Sri Kanth Mandru, Information Security Engineer at Cisco Systems, specializes in PAM, Secrets Management and Cloud Security.
In a world where speed is the currency of innovation, development teams are pushing code to production faster than ever. However, as cyber threats grow in complexity and frequency, security can’t afford to be an afterthought. Organizations now face a pressing challenge: how to enforce least privilege without disrupting developer velocity.
One answer lies in DevSecOps—the convergence of development, security and operations—and more specifically, in reimagining access control through automation, policy-driven enforcement and developer-centric tooling. When done right, security becomes a strategic advantage rather than a blocker.
The Real Problem: Traditional Security Slows Innovation
The principle of least privilege, which means granting users and services only the access necessary to perform their functions, is a cornerstone of modern security frameworks. But legacy approaches often rely on static credentials, manual ticketing systems and overprivileged shared accounts.
These outdated mechanisms not only create friction and delays for engineering teams but also increase the attack surface and make audits unnecessarily complex. In the worst cases, they lead to credential sprawl, misconfigurations and security gaps that are difficult to detect until it’s too late.
Today’s development environments are dynamic. Containerized microservices, short-lived infrastructure and multicloud workloads are now the norm. Security needs to evolve accordingly, shifting from reactive controls to automated, context-aware systems that enforce access with minimal human involvement.
Real-World Solutions: Engineering Security Into The Pipeline
Over the past several years, I’ve had the opportunity to design and implement DevSecOps practices in cloud-native environments. The goal has always been to embed least privilege without slowing down delivery. Below are three solutions we implemented that reflect this balance between speed and security.
Just-In-Time (JIT) CLI Access With Session-Based Controls
To eliminate persistent access to infrastructure environments, we implemented a just-in-time access workflow integrated with our command line interface (CLI) tools and privileged access management system.
• Developers request short-term access through a secure request interface.
• Sessions are granted with ephemeral credentials that expire automatically.
• All access is brokered through a session gateway, fully recorded and monitored.
• Credentials are never visible to users, reducing the risk of leaks or misuse.
We also integrated session approvals with change management workflows for production access, adding accountability without delay.
Outcome: We reduced the number of long-lived privileged accounts by over 80% and improved audit compliance by automating session logging and validation.
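The workflow above, sketched as an added Python example (not Cisco's tooling or code from this article): a minimal JIT broker that issues a session handle with a server-side expiry, keeps the real credential inside the broker, requires an approved change ticket for production, and writes every decision and command to an audit log. The class and ticket names are hypothetical; the clock is injectable so the expiry path can be exercised.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed assumptions for the example: which environments need change control,
# and the longest session the broker will hand out.
PROD_ENVS = {"prod"}
MAX_TTL_SECONDS = 3600


@dataclass
class Session:
    session_id: str
    user: str
    environment: str
    expires_at: float
    # Kept out of repr/logs: the user only ever holds session_id, never this value.
    _credential: str = field(repr=False)


class JitAccessBroker:
    """Hypothetical session gateway: short-lived sessions, brokered credentials, full audit trail."""

    def __init__(self, approved_change_tickets, now=time.time):
        self.approved_change_tickets = set(approved_change_tickets)
        self.now = now
        self.sessions = {}
        self.audit_log = []

    def request_access(self, user, environment, ttl_seconds, change_ticket=None):
        if ttl_seconds <= 0 or ttl_seconds > MAX_TTL_SECONDS:
            self._audit("denied", user, environment, reason="ttl out of bounds")
            raise PermissionError("ttl out of bounds")
        if environment in PROD_ENVS and change_ticket not in self.approved_change_tickets:
            self._audit("denied", user, environment, reason="no approved change ticket")
            raise PermissionError("production access requires an approved change ticket")
        session_id = secrets.token_urlsafe(16)
        credential = secrets.token_urlsafe(32)  # ephemeral, generated per session
        session = Session(session_id, user, environment, self.now() + ttl_seconds, credential)
        self.sessions[session_id] = session
        self._audit("granted", user, environment, session_id=session_id, ticket=change_ticket)
        return session_id  # the caller gets a handle, not the credential

    def run_command(self, session_id, command):
        session = self.sessions.get(session_id)
        if session is None:
            raise PermissionError("unknown session")
        if self.now() >= session.expires_at:
            del self.sessions[session_id]
            self._audit("expired", session.user, session.environment, session_id=session_id)
            raise PermissionError("session expired")
        self._audit("command", session.user, session.environment,
                    session_id=session_id, command=command)
        # A real gateway would open the backend connection with session._credential here;
        # the user never sees it and it dies with the session.
        return f"[{session.environment}] ran: {command}"

    def _audit(self, event, user, environment, **extra):
        # The credential is deliberately never part of an audit record.
        self.audit_log.append({"ts": self.now(), "event": event,
                               "user": user, "environment": environment, **extra})
```

The two properties worth checking in a real implementation are the ones the test below exercises: a production request without an approved ticket is refused before any credential is minted, and an expired session is unusable even though the caller still holds a valid-looking handle.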
Secrets Federation Across Multi-Environment Workloads
Managing secrets across staging, production and hybrid-cloud environments had become a growing operational risk. We addressed this by designing a federated secrets management layer.
• Secrets remained in their native vaults depending on the environment, but access was orchestrated through a unified control plane.
• Developers and workloads retrieved secrets through identity-based APIs without needing to know where or how secrets were stored.
• Rotation policies were automated, and access controls were governed centrally using a policy-as-code model.
• Integration with deployment pipelines ensured secrets were injected securely at runtime, reducing risk exposure.
This architecture reduced overhead, prevented duplication and allowed us to scale securely across multiple environments with consistent policies and fewer human errors.
Outcome: We achieved seamless secrets access across the cloud and on-premise systems, eliminated hardcoded credentials from pipelines and improved compliance readiness.
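An added Python sketch of the federated layer described above (illustrative code, not the article's or Cisco's implementation): per-environment vault backends stay where they are, a single control plane answers identity-based requests and decides which backend to consult, stale secrets are rotated by age, and a pipeline step resolves environment-variable bindings at deploy time instead of carrying values in its config. The backend, policy and rotation shapes are constructed assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class VaultBackend:
    """Stand-in for one environment's native vault: path -> (value, rotated_at)."""
    name: str
    store: dict

    def read(self, path):
        return self.store[path]

    def write(self, path, value, now):
        self.store[path] = (value, now)


class SecretsControlPlane:
    """Hypothetical unified control plane in front of per-environment vaults."""

    def __init__(self, backends, policy, max_age_seconds, now=time.time):
        self.backends = backends            # environment -> VaultBackend
        self.policy = policy                # identity -> {environment: {allowed secret paths}}
        self.max_age_seconds = max_age_seconds
        self.now = now
        self.access_log = []

    def get_secret(self, identity, environment, path):
        # Authorisation is by workload identity and environment, never by "who knows the vault".
        allowed = self.policy.get(identity, {}).get(environment, set())
        if path not in allowed:
            self.access_log.append(("denied", identity, environment, path))
            raise PermissionError(f"{identity} may not read {environment}:{path}")
        backend = self.backends[environment]  # routing detail the caller never learns
        value, _rotated_at = backend.read(path)
        self.access_log.append(("granted", identity, environment, path))
        return value

    def rotate_stale(self, rotator):
        """Rotate every secret older than max_age_seconds; rotator(env, path) returns the new value."""
        rotated = []
        for env, backend in self.backends.items():
            for path, (_, rotated_at) in list(backend.store.items()):
                if self.now() - rotated_at > self.max_age_seconds:
                    backend.write(path, rotator(env, path), self.now())
                    rotated.append((env, path))
        return rotated

    def runtime_env(self, identity, environment, bindings):
        """Resolve {ENV_VAR: secret_path} for a pipeline step at deploy time; nothing is hardcoded."""
        return {var: self.get_secret(identity, environment, path) for var, path in bindings.items()}
```

The point of `runtime_env` is that the pipeline definition only names secret paths; values are fetched under the deploying workload's identity at run time and never land in the repository.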
Policy-As-Code Model With Namespace-Level Access Boundaries
To support granular access and auditability, we transitioned to a policy-as-code model, defining role-based and environment-specific access in version-controlled repositories.
• Each team was assigned access within defined namespaces such as “dev,” “qa” or “prod.”
• Policies were written in code, reviewed via pull requests and automatically applied through CI and CD.
• Every change was logged, traceable and tied to a reviewer or approver.
This improved visibility and control and empowered engineering teams to take ownership of secure access within their boundaries.
Outcome: We improved the separation of duties, eliminated shared credentials and reduced the cycle time for secure access requests from days to minutes.
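To make the policy-as-code model concrete, here is an added Python example (not code from the article or from Cisco): a team-to-namespace policy document as it might sit in a reviewed repository, a CI-time validator that rejects grants outside the known namespaces or direct writes to prod, an authorisation check, and a diff of grants so a pull-request reviewer sees exactly what access a change adds or removes. The namespace names follow the article; the action vocabulary and the prod-write rule are constructed assumptions.

```python
# Constructed sample policy document (what a PR would change).
POLICY_DOC = {
    "teams": {
        "payments": {"dev": ["read", "write", "deploy"], "qa": ["read", "deploy"], "prod": ["read"]},
        "platform": {"dev": ["read", "write", "deploy"], "qa": ["read", "write", "deploy"],
                     "prod": ["read", "deploy"]},
    }
}
NAMESPACES = ("dev", "qa", "prod")
ACTIONS = ("read", "write", "deploy")


def validate_policy(doc):
    """CI check run on every PR (hypothetical rules); returns violations, empty when acceptable."""
    errors = []
    for team, grants in doc.get("teams", {}).items():
        for ns, actions in grants.items():
            if ns not in NAMESPACES:
                errors.append(f"{team}: unknown namespace '{ns}'")
            for action in actions:
                if action not in ACTIONS:
                    errors.append(f"{team}/{ns}: unknown action '{action}'")
            if ns == "prod" and "write" in actions:
                # Production changes go through a deploy, never an interactive write.
                errors.append(f"{team}: direct write to prod is not allowed; use deploy")
    return errors


def is_allowed(doc, team, namespace, action):
    """Runtime authorisation: deny by default, grant only what the document lists."""
    return action in doc.get("teams", {}).get(team, {}).get(namespace, [])


def _grant_set(doc):
    return {(team, ns, action)
            for team, grants in doc.get("teams", {}).items()
            for ns, actions in grants.items()
            for action in actions}


def diff_policies(old, new):
    """Return (added, removed) grants so a reviewer sees the access delta, not just a text diff."""
    old_set, new_set = _grant_set(old), _grant_set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


def render_role(doc, team, namespace):
    """Emit a Kubernetes-style Role manifest from the document (hypothetical verb mapping)."""
    verbs = {"read": ["get", "list", "watch"],
             "write": ["create", "update", "patch", "delete"],
             "deploy": ["create", "update"]}
    granted = sorted({v for a in doc["teams"].get(team, {}).get(namespace, []) for v in verbs[a]})
    return {"kind": "Role", "metadata": {"name": f"{team}-{namespace}", "namespace": namespace},
            "rules": [{"verbs": granted}]}
```

Because the validator runs in CI, a grant that crosses a boundary fails the pull request before a reviewer has to spot it; the diff output is what the reviewer actually approves.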
The Business Impact
By integrating these solutions, we didn’t just improve security. We enabled innovation and removed friction from delivery workflows.
Measured results:
• We reduced our privileged credential exposure by 70%.
• Zero delays were introduced into development cycles.
• We achieved a faster audit response for frameworks such as SOC2 and ISO 27001.
• There was greater consistency in policy enforcement across business units.
• Developers reported higher job satisfaction due to smoother and smarter workflows.
These implementations proved that security, when embedded into development pipelines, accelerates delivery instead of slowing it down. When least privilege is automated, context-aware and transparent to users, it becomes a foundation for scale.
A Culture Shift, Not Just A Technical Fix
DevSecOps isn’t just about tools. It’s about changing how organizations think about security. Security must be invisible, intelligent and integrated from day one. When access controls are automated and adapted to the context, least privilege becomes part of the normal engineering process rather than a burden.
As organizations continue to mature their DevSecOps practices, the focus should shift from simply limiting access to building trust models that evolve with systems and teams. Security that moves with the pipeline, not against it, is what defines a future-ready enterprise.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.