
Interview: CyberArk tells why DevOps must adopt 'secure innovation by the numbers'

14 May 18

DevOps is becoming a major force across software development. For various reasons, security can be sidelined until far later in the development process – but there’s also a movement that is putting security rightly where it belongs – at the beginning.

That’s the essence of DevSecOps, which maintains that security by design should be central to any strategy.

Elizabeth Lawler is CyberArk’s vice president of DevOps Security. She was previously CEO of Conjur, a DevOps security startup, before CyberArk acquired the company. She says the two companies made a powerful combination that drew CyberArk closer to the DevOps space.

Traditionally, development and IT teams have been siloed from the rest of an organisation, which led to a multitude of challenges. But the tide is now turning towards a more unified approach.

“I think the DevOps train is unstoppable right now. A lot of organisations are thinking about how they can move fast, and deliver value to their customers faster through software delivery,” Lawler says.

Australia is one country that is adopting DevOps, but there is still work to be done. Eighty-two percent of companies don’t have a privileged account security strategy in place for DevOps, according to CyberArk’s Global Advanced Threat Landscape Survey.

“We work with managing privilege in DevOps environments. You do see developers or DevOps people that understand the principles of good security.”

Enter DevSecOps and the mantra of ‘security by design’. How does that work from a practical perspective like designing an application or a platform that delivers applications?

“We don’t see security getting involved early enough in the process – there’s residue from leftover siloes.”

Does there need to be more awareness across an entire company - from the developers who build integrations to the budgeting team and CEOs who may allocate limited funding?

“It should be coming from the senior levels and even down to the board and management to say DevOps and security teams need to start working together at the earliest possible moment.”

She believes that any board member who deals with governance, cybersecurity or oversight should be asking management to present these types of issues.

Lawler also says breaking down communication barriers and removing the historical biases of leaving security later in the process are important ways of giving DevSecOps more prominence. This will help teams deliver projects faster.

“I often talk about ways of achieving this goal. It’s more about pushing down the KPIs and metrics of success, and delivery of security that are visible to DevOps and security teams so that they’re both responsible for it."

“DevOps teams love to run on metrics. If it’s a language and construct they can work in, and then having security teams as part owners of that can allow you to break down organisational barriers.”

“We call it secure by design, but it’s really secure innovation by the numbers. You want to see the whole process, which is also a learning process. It’s one thing to say, ‘I’ve secured this platform’, but there are different tools coming in. It’s an entire process problem where we see breakdowns.”

When teams don’t integrate properly, that’s when security problems – and even breaches – can happen. Take, for example, the case of Tesla’s Kubernetes platform being used for cryptomining.

“Someone got into the Kubernetes administrative console, probably by phishing Kubernetes admins. They got on the console and launched a bunch of IT resources to mine cryptocurrency."

“But things like that hit everybody and it happens multiple times a day to all kinds of organisations. Anyone who accidentally uploads an Amazon credential to GitHub – in five minutes a bot will max out your Amazon account and start cryptocurrency mining.”

She says in these cases teams haven’t stepped back and figured out how they want to design a process. Instead, they have pieced something together at the end.
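The leaked-credential scenario Lawler describes is one that a process-level check can catch before a push ever reaches GitHub. The following is an added example, not code from the article or from CyberArk or Conjur: a small pre-commit style scanner that looks for AWS credential material in staged files. The access key ID layout (an `AKIA`/`ASIA` prefix followed by 16 upper-case alphanumerics) follows AWS's documented format; the secret-key rule is a looser heuristic keyed on the variable name and is an assumption of this example, so its hits need review rather than blind trust. The sample config file is constructed and uses AWS's own documentation placeholder values.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import Iterable, NamedTuple

# Heuristic patterns for AWS credential material (added example, not a vendor tool).
# The access key ID rule follows AWS's documented key layout; the secret key rule is
# an assumption of this example that keys off the variable name and may false-positive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws(?:_|-)?secret(?:_|-)?access(?:_|-)?key[^\n]{0,20}?['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(token: str) -> str:
    """Keep just enough of the match to identify it; never echo the full secret."""
    return token[:4] + "..." + token[-4:] if len(token) > 8 else "*" * len(token)


def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    """Return one Finding per pattern hit, line by line, with the secret redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group report the captured value only.
                token = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(token)))
    return findings


def scan_paths(paths: Iterable[str]) -> list[Finding]:
    """Scan each readable file; unreadable or missing paths are skipped."""
    findings: list[Finding] = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample: a credentials file a developer might stage by mistake.
# Both values are the placeholders AWS uses in its own documentation, not live keys.
SAMPLE_CONFIG = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = ap-southeast-2
"""


def main(argv: list[str]) -> int:
    """Exit non-zero when anything is found, so a git hook can block the commit."""
    paths = argv[1:]
    findings = scan_paths(paths) if paths else scan_text(SAMPLE_CONFIG, "sample.ini")
    for f in findings:
        print(f"{f.path}:{f.line_no}: possible {f.kind} ({f.redacted})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a pre-commit hook as `python scan_secrets.py $(git diff --cached --name-only)`, a non-zero exit blocks the commit; run with no arguments it scans the embedded sample and reports both placeholder values. The scanner only ever prints a redacted form of a match, so the hook's own output does not become a second place the secret is written down.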

“Kubernetes, configuration management, and orchestration tools are powerful system administrators. They need to be managed or overseen the same as with any person who had that kind of power. That hasn’t made its way into the workflow of DevOps but there’s an awareness that these are real points of risk and liability. They need to be better managed."

“The thing organisations can’t do is compromise ability to deliver by applying security policies. What companies like CyberArk are doing is to apply security without interrupting workflow.”

CyberArk focuses on privileged access management as a holistic process of managing powerful users or powerful systems that are working inside IT and DevOps environments.

“We counteract an exploding threat surface through our Cyber Hygiene program,” she says.

The program gives organisations a 30-day sprint to clean up the most common privileged access security issues coming from the development or DevOps teams.

CyberArk also helps organisations identify administrators who access DevOps consoles. The company then helps customers come up with ways to code applications in areas such as least privilege or separation of duties in the pipeline.

“If you improve application design by one percent per day every day rather than trying to deal with a pile of problems at the end, you’ll be in a much better position if something happens to go awry - and you’ll have a much smaller threat surface,” Lawler concludes.
