Your Expensive Coder Is Now a Million-Dollar Liability
- By Winston Thomas
- August 25, 2024
Your developers are becoming the new weak link in your security chain. Bad actors are catching on, crafting increasingly sophisticated schemes to exploit them.
Charles Chu, general manager of CyberArk, paints a stark picture: “Attackers have realized that when you develop a cloud application, your developer writes it, your developer deploys it, and your developer is then on call over the weekend if your consumer banking portal goes down.”
This expanded role gives developers broad access to critical systems and data. Hackers see an opportunity: instead of targeting security-conscious IT professionals, why not go after developers who have near-equivalent access but may be less vigilant about security protocols?
As Chu puts it, “Attackers have figured out that they should go steal a developer identity; they're not being secured.”
How did we get here?
The evolution of the developer as an attack vector stems from a combination of factors.
First and foremost, the widespread adoption of cloud computing has blurred the lines between development and operations. Developers are no longer confined to coding; they now have a hand in deploying and managing applications, which often grants them access to sensitive infrastructure, such as infrastructure as code (IaC), to test and deploy applications.
Second, traditional security models are struggling to keep up with the dynamic nature of cloud environments. “Companies are simply taking that traditional IT mindset and applying it to the cloud without recognizing how different it is,” Chu explains.
Finally, the sheer number of developers compared to other IT roles makes them an attractive target for attackers.
Recent high-profile breaches, including LastPass, Microsoft, and Okta, all exploited vulnerabilities related to developer access. These incidents underscore the urgent need for companies to rethink their approach to securing developer identities.
ZSP-ing the problem
One promising solution to this challenge is the concept of zero standing privilege (ZSP). ZSP, as Chu describes it, is “a radically different concept allowing a company to delete all of the permissions from every user completely.”
In essence, ZSP operates on the principle of least privilege, granting users access only to the specific resources and permissions they need and for the duration required to complete their tasks.
Chu highlights the effectiveness of ZSP in preventing breaches, noting that it would have stopped the types of attacks that happened at LastPass, Okta, and Microsoft. “Zero standing permissions thinks you have no permissions,” he explains.
While ZSP offers a powerful defense against developer-focused attacks, its implementation requires careful planning and execution, a change in mindset, and a commitment to best practices. Chu outlines a roadmap:
- Secure production first: Start by applying ZSP to your production environments. The rules here are clear-cut: developers shouldn't have standing access. This quick win demonstrates the value of ZSP and builds momentum for further adoption.
- Embrace the cloud's differences: Recognize that the cloud is not simply an extension of your on-premises environment. Traditional security models don't translate seamlessly. Embrace the cloud's unique capabilities and design your security policies accordingly.
- Leverage AI: AI can help accelerate the journey to ZSP by automating the analysis of user behavior and intelligently granting permissions based on context. This reduces the burden on security teams and minimizes the risk of human error.
What success looks like
So, you've launched a brand-new identity security program. But how can you tell if it's working? Here's what to watch for, according to Chu:
- Reduced Mean Time to Remediation (MTTR): ZSP limits the impact of an attack, making it faster to contain and fix breaches.
- Improved developer productivity: By automating access requests and removing unnecessary permissions, ZSP can actually boost developer efficiency.
- Alignment with business objectives: Security should support business goals, not block them. Make sure your identity security program promotes agility and innovation.
Chu also warns that while regulatory frameworks can encourage action, they can slow things down if they're based on outdated models. They can even negatively influence and impede the development and implementation of identity security policies. Plus, regulatory practices like requiring separate admin IDs and session recording can significantly increase costs.
The future of identity security
The evolving threat landscape demands a new approach to identity security. Developers, once considered safe behind firewalls, are now in the crosshairs of bad actors as their responsibilities and roles widen. CISOs and developers alike must adapt to this new reality by embracing solutions like ZSP and harnessing the power of AI.
As Chu aptly states, “We are at this inflection point... where certain people totally get it. Others are still very rooted in... old systems.”
By proactively securing developer identities, companies can protect their most valuable assets and stay one step ahead of the attackers.
Winston Thomas is the editor-in-chief of CDOTrends. He likes to piece together the weird and wondering tech puzzle for readers and identify groundbreaking business models led by tech while waiting for the singularity.