Cyber Defense eMagazine March 2020

More documents

Recommendations

Info

Devops ― Are You Risking Security for Agility?By Morey Haber, CTO & CISO, BeyondTrustBy merging software development and IT operations ― two traditionally mutually exclusive functions ―DevOps has fundamentally transformed how today’s organizations develop, operate and maintainapplications across their environment. It is easy to see the allure of DevOps ― through rapid iterationand automating processes at scale, DevOps teams can bring high-value applications to the organization,giving them the agility that is a critical success factor in today’s fast paced world.But in their haste to adopt DevOps, several organizations gloss over the security challenges that thismethodology of application delivery introduces. As a consequence, DevOps practices often widen theattack surface and increase the enterprise’s risk of data exposure. So why is it so challenging then, forIT teams to secure DevOps environments? What makes DevOps security different from more traditionalIT security?46
Prioritizing speed over securitySpeed and agility lie at the core of DevOps ― DevOps teams work incredibly fast to deliver applicationsin line with compressed, and often unrealistic, timelines. These teams thrive in an environment of ad-hoctooling with an emphasis on intense code sharing and automation at every step. While these practicesdo allow teams to deliver business-critical applications quickly, they do also create a plethora of securityshortcuts. It is a real challenge for security teams to integrate traditional security into the DevOps pipelineas traditional tools force developers to change the way they work and slow down their pipeline, resultingin low tool adoption.Excessive use of privilegesTo expedite the process of delivering code, DevOps teams often circumvent or even override criticalsecurity safeguards. For example, humans and machines within DevOps environments are affordedmuch higher levels of privilege compared to traditional development and operations environments. It'snot unusual — and one might argue, it is even standard practice — for developers to share private keysand credentials with colleagues for quick access. This negligence vastly expands the attack surface ―primarily in the form of insider threats, whether malicious or accidental ― while also complicating theprocess of creating clean audit trails.Within applications, developers may hardcode passwords so they can easily be found locally or onrepositories such as Github, Bitbucket, and others. Some of the other widely used practices for storingcredentials include config files and excel spreadsheets, both of which are highly insecure. These riskypractices have significantly increased secrets sprawl in the enterprise, creating dangerous backdoors forsavvy hackers, and once again, expanding the attack surface.Cultural challengesDon’t get me wrong. My intent is not do dissuade organizations from adoption DevOps ― there's hardlyanything wrong with this highly collaborative, iterative, and open approach to coding. In fact, given itshigh yield of valuable applications and features, I would argue that its certainly a culture that organizationsshould foster.But as the "shift left" practice, at the core of the DevOps philosophy, moves security to be consideredearlier in the process, its painfully evident that traditional security tools are not capable of securing theseDevOps environment. Developers need solutions that adapt to their workflows and highly collaborativeenvironments. Lightweight applications that leverage code to deliver robust security, using developerpreferredUIs such as CLI and APIs, will see more successful adoption as compared to traditionalsecurity-minded GUIs.So, given that most organizations are ramping up investment in DevOps, how can they mitigate thesechallenges?47
Page 1 and 2: Data Protection Day 2020: De-Riskin
Page 3 and 4: Analysing Data Using the Intelligen
Page 5 and 6: @CYBERDEFENSEMAGCYBER DEFENSE eMAGA
Page 7 and 8: 7
Page 9 and 10: 9
Page 11 and 12: 11
Page 13 and 14: 13
Page 15 and 16: Your website could be vulnerable to
Page 17 and 18: 17
Page 19 and 20: 19
Page 21 and 22: 21
Page 23 and 24: happened in response to public conc
Page 25 and 26: How The Cybersecurity Industry Can
Page 27 and 28: Also, headhunting is becoming antiq
Page 29 and 30: Building Your Cyber Talent Pool Ear
Page 31 and 32: The Importance of Cybersecurity Edu
Page 33 and 34: risks, they’ll be less likely to
Page 35 and 36: Cyberattacks have undergone a remar
Page 37 and 38: The Benefits And Risks Of Modernizi
Page 39 and 40: Part of what takes so long during v
Page 41 and 42: Why Zero Trust Isn’t So Trustwort
Page 43 and 44: propagation. Even if an attacker ob
Page 45: Big Organization May Equal Big Budg
Page 49 and 50: About the AuthorWith more than 20 y
Page 51 and 52: Multi-Cloud is HereThe first step t
Page 53 and 54: Time Is of The EssenceCombating Fal
Page 55 and 56: environment, produce up-to-the-minu
Page 57 and 58: Reducing alert fatigue and boosting
Page 59 and 60: Analysing Data Using the Intelligen
Page 61 and 62: The first data you should search fo
Page 63 and 64: • An oral briefing - this enables
Page 65 and 66: With this perspective, try to compa
Page 67 and 68: About the AuthorMilica D. Djekic is
Page 69 and 70: Identity theft, moreover, tax-relat
Page 71 and 72: Predicting the Direction of The PAM
Page 73 and 74: Ransomware on the riseUnfortunately
Page 75 and 76: A data breach is usually seen as th
Page 77 and 78: VPNs - 2020 And BeyondBy Sebastian
Page 79 and 80: outlawing VPN usage, this can backf
Page 81 and 82: • Perpetual - The Department of V
Page 83 and 84: About the AuthorEric Rickard CEO, S
Page 85 and 86: sites employ these days, this sugge
Page 87 and 88: Network Security Must Keep Up with
Page 89 and 90: Shadow Iot Devices A Major Concern
Page 91 and 92: About the AuthorAshraf Sheet is Reg
Page 93 and 94: Among companies that do offer “da
Page 95 and 96: Smart BuildingsUnderstanding the Se
Page 97 and 98:
Finally, it is crucial for organiza
Page 99 and 100:
Shoring up the endpoint is critical
Page 101 and 102:
101
Page 103 and 104:
103
Page 105 and 106:
105
Page 107 and 108:
107
Page 109 and 110:
109
Page 111 and 112:
111
Page 113 and 114:
113
Page 115 and 116:
115
Page 117 and 118:
117
Page 119 and 120:
119
Page 121 and 122:
121
Page 123 and 124:
Meet Our Publisher: Gary S. Miliefs
Page 125 and 126:
Free Monthly Cyber Defense eMagazin
Page 127 and 128:
127
Page 129 and 130:
Nearly 8 Years in The Making…Than
Page 131 and 132:
131
Page 133 and 134:
133
show all

Cyber Defense eMagazine March 2020

Create successful ePaper yourself

Delete template?

Save as template?