Cyber insurance is a relatively young line of business. Because threats are more dynamic, and risks therefore harder to calculate than in many other lines of insurance, providers are constantly adjusting their conditions. And DevSecOps could be next on their lists.
Companies wanting to take out or renew a cyber policy are confronted with increasingly stringent cybersecurity requirements. For example, the range of security checks that have become prerequisites for taking out affordable insurance has repeatedly expanded in recent years. The intensifying threat landscape and the ever-increasing damage caused by cybercriminals have also seriously affected insurers, who are constantly moving to protect themselves.
These requirements have historically included measures such as MFA, anti-malware software, firewalls and intrusion detection systems. In recent years, we have seen Privileged Access Management (PAM) added to the technologies required for cyber insurance. Deployed correctly, PAM provides key security controls to protect organisations' systems and data and comply with the Australian Government's Essential Eight Maturity Model.
But the list will likely be expanded further, especially for companies whose business involves developing software and that have adopted the Development-Operations (DevOps) workflow model.
The issues around DevOps
Fast, iterative DevOps workflows are often accompanied by security risks associated with the management of privileged access. When there is increasing competitive pressure for faster software delivery, sharing privileged access to all containers, servers and applications, or using plaintext credentials embedded in code, is very tempting.
Unsurprisingly, hackers have been increasingly using hard-coded credentials, poorly secured or unsecured APIs, and sensitive configuration data in code to perpetrate large-scale cyberattacks. For example, vulnerable APIs were blamed for last year's Optus data breach, one of the largest ever in Australia, and the theft of personal information of 37 million U.S. customers from T-Mobile.
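To make the hard-coded credential problem concrete, here is an added example that is not part of the original article or any vendor's product: a small scanner that flags plaintext credentials assigned to sensitively named variables in source code, run over constructed sample lines, followed by the hardened pattern in which the secret is resolved at runtime from an injected resolver (an environment variable here; a PAM vault client in production). The sample source, the variable-name list and the `load_secret` helper are all hypothetical.

```python
import math
import os
import re

# Constructed sample source lines (not from any real project). Two of them embed
# a plaintext secret; the others are safe or are empty placeholders.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "Sup3rS3cretP@ss!"             # plaintext credential in code
api_key = os.environ["PAYMENTS_API_KEY"]     # resolved at runtime, not embedded
aws_secret_access_key = 'FAKEKEYexample0123456789abcdef'   # constructed value
token = ""                                   # empty placeholder, not a secret
timeout = "30"
"""

# Variable names that usually hold credentials (hypothetical, extend per codebase).
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|api_?key|token|access_key)", re.I)
# An assignment whose right-hand side starts with a string literal.
LITERAL_ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(["'])(.*?)\2""")
MIN_SECRET_LENGTH = 8


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; high values hint at keys rather than words."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_source(text: str) -> list[dict]:
    """Return one finding per line that assigns a non-trivial string literal
    to a sensitively named variable. Runtime lookups are not flagged because
    their right-hand side is a call or index expression, not a literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LITERAL_ASSIGNMENT.match(line)
        if not match:
            continue
        name, _, value = match.groups()
        if SENSITIVE_NAME.search(name) and len(value) >= MIN_SECRET_LENGTH:
            findings.append({"line": line_no, "name": name,
                             "entropy": round(shannon_entropy(value), 2)})
    return findings


def load_secret(name: str, resolver=os.environ.get) -> str:
    """Hardened form: the secret never appears in source. `resolver` is
    injected so tests can pass a dict and production can pass a vault client."""
    value = resolver(name)
    if not value:
        raise RuntimeError(f"secret {name!r} not available from the secrets manager")
    return value


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['name']} "
              f"(entropy {finding['entropy']} bits/char) is a hard-coded credential")
```

Running the block reports the two embedded credentials on lines 2 and 4 and nothing for the runtime lookup, the empty placeholder or the timeout. The hardened `load_secret` call itself produces no finding when scanned, which is the property a pre-commit hook or CI step built on this idea would enforce.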
Enter DevSecOps
So, what is DevSecOps? DevSecOps (or DevOps Security) is an innovative approach to software development that integrates security from the outset and throughout all stages of the development lifecycle. DevSecOps ensures application security through continuous and automated processes and can also uncover vulnerabilities directly related to the management of access permissions.
However, many organisations have pushed back on implementing DevSecOps because it is a new security discipline with unique challenges. This includes organisations that have deployed PAM elsewhere in the business. Many shy away from it because they fear their agile development operations will be impaired and their competitiveness reduced. Specifically, they worry that the continuous integration and continuous delivery (CI/CD) pipeline that produces code could be slowed down.
However, as DevSecOps becomes increasingly essential for comprehensive enterprise security and obtaining cyber insurance becomes more onerous, it's time to dispel these doubts and find ways to integrate the practices into organisations' security strategies smoothly.
Why extending PAM to DevOps is a good start
The important thing is not to rush into new technologies but to proceed step by step, prioritising as you go.
A sensible start can be extending your PAM controls to include effective management of DevOps secrets. This is because fast, iterative DevOps workflows are often accompanied by security risks associated with privileged access to containers, servers and applications. The challenge is reconciling fast, dynamic DevOps cycles and Robotic Process Automation (RPA) with security policies.
Modern PAM solutions can overcome these challenges by providing secrets management at DevOps speed – without disrupting the development process – with features such as:
- High-speed vault: Modern PAM provides an encrypted, centralised, SaaS-based vault that meets DevOps teams' specific speed and agility needs and stores privileged credentials in minutes.
- Centralised secrets: Modern PAM eliminates heterogeneous vault instances, enforces secure access to secrets, and creates a complete audit trail that gives stakeholders visibility into all privileged activity.
- Automation and scale: Modern PAM provides an automated interface (CLI and API) optimised for the speed and scale of DevOps pipelines and RPA implementations and tools.
- Issuing certificates: Modern PAM supports the issuance of X.509 and SSH certificates and their automatic signing and distribution.
- Just-in-time access: Modern PAM removes permanent access to databases such as MySQL, PostgreSQL, Oracle, etc., as well as cloud platforms such as AWS, Azure or GCP and instead relies on secure just-in-time access.
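As an added illustration of the just-in-time access and audit trail points in the list above (this is example code written for this page, not any PAM product's implementation), the hypothetical `JitAccessBroker` below grants no standing access: a principal requests a lease on a named resource, the broker checks policy, issues a short-lived token capped at a maximum TTL, purges the lease once it expires, and records every request and authorisation decision in an audit log. The policy map, resource names and clock injection are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

MAX_TTL_SECONDS = 15 * 60   # hypothetical upper bound on any lease


@dataclass
class Lease:
    principal: str
    resource: str
    token: str
    expires_at: float


class JitAccessBroker:
    """Models just-in-time privileged access: access exists only as a lease
    with an expiry, and every decision is appended to an audit trail."""

    def __init__(self, policy: dict[str, set[str]], clock=time.time):
        self._policy = policy        # principal -> resources it may request
        self._clock = clock          # injectable so tests can advance time
        self._leases: dict[str, Lease] = {}
        self.audit_log: list[dict] = []

    def _log(self, event: str, principal: str, resource: str, allowed: bool) -> None:
        self.audit_log.append({"at": self._clock(), "event": event,
                               "principal": principal, "resource": resource,
                               "decision": "allow" if allowed else "deny"})

    def request(self, principal: str, resource: str, ttl_seconds: int = 300):
        """Issue a lease if policy permits; otherwise return None."""
        allowed = resource in self._policy.get(principal, set())
        self._log("request", principal, resource, allowed)
        if not allowed:
            return None
        ttl = min(ttl_seconds, MAX_TTL_SECONDS)
        lease = Lease(principal, resource, secrets.token_urlsafe(16),
                      self._clock() + ttl)
        self._leases[lease.token] = lease
        return lease

    def authorize(self, token: str, resource: str) -> bool:
        """Check a presented token against the live lease table."""
        lease = self._leases.get(token)
        now = self._clock()
        if lease is not None and now >= lease.expires_at:
            del self._leases[token]   # expired leases are removed, never renewed silently
            self._log("authorize", lease.principal, resource, False)
            return False
        allowed = lease is not None and lease.resource == resource
        self._log("authorize", lease.principal if lease else "unknown", resource, allowed)
        return allowed

    def revoke(self, token: str) -> bool:
        """Administrative early revocation; returns whether a lease was removed."""
        lease = self._leases.pop(token, None)
        self._log("revoke", lease.principal if lease else "unknown",
                  lease.resource if lease else "-", lease is not None)
        return lease is not None


if __name__ == "__main__":
    broker = JitAccessBroker({"ci-runner": {"postgres/orders"}})
    lease = broker.request("ci-runner", "postgres/orders", ttl_seconds=60)
    print("authorised:", broker.authorize(lease.token, "postgres/orders"))
    for entry in broker.audit_log:
        print(entry)
```

The clock is injected so the expiry path can be exercised deterministically; in a real deployment the lease would be a database user or cloud role session created on demand, and the audit log would be shipped to the SIEM rather than kept in memory.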
Result
Cyber insurers today expect their customers to take proactive security measures, including identity and access management. If companies use DevOps, it is advisable to implement PAM solutions that also effectively secure DevOps secrets. However, this requires tools that support the speed and agility necessary for DevOps team workloads.