How a DevSecOps Initiative Could Have Prevented the IKEA Canada Privacy Breach
Ofir Stein
September 20, 2022
Earlier this week, IKEA Canada confirmed that an employee had accessed private customer information. Although the official announcement did not provide details, it’s a safe bet to assume that controls related to data governance and regulatory compliance are the primary guardrails that led to the revelation. Unfortunately, this particular case hardly represents an isolated incident.
Regulatory compliance can be an effective guardrail, but infrastructure and operations leaders agree on the urgent need to implement a DevSecOps initiative. Regardless of where organizations are on their DevOps journey, a 2021 Cloud Security Alliance survey confirms the tightly coupled relationship between privileged access and DevSecOps success: while data loss ranks among the most concerning threats to DevSecOps success, Identity and Privileged Access Management (IAM & PAM) sit at the top. Whatever its DevSecOps maturity, the DevOps community clearly faces a mounting challenge.
Who Controls Privileged Access to What and When?
By IKEA Canada’s own admission, an employee used a “generic internet search” to query personally identifiable information (consumer PII). In other words, an over-privileged user or machine identity queried a shared data asset that included restricted information. To make matters worse, no controls were in place to prevent the privacy breach from recurring over a 72-hour period before security operations teams were alerted.
Answering the following questions effectively affects every department, from IT and infrastructure engineering to application development and security operations:
- Who requests (and approves) privileged access to sensitive data?
- What assets contain sensitive data?
- When is privileged access warranted by authorized parties?
How Dynamic Privileged Access Could Prevent Data Exposure
The shared high-level goal is to strike the right balance between “Just Enough” privileged access to address security concerns, and “Just in Time” access grants to ensure smooth business operations. For simplicity, let’s assume the sensitive information was stored in one shared database functioning as a single point of failure enabling unauthorized access to sensitive data. Without an enterprise-wide DevSecOps initiative in place, the engineers charged with developing and maintaining critical systems typically face an impossible choice between bad and worse. By restricting access to data to authorized personnel only, engineers could theoretically prevent illicit access. Unfortunately, using legacy technology to implement such measures would effectively cripple business operations. This tradeoff is familiar to anyone grappling with static role-based access control (RBAC). As DevOps transformation initiatives deepen, enterprises have begun to explore dynamic access workflows that account for requester, approver, asset, and duration. Taking this approach a step further, teams with significant production workloads in the cloud can leverage tagging practices that clearly separate data assets that contain sensitive information (e.g. customer PII).
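As an added illustration (not code from the original post or from Apono), the following Python sketch models the dynamic access workflow described above: assets carry tags, any asset tagged `pii` can only be queried under an approved, unexpired just-in-time grant that records requester, approver, asset and duration, self-approval is refused, and every decision is written to an audit log so a detection rule can surface repeated denied queries against PII-tagged assets instead of letting them go unnoticed for days. The asset names, identities, tag scheme, four-hour duration cap and three-denial alert threshold are constructed assumptions.

```python
"""Just-in-time, just-enough access broker with an audit trail (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    tags: frozenset  # constructed tagging scheme: the "pii" tag marks restricted data


@dataclass
class Grant:
    requester: str
    asset: str
    ttl: timedelta            # "just enough" duration, capped by policy
    requested_at: datetime
    reason: str
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.approved_at is not None and now < self.approved_at + self.ttl


class AccessBroker:
    MAX_TTL = timedelta(hours=4)  # assumed policy cap on any single grant

    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        self.grants = []
        self.audit = []  # every request, approval and query decision lands here

    def _log(self, now, action, identity, asset, outcome):
        self.audit.append({"ts": now, "action": action, "identity": identity,
                           "asset": asset, "outcome": outcome})

    def request(self, requester, asset, ttl, reason, now):
        if asset not in self.assets:
            raise KeyError(f"unknown asset {asset}")
        grant = Grant(requester, asset, min(ttl, self.MAX_TTL), now, reason)
        self.grants.append(grant)
        self._log(now, "request", requester, asset, "pending")
        return grant

    def approve(self, grant, approver, now):
        # Separation of duties: the requester may never approve their own grant.
        if approver == grant.requester:
            self._log(now, "approve", approver, grant.asset, "denied:self-approval")
            return False
        grant.approver, grant.approved_at = approver, now
        self._log(now, "approve", approver, grant.asset, f"approved:for={grant.requester}")
        return True

    def query(self, identity, asset_name, now):
        asset = self.assets[asset_name]
        if "pii" not in asset.tags:  # untagged assets stay open for day-to-day work
            self._log(now, "query", identity, asset_name, "allowed:not-restricted")
            return True
        covered = any(g.requester == identity and g.asset == asset_name and g.is_active(now)
                      for g in self.grants)
        self._log(now, "query", identity, asset_name,
                  "allowed:jit-grant" if covered else "denied:no-active-grant")
        return covered


def repeated_pii_denials(audit, threshold):
    """Detection rule: identities whose denied PII queries reach the threshold."""
    counts = Counter(e["identity"] for e in audit
                     if e["action"] == "query" and e["outcome"].startswith("denied"))
    return {ident: n for ident, n in counts.items() if n >= threshold}


def run_demo():
    t0 = datetime(2022, 9, 20, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    broker = AccessBroker([Asset("orders_db", frozenset({"pii", "customer"})),
                           Asset("catalog", frozenset({"public"}))])
    results = {}
    results["catalog_open"] = broker.query("alice", "catalog", t0)
    results["pii_no_grant"] = broker.query("alice", "orders_db", t0)
    grant = broker.request("alice", "orders_db", timedelta(hours=1),
                           "ticket-123 refund lookup", t0 + timedelta(minutes=1))
    results["self_approval"] = broker.approve(grant, "alice", t0 + timedelta(minutes=2))
    results["peer_approval"] = broker.approve(grant, "bob", t0 + timedelta(minutes=5))
    results["pii_with_grant"] = broker.query("alice", "orders_db", t0 + timedelta(minutes=30))
    results["pii_after_expiry"] = broker.query("alice", "orders_db", t0 + timedelta(hours=2))
    for hour in range(3):  # an identity with no grant keeps probing the PII asset
        broker.query("mallory", "orders_db", t0 + timedelta(hours=hour))
    results["alerts"] = repeated_pii_denials(broker.audit, threshold=3)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the audit log is that the same record serves both controls named in the post: the broker enforces "just enough, just in time" on every query, and security operations gets a signal from the denials rather than learning about repeated access days later.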
The DevSecOps Transformation Challenge
DevSecOps can only succeed by addressing the three core elements of security, namely people, culture, and technology. Sustained collaboration between people lays the foundation for bridges across traditional organizational silos (e.g. application developers working alongside security operations practitioners). It’s up to C-level leadership to build on the success of isolated initiatives and establish processes that permeate the whole organization. Finally, disruptive technologies focused on the key challenges (namely cloud IAM and PAM) are critical to empowering the workforce to step up and embrace positive change. By supporting dynamically contextualized access to sensitive data, teams can get the job done while preventing unauthorized parties from ever exposing customer PII in the first place.
Ready to Embrace Cloud-first Privileged Access?
Learn how Apono’s approach to cloud-first Privileged Access Management enables DevSecOps Transformation!