More businesses are looking to create their own apps and software using the power of the cloud in the form of infrastructure-as-a-service (IaaS).
Gartner estimates that IaaS is the fastest growing cloud market, forecast to grow 24 percent year over year in 2020.
Yet sensitive data or secrets such as API keys, encryption keys and login credentials stored in IaaS can, all too often, be exposed as a result of misconfigurations and vulnerabilities. Barely a week goes by without media reports of yet another data breach caused by an unsecured open data bucket.
Centralised management of credentials and privileged access across on-premise and cloud networks is essential for ensuring users and applications can securely access DevOps tools and databases. Such security is further improved when credentials and access have a pre-set scope and duration, known as dynamic secrets.
Developer shortcuts slicing through security
The DevOps process is designed to be fast paced. Anything that slows this down is unwelcome. The overriding aim is to produce an app or piece of software as efficiently and as rapidly as possible. Research from DevOps Research and Assessment (DORA) and Google Cloud shows that elite DevOps teams can deploy an app up to 2,555 times faster than traditional methods.
With such pressure to roll out apps as quickly as possible it’s understandable that developers may be tempted to take short cuts. Several tools are needed in the DevOps process, with each one requiring access credentials. Having to remember a username and password for each one is inconvenient and impractical. To make life easy developers repeatedly use the same credentials. This clearly has security implications. If a threat actor has access to one tool, it gives them access to all, including those data buckets that contain sensitive information.
Where developers do use a different set of credentials for each tool, a popular short cut is to embed access information within the programme configuration they are working on to save time. The problem with this is a threat actor only needs to gain access to the programme to instantly uncover all the details they need. It has been known for developers to forget all about the embedded credentials, so they remain in the final release. All a threat actor then needs to do is exploit the code to uncover the credentials.
Another factor is that developers may share credentials with each other. The issue here is that the security team loses control over who has access, leaving the door open to the credentials falling into the wrong hands and being abused.
Automated tools also have credentials
To help improve time to deployment, much of the DevOps process is automated. Automated tools are given access to one another as well as to databases. As with human developers, they have their own sets of credentials.
Many of these tools are commercial and open source. They use a range of plugins and have library dependencies that are susceptible to misconfigurations and vulnerabilities. This can result in secrets being stored incorrectly, sent to logging systems, or leaked, particularly from data buckets.
How long can you keep a secret?
Privileged Access Management (PAM) is an alternative technique favoured by a growing number of organisations. PAM provides centralised, granular control over how users and applications can access tools and databases. It generates unique credentials for each developer and auto-generated tokens for each tool they use. As a result, the user doesn't have to remember their login details or, indeed, even know what they are.
To provide extra security across more vulnerable cloud-based infrastructures, it is now possible to use dynamic secrets or one-time credentials. These are secrets that are automatically generated when a user or application requests them and are given a specific time to live (TTL) after which they will cease to be valid. Creating secrets with such tight parameters means that, should a threat actor ever manage to gain access, their options will be severely limited.
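A minimal sketch of the dynamic-secret idea described above, added here as an illustration and not taken from the article or from any vendor product. It assumes an HMAC-signed token as the credential format; the function names, the scope string and the timestamps are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

# Broker signing key. Generated per process here (assumption); a real
# PAM or vault service would keep it server-side and rotate it.
BROKER_KEY = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_secret(subject, scope, ttl_seconds, now=None):
    """Mint a one-off credential bound to one subject, one scope and an expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scope, "exp": now + ttl_seconds,
              "jti": secrets.token_hex(8)}  # unique id per issued secret
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def check_secret(token, required_scope, now=None):
    """Return (ok, reason). Rejects forged, out-of-scope and expired secrets."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"
    expected = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(body)
    if claims["scope"] != required_scope:
        return False, "out of scope"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    tok = issue_secret("ci-pipeline", "db:orders:read", ttl_seconds=300, now=t0)
    print(check_secret(tok, "db:orders:read", now=t0 + 60))    # inside TTL and scope
    print(check_secret(tok, "db:orders:write", now=t0 + 60))   # wrong scope
    print(check_secret(tok, "db:orders:read", now=t0 + 301))   # past TTL
```

A credential captured from a log or configuration file is therefore only usable for its one scope and only until its TTL runs out.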
Time has always been critical in DevOps – the quicker an app can be released the better. Now time is just as essential to keeping secrets secure and preventing buckets from leaking data to the wrong people and applications.
About the Author

Joseph Carson is Chief Scientist and Advisory CISO, Thycotic. Thycotic prevents cyberattacks by securing passwords, protecting endpoints, and controlling application access. Thycotic is one of the world’s fastest-growing IT security companies because we provide customers with the freedom to choose cloud or on-premise software solutions that are the easiest to implement and use in the industry.