Survey data from Qualia suggests that as DevOps becomes mainstream, both organizational resources and budget allocation tied to measurable business outcomes will be attached to this method of rapid application development. DevOps enables a faster iterative process that drives innovation while doing more with less and increasing efficiency.
It’s all a productive, well-oiled machine—until the security or auditing team arrives.
When that happens, the challenging yet manageable pace is bogged down with additional (perceived unnecessary) impediments to getting the job done. As a frame of reference, imagine being tasked with pulling the oars to move the ship. After moving along at a nice clip, you are suddenly told that before every oar stroke, you now need to obtain approval from someone on the top deck.
This new process requires you to drop your oar, run upstairs, obtain the necessary approval, run back downstairs, take your seat, position the oar and pull. The salt in the wound? You’re only measured, and either rewarded or punished, on the basis of how far the ship has moved.
Given this frustrating, start-and-stop work environment, how long would it take before you said “forget it” and simply pulled the oar a few times without performing the necessary checks? Eventually, the trips upstairs grow scarce as more and more attention goes to the business of moving the ship.
This example may seem hyperbolic, but if so, just have a chat with your DevOps team. John Willis, VP of DevOps and Digital Practice at SJ Technologies and coauthor of The DevOps Handbook, summed it up this way: “Most modern-day DevOps teams are all about continuously removing obstacles and are maniacal about streamlining automation—as it should be. However, that’s not to diminish the fact that there is a very legitimate need to incorporate security into DevOps, so much so that the term DevOps has expanded to DevSecOps (for security). To be successful, businesses need to incorporate security into DevOps during the development and planning stage, rather than treating security as an afterthought.”
Case in Point: Vaulting Keys
Vaulting keys for privileged access is one such afterthought. The whole process of checking keys in and out is anathema to streamlining DevOps. First, registering keys into a vault is a time-consuming and tedious process. Second, the whole process of vaulting adds friction to an otherwise fluid DevOps process, similar to the example mentioned above of going above deck before rowing.
What ends up happening is that DevOps team members eventually work around the process by placing new SSH keys on target systems, bypassing security controls and creating what’s effectively just the appearance of security rather than actual security. In other words, what sounds good in theory is generally unworkable in practice and, therefore, is most often ignored or bypassed.
A mindset shift is necessary to overcome this insecure situation. Instead of viewing security as an afterthought, creating additional layers of friction, the flow of DevOps should incorporate security. Moreover, to the greatest extent possible, security should enhance DevOps productivity. For example, rather than storing authentication credentials on each end point and vaulting private keys, how about facilitating authentication using ephemeral (short-lived) role-based access control in real time?
Moreover, why not provide DevOps with an actionable list of servers and devices rather than burdening the team with the task of asset inventory and key management? That way, a simple hyperlink click will allow the user to connect right to that system or device with no additional hoops to jump through. This new paradigm will eliminate security burdens from DevOps as well as mask security checks and controls from end users, freeing them to focus solely on their primary task of pulling the oars to move the ship.
Today, privileged-access solutions are available that balance both the need for speed and the need to be secure, but they require moving past the legacy vaulting mindset to a more streamlined security model. The only way forward is to permanently remove unmanaged keys and get rid of passwords from sysadmin access to cloud and server environments. Monitoring, provisioning and maintenance must all be simplified, and everything access related should be automated.
The Wind Shifts Toward DevOps
The survey data noted above also points to enterprises embracing “a shift in culture as a conscious effort and as a foundational element of their DevOps rollout.” As executives buy into this model, the culture shift will happen throughout the organization, “breaking cultural barriers and improving collaboration between functional teams.” This shift will afford DevOps the instant, secure access to cloud and on-premises assets it needs to innovate rapidly without being penalized by security measures that slow the works. That’s the beauty of dynamic, role-based, short-lived, on-demand SSH certificates.
About the Author
Thomas MacIsaac is a cybersecurity strategist and currently serves as VP of Eastern U.S., Canada and Federal Markets for SSH Communications Security. Thomas has spent over 22 years in the high-tech industry representing many foundational and cutting-edge technologies. He regularly consults with Fortune 500 businesses and government agencies on security topics of data at rest and in transit, identity and access management, APIs, and SIEMS, and he’s a sought-after speaker for audit, compliance and security events.