Modern software development processes enable and empower developers to quickly develop and release their applications by deploying them to the cloud. Keeping up with the growth and speed of continuous integration and continuous deployment cycles and their dynamic components is an important challenge for security teams.
When organizations incorporate security early in the development cycle, they reduce risk and accelerate product development using DevSecOps as part of a shift-left mentality. Enterprise Strategy Group research found that 98% of decision-makers said securing DevOps environments is critical or important in securing the software supply chain.1
However, securing DevOps teams in the cloud era has become more complex than ever, with 43% of decision-makers saying that DevOps requires more security in the cloud.2 In particular, code secrets and application and developer identities remain among the most challenging to secure.
With an Identity Security model, IT and security teams can take a huge step toward improving DevOps security through secrets management and intelligent privilege controls across humans and machines. For example, secrets management allows organizations to securely store credentials, removing credentials from code and protecting APIs and programmatic access to data. This can enable security teams to take ownership of secrets rotation and other day-to-day security operations, ensuring developers can focus on implementation.
With an Identity Security platform, when a developer creates a software bot to support activities such as automation of repetitive tasks, that machine identity is covered by intelligent privilege controls. So, if the developer moves on to another project, the bot has separate privileges enabling it to be used securely by other team members in the development pipeline.
When considering an Identity Security platform model, key characteristics to look for include:
- Centralized, single-pane-of-glass visibility, control and management over secrets across all projects and accounts.
- Ability to automatically orchestrate access and permissions, including automatic rotation of secrets.
- Simplified and seamless management of secrets to avoid placing an additional burden on developers, which can slow down their work.
- Cloud portability, to give developers the flexibility to work on their cloud platform of choice with the ability to move applications across multiple clouds as well as on-premises environments.
It is also helpful to have an embedded, dedicated DevSecOps practice within your development team, a structure already in place at 42% of organizations surveyed by ESG.3 This team can leverage the benefits of an Identity Security platform to take some of the burden off developers while ensuring that security protections are incorporated at all steps of the development cycle.
The research firm found that organizations that have been more strategic in deploying Identity Security and leveraging DevSecOps have typically done a better job than others in focusing on their most important security priorities in DevOps and software supply chains. These priorities include:
- Meeting corporate security mandates when applications are put into production, cited by 50% of Identity Security leaders.
- Higher visibility of security threats, 47%.
- Greater flexibility in managing sudden changes in development cycles, 44%.
- Greater automation to more effectively use the security team’s time and effort, 38%.
- A more secure supply chain in cloud computing, 34%.
Taking the next step
Modern development processes have been a boon to organizations and the teams responsible for creating new products and services in the cloud. They have dramatically accelerated development cycles and enabled organizations to respond with greater speed to the needs of customers, employees and supply chains.
However, as some organizations have learned the hard way, such increases in speed, agility and innovation cannot come at the cost of increased security risks. DevSecOps and a shift-left mentality are the only way forward, and an Identity Security platform is an essential element in a modern DevOps tool set.
For more information on how your organization can empower DevOps with an Identity Security platform, please visit CyberArk.
1”The Holistic Identity Security Maturity Model,” CyberArk and Enterprise Strategy Group, February 2023
2“Identity Security Maturity Model Survey,” CyberArk and Enterprise Strategy Group, September 2022
3Ibid.