a "privileged access security" strategy for DevOps environments.

Five recommendations

CyberArk's new CISO View Report now provides five key recommendations for implementing such a strategy, based on real-world experience of participating information security leaders:

1. Integrate security teams into DevOps processes: Encourage collaboration between security and DevOps teams and integrate DevOps and security tools and practices into standard operating procedures.
2. Prioritize securing DevOps tools and infrastructures: design and implement policies for tool selection and configuration, controlling access to DevOps tools, implementing least privileges concepts, and securing and monitoring infrastructures.
3. Establishment of company-wide requirements for securing access data and secrets: Establishment of central access data management, expansion of audit and monitoring systems, elimination of fixed access data in tools and applications, and development of reusable code modules.
4. Introduce processes for testing applications: Integrate automated code testing, continuously address security issues in the development process, and possibly set up a "bug bounty" program.
5. Evaluation of the results of the DevOps security program: regular review of the Secrets Management-solution and identification of optimization potentials.

The new report is part of the CISO View-Industry Initiative. The initiative conducts research and develops guidance to help security teams design and implement effective cyber security programs.

Source: CyberArk