The option where the highest levels of unawareness existed was source code repositories such as GitHub, with 84% of survey respondents unaware that privileged accounts or secrets are found here, followed by microservices (80%), cloud environments (78%) and CI/CD tools used by DevOps teams (76%). In reality, privileged accounts and secrets are found in all these entities.
No privileged account security strategy for DevOps
A Gartner survey in mid-2016 found that 50% of enterprises would be using DevOps by the end of 2016[1]. Despite this, and further compounding the lack of awareness, 75% of security professionals reported that they had no privileged account security strategy for DevOps, creating significant weak points for attackers to target.
“As organisations employ DevOps, more privileged account credentials and secrets are being created and shared across interconnected business ecosystems,” said Elizabeth Lawler, vice president, DevOps security, CyberArk. “Even though dedicated technology exists, with few organisations managing and securing secrets, they become prime targets for attacks. In the hands of an external attacker or malicious insider, compromised credentials and secrets can allow attackers to take full control of an organisation’s entire IT infrastructure. So it’s worrying that the rush to achieve IT and business advantages through DevOps is outpacing awareness of an expanded - and unmanaged - privileged attack surface.”
Fragmented teams struggling with fragmented security
While many DevOps teams underestimate the volume of secrets being spread across the IT infrastructure, they are aware of the need to improve security. Over a third (37%) of DevOps professionals storing or deploying information in the cloud say compromised DevOps tools and environments represent one of their organisation’s greatest security vulnerabilities – but many are acting alone to tackle the issue.
With just a quarter of security teams reporting that they have a privileged account security strategy for DevOps, and integration between teams lacking for nearly two thirds of respondents (65%), many DevOps professionals are taking matters into their own hands. In fact, nearly a quarter (22%) of them have built their own security solution to protect and manage secrets for DevOps projects.
Lawler continued: “Building your own security solutions is arguably OK up to a point, but is not a scalable way forward. From Jenkins to Puppet to Chef, there are no common standards between different tools, which means you must figure out every single tool to know how to secure it. DevOps really needs its own security stack, and security teams must bring something to the table here. They can provide a systemised approach that helps the DevOps teams maintain security while accelerating application delivery and boosting productivity.”
Cloudy security strategy heightening the risk
Enterprises are increasingly using cloud orchestration and automation tools to drive DevOps initiatives, and nearly half (49%) of respondents reported using the cloud for internal development. However, the study shows that the lack of a DevOps security strategy extends to the cloud. Nearly two thirds (74%) rely on their cloud vendor’s built-in security, meaning privileged account security is not fully integrated into DevOps processes when spinning up new environments.
Lawler concludes: “Taken together, this year’s survey findings indicate that many organisations do not understand the need - or the mechanisms - to secure privileged account credentials and secrets, whether that’s in the cloud or on-premises. DevOps and security tools and practices must fuse in order to effectively protect privileged information. Building awareness and enabling collaboration between DevOps and security teams is the first step to help businesses build a scalable security platform that is constantly improved as new iterations of tools are developed, tested and released.”