CyberArk, a publicly traded information security company that offers Privileged Account Security, released a new research report titled ‘The CISO View: Protecting Privileged Access in DevOps and Cloud Environments’. The report advises security teams on how to effectively analyze and prioritize steps to protect DevOps processes while maintaining developer velocity.
The report is part of CyberArk’s The CISO View industry initiative and features contributions from executives of leading organizations who are embracing DevOps methodologies and tools. Sponsored by CyberArk, the initiative brings together leading CISOs for peer-to-peer information sharing to help security teams develop effective cybersecurity programs. While security strategies should address privileged access and the risk of unsecured secrets and credentials, they should also closely align with DevOps culture and methods to avoid negatively impacting developer velocity and slowing the release of new services. Yet in the 2018 CyberArk Global Advanced Threat Landscape, 73 percent of organizations reported that they have no strategy to deal with privileged access security for DevOps.
CyberArk’s report compiles five key suggestions based on the real-world experiences of participating CISOs:
Transform the security team into DevOps partners – Ensure security practitioners and developers have the right skills, make it easy for developers to do the right thing, support collaboration and embrace agile DevOps methods within security.
Prioritize securing DevOps tools and infrastructure – Set and enforce policies for tools selection and configuration, control access to DevOps tools, ensure least privilege, and protect and monitor infrastructure.
Establish enterprise requirements for securing credentials and secrets – Mandate the centralized management of secrets, increase auditing and monitoring capabilities, remove credentials from tools and applications, and build reusable code modules.
Adapt processes for application testing – Integrate automated testing of code, compel developers to fix security issues using a "break the build" approach and consider a bug bounty program.
Evaluate the results of DevOps security programs – Test secrets management solution deployments, measure and promote improvements and educate auditors.