How a DevSecOps Initiative Could Have Prevented the IKEA Canada Privacy Breach

Ofir Stein

September 20, 2022

Earlier this week, IKEA Canada confirmed that an employee had accessed private customer information. Although the official announcement did not provide details, it is a safe bet that controls related to data governance and regulatory compliance were the primary guardrails that led to the revelation. Unfortunately, this particular case is hardly an isolated incident.

Regulatory compliance can be an effective guardrail. Still, infrastructure and operations leaders are united on the urgent need to implement a DevSecOps initiative. Regardless of where organizations are on their DevOps journey, a 2021 Cloud Security Alliance survey confirms the tightly coupled relationship between privileged access and DevSecOps success. While data loss is on the list of most concerning threats to DevSecOps success, Identity and Privileged Access Management (IAM & PAM) are at the top. Regardless of the maturity of the DevSecOps journey, the DevOps community clearly faces a mounting challenge. 

Who Controls Privileged Access to What and When?

By IKEA Canada’s own admission, an employee used a “generic internet search” to query personally identifiable information (consumer PII). In other words, an over-privileged user or machine identity queried a shared data asset that included restricted information. To make matters worse, no controls were in place to prevent the privacy breach from recurring over a 72-hour period before security operations teams were alerted.

Effectively answering the following questions will impact every department spanning IT, infrastructure engineers, application developers, and security operations:

  • Who requests (and approves) privileged access to sensitive data?
  • What assets contain sensitive data?
  • When is privileged access warranted by authorized parties?


How Dynamic Privileged Access Could Prevent Data Exposure

The shared high-level goal is to strike the right balance between “Just Enough” privileged access to address security concerns, and “Just in Time” access grants to ensure smooth business operations. For simplicity, let’s assume the sensitive information was stored in one shared database, a single point of failure that enabled unauthorized access to sensitive data. Without an enterprise-wide DevSecOps initiative in place, the engineers charged with developing and maintaining critical systems typically face an impossible choice between bad and worse. By restricting access to data to authorized personnel only, engineers could theoretically prevent illicit access. Unfortunately, using legacy technology to implement such measures would effectively cripple business operations. This tradeoff is familiar to anyone grappling with static role-based access control (RBAC).

As DevOps transformation initiatives deepen, enterprises have begun to explore dynamic access workflows that account for requester, approver, asset, and duration. Taking this approach a step further, teams with significant production workloads in the cloud can leverage tagging practices that clearly separate data assets that contain sensitive information (e.g., customer PII).
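The dynamic workflow described above (requester, approver, asset, duration, plus tags that mark sensitive assets) can be sketched as a small policy check. This is an added example, not code from the original post or from any vendor's product; the asset names, the `data-class` tag key, the approver identity, and the time limits are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory: asset -> tags. Names and the "data-class" tag key are assumptions.
ASSETS = {
    "orders-db": {"data-class": "customer-pii"},
    "catalog-db": {"data-class": "public"},
    "legacy-db": {},  # untagged asset
}
# Hypothetical policy per data class: allowed approvers (None = auto-approve) and max duration.
POLICY = {
    "customer-pii": {"approvers": {"privacy-lead"}, "max_ttl": timedelta(hours=1)},
    "public": {"approvers": None, "max_ttl": timedelta(hours=8)},
}

@dataclass(frozen=True)
class Grant:
    requester: str
    asset: str
    expires_at: datetime

def evaluate(requester, asset, ttl, approver=None, now=None):
    """Return (Grant, "granted") or (None, reason) for one access request."""
    now = now or datetime.now(timezone.utc)
    if asset not in ASSETS:
        return None, "unknown asset"
    # Fail closed: an untagged or unrecognized class is handled as customer PII.
    data_class = ASSETS[asset].get("data-class")
    rule = POLICY.get(data_class, POLICY["customer-pii"])
    if ttl <= timedelta(0) or ttl > rule["max_ttl"]:
        return None, "duration outside policy"
    if rule["approvers"] is not None:
        if approver not in rule["approvers"]:
            return None, "approval required"
        if approver == requester:
            return None, "self-approval not allowed"
    return Grant(requester, asset, now + ttl), "granted"

def is_active(grant, asset, now):
    """Check a grant at use time: right asset and not yet expired."""
    return grant.asset == asset and now < grant.expires_at
```

Under this sketch a 72-hour request against the PII-tagged asset is refused outright, and an approved grant stops working on its own once the window closes.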

The DevSecOps Transformation Challenge

DevSecOps can only be successful by addressing the three core elements of security, namely people, culture, and technology. Long-term collaboration between people lays the foundations for bridges that transcend traditional organizational silos (e.g., application developers working alongside security operations practitioners). It’s up to C-level leadership to embrace the success of isolated initiatives and build out processes that permeate the organization. Finally, disruptive technologies focused on the key challenges (namely cloud IAM and PAM) are critical to empower the workforce to step up and embrace positive change. By supporting dynamically contextualized access to sensitive data, teams can get the job done while preventing unauthorized parties from ever exposing customer PII in the first place.
