DevOps—Underestimated Security Risks

Digital transformation needs high agility and increasingly promotes the use of DevOps environments. That’s because DevOps offers accelerated innovation, higher flexibility and reduced complexity in application development and deployment. With the implementation of DevOps, companies therefore want to primarily benefit their businesses. More often than not, however, they neglect security. A severe mistake, because DevOps significantly widens the attack surface for cyber criminals.

If companies use DevOps models, they also have to create more privileged accounts and login details and share them automatically via integrated business networks. Those details include service accounts, keys for encryption, API and SSH, secrets of containers or embedded passwords in the code of the program which is often also stored in central repositories.

The additional privileged login details connected to people, services and applications are an ideal target for an external attacker or a malicious insider. After all, they make it possible to control the whole IT infrastructure of a company.

The security risk is even higher if companies use various tools for orchestrating and automating. Tools for CI (continuous integration) and CD (continuous delivery) or source code repositories like GitHub are for example used in DevOps projects. The tools that DevOps Toolchain uses, like Ansible, Chef, Puppet and Jenkins, do not have a common standard, making it challenging for companies to establish individual, specific security measures for each and every tool.

Especially workflows for access management diverge greatly. Consequently, a lot of companies either do not have any strategies for access management, or they do, and they are inconsistent and inefficient. Security vulnerabilities are therefore a given.

How can we combat these developments?

One approach is an own DevOps security stack. Here, the IT security department has to be involved and has to systematically support DevOps teams in realizing a higher level of security. The collaboration of DevOps and security teams is therefore the first step for the successful creation of a scalable security platform and the implementation of a DevSecOps strategy which can keep up with the dynamic and the rapid pace of technology.

All DevOps tools and login details should be managed on such a security platform. Central, automated administration and storing of all login details used in a DevOps pipeline—for example API or encryption keys, data base passwords or transport layer security (TLS) certificates—are essential.

Of course, individual secrets which manage access in a DevOps production are also managed centrally and automatically. A vault—a highly available, secure system storage—should be used for the protection of all login details of machines, systems and people. This vault should essentially be a especially hardened server which can stop unauthorized access through various security layers.