Culture is everything

The secret to DevOps secrets management

Brian Kelly
© Shutterstock / durantelallera  

Speed, velocity, resiliency – all three are crucial elements in DevOps and they do not need to be sacrificed in order to be secure. Regardless, a cultural foundation needs to be stabilized by breaking down certain silos. In this article, Brian Kelly explains how you can achieve that.

Organizations are in a race to create and launch revolutionary applications and services to differentiate themselves from the competition and deliver an exceptional customer experience. The adoption of transformative approaches like DevOps makes this possible – and slowing down is not an option in the competitive landscape.

As faster code delivery at scale becomes the new norm in software development and continuous delivery (CD) pipelines enable DevOps teams to build and deploy applications at scale, secrets get proliferated. Passwords, keys, and credentials are being created and distributed more and more, and they all must be protected.

The cultural disconnect

A recent independent survey commissioned by CyberArk finds that while DevOps professionals recognize the importance of secrets management, there’s a disconnect between DevOps and security teams that makes standardizing secrets management challenging.

Sixty percent of respondents feel their security team “lacks technical expertise to engage meaningfully with their developer and DevOps counterparts.” Interestingly, almost as many security/IT respondents feel that security needs more technical expertise as DevOps respondents. Previous research also found that only 41 percent of security and DevOps teams are well integrated throughout the application development process. This is leading to fragmented decision-making, not to mention the construction of an IT language barrier.

Without aligning goals and tightening communication between DevOps and security, an organization opens itself up to unchecked security issues that leave the company at risk.

SEE ALSO: Turn DevOps into DevSecOps without sacrificing automation

Laying the cultural foundation

Speed, velocity, and resiliency do not need to be sacrificed in order to be secure, but a cultural foundation needs to be stabilized by breaking down silos. Here’s how:

  • Transform Security and DevOps Teams into Partners

Developers should embrace that security teams have something important to offer in terms of best practices and know-how, and security teams should embrace new ways of working in the often rapid-fire realities of modern software engineering. 

Train developers to “think like attackers,” and set up formal systems to ensure DevOps teams understand security risks and implement good security practices. Embrace the Rugged Manifesto.

Security teams need to understand the challenges developers face in securing secrets and the approaches they use to address them. Even if the actual coding of applications is done by developers, the security team will need to be able to credibly communicate with them. Building empathy between the teams worked to bring Dev and Ops together into DevOps, and the same approach can work with security.

  • Move Security “Left”

Security needs to be built into development processes early on, and that can only happen when security and development teams collaborate. DevOps leaders should include representation from security early on in key initiatives and decisions, and security teams need to get their minds around incremental, small-batch continuous delivery as a method for improving security that will reap better results over the longer term.

By collaborating earlier in the development processes, security can be improved without impacting business velocity.

  • Measure and Evaluate, Constantly

Security, development and operations teams can build consensus by sharing objectives and metrics (e.g. are secrets being found in code in public repositories? What percent of application secrets have been secured? Once secrets are secured, how frequently are they being accessed?). This helps DevOps and security teams align around shared goals and build a common vocabulary.

In most cases, improving security happens through incremental advances. Teams should highlight each success and then build on and expand from them. For example, organizations can use metrics to show how much of the attack surface has been addressed or how well each DevOps team complies with security requirements. Aim to have some initial successes to demonstrate security and efficiency gains and branch out from there. 

The rise of DevOps is fundamentally changing conversations around cybersecurity risks and secrets management. But perhaps the most important takeaway from our survey is that both DevOps and security respondents recognize secrets management should be a collaborative, enterprise-wide process. This consensus provides the common ground needed to build tighter collaboration between the teams and make enterprises more innovative than they ever thought possible – without sacrificing security.


Brian Kelly

Brian Kelly is head of Conjur engineering at CyberArk, where he creates products that add much-needed security and identity management to the landscape of DevOps tools and cloud systems. Brian is passionate about software, building teams, cybersecurity and DevOps.

Inline Feedbacks
View all comments