How to Secure DevOps Environments: Exploring Best Practices

By Yuki Arbel. February 25, 2020

Hard to believe, but it’s been more than a decade since the concept of DevOps was introduced. By eliminating the silos separating software development and operations teams, and fostering a more agile, collaborative environment, DevOps promised to help organizations deliver better software faster. By using automation to manage many of the tasks of building, testing, and deploying software, it now promises to improve consistency and reduce human error.

IT organizations have certainly taken note. A recent survey found 45% of IT decision-makers have instituted DevOps practices at their companies, and 78% expect enterprises to use DevOps to deliver applications and services at scale within the next three years.  

DevSecOps Role in Addressing Security Risks 

As DevOps becomes more ingrained, the security issues associated with it have become more critical. Much of this is due to the natural friction between DevOps and InfoSec. 

DevOps is not designed with security in mind. It focuses on pushing code quickly — sometimes faster than security teams can keep up with code review. This can lead to weaknesses in application security that can be exploited by attackers, resulting in everything from data breaches to downed systems. 

To help combat this, many organizations are adopting DevSecOps, which promises better security with less time required to achieve and maintain it. DevSecOps best practices include performing code analysis, security testing, and reviews much earlier in, and throughout, the software development lifecycle, and often necessitate using application security tools.

Proliferation Breeds Cybersecurity Risk

Vulnerabilities within software code aren’t the only security issues that DevOps faces, however. 

As DevOps processes become more commonplace, the number of developers and IT operations staff granted permission to access mission-critical production servers and IT systems, such as cloud infrastructure, continuous integration / continuous delivery (CI/CD) services, and customer data, has grown substantially. They need this access in order to quickly improve applications and cloud services, support customers, troubleshoot issues, and more. 

Problems arise when, to expedite productivity and continuous deployment, companies allow DevOps teams to access these servers and systems from the same laptops they use to build code, do email, and browse the web. Doing so exacerbates security risks because any malware that infiltrates laptops via websites, email downloads and the like, can easily reach those sensitive resources. 

That’s why best practice is to separate access to sensitive resources from the rest of the end-user’s laptop. And the way to achieve this is by splitting each laptop into two completely isolated virtual operating systems.

How OS Isolation Delivers DevOps Security and Productivity

Many security professionals rely on operating system isolation to mitigate security risks related to access and enable the performance DevOps workers need and expect. With OS isolation, end-users can access, install, and work with websites, apps, USBs, and cloud services as they need, without endangering or compromising their company’s production servers.  

The technology splits each user’s device into multiple, local virtual machines, each with its own operating system. Everything a DevOps member does happens in prescribed operating systems, which run side-by-side with full separation.  

To stop cyber attackers from accessing sensitive resources, run these two VM environments on each device: 

  • Fully locked-down VM that’s restricted to accessing production servers and sensitive IT systems.
  • Unlocked, open VM for coding, email, and access to non-sensitive resources, including browsing the web and using external devices.

Full OS isolation solutions like the Hysolate Platform ensure that users always use the correct VM. If they try to perform tasks in the wrong VM, they will be automatically redirected to the correct one. 

Just as critical, hackers cannot move laterally in the network to access production servers. Hysolate air gaps the device’s virtual environments, keeping them completely separate from each other. As far as hackers are concerned, they may as well be two different physical laptops. Any malware that infiltrates a web browser or any other attack vector on the open VM cannot reach sensitive resources. Malware can only see and access the VM that it’s contained within. 

Learn how Hysolate isolates DevOps access without restricting user experience. Start your free trial here.

About the Author

An industry veteran with 20 years of IT, networking and cloud experience, Yuki serves as Hysolate's VP of Product Management. Yuki started his career at P-Cube, a networking startup that was later acquired by Cisco. After his position as system architect at Cisco, Yuki became CEO of Comsleep, an energy saving startup. Most recently, Yuki served as Head of Product for Nokia’s NFV infrastructure, driving telecom networks towards virtualization.

Share this article: