Let me ask you something, have you ever taken a look at your DevOps setup and thought, “Is all my data really safe here?” I’ve thought that, many times. When you’re using GitHub, GitLab, or Azure DevOps moving quickly, it’s easy to think that all that data is safe, by default. But in reality, there are risks that are hiding in your DevOps data setup that will get you into deep trouble, if ignored.
GitHub or GitLab will keep their platform running, you can control:
Allowing someone to have more access than they require increases risk.
You should:
2. Secrets and Pipeline Access
Your Continuous Integration and Continuous Delivery (CI/CD) pipelines and tokens are all easy objects to compromise if you do not work to protect them.
Best practice:
3. Backups and recovery
Another large issue I run into with teams is just not backing up your DevOps data properly.
Typically, cloud computing frameworks do not back up everything.
You should:
Integrate security into your standard operating procedures.
This will save you from the 2 AM panic—I’ve literally been there!
2. Keep access under tight control
Consider backup to include:
Why Your DevOps Data Is Risky
Companies like GitHub or GitLab, either protects their own system, however, you need to protect your own data.GitHub or GitLab will keep their platform running, you can control:
- Who has access to your repos
- How your secrets are stored
- If your data is backed up
Small Errors Lead To Big Headaches
I've seen some very standard errors like:- Too many users given full access.
- No MFA/SSO, or easy to hack account credentials
- No real backups (relying on the platform only)
Primary Areas of Risk
1. Access PermissionsAllowing someone to have more access than they require increases risk.
You should:
- Enable the least privilege principle (no more access than is necessary)
- Removing inactive or old accounts
- Turn on SSO/MFA for all users
2. Secrets and Pipeline Access
Your Continuous Integration and Continuous Delivery (CI/CD) pipelines and tokens are all easy objects to compromise if you do not work to protect them.
Best practice:
- Never store secrets in the repo
- Use vault tools or encrypted secrets
- Rotate tokens on a regular cadence
- Isolate CI/CD runners
3. Backups and recovery
Another large issue I run into with teams is just not backing up your DevOps data properly.
Typically, cloud computing frameworks do not back up everything.
You should:
- Implement automatic backups
- Make immutable backups
- Keep backups in multiple locations
- Validate the restore plan
How to Mitigate These Risks
1. Start security earlyIntegrate security into your standard operating procedures.
This will save you from the 2 AM panic—I’ve literally been there!
2. Keep access under tight control
- Review access on a monthly schedule
- Use MFA + SSO
- Limit access to admin rights to a small, trusted group of people
- Store secrets securely
- Keep runners up to date
- Limit pipeline access
Consider backup to include:
- repos
- pipelines
- configs
- metadata
