DevOps Security: 3 Challenges Facing the Enterprise
While DevSecOps can help remedy the lack of coordination between developers and security teams, companies must dig deeper to install better processes before seeing dividends.
As cloud-based cyberattacks have grown in volume and sophistication, there has been a commensurate rise in pressure for software teams to code with security best practices in mind from the get-go. As a result, in recent years, the DevSecOps approach has become the standard within enterprises. (Also read: DataSecOps: Prioritizing Data Security in the Cloud.)
Red Hat's recent State of Kubernetes Security report highlights 78% of respondents already have a DevSecOps initiative in progress. Even more, 27% of respondents integrate and automate security throughout their entire product development lifecycles, which means that they’ve achieved full DevSecOps maturity.
Despite rapid DevSecOps adoption, security concerns still linger, pointing to the difficulty of installing an agile security posture in most companies. Red Hat's report reveals 93% of respondents have experienced at least one security incident in their Kubernetes environments over the past year. A further 55% have delayed app rollouts due to security concerns.
While DevSecOps is the answer to marrying security with DevOps pipelines, enterprises face numerous challenges in practice.
Here are three of the most prominent challenges facing DevOps security:
1. Machine ID Management
The “shift left” movement is in full swing within most organizations as DevSecOps has pushed security further up development timelines. However, there’s a big difference between prescribing that security concerns be addressed earlier on and actually ensuring that happens.
Often, the shift left is not accompanied by the right culture shifts and workflow processes -- leading to merely cosmetic changes. Today, one of the most glaring gaps in security postures is the assumption that human IDs dominate the access management landscape.
In reality, a byproduct of DevOps and the rise of containerization is the subsequent increase in machine IDs. Modern dev environments involve complex webs of microservices, cloud containers, and one-time processes accessing systems and data constantly. Manual security access approvals stand no chance in such an environment.
"Machine identities are scattered across hybrid multi-cloud environments, and need to be able to connect to other workloads or services to fulfill their task,” notes Rene Paap in a recent article for Akeyless, a secrets management platform. “But the access policies that control access privilege levels should be consistent, no matter which cloud a workload runs on."
Companies need centralized control through an application programming interface (API)-based platform. Paap points out that inconsistent policies enforced through disjointed access management will bear negative consequences:
"Inconsistent access policies will eventually lead to security blind spots," he says. "For example, an AWS-based policy could be left with a default permission profile by mistake. Centralized policy configuration and enforcement avoid this risk by simplifying operations."
In short, DevSecOps needs more than a surface-level shift to the left. It needs infrastructural and process changes to the actual working processes. In today’s practice, policies such as just-in-time credential access and installing zero-trust principles offer powerful solutions to this problem. (Also read: A Zero Trust Model is Better Than a VPN. Here's Why.)
2. Container Abstraction
Automation is everywhere in the DevOps pipeline. Many security policies still run on manual execution assumptions, with security admins validating every access request in real time. The result is a blizzard of access requests teams struggle to keep pace with.
Aside from security teams spending less time analyzing root causes, the biggest problem with this picture is the inability to monitor ad-hoc access requests. Chief Strategy Officer at NeuVector, Fei Huang, explains the problem, saying:
"This containerized environment is hyper-dynamic, as it could be scaling and/or changing frequently and quickly; this makes it hard for traditional tools to catch up. For example, a Kubernetes pod may only run for a few minutes before it goes away automatically so that all the resources can be reused."
The other issue is that Kubernetes itself presents a significant attack surface to malicious actors. Security teams often struggle to keep pace with open-source changes, even as attackers constantly probe them. Lengthy ramp-up times create potential security issues.
Traditional firewall tools cannot help in this situation since they lack visibility into real-time breaches in multi-cloud containerized environments. Again, installing the right tools and automating more portions of the security process may be the right answer. (Also read: How to Prepare for the Next Generation of Cloud Security.)
While security teams face a learning curve, the payoff is well worth the effort.
3. Lack of Top-Down Security Processes
Generally, developers want to deliver high-quality code, but a lack of security knowledge hampers them. As every CISO has discovered by now, development ability and security skills are separate worlds with little crossover.
Most organizations have installed the shift left through DevSecOps, which places the onus of security onto product teams. Instead of making surface-level changes, companies must prioritize training developers in security best practices and boosting collaboration.
Simon Leech, senior security and risk management advisor at HPE PointNext Services, offers a few other insights into how companies can redesign their training and awareness programs:
"It's also important to identify internal champions as a way of promoting the importance of DevSecOps," he says. "Senior people on the development team can coach and mentor junior developers and at same time act as an interface to the executive team.”
What’s more, Leech asserts, “Executives need to know the money they've invested in enabling a culture change toward DevSecOps is generating a return -- in terms of, perhaps, achieving a lower defect rate or releasing higher quality software."
In addition, companies can conduct live data breach drills with security teams and include developers in security-specific exercises such as penetration tests. By giving both worlds a look at each other's environments, companies can merge development with security more closely.
Security Best Practices for a Successful DevSecOps Program
- Adhere to the SDLC and change management. Making sure your development team follows best practices as applied to the software development life cycle (SDLC) and that they employ proper change management can ensure developed code is rigorously checked to prevent bugs and defects from being released into your production environment.
- Automate security testing. Code security is vital, and automated security testing -- when integrated with the build process -- can spot and fix defects before code goes live.
- Configure access permissions. Allow team members just enough rights to perform a role. This can include just-in-time (JIT) access. Moreover, using identity and access management (IAM) tools to enforce strong access controls keeps DevOps platforms secure. Essentially, you want to guarantee that only authorized personnel can access DevSecOps environments.
- Maintain appropriate segregation. Keep the development and production environments as autonomous as possible.
- Train your team. Developers and administrators should have a working knowledge of secure software development practices.
- Track, audit and log all actions across your DevSecOps environments. This helps security analysts investigate potential breaches quickly and identify attack vectors. (Also read: Data Breach Response: 5 Essential Steps to Recovery.)
- Employ comprehensive code-level security analysis. This will help you automate and secure your software development, identify vulnerabilities early and fix them before they cause problems.
- Limit continuous integration to the most critical changes. Also, limit its time and frequency to reduce the attack surface.
The Solution: An Incremental Approach
Multi-cloud security management involves maintaining control of who does what, when and how across your DevSecOps cloud environments via a single management interface (or "Single Pane of Glass").
Multi-cloud management tools can help you keep track of your resources across multiple public and private clouds, enabling you to stay in control of your applications and workloads from a single interface. Migrating workloads from one cloud environment to another becomes much more manageable, for example, when moving Kubernetes clusters.
With so many cloud environments in circulation nowadays, companies need robust and agile security systems very rapidly. But there are no quick fixes to the lack of coordination between developers and security teams. DevSecOps is a great start, but companies must dig deeper to install better processes before seeing dividends.
A steady, incremental approach to implementing DevSecOps is the best approach, rather than an overhaul. This will yield longer-lasting results that future-proof security postures.