Keeping government secrets with automation

By CyberArk

CyberArk explains how automation tools ensure secrets stay that way.

Children often get excited over invisible ink, a substance that can be used for writing but only becomes visible when under a certain light. The ability to write as much as you want but have these words be hidden unlocks unlimited possibilities in the mind of a mischievous child.

Today, secrets are also invisible, but that’s because they’re transmitted via signals all around us. Protecting secrets in the digital realm is challenging, especially for organisations with many non-human entities at play, like applications, programmes and code.

CyberArk shares how automating the management of secrets will relieve the burden on cybersecurity teams, making the process faster and saving manpower hours. It also explains how principles of identity are protecting organisations that use the cloud.

Managing secrets


Organisations are increasingly using automation to protect important secrets, such as the passwords used by applications and other non-human identities. For instance, a defense contractor used automation to manage access to 85,000 connected devices, said Mark Hurter, a specialist from CyberArk.

This means access to these devices is automatically rotated, checked, and retrieved quickly. The automated management system also uses multi-factor authentication, making access to the secrets less reliant on a single password.

The alternative method of accessing these devices was to manually create “one key to rule them all”, which allows users to control all the devices at once. This was simply too much of a security risk, as it could fall into the wrong hands, highlighted Hurter.

The contractor can now automatically update more than 80,000 networking devices in less than two hours, it was reported. It also found that automation saved hundreds of thousands of work hours by eliminating manual tasks.

Lessons from the SolarWinds attack


The SolarWinds breach earlier this year originated from the cybersecurity software the firm had adopted. This points to the importance of securing software even while it’s built, putting the DevOps process under the spotlight.

DevOps combines software development and IT operations, so tools can be rolled out much more quickly.

Organisations can learn two lessons from the attack, explained Kurt Sand, General Manager of DevSecOps at CyberArk.

Firstly, security needs to be applied throughout the development process. It would not be possible to protect applications “without applying the same security rigor to the tools used to build them”, he said.

Secondly, the attacks demonstrated the importance of DevSecOps, an approach that integrates security into the process of building applications. Previously, Sand noticed that some organisations would often sacrifice security in order to create products faster.

The SolarWinds attacks demonstrated that security “needed to be part of the whole process from Step One”, he said.

Best practices in software development


Hackers are “regularly launching low-level phishing and impersonation attacks” against DevOps teams, said Jeffrey Kok, Vice President, Solution Engineers, Asia Pacific and Japan at CyberArk, in an interview with CyberSecAsia.

DevOps teams are targeted because they possess access privileges that could be used to compromise entire applications in the wrong hands. As these engineers have access to such sensitive resources and face more regular attacks, they require more protections, Kok emphasises.

DevOps engineers already face a heavy workload, so asking them to also manage their security will likely lead to mistakes and vulnerabilities, says Kok. Security will need to be integrated and automated to make it a seamless addition to the development process, he adds.

One way of doing this is by managing privileged access in a centralised platform. CyberArk’s access management tool allows organisations to monitor access activity and ensure that users are only given access to the appropriate systems.

Reversing the hacker’s cloud advantage


As well as securing every step of software development, organisations need to be mindful of how they use the cloud. Vulnerabilities emerge from cloud adoption due to identity misconfigurations, where users’ access permissions are not configured accurately.

Exploiting these misconfigurations, along with compromised passwords, makes up nearly 40 per cent of malicious incidents today, reported the Ponemon Institute. Each of the major cloud platforms deals with thousands of possible permissions, leading to a higher risk of mistakes.

Another common challenge is removing unnecessary permissions. They are not often visible to busy security teams, but represent another vulnerability in the cloud which hackers could take advantage of.

While the cloud might seem overly risky, there are ways of making it secure and reversing the advantage hackers hold. Firstly, organisations should create a centralised system to manage credentials, such as passwords, across the hybrid cloud environment.

Organisations can also adopt principles of least privilege, limiting the number of users with privileged access to only relevant individuals. Security teams should give privileges only when needed, rather than granting continuous access.

Governments and individuals would face chaos if every secret came to light. Adopting a convenient system of managing these valuable secrets makes the work of cybersecurity teams easier. Building security into software also helps.