A new survey and report from Forrester commissioned by ThycoticCentrify highlights what IT security and business leaders consider their biggest DevOps security challenges and what they want to see in solutions that will effectively resolve them.
Solutions to what Forrester calls the DevOps “security innovation paradox” are critical for organisations, because sacrificing security in the development process is extremely risky and simply not acceptable any longer.
The report, Secure Innovation Requires Making Secrets Management Invisible, features one statistic to make the point: 57% of respondents said they experienced a security incident related to exposed secrets from insecure DevOps processes in the past two years.
What are the biggest DevOps security challenges?
Forrester surveyed 227 identity and access management (IAM) decision-makers and 160 members of development teams to get a handle on the state of privileged access management (PAM) for DevOps. Perhaps not surprisingly there are a lot of folks in DevOps struggling with the complexity of the development environment today.
As one consultant put it, “It has never been more difficult to be a software developer than it is today. While we’ve seen an up-levelling of capabilities that enable developers to do more by using high-level frameworks for application development and machine learning, this comes at a cost. The explosion of choice and the pace of development make it challenging for developers to keep up with the zeitgeist, with many developers getting caught in the headlights.”
Maintaining security in such a complex DevOps environment can be particularly difficult, especially when trying to protect passwords and secrets from being exploited or abused. That’s because most companies lack a standardised approach to secrets management. The survey revealed, for example, that more than half of firms engage in risky practices like hardcoding passwords directly into applications. Only 5% said that most of their development teams use the same secrets management processes and tools.
Lack of DevOps security standardisation increases risks
It’s this lack of a secure, standardised approach to DevOps secrets management that poses increasing risks for the immediate future. Nearly two out of three, or 62% of survey respondents, expected security incidents related to DevOps to occur more often in the next two years.
At the same time, DevOps teams are growing in numbers across all industries to build and manage digital services, cyber criminals and malicious attackers are becoming more aware of how poorly guarded or managed the process can be, greatly expanding the attack surface.
Almost everyone agrees that better DevOps security controls are needed to safeguard the development process, but DevOps teams along with security teams are struggling to introduce them effectively. Typical security access controls don’t integrate well into the development process, which can easily throw up roadblocks to productivity and progress.
Too many security control processes and tools require a heavy manual lift and are rife with complexities. Manual steps in a security process also have the potential for errors and leave no audit trail to prove that access controls were implemented correctly.
How are organisations wanting to manage their “security innovation paradox”?
What both DevOps and security want — and need — are solutions that enable them to automate DevOps secrets management without causing more friction in the CI/CD process. According to survey respondents, 71% want to centralise their DevOps secrets management and 76% really want to embed automated secrets management solutions into the existing tools that developers already use. 97% fully agree that having a modern PAM solution with flexible deployment options and a flexible licensing model would be very valuable in serving our company’s evolving infrastructure and architecture needs.
Download the free report here.
The good news is there is a purpose-built PAM for DevOps secrets management solution available in ThycoticCentrify DevOps Secrets Vault. You can centrally manage, control, and audit secrets for automated processes that operate without human oversight.
Embedding automated secure access controls into your DevOps process allows you to improve productivity for both teams by reducing friction besides gaining confidence that an emerging threat surface is better protected.
Share