
How to integrate PAM with DevOps

Feb 13, 2020 | BLOG

With digital transformation, much has been said about reducing costs and increasing the speed of software development. In this context, the software delivery pipeline is focused on delivering high-quality products and services to the market ever faster and more efficiently, and one way of doing so is by adopting DevOps (Development and Operations) methodologies. The practices associated with DevOps have thus been transforming the Software Development Lifecycle (SDLC), bringing lessons from manufacturing to application development.

But what is DevOps and why is it important? What is the relationship between DevOps and Information Security? And how can a Privileged Access Management solution be integrated into the SDLC to improve security in application development?

DevOps is the term for a set of practices that aim to connect the Development and Operations teams so that they work on a project collaboratively. The goal is that, by bringing these teams together across the software development lifecycle, organizations can reduce the time and effort involved in deploying new versions. This makes shorter cycles and lower development costs possible, resulting in a greater capacity to respond to customer needs, increased confidence in the applications built, and business goals fulfilled more quickly.

The introduction of DevOps practices, with greater interaction between the Development and Operations teams, was considered a revolution in the way teams work together on software development. Although DevOps solves a number of challenges in the SDLC, it also introduces new problems. With the rising number and cost of security incidents across the market, the need to include security in this concept became clear. Furthermore, the acceleration of the development process meant that application security had to be present not only in the initial development phase but throughout the software lifecycle. Thus DevSecOps was born: the junction of Development, Security, and Operations.

DevSecOps therefore means integrating information security across the whole application lifecycle and at every layer. It also means automating security work so that it does not slow the workflow, selecting the right tools, and building this new strand on top of the DevOps culture already present in the organization. Consequently, everyone involved in the SDLC is responsible for ensuring that security is present in the development cycle and is implemented at the same scale and speed as the operations and development activities.

The main benefit of DevSecOps is automation throughout the software delivery pipeline, which reduces manual error, attack surface, and downtime. For teams that want to integrate security into the DevOps framework, this can be achieved by using the right DevSecOps tools and processes. When these tools and processes are misused and a breach results, the root cause very often comes down to poor protection of privileged accounts: the credentials that build servers, pipelines, and automation scripts use to reach production systems. As a result, one of the disciplines that brings the most benefit to the SDLC is Privileged Access Management, or PAM.

PAM is clearly a very important element of cybersecurity. So much so that Gartner ranked it #1 in its top 10 security projects for two consecutive years, and controlled use of administrative privileges is one of the 20 CIS Critical Security Controls. In this context, if organizations want to get the full benefits of DevOps without jeopardizing their IT infrastructure and data, they will need to think more strategically about how they handle PAM.

The following are some of the best practices related to PAM, which can be integrated by the teams in the software development lifecycle:

I. Discover and inventory all privileged credentials, in addition to the associated devices

It is impossible to manage what is not known, so this step is essential for the entire PAM process. Since the DevOps toolchain can contain numerous scripts and automation across all layers (source repositories, CI/CD servers, configuration management, container orchestration), this can be a very difficult task. There needs to be clear visibility into exactly which tools are running the automation and what privileges are assigned to them: what is actually being done, who or what is doing it, and when. In addition, organizations need to understand where automation is stored and, consequently, where any credentials embedded in it are stored, so that their security can be assessed. Finally, they need to understand the whole workflow by which scripts are created, edited, stored, and run, and at which points privileged credentials enter that workflow.

II. Manage shared secrets and hard-coded passwords

Hard-coded passwords are one of the biggest issues in credential management. Unfortunately, even when application security teams remove embedded passwords from their applications, they usually leave them elsewhere in the IT infrastructure: in deployment scripts, CI/CD variables, and configuration files. The same applies to account sharing, a frequent mistake organizations make to keep automation working. The problem is that a shared account prevents any traceability of activities in the environment, since every action appears to come from the same identity. There therefore needs to be a control that ties each action to either an individual user or a specific automation account, so that every process or activity runs with its own unique credentials. This is essential both for compliance and for the overall integrity of the DevOps team's software factory.

III. Apply the principle of least privilege

Finally, PAM rests on providing individual users or specific automation accounts with exactly the privileges they need to perform their activities, and no more. In environments where DevOps teams are handed standing, highly privileged credentials, the model must instead be based on least privilege. This provides enough privilege for the DevOps process to work while ensuring that, if any single process or account is compromised, the rest of the environment is not.
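The three practices above can be illustrated with one small program. It is an added example, not code from the original post or from any PAM product: a scanner that discovers hard-coded passwords, embedded cloud keys, and shared admin accounts in constructed sample pipeline files (practice I), and a hardened deploy step that replaces the literal with a lookup from a vault, where each job authenticates with its own identity (practice II) and is only allowed to read the secret paths its role needs (practice III). The sample files, the regex patterns, the `ToyVault` class and the secret paths are all assumptions made for the example; a real deployment would call the PAM or vault product's own API in place of `ToyVault`.

```python
"""Discovery of embedded credentials in a DevOps toolchain, and the
runtime-retrieval pattern that replaces them.  Added example: the files,
patterns and in-memory vault below are constructed stand-ins, not a real
PAM product's API or data."""
import re
from dataclasses import dataclass, field

# --- Practice I: discover embedded credentials and shared accounts ---------
# Constructed sample files of the kind found in a repo or on a CI server.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        'export DB_PASSWORD="Sup3rS3cret!"\n'
        'mysql -u admin -p"$DB_PASSWORD" prod < migrate.sql\n'
    ),
    "Jenkinsfile": (
        "pipeline {\n"
        "  environment {\n"
        "    AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "  }\n"
        "}\n"
    ),
    # Already remediated: the value is a vault reference, not a literal.
    "config.yaml": "database:\n  user: app_deploy\n  password: ${VAULT:db/prod/app_deploy}\n",
}

PATTERNS = {
    # key=value / key: value where the value is a literal, not a $VAR or ${ref}
    "hard-coded password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?(?!\$)([^'\"\s]+)"),
    # 40-character AWS secret key assigned in a pipeline definition
    "aws secret key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})"),
    # generic shared admin account instead of a per-job identity
    "shared admin account": re.compile(r"-u\s+(?:admin|root)\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    evidence: str   # the offending line, with the secret value masked


def scan_files(files):
    """Return one Finding per (file, line, pattern) hit, secrets masked."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), start=1):
            for kind, rx in PATTERNS.items():
                m = rx.search(line)
                if not m:
                    continue
                secret = m.group(1) if m.groups() else None
                evidence = line.strip()
                if secret:
                    evidence = evidence.replace(secret, "***")
                findings.append(Finding(path, n, kind, evidence))
    return findings


# --- Practices II and III: unique identity per job, least privilege ---------
class ScopeError(PermissionError):
    """Raised when an identity asks for a secret outside its policy."""


@dataclass
class ToyVault:
    """Constructed stand-in for a PAM/secrets API.  Every job authenticates
    with its own identity; policy lists the only paths it may read; every
    request, allowed or not, is recorded against that identity."""
    secrets: dict
    policy: dict                     # identity -> set of readable paths
    audit: list = field(default_factory=list)

    def read(self, identity, path):
        self.audit.append((identity, path))      # traceability per identity
        if path not in self.policy.get(identity, set()):
            raise ScopeError(f"{identity} may not read {path}")
        return self.secrets[path]


def run_migration(vault, job_identity):
    """Hardened deploy step: no literal password and no shared 'admin' user.
    The job's own identity fetches only the secret its role needs and hands
    it to the database client; it is never written into a script or file."""
    password = vault.read(job_identity, "db/prod/app_deploy")
    return ("app_deploy", password)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.evidence}")
    vault = ToyVault(
        secrets={"db/prod/app_deploy": "rotated-by-pam", "aws/prod/deployer": "x"},
        policy={"ci-job-42": {"db/prod/app_deploy"}},
    )
    print(run_migration(vault, "ci-job-42"))
    try:
        vault.read("ci-job-42", "aws/prod/deployer")   # outside its policy
    except ScopeError as e:
        print("blocked:", e)
    print(vault.audit)
```

The scanner deliberately does not flag `config.yaml`, where the value is a reference to a vault path rather than a literal; that is the target state for every file the scanner does flag. The audit list is what makes account sharing unnecessary: because `ci-job-42` authenticates as itself, the denied read of the AWS key is attributable to that specific job, which a shared `admin` login could never give you.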
