Summary: Most corporate software is developed using the agile methodology, which confers benefits but increases risk. Privileged Access Management (PAM) can help secure the process.
It’s not your father’s software development. Heck, it isn’t even your older brother’s software development. The way software is created and deployed has changed significantly over the last few years. We are now firmly in the era of agile software methodology and cloud hosting. New incarnations of the agile methodology continue to emerge regularly. Examples include DevOps and Continuous Integration (CI). Each promises greater flexibility and economy for the IT department as well as greater strategic agility for the business. These processes also introduce new risks. This article probes ways that IT organizations can reap the benefits of agile methodologies while retaining the level of security they require.
Understanding the Promises and Risks of Agile Methodologies
Agile software development offers an attractive alternative to the traditional “waterfall” process. The waterfall meant going through the laborious, step by step process of gathering requirements, writing code, testing, and deployment. With agile, you have “scrums” where developers “sprint” to complete code for a narrow set of requirements and rapidly push the code into production. The process compresses the release cycle for new software features. With agile, a new feature might be requested, executed in a scrum, and put into production in a matter of days. In contrast, with the waterfall approach, a new feature may be delayed for months until an entire requirements-code-test-correct-retest-deploy cycle is completed.
Agile is popular and increasingly dominant. TechBeacon reports that two-thirds of IT organizations consider themselves either “pure agile” or “leaning towards agile.” It has its detractors, of course. For one thing, agile tends to result in a code base that’s riddled with problems. The agile philosophy calls for creating “good enough” code that meets the majority of user concerns even if bugs exist in other functional areas of an application. For this reason, waterfall is still popular in highly exacting application tasks like nuclear power plant control systems. There, you want everything to be perfect.
Faults aside, the agile train does not appear to be slowing down anytime soon. The methodology has begotten a host of related development techniques. These include DevOps, which merges the traditionally separate teams and processes of development and operations. With DevOps, the dev team collaborates with the ops team to deploy working code rather than “throwing it over the wall.” DevOps usually means faster release cycles and fewer communication issues between teams. In some cases, there is just one team. Everyone does it all. Developers do ops and ops people are involved in development.
Continuous Integration (CI) is another variant on agile that has developers and ops people pushing out new code into a production application whenever a new feature is ready. This might mean updating a working application with new code a couple of times a day! For certain kinds of fast-moving consumer applications, CI is essential to staying competitive. CI works because of new tooling that enables a cloud-based application to be updated without stopping its operation. The uninstall/reinstall process is no longer necessary for code updates. As soon as users request a new feature, it can be developed and integrated within a very short period of time. It’s sort of like changing Indy Car tires in the middle of a race without a pit stop.
Agile methodologies open up organizations to a number of new security risks:
- The fast pace of development sometimes results in secure coding practices being cast aside.
- There may be people getting involved in the scrums who are not versed in an organization’s development security policies.
- Many of the tools are open source and cloud-based.
- Security parameters may not be thoroughly understood by all parties in the process.
- Agile methodologies frequently involve spinning up new virtual machines in the cloud with infrastructure automation tools — a practice that can accidentally expose the application to threats.
Agile also creates access control risks.
Access Control Risks in Agile Software Development
Who did what… and when? This is one of the most basic questions information security managers and auditors want answered. When it came to software development, the waterfall process made answering this question relatively simple. Developers coded. Testers tested. Operations people deployed code and installed patches. Policy dictated that production systems were verboten to developers and testers.
It’s been a few years since things were anywhere near this simple.
In the agile/DevOps/CI world, a lot of individuals have access to production systems. With CI in particular, there is literally no switching off the application when it’s being changed. Agile methodologies expand the depth of access control risk exposure. They put more pressure than ever on security managers to monitor, log, and control access to affected systems.
Privileged Access Management and Agile Methodologies
A privileged user is a person who has back end administrative access to a system. With agile methodologies, almost everyone in the process has some level of privilege. Perhaps not everyone has complete privileged user status. They may not be able to create, update or delete user accounts or reset system configuration. But, if they can log in and change production code, they should be considered a privileged user, bound by privileged user access control policies. They need to be subject to privileged access management (PAM).
PAM solutions are designed to ensure that only administrators with proper access rights can log into back-end systems. They provide a secure and streamlined way to authorize, monitor and control the activities of all privileged users. In an agile environment, the PAM solution can centrally and efficiently manage developer and IT ops team member access across the systems they manage. The PAM solution enforces policies that restrict these users from bypassing security systems. It grants privileges to developers and IT ops people only for systems on which they are authorized. Access is only granted when it’s needed. Access is revoked when the need expires.
PAM reduces the risk of privileged access by former developers or by people who no longer require access. In the agile world, this might mean people who got moved to a different scrum. Agile teams are known for switching people around. Thus, if John was on the general ledger app dev scrum last month, but no longer is, he should not be allowed to sign in to the cloud-based infrastructure that supports the general ledger. PAM can make that cutoff a reality.
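The policy described in the last two paragraphs (access granted only when needed, revoked when the need expires or the person changes scrum, every decision recorded) can be sketched as follows. This is an added illustration, not WALLIX code or any product's API; `AccessBroker`, the system name `gl-prod`, the scrum names and the four-hour lifetime are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class AccessBroker:      # hypothetical broker, not a real PAM product API
    membership: dict = field(default_factory=dict)  # user -> current scrum
    owners: dict = field(default_factory=dict)      # system -> owning scrum
    grants: dict = field(default_factory=dict)      # (user, system) -> (scrum, expiry)
    audit: list = field(default_factory=list)       # who, what, when, outcome

    def _log(self, when, user, system, decision, reason):
        self.audit.append((when.isoformat(), user, system, decision, reason))

    def request(self, user, system, now, ttl=timedelta(hours=4)):
        """Issue a time-boxed grant only if the user's current scrum owns the system."""
        team = self.membership.get(user)
        if team is None or team != self.owners.get(system):
            self._log(now, user, system, "deny", "not on owning scrum")
            return False
        self.grants[(user, system)] = (team, now + ttl)
        self._log(now, user, system, "grant", f"until {(now + ttl).isoformat()}")
        return True

    def reassign(self, user, new_team, now):
        """Move a user to another scrum and revoke grants tied to the old one."""
        self.membership[user] = new_team
        for (u, system), (team, expires) in list(self.grants.items()):
            if u == user and team != new_team:
                del self.grants[(u, system)]
                if now < expires:   # only live grants need a revoke record
                    self._log(now, user, system, "revoke", "left owning scrum")

    def check(self, user, system, now):
        """Login-time decision: grant must be unexpired and the scrum still current."""
        team, expires = self.grants.get((user, system), (None, now))
        ok = team is not None and now < expires and self.membership.get(user) == team
        self._log(now, user, system, "allow" if ok else "deny",
                  "valid grant" if ok else "no valid grant")
        return ok

def demo():
    t0, h = datetime(2024, 1, 8, 9, 0), timedelta(hours=1)  # constructed timestamps
    b = AccessBroker({"john": "general-ledger"}, {"gl-prod": "general-ledger"})
    b.request("john", "gl-prod", t0)
    results = [b.check("john", "gl-prod", t0 + h),       # inside the 4-hour lifetime
               b.check("john", "gl-prod", t0 + 5 * h)]   # lifetime expired
    b.request("john", "gl-prod", t0 + 6 * h)
    b.reassign("john", "payroll", t0 + 7 * h)
    results.append(b.check("john", "gl-prod", t0 + 8 * h))  # moved to another scrum
    return results, b.audit
```

The audit list is what answers “who did what, and when”: it records denials and revocations as well as successful logins.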
PAM Tools to Address Third Party Application Maintenance Risks
WALLIX offers a comprehensive PAM solution to address the privileged access risks inherent in agile development methodologies. It enables pervasive, sustainable deployment across development, cloud infrastructure, and CI toolsets. The WALLIX Bastion sets up a single gateway with single sign-on for access by developers and IT ops people regardless of their location or corporate affiliation.
WALLIX works for systems in the public cloud, private cloud, hybrid cloud and on-premises environments. WALLIX also supports security controls over third parties by precluding privileged users from having or needing local/direct system passwords. This reduces the risk of manual system overrides, which can be an issue if the third party has access to the physical hardware running the applications.
WALLIX offers several components that each play a role in addressing the access control risks in agile methodologies. The Access Manager lets users connect to resources with a single click. Access Manager lets users immediately connect to the Bastion from any device without the need to install remote access tools. Today’s agile developers are a mobile lot. They might as easily be slinging code from the beach on a laptop as sitting in a cubicle. They can connect through native RDP and SSH clients. All passwords are stored in a secure and certified Password Vault.
The WALLIX Session Manager monitors privileged users’ session activity in real time in order to manage access and provide a comprehensive audit trail. The tool can be configured to intervene automatically when user access policies are breached. By assigning each access to an actual identity, the WALLIX Session Manager ensures that all users are accountable for their actions. Then, by creating an unalterable audit trail for any privileged operation, WALLIX speeds up the process of interpreting what might have gone wrong in an incident. In compliance-heavy businesses, PAM helps enforce controls that govern the deployment of new code.
The WALLIX solution features an agent-less architecture. This approach eliminates the risk that changes in protected systems will require extensive revamping of the PAM solution. In contrast, many other PAM solutions require a dedicated software agent on each administered device or workstation. Dedicated agents can delay PAM implementation and create difficulties when applications get upgraded.