Cyber insurance is a relatively young market. Threats evolve quickly, which makes the underlying risk harder to assess than in many other lines of insurance.
Insurers are constantly adapting their conditions and their approach, and DevSecOps could be the next item on their list of requirements.
Companies looking to take out or renew a cyber policy face increasingly stringent cyber-security requirements. For example, the list of security controls that have become prerequisites for affordable cover has grown several times over in recent years. In the face of growing cyber threats and the steady rise in losses caused by cybercriminals, insurers have themselves absorbed heavy losses and are constantly seeking to limit their exposure.
These requirements have always included measures such as multi-factor authentication (MFA), anti-malware software, firewalls and intrusion detection systems. In recent years, privileged access management (PAM) has been added to the technologies required for cyber insurance. Properly deployed, PAM solutions provide essential controls to protect business systems and data, and they help organisations comply with the French government's “cybersecurity” acceleration strategy.
But the list will likely grow even longer, especially for companies whose businesses require software development and who have adopted the DevOps workflow model.
The challenges of DevOps
Fast, repetitive DevOps workflows often introduce security risks related to privilege management. When teams compete on how quickly applications ship, it becomes very tempting to share privileged access to all containers, servers and applications, or to use plain-text credentials hard-coded into source and configuration files.
It is no news that attackers increasingly exploit hard-coded credentials, poorly designed or insecure APIs, and sensitive configuration data left in code to carry out large-scale attacks. For example, API weaknesses were called into question by the massive theft of personal data from a Pôle emploi service provider in 2023, potentially affecting 10 million people.
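A practical first check for the hard-coded credentials described above is a secret scanner run on every commit or pipeline stage. The following is an added example, not code from the article or any vendor's product: a small regex-based scanner with three illustrative detectors (an AWS access key ID prefix, a PEM private-key header, and a quoted literal assigned to a password-like name). The sample source it scans is constructed for this example; the key ID is the one from AWS's own documentation and the password is fake. Detector names, the `# nosec` suppression marker and the placeholder rule are all assumptions of this example.

```python
"""Minimal hard-coded secret scanner (added example, not the article's code).

Runs a few regex detectors over source text and returns findings with line
numbers. Patterns are illustrative, not exhaustive; a production scanner would
add entropy checks, provider-specific formats and a baseline of known findings.
"""
import re

# (detector name, compiled pattern). Names are assumptions of this example.
DETECTORS = [
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary).
    ("aws_access_key_id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    # Any PEM private-key header pasted into source.
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # password = "literal" style assignments; the literal must be 8+ chars.
    ("generic_password", re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']""")),
]

# Values that look like templating placeholders rather than real secrets.
PLACEHOLDER_PREFIXES = ("${", "{{", "<")


def _is_placeholder(match: "re.Match") -> bool:
    """True when a generic_password hit is a template placeholder, not a literal."""
    if match.lastindex is None or match.lastindex < 2:
        return False
    return match.group(2).startswith(PLACEHOLDER_PREFIXES)


def scan_source(text: str) -> list:
    """Return [(line_no, detector_name, stripped_line), ...] for every hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# nosec" in line:   # explicit, reviewable suppression (assumed convention)
            continue
        for name, pattern in DETECTORS:
            m = pattern.search(line)
            if m is None or _is_placeholder(m):
                continue
            findings.append((line_no, name, line.strip()))
    return findings


# Constructed sample input: the password is fake, the key ID is AWS's
# documentation example, and the PEM line is only a header.
SAMPLE_SOURCE = '''\
import os
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2-prod-2023"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = os.environ["API_TOKEN"]
SECRET = "${VAULT_SECRET}"
ssh_key = "-----BEGIN OPENSSH PRIVATE KEY-----"
'''

if __name__ == "__main__":
    for line_no, name, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name}: {snippet}")
```

Running the block flags lines 3, 4 and 7 of the sample and leaves the `os.environ` lookup and the `${VAULT_SECRET}` placeholder alone, which is the behaviour you want from a gate that must not block clean commits. Wire it in as a pre-commit hook or a pipeline step that fails the build on any finding.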
Introduction to DevSecOps
What is DevSecOps? DevSecOps (or DevOps Security) is an innovative approach to software development that integrates security from the beginning and into every phase of the development cycle. DevSecOps ensures application security through continuous and automated processes and can also discover vulnerabilities directly related to the management of access permissions.
However, many companies have delayed implementing DevSecOps because it is a new approach to security with its own challenges. Many give up for fear of compromising their agile development methods and losing competitiveness. Specifically, they fear that the continuous integration and continuous delivery (CI/CD) pipeline that produces their code will slow down.
As DevSecOps becomes a critical component of overall enterprise security and obtaining cyber insurance becomes increasingly expensive, it’s time to calm the fears of this slowdown and find ways to easily integrate these practices into organizations’ security strategies.
Why is extending privileged access management to DevOps a good start?
The important thing is not to rush or invest in new technologies immediately, but to move forward and prioritize step by step.
An interesting starting point would be to expand PAM controls to include effective DevOps secrets management. In fact, fast, repetitive DevOps workflows often introduce security risks related to privileged access to containers, servers, and applications. The challenge is to reconcile fast and dynamic DevOps cycles and robotic process automation (RPA) with security policies.
Modern PAM solutions can overcome these challenges by providing secrets management at DevOps speed – without interrupting the development process – with features such as:
- High-speed vault: Modern PAM provides an encrypted, centralized vault, typically delivered as SaaS, that meets the specific speed and agility needs of DevOps teams and can be stood up and populated with privileged credentials in minutes.
- Centralized Secrets: Modern PAM eliminates heterogeneous vault instances, strengthens secure access to secrets, and creates a comprehensive audit trail, giving stakeholders visibility into all privileged activity.
- Automation and scope: Modern PAM provides an automated interface (CLI and API) optimized for the speed and scope of DevOps pipelines and RPA implementations and tools.
- Certificate issuance: Modern PAM supports the issuance of X.509 and SSH certificates, as well as their automatic signing and distribution.
- Just-in-time access: Modern PAM removes standing access to databases such as MySQL, PostgreSQL or Oracle, as well as to cloud platforms such as AWS, Azure or GCP. Instead, it issues short-lived “just-in-time” access that expires on its own.
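The just-in-time and audit-trail items above describe a pattern rather than a product. The following is an added example, not the article's or any vendor's code, that models that pattern in a few dozen lines: a broker signs a short-lived grant (principal, target, expiry) with an HMAC key only it holds, the target service verifies the signature and the expiry before admitting a request, and every grant and check lands in one audit list. The class and method names, the token format, and the injectable clock are assumptions of this example; a real deployment would use a vault or PAM product's own API and key storage.

```python
"""Toy just-in-time access lease broker (added example, not the article's code).

No standing credential is handed to the pipeline: the token is bound to one
target and dies after `ttl_seconds`. The broker's HMAC key never leaves it.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

SIG_LEN = hashlib.sha256().digest_size   # 32 bytes, appended to the payload


class LeaseBroker:
    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key
        self._clock = clock          # injectable so tests can advance time
        self.audit = []              # centralized trail: one entry per grant/check

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def grant(self, principal: str, target: str, ttl_seconds: int) -> str:
        """Issue a token for `principal` to reach `target`, valid for ttl_seconds."""
        exp = int(self._clock()) + ttl_seconds
        payload = json.dumps(
            {"sub": principal, "tgt": target, "exp": exp}, sort_keys=True
        ).encode()
        token = base64.urlsafe_b64encode(payload + self._sign(payload)).decode()
        self.audit.append(("grant", principal, target, exp))
        return token

    def check(self, token: str, target: str) -> tuple:
        """Return (ok, reason). Signature is verified before anything is parsed."""
        ok, reason = self._check(token, target)
        self.audit.append(("check", target, reason))
        return ok, reason

    def _check(self, token: str, target: str) -> tuple:
        try:
            raw = base64.b64decode(token.encode(), altchars=b"-_", validate=True)
        except (binascii.Error, ValueError):
            return False, "malformed"
        if len(raw) <= SIG_LEN:
            return False, "malformed"
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        # Constant-time comparison; a forged or edited payload fails here.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False, "bad_signature"
        claims = json.loads(payload)          # safe: only broker-signed bytes reach this
        if claims["tgt"] != target:
            return False, "wrong_target"
        if self._clock() >= claims["exp"]:
            return False, "expired"
        return True, "ok"


if __name__ == "__main__":
    broker = LeaseBroker(b"demo-only-key")   # assumed key for the demo
    tok = broker.grant("ci-runner-42", "postgres://db.prod", ttl_seconds=300)
    print(broker.check(tok, "postgres://db.prod"))
    print(broker.check(tok, "postgres://db.staging"))
    for entry in broker.audit:
        print(entry)
```

The point for the insurance discussion is the audit list: every grant and every check, including the failed ones, is recorded in one place, which is exactly the kind of evidence an underwriter's questionnaire asks for. Note that the payload is only parsed after the HMAC check passes, so untrusted bytes never reach the JSON decoder.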
Cyber insurers today expect their customers to take proactive security measures, especially in terms of identity and access management. If companies use DevOps, it is advisable to implement PAM solutions that also effectively protect DevOps secrets. However, this requires tools that support the speed and agility required for the DevOps team’s workloads.