Are Your Secrets Out? Three in Five (61%) Singapore Organisations Report No Security Strategy for DevOps

Singapore – November 9, 2017: CyberArk (NASDAQ: CYBR), the undisputed leader in privileged account security and company that protects organizations from cyber attacks across the enterprise, into the cloud and throughout the DevOps pipeline, today announced that DevOps and security professionals have worrying knowledge gaps about where privileged accounts and secrets exist across the IT infrastructure, according to the first findings to be released from CyberArk’s Advanced Threat Landscape 2018 report. When offered several options ranging from PCs / laptops to containers, cloud environments and containers, nearly all (99%) failed to identify at least one place where privileged accounts or secrets exist.

In Singapore, 95% of organisations have adopted DevOps, but only around one third (35%) have fully integrated teams and processes throughout the application development process. This disparity further reinforces the need for greater awareness around DevOps security, where 72% of respondents are unaware that privileged accounts or secrets are found in Continuous Integration and Continuous Delivery (CI/CD) tools. Other areas that Singapore security professionals think that privilege accounts and secrets are not found are microservices (70%), containers (69%) and source code repositories such as GitHub (68%).

Further compounding this lack of awareness, 61% of Singapore’s security professionals reported that they had no privileged account security strategy for DevOps, despite Gartner reporting that 50% of enterprises would be using DevOps by the end of 2016[i], creating significant weak points for attackers to target. 

“As organizations employ DevOps, more privileged account credentials and secrets are being created and shared across interconnected business ecosystems,” said Elizabeth Lawler vice president, DevOps security, CyberArk. “Even though dedicated technology exists, with few organizations managing and securing secrets, they become prime targets for attacks. In the hands of an external attacker or malicious insider, compromised credentials and secrets can allow attackers to take full control of an organization’s entire IT infrastructure. So it’s worrying that the rush to achieve IT and business advantages through DevOps is outpacing awareness of an expanded – and unmanaged – privileged attack surface.”

While many DevOps teams underestimate the volume of secrets being spread across the IT infrastructure, they are aware of the need to improve security. Over a third (37%) of DevOps professionals say compromised DevOps tools and environments represents one of their organisation’s greatest security vulnerabilities – but many are acting alone to tackle the issue.

With just a quarter of security teams reporting that they have a privileged account security strategy for DevOps, and integration between teams a problem for nearly two thirds of respondents (65%), many DevOps professionals are taking matters into their own hands. In fact, a quarter (27%) of Singapore respondents have built their own security solution to protect and manage secrets for DevOps projects.

Lawler continued: “Building your own security solutions is arguably OK up to a point, but is not a scalable way forward. From Jenkins to Puppet to Chef, there are no common standards between different tools, which means you must figure out every single tool to know how to secure it. DevOps really needs its own security stack, and security teams must bring something to the table here. They can provide a systemised approach to helps the DevOps teams maintain security while accelerating application delivery and boosting productivity.”

Enterprises in Singapore are increasingly using cloud orchestration and automation tools to drive DevOps initiatives, and half (49%) of respondents reported using the cloud for internal development.

However, the study shows that the lack of a DevOps security strategy in Singapore extends to the cloud. Three fifths (59%) of Singapore enterprises rely on their cloud vendor’s built-in security, meaning privileged account security is not fully integrated into DevOps processes when spinning up new environments.

Lawler concludes: “Taken together, this year’s survey findings indicate that many organizations do not understand the need – or the mechanisms – to secure privileged account credentials and secrets, whether that’s in the cloud or on-premises. DevOps and security tools and practices must fuse in order to effectively protect privileged information. Building awareness and enabling collaboration between DevOps and security teams is the first step to help businesses build a scalable security platform that is constantly improved as new iterations of tools are developed, tested and released.”