Security at Speed: A New Paradigm for a Secure DevOps Process

Since its first conference in Belgium in 2009, DevOps has gained mainstream acceptance. Organizations have caught on to its ability to create optimization on a whole new scale. This approach to development yields greater efficiency and faster innovation—who doesn’t want that? Organizations have set their DevOps teams to work, aligning them with the pace and goals of the business. Then the security or auditing team arrives on scene and throws a monkey wrench in the works.

Competing Needs

Of course, security is a necessary aspect of development, but it does slow down what is known to be a rapid iterative process. Think of it this way: you are a quarterback on a winning football team. Your passing game has never been better. Suddenly, the coach tells you that before every throw, you’re going to have to get approval from the owner. You’ll have to stop the clock in the midst of play, run off-field and find the owner and get approval. Then you get back on the field, ask the referee to start the clock again, and make your throw. And even with all these interruptions, you’re still expected to deliver the same number of winning performances.

This is an unworkable scenario. No one wants to work under these conditions. With that kind of pressure, how long do you suppose it would take before you would say “Forget it” and simply throw the ball a few times without stopping for approval? Eventually, the trips to the owner’s box grow scarce as more and more attention is paid to finishing the game.

It may seem that this example is preposterous, but run it past your DevOps team and see what they say. Still, security must be a part of the process. John Willis, VP DevOps and Digital practice at SJ Technologies and co-author of “The DevOps Handbook,” said this: “There is a very legitimate need to incorporate security into DevOps, so much so that the term DevOps has expanded to DevSecOps (for security). To be successful, businesses need to incorporate security into DevOps during the development and planning stage, rather than treating security as an afterthought.”  

Slow Security Becomes No Security

Among the security afterthoughts of DevOps is the practice of vaulting keys for privileged access. The whole process of checking keys in and out is anathema to streamlining DevOps. First of all, registering keys into a vault is a time-consuming and tedious process. Secondly, the whole process of vaulting adds friction to an otherwise fluid DevOps process, similar to the example mentioned above of checking with the owner prior to throwing the football.

What ends up happening, like the quarterback who stops asking permission to do his job, is that DevOps eventually circumvents the process by placing new SSH keys on target systems. This bypasses security controls, creating what is effectively just the appearance of security versus actual security. This state is the “Sounds Good, No Good Security Syndrome”: what sounds good in theory is generally unworkable in practice and, therefore, is most often ignored or bypassed.

Putting the ‘Sec’ in DevOps

Practices like this can get ingrained into a work culture and become difficult to change. But change is possible. Instead of viewing security as an afterthought that creates additional layers of friction, security should be incorporated into the flow of DevOps. Moreover, to the greatest extent possible, security should enhance DevOps productivity. For example, rather than storing authentication credentials on each endpoint and vaulting private keys, how about facilitating authentication using ephemeral (short-lived) role-based access control in real time?

Or, even better, instead of making it DevOps’ responsibility to deal with asset inventory and key management, provide them with an actionable list of servers and devices. That way, a simple hyperlink click will allow the user to connect right to that system or device with no additional hoops to jump through. This new paradigm will eliminate security burdens from DevOps, and mask security checks and controls from the end user, freeing them to focus solely on their primary task of pulling the oars to move the ship.

To everyone’s benefit, there are frictionless privileged access solutions available now that balance both the need for speed and the need to be secure, but it means moving past the legacy vaulting mindset to a more streamlined security model. The only way forward is to permanently remove unmanaged keys and get rid of passwords from sysadmin access to cloud and server environments. Monitoring, provisioning and maintenance must all be simplified, and everything access-related should be automated.
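
Removing unmanaged keys starts with finding them: the keys placed on target systems outside the approved process show up as authorized_keys entries whose fingerprints are not in any inventory. The audit below is an added example, not code from the article or from any product; the sample keys, file content and inventory are constructed for illustration.

```python
import base64, hashlib, re, struct

# Key type followed by a base64 blob; SSH wire-format blobs always begin "AAAA".
KEY_RE = re.compile(
    r"(?:^|\s)((?:ssh-|ecdsa-|sk-)\S+)\s+(AAAA[0-9A-Za-z+/]+={0,2})(?:\s+(.*))?$")

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(authorized_keys_text, managed):
    """Return (lineno, fingerprint, comment, options) for each key not in `managed`."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:  # surface malformed entries instead of silently skipping them
            findings.append((lineno, None, "unparseable entry", line))
            continue
        fp = fingerprint(m.group(2))
        if fp not in managed:
            options = line[:m.start(1)].strip()  # e.g. command="...",no-pty
            findings.append((lineno, fp, m.group(3) or "", options))
    return findings

def _constructed_key(seed):
    """Constructed sample only: a well-formed ssh-ed25519 blob, not a usable key."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(blob).decode()

MANAGED_KEY = _constructed_key(b"managed")
ROGUE_KEY = _constructed_key(b"rogue")
SAMPLE = f"""# constructed authorized_keys content
ssh-ed25519 {MANAGED_KEY} deploy@ci
command="/usr/bin/backup",no-pty ssh-ed25519 {ROGUE_KEY} bob's laptop
not a key line
"""
INVENTORY = {fingerprint(MANAGED_KEY)}  # fingerprints issued through the approved process

if __name__ == "__main__":
    for finding in audit(SAMPLE, INVENTORY):
        print(finding)
```

Run against every account's authorized_keys file on a host, the findings give a removal list; the fingerprints use the same SHA256 format that `ssh-keygen -l` prints, so they can be cross-checked by hand.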

Security on Demand

Rapid innovation and iteration are what DevOps is all about. But their process needs to be secure, too. This team needs instant, secure access to cloud and on-premises assets without getting dinged for it. They need to keep production on schedule and get rid of passwords and vaults. There are now on-demand SSH certificates that are dynamic, role-based and short-lived, which free up DevOps to focus on doing what they do best while still maintaining a high level of security for the business.

Thomas MacIsaac

Thomas MacIsaac is a cybersecurity strategist and currently serves as VP Eastern US, Canada and Federal Markets for SSH. Thomas has spent over 22 years in the high-tech industry representing many of the foundational and cutting-edge technologies of our time. Thomas regularly consults with Fortune 500 businesses and government agencies in the area of security on topics of data at rest and in transit, identity and access management, APIs and SIEMS, and is a sought-after speaker for audit, compliance, and security events.
