Real-time DevOps data provisioning with zero trust protection
In the context of data security and compliance, zero trust means ensuring the availability and security of data throughout the DevOps environment. Efficient, practical test data management and data masking play a decisive role here.
For DevOps decision-makers, the security of the software they build is the primary concern. Unfortunately, operating systems and applications are increasingly popular targets for cybercriminals. This became abundantly clear with the SolarWinds incident, which has gone down in history as one of the most alarming supply-chain attacks. Via an infected update of the company's IT monitoring and management software, the attackers gained access to numerous public and private organizations around the world.
During their forensic investigations, security experts found that SolarWinds' DevOps pipeline was the actual point of attack. The attackers did not even have to hack the production systems: SolarWinds customers installed the infected update themselves, which allowed the attackers to enter customer networks with compromised credentials. From there, they moved laterally across the entire corporate network and ultimately stole large amounts of data.
More and more of these attacks are combined with data theft and, on top of that, with ransomware. Non-production environments are particularly at risk, and there is a reason for this: many companies test their applications, new developments or updates with real, sometimes very large data sets to verify functionality, system stability and resilience. The security experts' focus, however, is usually on the production system, and these test environments are often subject to far less restrictive security controls.
Some companies even believe that anonymizing or masking sensitive data is incompatible with the speed requirements of DevOps workflows. In addition, development teams are often not based in-house but scattered around the world. As a result, sensitive data remains unprotected on additional test systems. It is not uncommon for data sets to be sent to developers by e-mail or via cloud services over public lines just so application functions can be tested.
Research by Delphix confirms that 56 percent of companies do not anonymize their sensitive data in test environments. Beyond the compliance issues, this approach creates an easy target for cybercriminals, especially at companies that operate a large number of test instances, whether in their own infrastructure or in the cloud.
Traditional Protection versus Zero Trust
In principle, zero trust assumes that no implicit trust is granted to assets, user accounts, microservices or data solely because of their location. Under a zero trust policy, every user and every transaction must be verified before access to an enterprise resource is granted.
The National Institute of Standards and Technology (NIST) defines zero trust as an evolving set of cybersecurity paradigms that move defenses away from static, network-based perimeters to focus on users, assets and resources. However, zero trust cannot simply be installed like an additional protection product. A single piece of software or an appliance would fall far short and at best place a few areas under the zero trust approach.
The challenge is that corporate networks are becoming ever more complex and are stretching traditional security concepts and access controls to their limits. Collaboration crosses company boundaries, and employees frequently work from other locations. Contractors and third-party providers also connect with a variety of devices and networks. In short, the infrastructure no longer sits entirely on premises. Companies that have a duty of care for their data face a particular challenge here, especially in DevOps, where traditional protection concepts fall short.
Zero Trust in DevOps
The strategic value of business data has led to a growing need for data-rich environments in which sensitive data is increasingly accessed through applications. This means the data is constantly in motion: it is extracted from an on-premises repository, for example, and loaded into an analytics workload in the cloud.
A common practice is to hand data sets over to outsourced development teams or third-party vendors for further processing. If this data is not brought under a zero trust concept, for example through anonymization or masking, companies end up passing ever more sensitive data into ever more non-production environments.
Many data sources, high security
DevOps requires large amounts of data, and that data must be available quickly and easily. This results in two elementary needs: the data must be consolidated from many different sources, and it must be protected against unauthorized access and misuse throughout the DevOps process.
As a first step, it makes sense to make the real data records immutable via a write-once-read-many (WORM) architecture and thus resistant to ransomware. Ideally, the data is then made available through a virtualization layer so that no redundant copies have to be created. The advantage: testers always work with current test data, and no test data pools are left behind that burden the storage systems after testing or are even forgotten in unsafe places.
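To make the first step concrete, here is a minimal sketch of writing a "golden copy" of a data set to write-once-read-many storage. It uses S3 Object Lock purely as an illustration; the bucket, region and file names are hypothetical, and any WORM-capable storage platform follows the same principle.

```python
# Illustrative sketch: protecting a source data set with WORM retention.
# Assumes AWS credentials are configured; bucket and file names are examples.
from datetime import datetime, timedelta, timezone
import boto3

s3 = boto3.client("s3")
BUCKET = "devops-golden-copies"  # hypothetical bucket name

# Object Lock must be enabled when the bucket is created.
s3.create_bucket(
    Bucket=BUCKET,
    ObjectLockEnabledForBucket=True,
    CreateBucketConfiguration={"LocationConstraint": "eu-central-1"},
)

# Upload the golden copy with a compliance-mode retention period:
# the object cannot be overwritten or deleted before the date expires,
# which also keeps ransomware from encrypting it in place.
with open("orders_snapshot.dump", "rb") as snapshot:
    s3.put_object(
        Bucket=BUCKET,
        Key="golden/orders_snapshot.dump",
        Body=snapshot,
        ObjectLockMode="COMPLIANCE",
        ObjectLockRetainUntilDate=datetime.now(timezone.utc) + timedelta(days=30),
    )
```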
Third, the data should be masked. In practice, personally identifiable information (PII) and other sensitive data are quickly identified by the preconfigured algorithms of suitable tools, regardless of the source, and then automatically masked or tokenized. The advantage for DevOps: test scenarios do not work with real data, but with fictitious yet realistic data that retains referential integrity.
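The following minimal sketch shows what deterministic masking with referential integrity can look like in principle: the same real value always maps to the same fictitious replacement, so joins across tables still work. The field values, name lists and secret key are hypothetical examples, not a specific product's algorithm.

```python
# Minimal sketch: deterministic, one-way masking that preserves referential integrity.
import hashlib
import hmac
import random

MASKING_KEY = b"rotate-me-and-keep-me-out-of-the-repo"  # hypothetical secret

FIRST_NAMES = ["Anna", "Jonas", "Mia", "Lukas", "Lena", "Paul"]
LAST_NAMES = ["Schmidt", "Weber", "Fischer", "Wagner", "Becker", "Hoffmann"]

def _seed(value: str) -> random.Random:
    # HMAC makes the mapping one-way: without the key, the original value
    # cannot be recovered from the masked output.
    digest = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))

def mask_name(real_name: str) -> str:
    rng = _seed(real_name)
    return f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"

def mask_email(real_email: str) -> str:
    rng = _seed(real_email)
    return f"user{rng.randrange(10_000, 99_999)}@example.com"

# The same customer may appear in several tables; every occurrence masks to
# the same fictitious person, so referential integrity is preserved.
print(mask_name("Erika Mustermann"), mask_email("erika@firma.de"))
print(mask_name("Erika Mustermann"), mask_email("erika@firma.de"))
```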
Masking transforms the data irreversibly, rendering it useless to hackers. Data operations can still be carried out to the same extent and with the same quality as with real data, with the difference that compliance and security requirements are met. The decisive factor is that the masking process must not become a bottleneck for developers and testers, which unfortunately was often the case with earlier technologies and has led many development departments to skip masking altogether.
It is therefore important to use a data provisioning and masking solution that does not rely on repeated, tedious batch jobs for masking and thereby significantly slow down DevOps work. A technology that seamlessly integrates data provisioning and masking with data virtualization can deliver this performance. Only then can DevOps teams on site, in multi-cloud environments or at any other location make unrestricted, large-scale use of masked, virtualized production data for their test scenarios while remaining compliant.
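As a rough illustration of why integration matters, the sketch below masks rows in-line while a test copy is being provisioned, rather than in a separate batch pass afterwards. The table, columns and database files are hypothetical, and it reuses the mask_name and mask_email helpers from the previous sketch.

```python
# Illustrative sketch: masking applied while test data is provisioned,
# so no unmasked intermediate copy ever lands on the test system.
# Assumes mask_name / mask_email from the previous sketch are in scope.
import sqlite3

def provision_masked_copy(source_db: str, target_db: str) -> None:
    src = sqlite3.connect(source_db)
    dst = sqlite3.connect(target_db)
    dst.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")

    # Rows are masked as they stream from source to target.
    for row_id, name, email in src.execute("SELECT id, name, email FROM customers"):
        dst.execute(
            "INSERT INTO customers VALUES (?, ?, ?)",
            (row_id, mask_name(name), mask_email(email)),
        )
    dst.commit()

provision_masked_copy("production_extract.db", "masked_test_copy.db")
```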
* Sven März is Senior Director, EMEA Field Services, at Delphix. In this role, he is responsible for the entire Field Services team, which implements data projects at companies such as BNPP, Michelin and myToys. The IT and data professional has held various positions at companies such as Siemens, Demandware and Salesforce. Before joining Delphix, he worked on heavily data-driven retail solutions, including personalization for transactions.