Many financial services organizations fail to enforce strong cryptographic protection policies in their DevOps environments, sometimes at the expense of security, data privacy and compliance in areas such as mobile banking.

That is a finding by Salt Lake City, Utah-based cybersecurity firm Venafi, from its study of the cryptographic security practices of DevOps teams in the financial services industry.

DevOps, short for software development and information technology, refers to a combination of practices and tools used to increase an organization's capacity to deliver applications and services.

Cryptographic security helps guard valuable data resources against risks on intranets, extranets and the internet. In DevOps settings, compromises in development or test environments can spread to production systems and applications. According to Venafi, this is a particular issue for financial services organizations, which have been early adopters of DevOps technology.

According to the study, many financial services organizations maintain fairly strong cryptographic security policies for their production systems. However, they often fail to enforce the same vital measures in their DevOps environments.

“Financial services organizations use DevOps technology to deliver new features and improve customer experience in today's hyper-competitive market,” said Kevin Bocek, chief security strategist for Venafi. “However, the competitive advantage DevOps offers can't come at the expense of security, data privacy and compliance.” He added that it's clear many financial services organizations still struggle with securing the machine identities impacting everything from mobile banking to high-speed trading. “Despite DevOps teams indicating they are aware of the risks associated with TLS/SSL keys and certificates—the most frequently used method to establish machine identities—this awareness clearly isn't being translated into meaningful protection.”

Key study findings:

  • Financial services organizations struggle with enforcing security policies for DevOps environments. Thirty percent do not consistently enforce the same cryptographic security policies for DevOps projects as they do for production environments. In addition, 7% of respondents were unsure about the enforcement of these policies across both DevOps and production environments.
  • Eighty percent of financial services DevOps teams are aware of the volume and severity of cyberattacks that result from compromised keys and certificates. Two thirds of these teams are aware of the controls needed to prevent this type of cyberattack.
  • Only 51% of financial services organizations replace all DevOps certificates with production certificates once live. When certificates are not changed, there is no way to distinguish between the identities of untested machines that should remain in development and trusted machines that are safe to place in production.
  • On the positive side, financial services organizations generally implement robust cryptographic security practices throughout their operations, with 75% requiring strong keys (2048-bit or stronger) and 60% of organizations requiring different certificate authorities for development and production environments. Only 2% of respondents said their organization does not require key and certificate policies.
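The 2048-bit minimum and the separate development and production CAs in the findings above can be enforced as an automated check on certificates before they go live; the Go program below is an added example, not part of the article or Venafi's tooling. The CA names "Example Prod Issuing CA" and "Example Dev CA" are assumed, and the certificates it checks are constructed self-signed samples built in-process.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCertPolicy flags two gaps the survey measured: an RSA key shorter than 2048
// bits, and an issuer that is not an approved production CA (a dev cert left live).
func CheckCertPolicy(cert *x509.Certificate, prodIssuers map[string]bool) []string {
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		problems = append(problems, "non-RSA key: not covered by this check")
	} else if pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, policy requires 2048", pub.N.BitLen()))
	}
	if !prodIssuers[cert.Issuer.CommonName] {
		problems = append(problems, fmt.Sprintf("issuer %q is not an approved production CA", cert.Issuer.CommonName))
	}
	return problems
}

// must panics on error; acceptable for a demo that only builds constructed samples.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sample builds a constructed self-signed cert (issuer == subject), so the CN
// stands in for the issuing CA's name; nothing touches a real CA or network.
func sample(bits int, cn string) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// Demo checks a 1024-bit dev-CA certificate and a 2048-bit production-CA one.
func Demo() (dev, prod []string) {
	prodIssuers := map[string]bool{"Example Prod Issuing CA": true} // assumed CA name
	return CheckCertPolicy(sample(1024, "Example Dev CA"), prodIssuers),
		CheckCertPolicy(sample(2048, "Example Prod Issuing CA"), prodIssuers)
}

func main() { fmt.Println(Demo()) }
```

Running it reports two violations for the development certificate (short key, unapproved issuer) and none for the production one; the same function can gate a deployment pipeline on the certificates it is about to install.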

Venafi suggested that as the speed and scale of DevOps development intensifies, particularly in the financial services industry, the need to secure machine identities through encryption is exploding. Without robust security measures and practices, successful attacks that target DevOps keys and certificates can allow attackers to remain hidden in encrypted traffic and evade detection.

“As we've seen with the SWIFT attacks, financial services organizations are a valuable and popular target for cybercriminals,” said Tim Bedard, director of threat intelligence and analytics for Venafi. If financial services organizations don't protect the keys and certificates used by DevOps teams, cybercriminals can exploit Transport Layer Security/Secure Sockets Layer (TLS/SSL) keys and certificates to create their own encrypted tunnels. Bedard added that attackers can also use misappropriated Secure Shell (SSH) keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data while remaining undetected.

Dimensional Research conducted the study in November 2016 using responses from 103 IT professionals at financial services companies with DevOps programs in the U.S. and Europe.
