DevOps may be the new paradigm in app development, but a report from CyberArk reveals that widespread adoption of that approach has become a security nightmare.
Successful implementation of DevOps requires a lot of sharing of confidential business information, and that information is rarely kept properly secured, survey results from cybersecurity firm CyberArk reveal.
The report (registration required) offered some startling figures about DevOps security, and if the numbers are accurate most organizations that use DevOps are guilty of at least some potentially severe security oversights.
DevOps works wonders when well implemented, but it ultimately requires the distribution of confidential information like API keys, SSH keys, and privileged account status to lots of users.
As CyberArk said, those necessities aren't matched by a proper understanding of how to secure privileged account credentials and company secrets. What's worse, the report concludes, traditional security solutions aren't going to solve the problem either.
DevOps security: Startling statistics
Let's start with the most shocking, but not unexpected, claim in the entire report: 99% of those surveyed can't identify all the places where privileged accounts and secret information exist. That means sensitive data is living on, or accessed from, machines that may be unsecured.
And with 60% of DevOps respondents saying they store privileged account and user credentials in a document on a company computer, it's a safe bet that sensitive data is leaving the building with a few employees at the end of the day.
DevOps security, the report said, is a new and immature field that hasn't kept pace with the explosive growth of DevOps. This has left it more of an afterthought than a part of the process that is implemented along with the rest of the DevOps system, as evidenced by another figure from the report: Only 46% of respondents say that security teams are integrated throughout the entire DevOps process.
43% bring in the security team at the end of the DevOps workflow, which CyberArk said is only adequate if the length of a sprint is about one week. Sprints are typically two to four weeks, which means that most teams bringing on security teams at the end are cutting themselves short on an essential part of the process.
Three-quarters of respondents report that their organization has not implemented a security solution for privileged DevOps accounts. CyberArk concludes that the cause is simply a lack of awareness of the threat posed by unsecured DevOps credentials: if just one password or piece of data is stolen, it can be disastrous.
Solving the DevOps security disconnect
In the key takeaways, CyberArk said that the risks being taken are largely unnecessary, and that the solutions to control DevOps security holes are already available. Aside from simply buying into the right security solution, the following things should be considered in making your DevOps project a successful, secure one:
- Integrate security from the very beginning. It can be difficult to do this if you've started down a different path, but the initial speed bumps will be worth the outcomes.
- Commit to using a single security tool—don't rely on cloud solutions to pick up the slack. This leads to siloing that fragments your DevOps system.
- Confronting your DevOps problems can look daunting—perhaps just as daunting as DevOps was in the beginning. Now is the best time to step back and rethink your security strategy. Don't wait for the worst to happen.