Manage Secrets With Invisible PAM

There’s a security innovation paradox in DevOps environments, according to new research from ThycoticCentrify and Forrester. Organizations want developers to innovate faster without sacrificing security in the process.

“As security leaders seek to mitigate risks associated with insecure DevOps processes, half (50%) struggle to do so because security and development processes are not integrated,” the report stated. “From a developer’s perspective, leadership’s prioritization of security over shipping dates (68%) and existing security protocols (59%) sometimes forces them to subvert access controls in order to meet their delivery deadlines.”

The report also found that 57% of organizations have experienced security incidents related to exposed secrets in the past two years, while only 5% say that most of their development teams use the same secrets management processes and tools.

“The reason why we see so many security incidents related to exposed secrets in DevOps is because using hardcoded passwords and keys is the easy path to getting things to work,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, in an email comment. “We need to make it just as easy for DevOps teams to use secrets vaults so even when secrets get compromised, they are no longer usable, valid or expired.”

The Vulnerability of Secrets

DevOps secrets are credentials used by human and non-human identities to authenticate to applications. Secrets are the fine line between keeping data safe and allowing an organization to fall victim to a data breach. Secrets move through four phases: creation, storage, rotation and revocation. During each phase, secrets can be compromised through unauthorized access, a lack of visibility into current and changing secrets, or manual management that slows down the entire process.

Managing secrets is tough, yet remains one of the most common elements in configuration strategies. Secrets management, explained Carson, is the ability to move away from hardcoded passwords or static keys to just-in-time privileges or one-time-use passwords so that, even if compromised, they cannot be used. Yet, there are plenty of challenges involved in secrets management, including:

• The unwieldy spread of secrets. There are too many secrets and too much decentralization of secrets over time; that leads to privacy and security issues.

• Too many tools. Nearly every phase of the DevOps process has its own set of tools and no good way to integrate them all.

• Poor tracking of secrets. Do you know where your secrets are? Do you know what your secrets are? Do you know what identities have permissions for these secrets? If you can’t answer yes to all of those questions, you’ve added more risk to your DevOps process.
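A minimal illustration of the lifecycle described above (create, store, rotate, revoke) with time-limited and one-time-use secrets, added here as an example; it is not code from the article or any vendor's product, and the vault, secret names and TTLs are all constructed for the demonstration:

```python
import secrets
import time


class SecretVault:
    """Toy just-in-time secrets vault (constructed example, not a real product).

    Every secret carries an expiry and may be one-time-use, so a value that
    leaks stops working on its own, unlike a hardcoded password or static key.
    """

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested deterministically
        self._store = {}      # name -> record; in-memory stand-in for a real backend

    def create(self, name, ttl_seconds, one_time=False):
        """Creation + storage: mint a random value that expires after ttl_seconds."""
        value = secrets.token_urlsafe(32)
        self._store[name] = {
            "value": value,
            "expires_at": self._clock() + ttl_seconds,
            "one_time": one_time,
            "used": False,
            "revoked": False,
        }
        return value

    def validate(self, name, presented):
        """Return True only for a live, unexpired, unused (if one-time) secret."""
        rec = self._store.get(name)
        if rec is None or rec["revoked"]:
            return False
        if self._clock() >= rec["expires_at"]:
            return False                       # expired: a captured copy is useless
        if rec["one_time"] and rec["used"]:
            return False                       # replay of a one-time secret is refused
        if not secrets.compare_digest(rec["value"].encode(), presented.encode()):
            return False                       # constant-time comparison
        if rec["one_time"]:
            rec["used"] = True
        return True

    def rotate(self, name, ttl_seconds):
        """Rotation: replace the value; the previous one immediately stops validating."""
        one_time = self._store[name]["one_time"]
        return self.create(name, ttl_seconds, one_time=one_time)

    def revoke(self, name):
        """Revocation: mark the secret dead without waiting for expiry."""
        if name in self._store:
            self._store[name]["revoked"] = True
```

The point of the example is that the vault, not the consuming code, owns the secret's lifetime: a value copied out of a log or a config file expires, is single-use, or is rotated away before it can be reused.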

Using Privileged Access Management (PAM) for Secrets Management

Gartner predicts that by 2025, more than 75% of global organizations will be running containerized applications in production. The research firm also predicts that by the end of this year, half of organizations will use privileged access management (PAM) as a way to protect these applications and provide secrets management solutions.

Enterprises are rapidly acquiring PAM solutions that manage passwords and other digital credentials. PAM continues to be the number-one priority for CISOs seeking to reduce cybersecurity risk and meet security compliance requirements.

“Many privileged access management solutions that have been protecting privileged access for years have extended functionality to developers to help move the value into DevOps so they can manage credentials for applications, databases, CI/CD tools and services without causing friction in the development process,” Carson said.

Unfortunately, many organizations struggle to maximize their PAM investment because traditional solutions are so complex. Traditional PAM solutions require people to interrupt their workflow to access credentials, Carson explained.

“As a result, people find ways to skirt security policies so they can stay productive. Their PAM investment sits on the shelf collecting dust. We believe PAM complexity isn’t just a pain, it’s also downright dangerous. Usability and security go hand-in-hand to increase adoption and decrease risk.”

Invisible PAM

“To realize the promise of enterprise PAM, solutions must be easy to use, embedded in people’s daily workflow and orchestrated behind the scenes. For the average privileged user, PAM must be virtually invisible,” said Carson.

Invisible PAM addresses the demand for usable security. Privileged users work securely within the same IT and business productivity systems they already know and use every day. Security policies are followed consistently, regardless of geography, business unit or technology.

“In fact,” Carson said, “invisible PAM can operate automatically without any human intervention, enabling interoperability and security access orchestration.” As a result, organizations can access and manage all types of secrets without friction or disruption.

Cybersecurity fatigue also decreases with invisible PAM. “Orchestration is key to invisible PAM,” said Carson. “With orchestration, PAM can scale across a complex, growing enterprise by integrating privileged security and IT functions across multiple disparate systems. Identities, roles, permissions and activities are all synced and security policies are followed consistently regardless of geography, business unit or technology.”

DevOps is all about automation and fast production times. Security too often takes a back seat in the process. Adding more focus to secrets management via invisible PAM should help to address the security innovation paradox problem.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
