Naked in the Cloud: When DevOps Mistakes Risk Gov IT

A movement to merge development and operations, DevOps, to hasten government modernization is not without cybersecurity risks -- or solutions.

Practitioners encourage governments to pursue DevOps, despite security risks, because they can be secured. But cities will need to prove data cybersecurity.

What is DevOps?

DevOps -- development and operations -- is an emerging approach that could help government agencies modernize fast through automation. Developers work with IT operations throughout the development cycle to launch solutions.

A DevOps approach achieves agility and reduces operating costs. It is sometimes prefaced by the CALMS (or CALMSS) framework -- culture, automation, lean, management, sharing and sourcing -- a process that determines if an organization is ready for DevOps.

DevOps are an integral part of digital transformation, and assurance, compliance, governance, risk and security therefore become integral components of this transformation.

When Accidents Breach Cybersecurity, Governments Need to Do Better

The Department of Homeland Security, General Services Administration, Environmental Protection Agency and Veterans Affairs are a few federal agencies deploying DevOps strategies to modernize.

An article in MeriTalk, a public-private partnership focused on Federal IT conversations, said that DevOps doesn’t come without risk. Several federal agencies -- like the National Security Agency (NSA) -- and others have experienced cyber attacks on DevOps environments.

Due to a misconfiguration error, NSA exposed top secret data via a cloud server.

The truth of the matter is DevOps tools often have interfaces designed for human users, and misconfigurations are all too easy and common,” wrote author Elizabeth Lawler, vice president of DevOps security at CyberArk.

Because misconfigurations are common to several breaches, MeriTalk advises security controls be implemented across identities and environments.

Robert Clyde, vice-chair of ISACA’s board of directors and managing director of Clyde Consulting, agreed. Cities, he recently wrote in Cities Must Do More to Modernize Technologic Infrastructure, need to bolster their protection against cybercriminals:

Cities also need to have strong governance and risk management frameworks in place, regardless of whether they are a megacity with more than ten million residents or a small-to-medium municipality.”
Where are the Weaknesses?

When governments implement new cloud and DevOps environments, they increase risk. There are development, integration, testing and deployment tools -- with more people using them.

To mitigate against both internal and external threats, agencies need to continuously monitor privileged account sessions across their networks, advised Lawler.

An increase in privileged account credentials and information shared across platforms means that securing non-human identities is also critical -- but that can be a challenge for the following reasons:

  • Security silos: Each tool usually has privileged credentials, separately maintained and administered.
  • Password plethora: Authentication keys live on individual computers and applications.
  • Coded secrets: To deliver solutions, developers code data into executables.
Secrets Management

According to Lawler, a compliant tool that connects with DevOps and enterprise solutions can help government agencies see where unprotected secrets live, without necessarily looking at them.

By establishing prioritization -- governance -- agencies can secure and manage secrets and still achieve the agility DevOps are designed for.

Developers are not expected to manage credential collaboration, but they can help build a scalable, secure platform, Lawler wrote.

Clyde indicated that with increased digital modernization efforts, more IT audit professionals “who are conversant in cybersecurity practices” are needed.

Serverless CyberOps

While public sector agencies must improve security despite a shortage of cyber professionals, guidance from the NIST Cyber Security Framework -- applying principles from the Cyber Kill Chain Framework -- Serverless Cyber Defense may be possible. Serverless technologies can help fill gaps in the skilled government cybersecurity professionals through automated threat management, according to Amazon Web Services (AWS).

At its upcoming Public Sector Summit, AWS is hosting a session, “Serverless Cyber Ops for Government,” that will discuss how cities can design low-touch, secure DevOps architectures and eliminate capital expenditures.

Andrea Fox is Editor of Gov1.com and Senior Editor at Lexipol. She is based in Massachusetts.