The transition to cloud computing infrastructure has resulted in a distributed software development landscape, which has aided in the growth and size of software development. DevOps enables teams to create, test, and deploy software faster by leveraging various services throughout the development lifecycle. However, doing so has introduced new cybersecurity vulnerabilities that traditional information security silos are ill-equipped to manage. The DevSecOps sector – a field whose central pillar is secret management – was designed to secure the DevOps environment. Therefore, cloud security has become part of the DevOps team’s duties. Being proactive about cloud security management (CSM) is critical.
Cloud Security: Secrets and How to Keep Them Safe
In addition to generating software, developers must now protect their organizations’ secrets from unauthorized or unauthenticated access during development. But what exactly is a secret? Secrets are digital credentials that enable access control, whether human-to-application or application-to-application. Passwords, encryption, certificates, and API keys are examples of “secrets.”
To safeguard code from data leaks caused by secret leaks, DevOps must first be aware of the many ways secrets spread in their environment. Secrets snowball via seven drivers: Cloud-native development, multi-cloud infrastructure, microservices architecture, transitions from user to machine identity, AL/ML/data analytics, IoT/embedded devices, and DevOps. These drivers create vulnerabilities because they provide more potential for errors, such as hardcoding secrets to accelerate testing, using non-secure open-source libraries, or neglecting to consider the cloud’s security versus security on the cloud.
While various commercial and open-source technologies help manage secrets, consider your organization’s budget and requirements and the technologies you currently use. Your DevOps team’s experience with secret management and the opportunities to implement and keep those technologies current and up to date.
8 Ways DevOps Teams Can Help Secure Cloud Infrastructure
1. Determine the Essential Needs.
Because forewarned is forearmed, the sooner this process begins, the better. Most companies already use the cloud somehow, so it can be hard to step back and see the big picture.
Don’t forget that AWS, Azure, and Google Cloud aren’t the only cloud services. These SaaS apps, from the accounting stack to Zoom, are part of cloud services.
Access to the CI/CD pipeline must be defined and managed transparently.
With a majority of data breaches caused by human error that leads to misconfiguration, secrets leakage, and poor digital hygiene, it falls to DevOps and DevSecOps to manage who has access to what – a basic requirement of every connected security system.
The DBA needs different data access than the development team, for example. You can reduce risk by following the least access privilege policy with a properly designed stack.
All IaaS, PaaS, or XaaS must be secured at the most fundamental credential level. Google sends regular alerts to its corporate clients, informing them of suspected credential leaks.
Whatever you do, don’t forget ShadowIT – make sure that everyone in the organization is aware that their credential leak could be the weakest link to the crown jewels. ShadowIT raises the risk of a credential leak simply because IT isn’t aware of the many external platforms suddenly connected to controlled internal systems.
Lastly, learn from other people’s mistakes. Intel has a handy security checklist you can use as a basis for identifying cloud security requirements.
2. Define the Architecture
Once you’ve established your organization’s cloud security needs, you’ll have a clearer view of the cloud services you already use and those you need to add.
Security on the cloud vs. cloud security should always be prioritized. Remember that you are responsible for the security of your programs, data, operating system, user access, and virtual network traffic. Aside from that, brush up on your configuration fundamentals. More than 5% of AWS S3 buckets are incorrectly configured to be publicly accessible. A simple misconfiguration in Kafdrop recently exposed the Apache Kafka stacks of some of the world’s major corporations.
While the top three clouds have spent millions of dollars safeguarding their stacks, PaaS companies do not have those resources, so check, check, and double-check. There’s a reason it’s referred to as “zero trust.”
Again, credential protection is critical in SaaS and web security.
Each architecture type necessitates its form of security – use caution. A hybrid cloud infrastructure, for example, requires a “triple whammy” of protection: on-premises security with all ports closed, surface area tracking, and a highly active Security Operations Center (SOC). The public cloud element must be secured using the most up-to-date security technology available with that public cloud stack. The connectivity between them must also be protected against attacks.
3. Analyze Existing Controls and Identify Gaps.
Building the security stack piecemeal does not work; building from the ground up is a more complete and sound strategy. Here are a few options that allow you to do so:
- Broker of cloud access security (CASB)
- Platforms for Cloud Workload Protection (CWPP)
- Management of cloud security posture (CSPM)
- Security testing of static applications (SAST)
- Preventing data loss (DLP)
A CASB serves as a go-between for the company and the cloud service provider, providing configuration auditing, data loss protection, governance, and monitoring services. Broadcom, Palo Alto, and Forcepoint are examples of common CASBs.
CWPPs protect against system overloads such as DDoS or poor programming that could result in memory overruns. They monitor your cloud’s compute resources placed on the cloud infrastructure. CWPPs are available from CheckPoint, Trend Micro, and Carbon Black.
CSPMs, such as Spectral, help detect human errors (one of the leading causes of security breaches) by offering continuous auditing to detect misconfiguration.
To prevent secrets from being exposed to the world due to human error/omission, SAST examines source code for potential vulnerabilities, such as hard-coded database access passwords forgotten after testing.
DLPs can be a component of a CASB or a standalone solution that provides tools and rules to secure sensitive data by reducing/eliminating the risk of data exfiltration, whether by malicious actors or internal resources.
These tools can be used separately or as part of a broader security stack. They can be used throughout the organization or in specific areas, such as SAST, for development.
4. Concentrate on Safeguarding your Cloud Secrets
Firstly, no secrets will ever leak in an ideal world due to education, a security-focused culture, and adequate technologies. However, human error will inevitably triumph. So, although the adage is “faster, cheaper, better, pick two,” the new one must include “more secure.” Of course, early money is generated during “faster” and “cheaper” – but the consequences of disregarding “more secure” might have far-reaching consequences for the firm.
Developers are pressured to get code out the door as soon as possible. They may take shortcuts or simplify access across tools using a single easy-to-remember password or rotating passwords in an easy-to-guess pattern.
As a result, the emphasis must be on credential protection. Where possible, keys and passwords should be rotated automatically, eliminating the need for human intervention. They must be capable of withstanding brute-force attacks.
Don’t forget to train personnel to recognize “normal” dangers like phishing, smishing, poisoned URLs, etc.
We all make mistakes, no matter how meticulous a team is.
5. Scan for Misconfigurations
As previously said, developers have been focused on getting code out the door in the race for faster, quicker, and better. One method for speeding up the process is to code secrets into the setups, such as database access. Occasionally, they cut corners by setting “read access rights” to “public” for QA and testing.
The problem is that developers are often so preoccupied with other tasks that they forget to remove these access privileges, exposing the entire system. Because no one has the time to analyze every line of configuration code, automated configuration scanning is the key to detecting these problems.
6. Emphasize Least-access Principles
Everyone is wholly competent and honest in an ideal world, never making mistakes or considering wrongdoing.
In the real world, enforcing the principle of least access privilege – restricting access to those who need it – would allow for better access management by lowering the chance of errors, limiting the extent of harm, and increasing security. For example, such a procedure may have considerably decreased the damage done at Sage when a single accounting staffer went rogue. True, least access privilege is not a complete solution and must be supplemented with continual monitoring, but it can be strengthened by:
- End-user machine administrator credentials are being removed.
- Improved account credential security
- Keeping an eye on privileged sessions to ensure proper usage
- Unless there is a special requirement, restricting developer access
- Restricting access to manufacturing systems
Once again, a technological answer is available. Monitoring, auditing, and compliance enforcement are all provided by privileged access management systems. A good privilege access solution enables on-the-fly assignment or denial, assuring just as-needed access.
7. Secure your CI/CD Pipeline Thoroughly and Regularly
Shifting left is critical. Security should begin with the first line of code and not be relegated to testing or QA. Proactive security decreases the possibility of problems across the SDLC, from preventing noncompliance and misconfiguration to limiting secret leaking and credential vulnerabilities.
Proactive and reactive security must coexist at every stage of development to keep everything handy while increasing response. Every developer must consider security and new and old code must be inspected for vulnerabilities. The best place to begin is simple: write new code securely and look for problems when reviewing old code.
8. Keep it Simple
Automation is the simplest and quickest way to assure security across the SDLC. Important solutions include configuration inspection, secret scanners, identity access control, governance, compliance, masking, and synthetic data. The key is to find the right combination of cloud security, false positives, and getting good code out the door quickly and cheaply.
The ideal solution is the simplest: create a secure stack with the fewest tools, offering the highest level of security – and the fewest false positives. Unfortunately, getting it is a bit difficult. Many organizations provide all-in-one solutions or compatible suites that may simplify the process, but you can’t always count on that. As with any project, the best strategy is to take it one step at a time.
Never forget security on the cloud vs. security of the cloud, even though shared accountability is rarely fully realized. Examine your service agreements to identify and remedy any gaps your cloud provider has left for you.