
DevOps - risks are underestimated

Companies are increasingly using DevOps for efficient application delivery. DevOps promises shorter time-to-market, improved product quality and higher customer satisfaction, but also brings new security risks.
Michael Kleist, CyberArk
November 29, 2018
DevOps column
This text has been automatically translated from German to English.

Digital transformation requires a high level of agility and is driving the use of DevOps environments because DevOps offers accelerated innovation, greater flexibility and reduced complexity in application development and deployment.

With DevOps implementations, companies therefore primarily want to realize business benefits. However, they all too often neglect security in the process - a serious mistake, as DevOps in particular significantly expands the attack surface for cyber attacks.

When companies use DevOps models, more privileged accounts and access data are generated and shared automatically across networked business ecosystems.

Such access data - which has often been insufficiently considered and secured to date - includes service accounts, encryption, API and SSH keys, container secrets or embedded passwords in program code, which is often also stored in central repositories.

The additional privileged access data used, which is linked to people, services or applications, inevitably represents a lucrative target for an external attacker or malicious insider. After all, they allow complete control over a company's entire IT infrastructure.
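The column names embedded passwords, API keys and SSH keys in program code kept in central repositories as the credentials most often overlooked. As an added example that is not from the column or from CyberArk, the following Python script is a minimal detection check of the kind a security team could run over a checked-out repository: it pattern-matches the three credential types the text mentions and applies an entropy filter so obvious placeholders are not reported. The sample files, the patterns and the entropy threshold are constructed assumptions, not any product's rule set.

```python
import math
import re
from dataclasses import dataclass

# Illustrative patterns for the credential types the column names: embedded
# passwords, API keys/tokens and SSH private keys. Not an exhaustive rule set.
PATTERNS = {
    "embedded password": re.compile(r"""(?i)(password|passwd|pwd)\s*[:=]\s*["'](?P<value>[^"']{6,})["']"""),
    "api key": re.compile(r"""(?i)(api[_-]?key|secret[_-]?key|token)\s*[:=]\s*["'](?P<value>[A-Za-z0-9_\-]{16,})["']"""),
    "ssh private key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str

def shannon_entropy(value: str) -> float:
    """Bits per character; placeholder strings such as 'xxxxxxxx' score 0."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_file(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Key-shaped values with low entropy are almost always placeholders, not leaks.
            if kind == "api key" and shannon_entropy(match.group("value")) < 3.0:
                continue
            findings.append(Finding(path, lineno, kind))
    return findings

def scan_repo(files: dict) -> list:
    """files maps path -> file content, as a checked-out repository would."""
    return [f for path, text in sorted(files.items()) for f in scan_file(path, text)]

# Constructed sample repository (assumed content, not real credentials).
SAMPLE_REPO = {
    "config/settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "s3cr3t-Pr0d!"\n',
    "deploy/pipeline.yml": 'deploy:\n  api_key: "k9vQ2mLx8pR4tZ7wNb3cYh6j"\n  token: "xxxxxxxxxxxxxxxxxxxx"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n",
    "app/db.py": 'import os\npassword = os.environ["DB_PASSWORD"]  # injected at runtime, not embedded\n',
}
```

Running `scan_repo(SAMPLE_REPO)` reports the embedded database password, the real-looking API key and the private key file, but not the placeholder token or the runtime-injected password.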

The security risk for companies is further increased by the use of numerous orchestration and automation tools, such as CI (Continuous Integration) and CD (Continuous Delivery) tools or source code repositories such as GitHub in DevOps projects.

The challenge here is that the tools used in the DevOps toolchain, such as Ansible, Chef, Puppet or Jenkins, do not offer any common standards and companies therefore have to take individual, specific security measures for each tool.

In particular, the workflows for access control to privileged access data vary considerably. As a result, many companies have no strategy for access control at all, or only inconsistent or manual ones. Security gaps are therefore inevitable, and attackers search for them just as automatically as the DevOps pipeline generates code.

Successful countermeasures can only be taken with a dedicated DevOps security stack, and this is where IT security comes in. It must take a systematic approach to support DevOps teams in achieving a high level of security.

DevOps and security tools and practices must be integrated to establish efficient protection for privileged data. Close collaboration between DevOps and security teams is therefore the first step in successfully building a scalable security platform and implementing a DevSecOps strategy that can keep pace with the dynamic environment and rapidly evolving technology.

The administration of all DevOps tools and access data should take place under the umbrella of such a security platform. The central, automatic management and securing of all confidential access data used in a DevOps pipeline - such as encryption and API keys, database passwords or transport layer security (TLS) certificates - is of essential importance.

The same platform should also manage individual secrets automatically and dynamically so that access in DevOps production remains secured.

All access data used by machines, systems and people should be protected in a highly available and secure storage system (vault), a specially "hardened" server that offers reliable protection against unauthorized access with several different security layers.


Michael Kleist is Regional Director DACH at CyberArk in Düsseldorf.

