Remote work and distributed environments have disrupted long established security models and workflows. Security architects had to re-adapt, re-architect, and rebuild security for remote workers, with the rapid de-perimeterization we witnessed over the months. A multi-layered approach had to be deployed with a mix of security solutions, ranging from identity management, privilege access management, encryption, data-level authentication, data loss prevention, network security, security protocols – and of course, zero trust architecture. In a rush to accede to business demands for cloud adoption and digital transformation, established frameworks and models like security by design and DevSecOps or DevOps security were often neglected.
In an interview, Brian Pereira, Editor-in-Chief, CISO MAG, and Jeffrey Kok, Vice President of Solution Engineers, Asia Pacific and Japan at CyberArk, exchange notes on current challenges posed to organizations for DevOps security, adopting security by design, and in integrating security into the CI/CD pipeline. Kok reveals strategies employed by his organization to work around these challenges. The interview concludes with a discussion on privileged access management and how PAM secures remote work environments that have questionable security defenses.
Kok has more than 17 years of experience in the cybersecurity industry. At CyberArk, he is responsible for working with various internal teams to qualify leads, identify business issues and drivers in any particular sales opportunity, and manage the entire presales and solution process of the business cycle.
Prior to joining CyberArk, Kok was Technical Consultant Director, Asia Pacific and Japan for RSA, managing a team of senior pre-sales engineers and technicians. While in this role, he built a strong and high-performing cross-regional pre-sales practice.
During his career he served in companies and institutions, including RSA, Cisco Systems, Nera Telecommunications, and the National University of Singapore (NUS). He holds a Bachelor of Applied Science in Computer Engineering from the Nanyang Technological University and a CISSP certification.
Edited excerpts from the interview follow:
Implementing DevOps requires close collaboration between various teams. But with most teams and people working from different locations during the pandemic, has this posed a challenge to the development process?
During the initial onset of the pandemic, development teams working in different locations were affected as many organizations, especially those in the Asia Pacific, were not prepared to work in remote settings. Most organizations needed time to adapt to this new change as, prior to the pandemic, developers would gather in a physical room and discuss ideas using a large whiteboard with colourful post-its. Now, organizations would need to provide access for remote workers to ensure the same level of collaboration.
Within a couple of months, most organizations successfully adapted. This is evident from the development of new apps and updates during the pandemic. For instance, the Singapore government made significant progress throughout the pandemic on its contact-tracing application, Trace Together, having released numerous updates and added functions to improve the user experience, as well as to reflect the latest vaccination status.
There has been much talk about “security by design.” But not many organizations are following this practice. Your comments please.
I believe that the challenges with adopting security by design are global. The concept requires additional time and effort, which all adds to the cost for companies.
This is a common issue, especially for start-ups that tend to skirt around security needs in exchange for speed. These companies tend to introduce security during the later stage of the development to gain the competitive edge of launching solutions or updates before their competitors.
On the other hand, larger and more mature organizations tend to adopt security by design at the outset, as they understand the importance of securing their applications. For instance, the public sector and banks tend to put a big focus on this approach.
As for organizations that have been operating with legacy applications and systems designed decades ago, it does require an enormous amount of effort (and sometimes it is impossible) to re-architect and rebuild with an added layer of security. Companies looking for a refresh often adopt and partner with a proper security platform that can help them implement modern security practices. In this way, they have something that equates to security by design.
What is the biggest challenge with DevOps security? Is this challenge seen only in APAC or elsewhere in the world too?
Recurring low-level phishing and impersonation attacks set up by cybercriminals target developers who have high levels of access to credentials. Developers are preyed-on as they build critical software and are frequently given administrative privileges, which provide a valuable entry point to the rest of the organization, if compromised. Cyberattackers know this, and they aim to misappropriate admin privileges that could jeopardize the whole application environment. While enabling organizations to become more efficient and faster, the growth of DevOps has significantly expanded the attack surface.
CyberArk’s CISO View research shows that high-level DevOps engineers are constantly being hunted by cybercriminals due to having access to sensitive company assets. This illustrates that the credentials that DevOps teams use must be managed and secured in a centralized and controlled way.
When attackers are able to access privileged credentials, unrestricted access to DevOps pipelines, sensitive databases, and cloud systems become targets for abuse. This can result in data breaches and intellectual property theft.
What would be the way to get round this challenge? And how?
Firstly, the development team should start with securing the DevOps pipeline. If the pipeline is not secured, this means that companies have not put the correct security building blocks in place. On the other hand, if companies have security-as-code alongside infrastructure code — as part of the entire pipeline — they have a strong foundation.
Secondly, do not leave hardcoded credentials everywhere. Always make it dynamic, so that it reduces the risk of someone in the DevOps team stumbling onto an SSH key somewhere, effectively allowing them the keys to the kingdom.
Finally, use existing industry best practices, which are talked about frequently in conferences and events around the world.
There is also a challenge of integrating security into the CI/CD pipeline. Security teams are slow to secure every part of the code and cannot keep up with the pace of DevOps. And this raises security risks during the integration stage. How are organizations getting past this challenge?
For companies with a CI/CD pipeline, it makes it easier for them to embed security best practices into their pipeline. Think of the pipeline as a train. If this train is being created, and this train goes through different stations, a company can break down problems into many parts and address the security aspect in each of those stages of the pipeline, or each of those train stations. Companies should follow best practices on securing codes and validate them against the automated validation of the codes. Security must be integrated into CI/CD pipeline before DevOps move on to their operations.
Can you give us some recommendations for DevOps security?
Automatic rotations for secrets, passwords, keys, and certificates hinder cybercriminals from accessing DevOps tools and access keys. Moreover, this automation reactively informs security teams if and when a breach happens. Taking a proactive method to protection, using automation and programmability, will encourage collaboration throughout teams, accelerating innovation amidst companies’ evolving needs.
Here are some tips for DevOps security:
- Tightly working with Software Engineering and IT/DevOps will be beneficial for developers to protect their applications. Supporting the idea and understanding the importance of security should be the priority, and instilled early into Software Architects, Developers, and DevOps/IT Operations. Acknowledging that the extra process is not to decelerate the development work, rather it is to accelerate via simple integration points. Identifying security breaches before it becomes critical requires security teams to focus early in the development cycle.
- Remove all hard-coded secrets in code, DevOps tools, configuration files and scripts. It’s also important to never use default passwords. For example, some tools establish a developer default user to create projects.
- To bring most value, Privileged Access Management and secrets management for DevOps infrastructure should be integrated cohesively; one system to centralize all privileged accounts, secrets, and other credentials.
- The development, security, and operations teams could utilize security-policy-as-code for efficient and unambiguous communication. Security tests and scans are integrated in the CI/CD pipeline to routinely and continuously identify potential risks and security gaps. Thus, organizations can improve their security posture, at the same time maintaining DevOps velocity and scalability.
- Securing credentials used in DevOps tools and processes is not always straightforward, but one aspect that is a must is to automate this effort. Minimal human hands-on and manual work allows administrative overhead reduction and a reduction in errors.
How does PAM help in securing remote environments, with workers at home using personal devices?
With the rise in remote work, securing employee workstations is more important than ever. Employees are working from home offices with insecure “BYOD” devices on insecure home networks. Every single endpoint (laptop, smartphone, tablet, desktop, server, etc.) contains privilege by default. Built-in administrator accounts enable IT teams to fix issues locally, but they also introduce great risk. Attackers can exploit admin accounts, then jump from workstation to workstation, steal additional credentials, elevate privileges, and move laterally through the network until they reach what they’re looking for. Thus, companies need to adopt privileged access management (PAM) as privileged accounts, credentials and secrets exist across the remote workforce and need to be secured. Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major data breach.
Privileged access management solutions can also offer insider threat protection, helping to ensure activities occurring across the distributed network aren’t malicious and, if they are, enable security operations teams to take quick action. From internal privileged users abusing their level of access, or external cyber attackers targeting and stealing privileges from users to operate stealthily as “privileged insiders,” humans are almost always the weakest link in the cybersecurity chain. PAM helps organizations make sure that people have only the necessary levels of access to do their jobs and enables security teams to identify malicious activities linked to privilege abuse and take swift action to remediate risk.
A proactive PAM program could account for the comprehensive removal of local administrative rights on workstations to reduce risk. Implementing a comprehensive privileged access management program will allow organizations to effectively monitor where privileged access exists at every layer, understand which users (both human and non-human) have access to what, detect and alert on malicious or high-risk activity, and enhance overall cybersecurity.
About the Interviewer
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).