Securing DevOps

Manisha Rai, IAM Consultant, SecureITsource, Inc.

With business demanding faster delivery of quality applications, interest in DevOps is growing. Many organizations have adopted DevOps methodologies to accelerate the pace of innovation. According to a survey published in January 2016 by the SaaS cloud-computing company RightScale, DevOps adoption increased from 66 percent in 2015 to 74 percent in 2016. Companies such as Netflix, Etsy and Flickr that adopted DevOps early have reported benefits in customer relations, revenue and productivity. It has since been adopted by banks, insurance companies, governments and many other organizations in highly regulated industries.

DevOps is an approach to software development that focuses on collaboration between an organization's operations, development, testing and support teams while automating the processes required to release and change software. It does this by establishing a continuous loop in which teams across the business work together to plan, code, build, test, deploy, operate and monitor. As a result, software can be released rapidly, frequently and more reliably.

Because DevOps pipelines are fully automated and span many different tools, platforms and resources, secrets (passwords, API keys, SSH keys, certificates and tokens) end up scattered throughout the pipeline. As businesses adopt on-demand, short-lived infrastructure, the way services and applications are built and deployed has caused the number of identities that must be managed to grow exponentially. Attackers know where to look for secrets in these systems and how to exploit them, which makes these secrets one of the largest vulnerabilities an organization faces today. Secrets are easily exposed when there is no audit trail or control over who is accessing them. In the hands of an external attacker or a malicious insider, secrets allow the attacker to take control of an organization's IT infrastructure, disable security controls, steal confidential information, commit financial fraud and disrupt operations. Additional risks lie within the configuration management and automation tools used in the DevOps pipeline: as heavy consumers of secrets, these tools have themselves become targets.

It is therefore critical to secure both the underlying infrastructure of the DevOps pipeline and the DevOps staff who interactively access the different tools to administer them, maintain them or make changes in break-glass scenarios. Controlling and monitoring the interactive access of these privileged users has become an equally critical means of protecting the pipeline. Security teams have tried various strategies to protect secrets, such as encrypting data bags, Docker images, disks, GitHub repositories and configuration files. All of these mechanisms, however, mainly make the secrets harder for legitimate users to reach: the key that decrypts them must still be stored somewhere, and none of them records who retrieved a secret or when.

CyberArk Conjur is a secrets management solution built for the infrastructure requirements of cloud-native and DevOps environments. Conjur creates machine identities and manages their access privileges, and CyberArk describes it as the only secrets management solution architected specifically for containerized environments. It supports automation through policies that manage machine identities and access rights without manual intervention. With a single place to manage security policy for machine identities, access to secrets and machine-to-machine communication across the infrastructure, it is easy to see who has access to which protected resources for auditing and compliance purposes.

Conjur runs as a highly available web service inside your own infrastructure. It is extensible and built around a simple API that integrates with everything from Puppet to AWS, so there is no vendor lock-in however often your environment changes, and it works in private, public and hybrid environments. It aims to provide security without disrupting development and operations teams. Multiple replicated Conjur servers work together to provide high availability and low latency. Security rules are written as policy files, checked into source control and loaded into the Conjur server cluster, which brings the transparency and collaboration of code review to an organization's security requirements. Beyond storing secrets, key features of Conjur include role-based access control, centralized audit records, integration with DevOps toolchain components such as Ansible, Jenkins, Chef and Puppet, and an easy-to-use GUI. Conjur is also programmable through its REST API, which can be used to provide custom authentication and authorization for popular DevOps tools.
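The policy-as-code model described above, as an added example that is not part of the original article and is not taken from CyberArk's documentation. It assumes a hypothetical application named payments with two running instances; the identifiers payments, payments-01, payments-02, app, operators and db/password are all made up for illustration. The file declares who may read the database password (the application's machine identities) and who may change it (a group of human operators), and nothing else.

```yaml
# Added example (not from the original article or from CyberArk):
# a Conjur policy file for a hypothetical "payments" application.
# The names payments, payments-01, payments-02, app, operators and
# db/password are assumptions. Everything under one !policy is
# namespaced, so the secret below is addressed as
# payments/db/password once the policy is loaded.
- !policy
  id: payments
  body:
    # Machine identities: each running instance gets its own host
    # record and its own API key, so a leaked key points at exactly
    # one instance and can be rotated without touching the others.
    - !host
      id: payments-01
      annotations:
        description: first application instance (assumed name)
    - !host
      id: payments-02
      annotations:
        description: second application instance (assumed name)

    # A layer groups hosts that share a role. Privileges are granted
    # to the layer, never to an individual host, so adding a third
    # instance is a one-line change with no new permissions.
    - !layer app
    - !grant
      role: !layer app
      members:
        - !host payments-01
        - !host payments-02

    # Human operators allowed to set or rotate the secret. Users are
    # granted membership of this group in a separate (root) policy.
    - !group operators

    # The secret itself. The !variable holds the value inside Conjur;
    # this file holds only its name, which is why it is safe to commit.
    - !variable
      id: db/password
      annotations:
        description: credential for the payments database (assumed)

    # Least privilege: "read" lets a role see that the variable exists,
    # "execute" lets it fetch the value, "update" lets it write a new
    # value. The application may only fetch; the operators may only set.
    - !permit
      role: !layer app
      privileges: [ read, execute ]
      resource: !variable db/password
    - !permit
      role: !group operators
      privileges: [ read, update ]
      resource: !variable db/password
```

Loaded into the root policy with the Conjur CLI (the exact command form depends on the CLI version, for example `conjur policy load -b root -f payments.yml` on recent releases), the file creates the two hosts and issues each an API key. A host authenticates with that key and fetches `payments/db/password`; a request from any identity that is not a member of the `app` layer is refused, and the denied attempt, like every successful fetch, appears in the centralized audit record. That per-request accountability is exactly what the encrypted-file approaches described earlier cannot provide. Because the policy contains names and privileges but never a secret value, changes to it can go through ordinary pull-request review.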