DevOps in Government: Balancing Velocity and Security
The Federal government isn’t known for its progressive approach to IT infrastructure, and agencies aren’t usually early tech adopters. Yet, agencies are increasingly deploying cutting-edge DevOps methodologies to achieve agility and reduce operating costs.
The Department of Homeland Security, General Services Administration, Environmental Protection Agency and Veterans Affairs are among those breaking the mold. They’re modernizing IT infrastructures, and taking strong steps forward in the digital transformation journey.
But that doesn’t come without risk. Several government agencies and organizations–including the National Security Agency (NSA), Pentagon, Republican National Committee and others–have experienced firsthand what can go wrong when environments aren’t properly secured.
The NSA, for example, rocked headlines late last year when it made top secret data publicly accessible to the world on an Amazon Web Services (AWS) bucket. A simple misconfiguration credited to human error was to blame.
The truth of the matter is DevOps tools often have interfaces designed for human users, and misconfigurations are all too easy and common. Some of the most notable breaches can be traced back to misconfigurations of the perimeter, making it all the more important that security controls are implemented across identities and environments.
Introducing Risk Through An Expanded Attack Surface
As agencies adopt new cloud and DevOps environments, they expand their attack surfaces, creating heightened levels of risk. To mitigate risk against internal and external threats, agencies need to continuously monitor privileged account sessions across every aspect of their network–including DevOps.
The DevOps pipeline comprises a broad set of development, integration, testing and deployment tools, people and resources, so it only makes sense that the attack surface grows alongside IT network expansion. This expanded attack surface is primarily propagated by the increase in privileged account credentials and secrets that are created and shared across interconnected access points. Agencies need to secure these non-human identities just like they would a human identity. Robotic actors can be compromised, and they need access controls just like their human counterparts.
That’s not always such an easy feat, however. The sheer scale and diversity of the DevOps ecosystem can make security challenging for three main reasons:
- Each development and test tool, configuration management platform and service orchestration solution has its own privileged credentials, which are usually separately maintained and administered using different systems, creating islands of security.
- Secrets (passwords, SSH keys, API keys, etc.) used to authenticate exchanges and encrypt transactions are scattered across machines and applications, making them nearly impossible to track and manage.
- Developers often hard code secrets into executables, leaving the Federal government vulnerable to attacks and exposure of confidential data from attackers with stolen secrets.
Although security can be a major pain point when it comes to DevOps implementation, not all is lost. Government agencies have the potential to achieve both velocity and security. The answer lies in secrets management and collaboration.
Lifting the Curtain on Secrets Management
Secrets are integral to the DevOps workflow, but their proliferation across IT environments can have unintended, potentially catastrophic consequences if exploited by attackers.
A secrets management solution can help prevent that from happening. By implementing a tool that can seamlessly connect with DevOps tools and other enterprise security solutions, Federal agencies can get a better view of unmanaged, unprotected secrets across their networks, while still meeting important compliance regulations.
With a prioritization on secrets management, Federal agencies can secure and manage secrets used across human and non-human identities and still achieve superior DevOps agility and velocity.
Eliminating Friction and Prioritizing Collaboration
Agencies and organizations alike often fail to make security easy for DevOps practitioners. Not only does that cause friction, it creates opportunity for failure.
Developers aren’t–nor should they be expected to be–security practitioners. They’re responsible for features and functionality–not figuring out how to manage credential collaboration and security for those key assets.
With that being said, it’s essential that DevOps and security teams be tightly integrated from the outset. This collaborative approach will help build a scalable security platform that is constantly improved as new iterations of tools are developed, tested and released.
Implementing and securing DevOps processes can seem daunting, but it’s no reason to adhere to business as usual and avoid change. When it comes to DevOps, the benefits far outweigh the risk if risk is managed properly.
That’s why it’s so important that agencies prioritize secrets management and collaboration to protect every aspect of their network. Only then will they be able to achieve security and velocity.
Elizabeth Lawler is vice president of DevOps security at CyberArk. She co-founded and served as CEO of Conjur, a DevOps security company acquired by CyberArk in May 2017. Elizabeth has more than 20 years of experience working in highly regulated and sensitive data environments. Prior to founding Conjur, she was chief data officer of Generation Health and held a leadership position in research at the Department of Veterans Affairs.