Accounts, access, permissions, and privileges have become a popular target for cyberattacks. This reality has forced organizations in the cloud to reckon with the need for security in their development process. Buzzwords like ‘Shift Left’ and ‘DevSecOps’ have been flying around for some time now, but the main message is: security must be considered at the beginning of an application’s lifecycle.
Working out the kinks of actually building security into the DevOps process is an industry-wide challenge uniting us all. This post focuses on DevOps security best practices around identity, because compromised identities are one of the main footholds attackers use in the cloud today. While it is just one piece of the solution, a well-established IAM governance policy that meets security best practices will significantly reduce the risk of cloud data breaches caused by unauthorized access.
Regardless of the complexity of your operations, the aim of our best practice recommendations is to make whatever you are doing work out better, faster, and more efficiently with fewer problems and mistakes. Here are just a few best practices to be aware of when working in the cloud.
10 Tips to Achieve DevOps Security Best Practices
Categorize User Management
Systematic user management will help enterprises optimize account and access controls. DevOps can manage this by sorting users into groups and roles according to the permissions they need. Through grouped categorization, system administrators can manage similar permissions, roles, and privileges in one place instead of tediously sorting through individual accounts. The more of this you can streamline, the closer you are to working at the scale of the cloud.
A major point of caution: you must have complete visibility into all the permissions, roles and privileges for every identity in these groups. Group membership is a common way for an identity to inherit more access than it needs, and those excessive permissions only widen the potential damage if the identity is compromised.
Due Diligence of Admin Credentials
We cannot emphasize enough how precious administrator credentials are. Admin credentials should belong strictly to dedicated administrator accounts, never to the account a person uses for everyday work. Anyone in your environment who holds admin credentials needs to be continuously monitored so that inappropriate or unusual behavior is detected. As a best practice, enterprises should restrict administrator accounts to only the functions that genuinely require them and discourage daily usage.
It is vital for enterprises to protect the powerful set of permissions linked to administrator credentials. Cloud users should consider additional security measures, such as separate logins for administrative and routine work, multi-factor authentication on every administrative login, and encryption of stored credentials, all of which reduce the risk of an attacker gaining administrative access.
Enforce Password Hygiene
This one seems obvious, but it is easy to slip into complacency with such basic precautions. Enterprises must ensure that all human identities maintain proper password hygiene, to eliminate weak authentication. The NIST SP 800-63-3 Digital Identity Guidelines (the password rules are in SP 800-63B) provide a comprehensive list of password guidelines. Some key suggestions include dropping character composition rules (they burden legitimate users far more than attackers), screening new passwords against lists of commonly used and previously breached passwords, requiring a minimum length rather than complexity, and changing passwords only when there is evidence that an account has been compromised rather than on a fixed schedule.
MFA Activation
Multi-factor authentication (MFA) adds security to an account by requiring something beyond a password, so a stolen or guessed password alone is not enough to log in. Combined with Role-Based Access Control (RBAC), which limits what an authenticated identity can do, MFA blocks many intrusions outright: MFA verifies who is logging in, RBAC keeps what they can do within the bounds their work requires, and monitoring confirms that their usage stays within those bounds. The best practice is mandating MFA for all your accounts. Period.
Access keys are different: they provide long-lived programmatic access to your environment, as opposed to an interactive Console login, and MFA does not protect them. Long-lived access only exacerbates potential risk, so use temporary credentials as much as possible. This can be achieved by using IAM roles, which hand out short-lived credentials that expire on their own instead of a static key that is valid until someone remembers to delete it.
Rotate Access Tokens
Accounts should regularly rotate access tokens to minimize the risk of compromised credentials. The process involves creating a new token, switching every application that uses the old token over to the new one, verifying that the new token works, and only then deactivating and deleting the old token. Like passwords, regularly changing an API token limits the potential damage of a leaked or misplaced API token, and the age of each active token is one of the easiest signals to check for.
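To turn the two points above (no long-lived keys, rotate what you must keep) into something you can check, the following added example, which is not code from the original post, reads an AWS IAM credential report and flags console users without MFA, the root user holding an access key, keys older than a rotation threshold, and keys that have gone unused. The header row is the real report format; the user rows and the fixed reference time are constructed for the example.

```python
"""Find stale access keys and MFA gaps in an AWS IAM credential report.

Added example (not code from the original post). It parses the CSV that
`aws iam generate-credential-report` followed by `aws iam get-credential-report`
returns; the header row matches the real report, the data rows are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. Root still owns an access key created in 2019,
# alice signs in to the console without MFA, ci-deploy is mid-rotation
# (old key 1 still active, new key 2 created but not yet used), bob is clean.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T09:00:00+00:00,true,2024-05-20T08:11:02+00:00,not_supported,not_supported,true,true,2019-03-02T10:00:00+00:00,2024-05-19T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T09:00:00+00:00,true,2024-06-01T07:45:00+00:00,2024-05-01T07:45:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-06-15T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-11-20T10:00:00+00:00,2024-06-02T03:12:00+00:00,us-west-2,ecr,true,2024-05-28T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-02-01T09:00:00+00:00,true,2024-06-01T10:00:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,true,2024-04-01T10:00:00+00:00,2024-06-01T10:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference time so the example is reproducible (assumption for the demo).
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)


def _when(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_credential_risks(report_csv, now=NOW, max_key_age_days=90, unused_days=30):
    """Return (user, finding) pairs for credentials that break the practices above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console password without MFA: the password alone unlocks the account.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "ROOT_ACCESS_KEY"))  # root should never have keys
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            last_used = _when(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, "KEY_STALE"))
            # A never-used key is only suspicious once it has had time to be used;
            # a brand-new key waiting for cutover is normal during rotation.
            idle_since = last_used or rotated
            if idle_since is not None and now - idle_since > timedelta(days=unused_days):
                findings.append((user, "KEY_UNUSED"))
    return findings


if __name__ == "__main__":
    for user, finding in find_credential_risks(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Run against a real report, the `KEY_STALE` list is your rotation queue and `NO_MFA` is the list of people to chase before the next audit; the thresholds are arguments so you can tighten them for privileged users.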
Centralize Your IAM Program
The more visibility your organization has into the identities in its environment, the better. Centralized management of all identities gives your organization that oversight, and with a centralized view of IAM your organization can enforce policies much more easily. Tools exist today that provide this centralized approach and ensure that privileges are issued in accordance with the policies and controls in your organization’s governance framework.
Enforce Least Privilege
The Principle of Least Privilege ensures that users receive the minimum permissions required to fulfill their roles. Through least privilege, DevOps can significantly reduce the blast radius of an event before it even happens. Living by least privilege restricts malicious threats to only the specific permissions granted to an identity.
Ultimately, the best practice can be summarized as only giving individual identities (person and non-person) the exact amount of privileges they need to get their job done, and no more.
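The following added example (not code from the original post) shows what "exact amount of privileges and no more" looks like in an IAM policy document, with a small linter that flags the statements which violate it: wildcard actions, wildcard resources, `Allow` with `NotAction`, and an unscoped `iam:PassRole`. Both policy documents are constructed; the account ID and repository name are placeholders, and the list of actions that legitimately require `Resource: "*"` is a deliberately partial assumption you would extend for your own services.

```python
"""Lint IAM policy documents for statements that violate least privilege.

Added example, not the post's or any vendor's code. The policy documents below
are constructed; the account ID and repository name are placeholders.
"""
import json

# Actions that do not support resource-level permissions and therefore need
# Resource "*". Partial list (an assumption for this example); extend it from the
# service authorization reference for the services you use.
RESOURCE_STAR_ONLY = {"ecr:GetAuthorizationToken", "sts:GetCallerIdentity"}

# Weak: a CI deploy policy that grants every action on every resource.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DeployAnything", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# Scoped: the same deploy job may log in to ECR and push one image to one repository.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EcrLogin", "Effect": "Allow",
     "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Sid": "PushPaymentsImage", "Effect": "Allow",
     "Action": ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"],
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/payments-api"}
  ]
}
""")


def _as_list(value):
    """Action/Resource may be a single string or a list in policy JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that are broader than they should be."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        sid = st.get("Sid", f"Statement[{i}]")
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            # Allow + NotAction grants everything except the listed actions,
            # including actions that did not exist when the policy was written.
            findings.append((sid, "NOT_ACTION_ALLOW"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "WILDCARD_ACTION"))
        if "*" in resources and (not actions or not all(a in RESOURCE_STAR_ONLY for a in actions)):
            findings.append((sid, "WILDCARD_RESOURCE"))
        if any(a.lower() == "iam:passrole" for a in actions) and "*" in resources:
            # Lets the caller hand any role in the account to a service: an escalation path.
            findings.append((sid, "PASSROLE_UNSCOPED"))
    return findings


if __name__ == "__main__":
    print("weak:", lint_policy(WEAK_POLICY))
    print("scoped:", lint_policy(SCOPED_POLICY))
```

Running this in a pull-request check on the policy files in your infrastructure-as-code repository catches the `"Action": "*"` that someone added "just to get it working" before it reaches an account.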
Discover and Inventory All Identities
You can only protect what you know about. That means inventorying all accounts, identities, roles, or assets in your environment. Unfortunately, with so many scripts and so much automation layered all over the DevOps toolchain, it can be tremendously difficult to achieve this. Some identities are embedded in runtimes or hard-coded into compiled executables making visibility a challenge, but it must be done. Consider solution platforms created for this exact need, to provide your organization the visibility into what tools are executing automation and what their permissions are.
Manage Shared Secrets and Hard-Coded Passwords
Unfortunately, even when teams are meticulous about rooting hard-coded passwords out of their finished applications, they often leave them within the IT infrastructure that helps support the development of that software for the sake of expediency. The same goes for account sharing, which is a frequent mistake organizations make to just get the app working. The problem is, this habit makes it difficult to trace or audit activity within the affected environment.
What’s the best practice? Get the secrets out of code and configuration and into a secrets manager, give each person and each automation its own identity instead of a shared account, and scan repositories and pipeline configuration so hard-coded credentials are caught before they are committed. For secrets that remain shared, you must continuously monitor the identities that use them and manage the resulting risk on an ongoing basis. Done properly, this uncovers every potential access path to your data, serverless functions, containers, VMs, and identities, and categorizes each one by privilege.
This additional layer of oversight over your environment and documented record of change control and validation will improve ongoing compliance and reduce auditing workloads. You should always be able to answer: What are the changes in my environment? Who made the changes? When did the changes occur? What information was accessed?
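Catching hard-coded credentials before they are committed is the cheapest part of the practice above. The following added example (not code from the original post) scans text for the common signatures: AWS access key IDs, private-key headers, and assignments to secret-looking variable names, while skipping values that are only references to an environment variable or template. The file content is constructed, and the AWS key in it is the documented example key, not a live credential.

```python
"""Scan text for hard-coded credentials before it is committed.

Added example, not code from the original post. The file content scanned below
is constructed, and the AWS key in it is the documentation example key.
"""
import re

# Ordered: specific signatures first, then the generic "NAME=value" check.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("assigned_secret", re.compile(
        r"""(?i)\b[A-Z0-9_]*(?:password|passwd|secret|token|api[_-]?key)[A-Z0-9_]*\s*[:=]\s*['"]?(?P<value>[^'"\s]+)""")),
]

# Constructed sample of a deployment env file with both literal secrets and a reference.
SAMPLE_FILE = """\
# deploy.env (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=${DB_PASSWORD}
API_TOKEN="s3cr3t-token-value"
REGION=us-east-1
DEPLOY_KEY_PEM=-----BEGIN OPENSSH PRIVATE KEY-----
"""


def _is_placeholder(value):
    """Values that reference an env var or template rather than carrying the secret."""
    return value.startswith(("$", "{{", "<")) or value.lower() in {"changeme", "none", "null"}


def scan_for_secrets(text):
    """Return (line_number, kind) for each line that appears to carry a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            if kind == "assigned_secret" and _is_placeholder(match.group("value")):
                continue  # a reference such as ${DB_PASSWORD}, not the secret itself
            findings.append((lineno, kind))
            break  # one finding per line is enough to block the commit
    return findings


if __name__ == "__main__":
    for lineno, kind in scan_for_secrets(SAMPLE_FILE):
        print(f"line {lineno}: {kind}")
```

Wire `scan_for_secrets` into a pre-commit hook or a pipeline stage and fail the build on any finding; the `${DB_PASSWORD}` line shows what the fixed version of a flagged line looks like once the value lives in the secrets manager.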
End-to-End Visibility
If you haven’t picked up on it yet, visibility is a key and recurring theme in security best practices. Identity is a major player in the cloud, but a potentially risky one if you do not always know the effective permissions for all identities in your organization. You can get true visibility into data and access trust relationships by graphing, classifying, and mapping identities. With end-to-end visibility, your organization can detect misconfigurations and changes — and respond effectively.
Achieving Visibility for DevOps
DevOps practices typically allow for incremental implementation, so enterprises do not need to make every required change and update at once. If you work toward these DevOps security best practices, your organization can develop and deliver robust software without taking on additional security risk along the way.
Sonrai Dig was developed to help address these exact concerns. Dig helps organizations improve security, ensure compliance and increase operational efficiencies in AWS, Azure, GCP and other platforms. Core to the Dig platform is providing this critical visibility, specifically, promising a centralized and consistent view into all cloud identity and data relationships, activity, and data movement through graphing technologies.