Thanks to the rise of automation and cloud-based sandboxing, DevOps has become the norm in virtually every organization working with agile workflows for continuous rollouts. While DevOps offers tremendous advantages from a release and GTM perspective, security often lags. This is because many organizations still rely on Waterfall-based security workflows that are out of step with modern DevOps processes.
To fully realize the potential of DevOps, organizations must extend it further and embrace DevSecOps. While DevSecOps requires broad cultural buy-in, it also relies on a set of automated processes that continuously validate access credentials to ensure optimal security.
In short, DevSecOps is the most direct way to install zero trust security in your organization’s apps. A mindset that ideally informs every aspect of your cybersecurity posture, zero trust calls for granting both human and machine (“non-person entity,” or NPE) identities access to resources only when needed, and only to those that can verify they need it.
With this in mind, zero trust represents the gold standard when it comes to contending with the DevOps-led app production landscape in today’s enterprise.
The Rise of Machine IDs
Security practices in many enterprises currently adhere to a bygone world where human beings were the primary entities accessing systems. The modern enterprise environment is very different from what it was a decade ago.
DevOps has pushed companies to embrace automation, and the number of tools used in the pipeline has increased exponentially. As a result, machines and NPEs access systems far more than humans. Add to this mix the rise of cloud storage and containerization, and the result is a sprawl of systems, secrets, and processes intermingling.
Manual cybersecurity practices have no hope of managing this landscape. Instead, as with DevOps principles, security teams must adopt automation wholeheartedly to deal with this sprawl. Rene Paap of Akeyless, a SaaS-based secrets management platform, notes that while machine IDs are numerous, their numbers fluctuate, creating even more challenges.
“Secrets are one of the most sensitive assets for an organization,” he writes. “To keep control over the ever-fluctuating amount of machine secrets, organizations must automate their lifecycle management — from creation to storage, to rotation, and eventually, to revocation.”
Paap notes that most organizations store and manage NPE credentials and other secrets with a variety of solutions. For instance, some secrets might be buried in CSP vaults while others are hardcoded into production code to ease microservice access.
Given the complex interactions that fall under the scope of a modern DevOps pipeline, automating zero trust by retrieving secrets dynamically makes the most sense. Organizations that continuously validate access credentials and generate certificates on demand can rest assured their systems are protected against unauthorized access.
Just-in-Time (JIT) Security
Zero trust is a philosophy that informs several cybersecurity practices. At its core, zero trust assumes every entity asking for system access deserves suspicion, and must prove itself before entering your boundaries. Thanks to the rapid advances in attack methods, however, verifying access only at the point of entry doesn’t cut it.
A compromised entity might use fake credentials obtained via a vulnerability, compromising your system. Or worse, you might grant access to a genuine entity, only for its credentials to lapse, giving malicious actors an entry point into your systems.
The solution to these problems is just-in-time or JIT security. JIT offers entities access based on how often they use your system and how long they need to access information. At its core, JIT embodies zero trust principles by giving entities only the access they need and nothing else.
For instance, a microservice that retrieves data from a database container during an end-of-day batch process does not need continuous access. JIT access systems help you create credentials that are active for short periods, limiting the possibility of major damage or lapsed credentials.
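As an added illustration (not code from the article or from any vendor it mentions), here is a minimal JIT credential issuer and verifier in Python: a token is signed with a scope and a short TTL, and the verifier rejects it once the batch window has passed, if the requested scope does not match, if it was revoked, or if it was tampered with. The signing key, subject names and scopes are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholder key for the demo; a real deployment would fetch this from a secrets manager.
SIGNING_KEY = b"constructed-demo-signing-key"
REVOKED_IDS = set()  # jti values of credentials revoked before their natural expiry


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue(subject: str, scope: str, ttl_seconds: int, now: float = None) -> str:
    """Mint a credential valid only for `ttl_seconds` and only for one scope."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scope, "iat": now,
              "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify(token: str, required_scope: str, now: float = None):
    """Return (ok, reason_or_subject). Every check is a separate, explicit denial reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["jti"] in REVOKED_IDS:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["scope"] != required_scope:
        return False, "scope mismatch"
    return True, claims["sub"]


def revoke(token: str) -> None:
    """Revoke early, e.g. when the batch job finishes before the TTL runs out."""
    REVOKED_IDS.add(json.loads(_unb64(token.split(".")[0]))["jti"])
```

The batch job would call issue() at the start of its window and revoke() on completion, so the credential never outlives the work it was minted for.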
You might argue that such a process adopts a highly cynical view of our digital world. David Holmes, Senior Research Analyst at Forrester, points out that this view is reality, as cynical as it might seem. “The internet was designed without security in mind,” he says. “We’ve allowed it to become a toxic, malicious hive of scum and villainy.”
Holmes argues that patching band-aids on top of every security concern has to stop, and organizations must rethink their security philosophy from the ground up.
Seamless System Linkages
Configuration errors and system endpoints offer malicious entities an entry point into enterprise systems. For instance, one system in the network might receive an upgrade that puts it out of sync with the rest of your network. This situation creates configuration errors that malicious actors can leverage.
The zero trust philosophy aligns with DevOps’s streamlined vision of development workflows. Thanks to automation and APIs, zero trust tools can often integrate with your existing infrastructure seamlessly, minimizing infrastructure changes and disruption.
Writing for Aberdeen Research, Thomas MacIsaac, a VP for SSH Communications Security, explains that “Fortunately, frictionless privileged access solutions have been developed that balance both the need for speed and the need to be secure.”
What’s more, he continues, “The only way forward is to permanently remove unmanaged keys and get rid of passwords from SysAdmin access to cloud and server environments. Monitoring, provisioning, and maintenance must all be simplified, and everything access-related should be automated.”
This streamlined secrets management vision minimizes the possibility of systems falling out of sync and creating new attack vectors. The result is seamless security integration into your DevOps pipeline.
Zero Trust Is the Way Forward
Zero trust might seem complex to adopt at first because its approach differs radically from prevalent security protocols. However, zero trust aligns with modern DevOps cycles, giving you a robust DevSecOps posture that helps you combat and counter threats.
While organizations must install a culture of DevSecOps to realize all of zero trust’s benefits, technology and automation do not pose any hurdles to implementing these principles.