The DevOps revolution has led to a greater adoption of tools such as Kubernetes. Modern software development tools allow developers to build, distribute and scale applications in a simple and consistent way, keeping a record of all configurations as code.
On the other hand, we have reached the point where, as a result of some significant data breaches, we recognise that security cannot and should not be a rethinking, but is an important consideration in itself and in the integrated perspective of the entire development cycle. This has led to greater attention to how the development of cloud safe and native software should be.
Since data loss was frequent at the beginning of DevOps, often due to poor credentials management, many of the tools that were created later have secret management systems.
When you use multiple tools to build, distribute, configure and maintain applications and each of them has its own mechanisms for managing security policies and access control, you end up having what Cyberark calls a security island.
According to the cybersecuirty specialist, a security island is a tool or platform with its own integrated security components (which manage secrets, access control, audit, compliance), but which does not facilitate interoperability with other instruments and
Therefore, an isolated subsystem is an island which makes the safety management of the system as a whole more difficult. This is when an instrument does not have well-designed protective features, such as fine granularity access control or detailed transaction audit. It may not safely store the resting data or be designed for interoperability.
Whatever the cause, the result is the same: the implementation of the protection for the suite of instruments associated with the safety islands must take place in a fragmentary way and without any centralised supervision.
When systems are set up with security islands, there is a lack of consolidated audit and access control and it is difficult to delegate the right to manage subsystems in a standardised manner.
There is also a lack of centralized vision of the entire security landscape, which makes large-scale management difficult and/or complex scenarios and architectures (or even heterogeneous ones, which nowadays are the norm).
The pipeline we created is designed to improve flow and speed and allow us to release our code, but not always keeping in mind security. The advantages of these interconnected systems are real and it is common and understandable that we end up with suites of different instruments. However, we can improve the experience of their management if we adopt a technology that allows us to connect them to each other.
Eliminate the safety islands
So how do we eliminate the safety islands and integrate the tools so that they can be connected with the established systems?
When a centralised and homogeneous approach (without security islands) is applied, the advantage of a single audit, access control and a consistent consolidated administration is achieved. It is easier to delegate roles and privileges and manage them on a large scale with the benefit of a centralized vision of security and how individual machines and services interact with each other.
To manage privileged access for applications throughout the life cycle of software development, a system is needed to serve and protect the entire infrastructure, to declare who and what can access what resources, to control all connections that are made and to monitor unusual behavior
In practice, according to Cyberark, the system used for centralized management of privileged access to applications must allow: