Story image

"Alarming" lack of privileged account security awareness in DevOps

09 Nov 17

DevOps environments are facing an ‘alarming’ lack of security planning and potentially serious gaps around privileged accounts and secret awareness, a new report from CyberArk warns.

DevOps and security professionals around the world, including Australia, have major knowledge gaps about where privileged accounts and secrets exist across their own IT infrastructure, according to CyberArk’s Advanced Global Threat Landscape survey.

The survey offered a range of options in which secrets and privileged accounts exist (PCs/laptops, microservices, cloud environments and containers), however 99% of respondents were unable to identify all places.

84% were unaware that privileged accounts are found on source code repositories such as GitHub. 80% were unaware privileges also exist in microservices; 78% were unaware about privileges in cloud environments and 76% were unaware of privileged accounts in CI/CD tools used by DevOps teams.

DevOps remains a priority for enterprises according to Gartner, however 75% of survey respondents admitted they have no privileged account strategy (PAS). In Australia, the percentage is even higher (82%). This creates significant weak points that attackers can target, CyberArk says.

37% of DevOps professionals also believe that compromised DevOps environments are but one of their organisation’s biggest security vulnerabilities.

CyberArk’s VP of DevOps Security Elizabeth Lawler says that as DevOps uptake increases, the amount of privileged account credentials are being created and shared in interconnected business ecosystems.

 “Even though dedicated technology exists, with few organisations managing and securing secrets, they become prime targets for attacks. In the hands of an external attacker or malicious insider, compromised credentials and secrets can allow attackers to take full control of an organisation’s entire IT infrastructure.”

78% of Australian security teams say there is a problem for security and DevOps teams, compared to 65% worldwide.

“So it’s worrying that the rush to achieve IT and business advantages through DevOps is outpacing awareness of an expanded – and unmanaged – privileged attack surface.”

The report suggests that 23% of Australian DevOps teams are now taking things into their own hands by building their own security solutions.

Lawler says that building custom security solutions works to a point, but it is not scalable.

“Jenkins to Puppet to Chef, there are no common standards between different tools, which means you must figure out every single tool to know how to secure it. DevOps really needs its own security stack, and security teams must bring something to the table here. They can provide a systemised approach that helps the DevOps teams maintain security while accelerating application delivery and boosting productivity,” Lawler says.

74% of respondents said they use cloud vendor’s built-in security, which means privileged account security isn’t fully integrated into DevOps processes in new environments.

Lawler says the survey findings demonstrate the lack of understanding around security

“DevOps and security tools and practices must fuse in order to effectively protect privileged information. Building awareness and enabling collaboration between DevOps and security teams is the first step to help businesses build a scalable security platform that is constantly improved as new iterations of tools are developed, tested and released,” Lawler concludes.

Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
NBN Co rolls out 'optimised' wholesale business bundles for ISPs
“We recognise some businesses are on nbn powered plans that have not been optimised for their needs," says Paul Tyler.
How Schneider Electric aims to simplify IT management
With IT Expert, Schneider Electric aims to ensure secure, vendor agnostic, wherever-you-go monitoring and visibility of all IoT-enabled physical infrastructure assets.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
Preparing for the future of work – growing big ideas from small spaces
We’ve all seen it: our offices are changing from the traditional four walls - to no walls. A need to reduce real estate costs is a key driver, as is enabling a more diverse and agile workforce.
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.