DevOps strives for continuous software development and upgrades — which is great and all, but it magnifies the potential for security mishaps, as was pointed out in an RSA Conference session Wednesday.
The problem stems from DevOps’ goal of continuous software development. Machines are creating and destroying other machines; chunks of code become your systems and security administrators. It’s a Skynet of privileged users.
“It’s a different landscape in terms of identity, and it’s all moving a lot faster,” said Elizabeth Lawler, CEO and a founder of startup Conjur.
One way to address this would be to give identities to all these machines, treating them like users. “Every server, every container, every service should have its own identity if it’s operating within the DevOps workflow,” she said.
That way, you could use automated access management to apply security policies to all this DevOps activity. (Yes, Conjur plays into that infrastructure; the startup offers a virtual appliance for automated authorization management.)
The approach could be augmented by dividing identities into groups depending on the level of security risk presented, Lawler said. Grouping by function or company department is possible, too; it all depends on the company’s organization and workflow.
The end result, in addition to having some automated security, is that you could draw up a map of interactions — finding out which machines or users are handing work to each other, for instance. By knowing who’s talking to whom, you could get some insight into where the security weak links are.
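To make the approach concrete, here is a small model of what Lawler describes: every host, container, service and human gets its own identity; identities are grouped by risk tier and by function; privileges are granted to groups rather than to individual machines; and an audit trail of authorization checks yields the who-talks-to-whom map. This is an added illustration written for this page, not Conjur's product, policy format or code, and every identity, group, resource and secret name in it is made up.

```python
"""Toy machine-identity authorization model.

Added illustration for this article, not Conjur's code or policy language.
All identities, groups, resources and secret names below are constructed.
"""

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """A host, container, service or user. Each gets its own identity."""
    kind: str   # "host", "container", "service" or "user"
    name: str

    @property
    def id(self) -> str:
        return f"{self.kind}:{self.name}"


@dataclass
class PolicyStore:
    # group name -> set of identity ids
    groups: dict = field(default_factory=lambda: defaultdict(set))
    # (group, resource) -> set of privileges granted to that group
    grants: dict = field(default_factory=lambda: defaultdict(set))
    # (subject id, resource, privilege, allowed) for every check made
    audit: list = field(default_factory=list)

    def add_member(self, group: str, identity: Identity) -> None:
        self.groups[group].add(identity.id)

    def grant(self, group: str, resource: str, privilege: str) -> None:
        # Privileges are granted to groups only, never to a single machine.
        self.grants[(group, resource)].add(privilege)

    def groups_of(self, identity: Identity) -> set:
        return {g for g, members in self.groups.items() if identity.id in members}

    def check(self, identity: Identity, resource: str, privilege: str) -> bool:
        """Allow iff some group the identity belongs to holds the privilege."""
        allowed = any(
            privilege in self.grants.get((group, resource), ())
            for group in self.groups_of(identity)
        )
        self.audit.append((identity.id, resource, privilege, allowed))
        return allowed

    def interaction_map(self) -> dict:
        """Subject -> resources it actually reached, derived from the audit log."""
        reached = defaultdict(set)
        for subject, resource, _privilege, allowed in self.audit:
            if allowed:
                reached[subject].add(resource)
        return dict(reached)


def build_demo():
    """Constructed sample: three machines and one human, grouped two ways."""
    store = PolicyStore()
    web = Identity("container", "web-7f3a")
    batch = Identity("host", "batch-01")
    ci = Identity("service", "ci-runner")
    alice = Identity("user", "alice")

    # Group by risk tier ...
    store.add_member("tier:low", web)
    for high_risk in (batch, ci, alice):
        store.add_member("tier:high", high_risk)
    # ... and by function.
    store.add_member("function:frontend", web)
    store.add_member("function:batch", batch)
    store.add_member("function:ci", ci)
    store.add_member("function:ops", alice)

    # Policy: grants go to groups, so a new web container inherits access
    # by joining "function:frontend" instead of needing its own rule.
    store.grant("function:frontend", "secret:db/readonly-password", "read")
    store.grant("function:batch", "secret:db/admin-password", "read")
    store.grant("function:ci", "secret:registry/push-token", "read")
    store.grant("tier:high", "host:batch-01", "ssh")
    return store, web, ci, alice


def run_demo():
    """Run a handful of authorization checks and return (results, map)."""
    store, web, ci, alice = build_demo()
    results = {
        "web reads readonly pw": store.check(web, "secret:db/readonly-password", "read"),
        "web reads admin pw": store.check(web, "secret:db/admin-password", "read"),
        "web ssh batch": store.check(web, "host:batch-01", "ssh"),
        "ci ssh batch": store.check(ci, "host:batch-01", "ssh"),
        "alice ssh batch": store.check(alice, "host:batch-01", "ssh"),
    }
    return results, store.interaction_map()


if __name__ == "__main__":
    results, imap = run_demo()
    for label, allowed in results.items():
        print(f"{label:24s} -> {'ALLOW' if allowed else 'DENY'}")
    for subject, resources in imap.items():
        print(f"{subject} reached {sorted(resources)}")
```

The low-risk web container can read the read-only database password but is denied both the admin password and SSH to the batch host, while the high-risk CI service and the human operator can SSH in; the interaction map built from the audit log then shows exactly those successful edges, which is the "who's talking to whom" view the talk describes.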
Check out our full RSA Conference 2015 coverage.
Most of Lawler’s talk was devoted to the ways in which DevOps expands the security problem and why traditional approaches won’t cut it.
The underlying theme was that older techniques weren’t made for the scale or speed afforded by DevOps. “One of the companies that we worked with was using Puppet for managing SSH into all their nodes. It added 30 percent to their code base, just to have those user management manifests,” Lawler said. “It added 90 seconds to the boot time.”
A separate problem, hardly unique to DevOps, is that any new security process can create annoyances in a typical workflow. This is why an automated process is preferable. “If you bring in a security workflow that doesn’t fit the way people are actually working, they’ll just work around it,” Lawler said.