DevSecOps is an organizational software engineering culture and practice that aims at unifying software development (Dev), application security (Sec), and operations (Ops). The main characteristic of DevSecOps is to monitor and apply security at all phases of the software lifecycle: Planning, development, integration, delivery, deployment and production.
Looking at DevSecOps through an IT professional’s lens, the ecosystem is a diverse set of people, processes and technologies interdependent and interwoven with assembly line-like automation to manage the application lifecycle. We refer to this type of application construction as pipelines. Pipelines consist of a proliferation of tools where each comes with a unique set of challenges for granting access (access controls are unique to each platform). Therefore, it is a priority to implement secure practices to the DevSecOps toolchain by defining an efficient and secure Identity and Access Management (IAM) program.
It is important to note that the terms DevOps and DevSecOps are often used interchangeably. In this blog, we exclusively use the term DevSecOps.
We live on the internet now
Digitalization and innovation opened new challenges with the way we operate today. We are in an interconnected world with an explosion of access requirements ranging from data centers, public cloud, bring your own device (BYOD), remote employees, IoT devices, SaaS Apps, partners, personal devices, etc. Traditional network trust is no longer applicable and implies the importance of zero trust capabilities, which implement controls to verify and authorize access through every layer of DevSecOps including identities, networks, endpoints, applications, data, etc.
Within DevSecOps, this means that, instead of relying on a single platform or cloud provider, we now have a multitude of tool chains exposed to the internet such as source code management, build tools, container hubs, testing software, deployment tools and release management, etc. Without proper IAM controls in place, the privilege creep within pipelines exposes significant risk as access requests move fast and are often unseen deep within code.
Threat actors are after credentials
Privileged credentials are generally any identities (human or non-human) that have elevated permission to affect change in critical workloads, databases/data lakes, applications and services. Any identities such as domain admins, local admins, service accounts, database administrators, endpoints, bots, root in Unix, sudo users, API tokens, privileged cloud IAM identities, etc. are often referred as ‘keys to the kingdom accounts’ that protect the organization’s assets. Based on the diversity of DevSecOps, we expose a credentials sprawl, as each tool chain needs to authenticate and authorize to complete the workflows. One of the ways that automation is achieved is by using secrets, which allows the credentials to pass the authentication step. Not only are threat actors after credentials, but they are also after the organization’s secrets. Therefore, ‘secret sprawl’ is a huge challenge to combat in DevSecOps.
Here are our three solutions to resolving these challenges.
Solution 1: Adopt zero trust principles
Zero trust principles ensure that any access requests are verified and valid regardless of where they occur. At a macro level (identities, data, network, applications, endpoint, etc.) this is straightforward. At a micro level, it is not always clear but understanding the principles of how access requests move through pipelines is critical.
Putting zero trust principles into practice may require different techniques such as segmenting development platforms and implementation of automated validation and blocking capabilities, etc.
Solution 2: Respect the speed in automation of DevSecOps
Agility and velocity are some of the critical characteristics of a DevSecOps pipeline that plans, builds and deploys applications at scale. Adopting better security practices should not be an impediment to the pace at which the DevSecOps ecosystem operates.
In order to contain the risks of the secret sprawl, an optimal approach is to implement a solution that can manage secrets at scale in a secured centralized vault with fine-grained access controls (least privilege) and auditing. It is preferable to enable that solution to remove standing privileges and implement dynamic privileged access (just in time) that shrinks the privilege creep from months or years to a few minutes or hours, reducing the threat landscape.
Solution 3: Always work towards a mature IAM framework
Regardless of how diverse an organization’s platforms or tools are, with a mature IAM framework it is possible to control the multitude of threats related to the privileged access that surrounds this ecosystem. As multi-factor authentication works well for human identities, the non-human identities in the DevSecOps ecosystem requires a unique control. By implementing modern secrets management solution with least privilege and json web token (JWT) authentication, we can improve the security posture of non-human identities on how they authenticate and authorize for fetching the secrets from the solution.
There are next-gen tools that can support and govern cloud entitlements and provide secrets management capabilities that traditional IAM teams and technologies may not currently support.
What we recommend
While the solution landscape continues to evolve, we have over a decade of experience working with organizations on these types of DevSecOps pipeline challenges, which has given us solid experience in helping clients enable IAM, aligned with DevSecOps. Through discussions with our clients, we have learned that the first challenge they often have is not knowing where to start. Protecting credentials and secrets in the DevSecOps pipeline can involve multiple teams including IT, information security and Cloud SMEs, as well as multiple technologies including identity technologies, cloud security technologies and native cloud platform capabilities.
As Protiviti brainstormed internally to determine the best approach to help our clients solve these problems, we realized we had many of the same challenges as our clients, including where to start and who to involve. As a result, we developed our own approach and tips to come up with a comprehensive method for secrets management for DevSecOps pipelines:
- Strategic approach – Understand the organization’s landscape to look at the bigger picture and not just address operational challenges. Security policies and standard operating procedures for DevSecOps need to be defined.
- Inventory and discovery – Maintain an inventory system for all the continuous integration and continuous delivery (CI/CD) tools and implement scheduled discoveries for the secrets that will be incorporated into the DevSecOps tools chain.
- Strong collaboration – To come to an understanding of the problem and the solution, engage with three teams: Cloud, DevSecOps and Identity. Each team has different disciplines: Developers do not prefer “identity” work, and the identity team does not engage in writing code but working together yields better results. Too often, these three teams are siloed but collaboration and communication are key so that a comprehensive solution approach may be defined, rather than continuing to work independently.
- Next-generation identity – An organization’s identity team has a great foundation showcasing standard processes and workflows that have long been successful in more static environments. However, this needs to be adapted to deal with the dynamic nature of DevSecOps environments.
- Paradigm shift – The Identity team does not need to understand a developer’s code but must be able to guide the DevSecOps and cloud developers on best security practices, working with them to implement identity security requirements for their code.
- Threat detection and response – Implement a cohesive detection and response process for any unusual pattern of secrets retrieval from baseline policies. This includes a thorough integration of SIEM/XSOAR and endpoint detection and response (EDR) with the DevSecOps toolchain and the development of policies for any unintended activity within the secret retrieval processes. User behavior analytics (UBA) complement the detection of any unauthorized operations within the DevSecOps ecosystem made by admins and privileged users.
Protiviti also offers DevSecOps process and governance optimization solutions that enable clients to take an outcomes-focused approach to balance the needs of compliance and control without sacrificing speed and innovation in DevSecOps. Our teams help design optimized DevSecOps future state operating models and roadmaps that help clients enable those process and governance solutions.
Andrea Themistou – Senior Manager, Jeff Conner – Director, Eli Hajjar – Director and Dusty Anderson – Managing Director, Security and Privacy also contributed to this post.