The emergence of DevSecOps
Companies are beginning to recognise the value of the Internet of things (IOT) in improving operational efficiencies and creating new lines of revenue. Sensors are being used to measure energy consumption, monitor asset health, predict asset failure, give users remote control over the environment, provide visibility into personal vitals, and more.
A traditional approach to gaining visibility and control simply won't scale.
With the adoption of IOT, access to privileged information is no longer limited to individuals or administrative users. The sensors themselves may be treated as privileged identities as they act on behalf of the user and collect privileged information from various endpoints. As a result, the digital identities in devices and sensors have access to a wealth of data that can be a competitive differentiator for a company, but also an attractive target to an attacker.
It's important to note: I'm not talking about one or two sensors. The number of privileged access accounts in the IOT can grow at an exponential rate - much faster than IT can manage. Gartner predicts that, worldwide, 8.4 billion devices will be connected to the IOT in 2017. IT can't manually control privileged access and achieve visibility as the number of devices and endpoints increase.
Most companies are moving to application programming interfaces (APIs) to achieve economies of scale, ease of development and cost efficiencies. However, companies are challenged by the need to manage the privileged credentials embedded in APIs that often provide connection to highly sensitive corporate data. Companies must ensure the right users, apps and devices have the right levels of access. To further complicate matters, the number of credentials embedded in APIs can be significant, and access levels can be varied.
In order to get more out of their APIs, companies need mechanisms in place to ensure APIs have the right level of access and are making the right calls on behalf of users.
Companies need assurance that the credentials embedded in an API are tied back to the user and the request being made. Until businesses have these assurances, the value companies realise from the API economy will come with increasing risk.
By integrating development and operations, companies can potentially reduce the cost and increase the speed of development while improving the quality of deliverables. Thus the business gets better, and software becomes faster and cheaper.
This is where DevSecOps comes in, as it seeks to integrate security within the development process to prevent security from becoming a roadblock. However, the automation and orchestration inherent to DevOps make this difficult.
Companies today are increasingly building applications on cloud-based infrastructure. Once developers check in their code, an automated process compiles the code, runs tests and moves code from one environment to another. These steps are automated using scripts with embedded privileged identity and access credentials. Without visibility into the privileged identities, IT doesn't know who initiated the scripts.
The lack of visibility becomes particularly problematic when it comes to demonstrating compliance with laws and regulations. Regulations like the Sarbanes-Oxley Act were established for a waterfall environment. In a DevSecOps environment, it is difficult to know who has access to what and to highlight the segregation of duties as required by regulations.
So, how are privileged identities monitored in the application economy?
The IOT, API economy and DevSecOps have at least one thing in common - they present the company with rapidly growing sets of privileged identities that have access to sensitive and/or large datasets. These identities must be protected and monitored so breaches can be detected and stopped. But this can't be achieved manually.
A traditional approach to gaining visibility and control simply won't scale. It is necessary to move to an automated mechanism in order to gain visibility. That mechanism is user behaviour analytics (UBA) that monitors identities to establish baseline behaviour and identify anomalous activity.
The use of machine learning algorithms helps to reduce false positives. While legitimate user behaviour is subject to change, it usually does so gradually. Machine learning algorithms adapt by learning from changes and emerging patterns. Thus, a UBA tool uses automated analytics to continuously monitor identities and quickly detect attacks, high-risk activities and breaches.
To deliver the most value, a UBA tool must also incorporate automated mitigation strategies. Reporting is also critical for reducing the risk of privileged identities. When anomalous behaviour is flagged as risky, the tool should automatically generate a report that allows the company to quickly respond. Ideally, these reports enable IT to quickly inspect both the context and full background associated with the identity.
As businesses become involved in the application economy, their security landscape grows. The IOT, API economy and DevSecOps increase the number of privileged identities that have access to sensitive or large datasets. That means an increased risk of breach. Companies need solutions that will scale with the environment they're operating in to ensure they can realise present-day benefits, but also be positioned to take advantage of future use cases.