Progress announced the early-access release of Progress® MarkLogic® Server 12.
Over time, applications have evolved from simple lines of code to a universe full of interconnected machines and systems powering continuous integration and continuous delivery. Software-defined data centers where "infrastructure as code" models are being used to deploy virtualized systems hosted on-premises as well as in cloud IaaS service environments have created challenges for DevOps and security teams.
The increased use of containers, microservices architectures and other connected services to develop applications has made it increasingly difficult for security teams to monitor who is accessing sensitive information. With deadlines and agility paramount for developers and operations teams, security teams need to prevent an attacker from infiltrating an organization through this exponential expansion of the attack surface.
Week one of National Cyber Security Awareness Month's theme is, "If You Connect It, Protect It." It is important for DevOps and security teams to work together to secure access to (and between) the containers, microservices architectures and other connected services used to build applications. Connecting services and workloads is also equally as important. Below we discuss the role privileged access management (PAM) plays in putting the security — or the "sec" — in DevSecOps, and why security teams should look beyond traditional PAM methods for the best results for their organizations.
Digital Transformation Changes Everything We Know About PAM
Developers do not want to waste time when deadlines are looming in the background. Because of this, DevOps teams will have a tendency of bypassing PAM - which could cost businesses. Avoiding PAM could lead to an increased risk of a cyberattack, a waste of money spent invested in PAM, and fines from violating industry regulations.
The goal of PAM for application developers is to simplify and centralize credential management (also commonly referred to as application-to-application password management, or AAPM). Unfortunately, traditional PAM methods tend to be complicated to deploy and manage, and require lots of manual care and feeding with the new technologies used to build applications.
However, developers have grown accustomed to putting static passwords and secrets in code as part of the development process. When an application is running, it authenticates using the static embedded password. Stop and think about it for a second, static passwords in code… this is a bad practice. Threat actors can simply use a password sniffer to discover and use the password, posing as a legitimate account and evading security teams. PAM is necessary to protect organizations, but with traditional methods comes some challenges such as not accounting for machine identities.
Furthermore, now there is a significant expansion in the number of identities that need to be created and managed. Human identities are now limited in the DevOps process compared to non-human identities such as other applications, virtual machines, services and workloads in the cloud — causing complexity in the PAM process.
Luckily, just as the way developers have built applications over time has evolved, PAM methods have too.
How to Seamlessly Incorporate AAPM into the DevOps Process
The best way for AAPM and PAM to integrate into the modern DevOps process is to use a combination of more modern methods: ephemeral tokens and delegated machine credentials.
Ephemeral tokens offer temporary, time-based access with automatic expirations. These tokens are created automatically by a password vault, eliminating the need for DevOps teams to utilize static passwords or secrets as part of the development process. Once the accessor — whether human or machine — is authenticated and after a set period of time, the token will disappear. If a threat actor were to compromise a server, there would be no static credential to steal, which would greatly reduce the risk of a full-scale attack or lateral movement.
The next layer to an effective modern PAM solution is something we call Delegated Machine Credentials. If a container, virtual machine or other connected device were to be enrolled into a PAM service, it receives its own temporary credentials so it can authenticate and establish a mutual trust relationship with a password vault. Now any applications or workloads running on the particular machine are able to use its credential as well, leveraging the binded trust granted by the DevOps team. Using a combination of the ephemeral tokens and delegated machine credentials, security becomes automated, and the number of service accounts is significantly reduced, also greatly reducing risk.
Keeping Connected and Secure
We live in a virtualized world, so it is no wonder application development has turned into a sea of connections with both human and non-human identities. Organizations must strive to modernize PAM in order to create a seamless, secure DevSecOps experience.
Industry News
Red Hat announced the general availability of Red Hat Enterprise Linux (RHEL) AI across the hybrid cloud.
Jitterbit announced its unified AI-infused, low-code Harmony platform.
Akuity announced the launch of KubeVision, a feature within the Akuity Platform.
Couchbase announced Capella Free Tier, a free developer environment designed to empower developers to evaluate and explore products and test new features without time constraints.
Amazon Web Services, Inc. (AWS), an Amazon.com, Inc. company, announced the general availability of AWS Parallel Computing Service, a new managed service that helps customers easily set up and manage high performance computing (HPC) clusters so they can run scientific and engineering workloads at virtually any scale on AWS.
Dell Technologies and Red Hat are bringing Red Hat Enterprise Linux AI (RHEL AI), a foundation model platform built on an AI-optimized operating system that enables users to more seamlessly develop, test and deploy artificial intelligence (AI) and generative AI (gen AI) models, to Dell PowerEdge servers.
Couchbase announced that Couchbase Mobile is generally available with vector search, which makes it possible for customers to offer similarity and hybrid search in their applications on mobile and at the edge.
Seekr announced the launch of SeekrFlow as a complete end-to-end AI platform for training, validating, deploying, and scaling trusted enterprise AI applications through an intuitive and simple to use web user interface (UI).
Check Point® Software Technologies Ltd. unveiled its innovative Portal designed for both managed security service providers (MSSPs) and distributors.
Couchbase officially launched Capella™ Columnar on AWS, which helps organizations streamline the development of adaptive applications by enabling real-time data analysis alongside operational workloads within a single database platform.
Mend.io unveiled the Mend AppSec Platform, a solution designed to help businesses transform application security programs into proactive programs that reduce application risk.
Elastic announced that it is adding the GNU Affero General Public License v3 (AGPL) as an option for users to license the free part of the Elasticsearch and Kibana source code that is available under Server Side Public License 1.0 (SSPL 1.0) and Elastic License 2.0 (ELv2).
Progress announced the latest release of Progress® Semaphore™, its metadata management and semantic AI platform.
Elastic, the Search AI Company, announced the Elasticsearch Open Inference API now integrates with Anthropic, providing developers with seamless access to Anthropic’s Claude, including Claude 3.5 Sonnet, Claude 3 Haiku and Claude 3 Opus, directly from their Anthropic account.