Interview: CyberArk tells why DevOps must adopt 'secure innovation by the numbers'

14 May 2018

DevOps is becoming a major force across software development. For various reasons, security can be sidelined until far later in the development process – but there’s also a movement that is putting security rightly where it belongs – at the beginning.

That’s the essence of DevSecOps, which maintains that security by design should be central to any strategy.

Elizabeth Lawler is CyberArk’s vice president of DevOps Security. She was CEO of Conjur, a DevOps security startup, before CyberArk acquired the company. She says the two companies made a powerful combination that drew CyberArk closer towards the DevOps space.

Traditionally, development and IT teams have been siloed from the rest of an organisation, which led to a multitude of challenges. But the tide is now turning towards a more unified approach.

“I think the DevOps train is unstoppable right now. A lot of organisations are thinking about how they can move fast, and deliver value to their customers faster through software delivery,” Lawler says.

Australia is one country that is adopting DevOps, but there is still work to be done. Eighty-two percent of companies don’t have a privileged account security strategy in place for DevOps, according to CyberArk’s Global Advanced Threat Landscape Survey.

“We work with managing privilege in DevOps environments. You do see developers or DevOps people that understand the principles of good security.”

Enter DevSecOps and the mantra of ‘security by design’. How does that work from a practical perspective like designing an application or a platform that delivers applications?

“We don’t see security getting involved early enough in the process – there’s residue from leftover silos.”

Does there need to be more awareness across an entire company - from the developers who build integrations to the budgeting team and CEOs who may allocate limited funding?

“It should be coming from the senior levels and even down to the board and management to say DevOps and security teams need to start working together at the earliest possible moment.”

She believes that any board member who deals with governance, cybersecurity or oversight should be asking management to present these types of issues.

Lawler also says breaking down communication barriers and removing the historical biases of leaving security later in the process are important ways of giving DevSecOps more prominence. This will help teams deliver projects faster.

“I often talk about ways of achieving this goal. It’s more about pushing down the KPIs and metrics of success, and delivery of security that are visible to DevOps and security teams so that they’re both responsible for it.”

“DevOps teams love to run on metrics. If it’s a language and construct they can work in, and then having security teams as part owners of that can allow you to break down organisational barriers.”

“We call it secure by design, but it’s really secure innovation by the numbers. You want to see the whole process, which is also a learning process. It’s one thing to say, ‘I’ve secured this platform’, but there are different tools coming in. It’s an entire process problem where we see breakdowns.”

When teams don’t integrate properly, that’s when security problems – and even breaches – can happen. Take, for example, the case of Tesla’s Kubernetes platform being used for cryptomining.

“Someone got into the Kubernetes administrative console, probably by phishing Kubernetes admins. They got on the console and launched a bunch of IT resources to mine cryptocurrency.”

“But things like that hit everybody and it happens multiple times a day to all kinds of organisations. Anyone who accidentally uploads an Amazon credential to GitHub – in five minutes a bot will max out your Amazon account and start cryptocurrency mining.”

She says in these cases teams haven’t stepped back and figured out how they want to design a process. Instead, they have pieced something together at the end.
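The credential-to-GitHub scenario Lawler describes is the kind of breakdown a small, automated check in the pipeline can catch before the push. The following is an added example, not code from the article or from CyberArk: a pre-commit style scanner that inspects only the added lines of a diff (as produced by `git diff --cached`, which is assumed to be piped in) for AWS access key IDs and secret keys, redacts anything it finds, and exits non-zero to block the commit. The sample diff, the key values in it and the helper names are all constructed for the example.

```python
import re
from typing import List, NamedTuple

# Constructed sample of a commit's added lines (not real credentials).
SAMPLE_DIFF = """\
+++ b/deploy/settings.env
+export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
+aws_secret_access_key = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
+# docs placeholder key, allow-listed below: AKIAIOSFODNN7EXAMPLE
+REGION=ap-southeast-2
"""

class Finding(NamedTuple):
    line_no: int   # line number within the scanned (added-lines) text
    kind: str
    redacted: str  # never log the full secret

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs share a fixed shape.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character base64-style token assigned near the words "aws ... secret".
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# AWS's published documentation placeholder; harmless and common in READMEs.
ALLOW_LIST = {"AKIAIOSFODNN7EXAMPLE"}

def redact(token: str) -> str:
    return token[:4] + "*" * (len(token) - 8) + token[-4:]

def scan_text(text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(1) not in ALLOW_LIST:
                findings.append(Finding(n, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(n, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_added_lines(diff_text: str) -> List[Finding]:
    """Scan only the '+' lines of a unified diff, skipping '+++' file headers."""
    added = [l[1:] for l in diff_text.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))

if __name__ == "__main__":
    hits = scan_added_lines(SAMPLE_DIFF)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Wired into a `pre-commit` hook, the same check runs on every developer machine, which is the "one percent per day" style of control the interview argues for rather than a clean-up at the end.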

“Kubernetes, configuration management, and orchestration tools are powerful system administrators. They need to be managed or overseen the same as with any person who had that kind of power. That hasn’t made its way into the workflow of DevOps but there’s an awareness that these are real points of risk and liability. They need to be better managed.”

“The thing organisations can’t do is compromise the ability to deliver by applying security policies. What companies like CyberArk are doing is to apply security without interrupting workflow.”

CyberArk focuses on privileged access management as a holistic process of managing powerful users or powerful systems that are working inside IT and DevOps environments.

“We counteract an exploding threat surface through our Cyber Hygiene program,” she says.

The program gives organisations a 30-day sprint to clean up the most common privileged access security issues coming from the development or DevOps teams.

CyberArk also helps organisations identify the administrators who access DevOps consoles. The company then helps customers work out how to build applications with least privilege or separation of duties enforced in the pipeline.

“If you improve application design by one percent per day every day rather than trying to deal with a pile of problems at the end, you’ll be in a much better position if something happens to go awry - and you’ll have a much smaller threat surface,” Lawler concludes.
