#RSAC  SESSION ID: GPS-F01B

Taking a DevOps Approach to Securing Privileged Credentials in DevOps

Jeffrey Kok
Senior Director, Asia Pacific and Japan, CyberArk
[email protected]


Application architectures are getting pulverized

Monolith → Virtualized → Containerized → Microservices

All of them may need access to secrets, and some of the workloads are very short-lived.

How do we manage all this?


Automation enables reliable, rapid change at scale


So basically, robots are your administrators now


Providing all kinds of new opportunities (for attackers)

▪ It’s all automated, so nobody’s really watching it
▪ So many new tools...
▪ Unchanged, shared, over-provisioned secrets
▪ New ways to access servers
▪ Attackers look for API keys, and for AWS servers/images that are publicly available, use default secrets, or cache secrets in plain text
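The last bullet is the attacker's search; a defender can run the same search first. The script below is an added example, not from the talk, that scans text pulled from images, repositories and shell histories for exposed API keys, private keys and plaintext or default credentials. The pattern set, the `Finding` type and the sample files are constructed for illustration; the AWS key in the sample is Amazon's documented example value, not a live credential.

```python
"""Added example (not from the talk): a small scanner for the plaintext
secrets an attacker hunts for in images, repos and shell histories.
Pattern set and sample files are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Conservative patterns; extend for your own providers and token formats.
PATTERNS = {
    # AWS access key IDs (long-term AKIA..., temporary ASIA...)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM / OpenSSH private key headers committed or baked into an image
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY=value style assignments in Dockerfiles, env files, code, shell history
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"]?([^'\"\s#]{4,})"),
}

# Values that indicate a default or placeholder credential left in place
DEFAULT_CREDENTIALS = {"admin", "password", "changeme", "root", "secret", "default"}


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str
    snippet: str  # the offending line with the secret value masked


def _mask(line: str, value: str) -> str:
    """Keep a 4-character prefix so the finding can be triaged, hide the rest."""
    return line.replace(value, value[:4] + "*" * (len(value) - 4)).strip()


def scan_text(source: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(match.lastindex or 0)
            if kind == "password_assignment" and value.lower() in DEFAULT_CREDENTIALS:
                kind = "default_credential"
            snippet = line.strip() if kind == "private_key_block" else _mask(line, value)
            findings.append(Finding(source, line_no, kind, snippet))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a path (or image layer name) to its text content."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample inputs. The AWS key is Amazon's documented example value.
SAMPLE_FILES = {
    "Dockerfile": (
        "FROM python:3.12\n"
        "ENV DB_PASSWORD=changeme\n"
        "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "app/config.py": "API_TOKEN = 'tok_9f8e7d6c5b4a'\nDEBUG = False\n",
    ".bash_history": "aws s3 ls\nexport S3_SECRET=plain-text-cache-value\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no} [{f.kind}] {f.snippet}")
```

Findings are reported with the secret value masked so the scanner's own output does not become another plaintext copy of the credential. Run it over exported image layers (`docker save`), repository history and CI logs, not only the current checkout, because a secret deleted from HEAD is still in the history.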


The Threat Surface is Broad

Malware · Operational Efficiency · Compliance · Third-Party Access · Breaches & Insider Threats

▪ A hacker accessed a Docker registry that contained the entire Vine source code, API keys and secrets
▪ The initial intrusion into Target’s systems was traced back to network credentials that were stolen from a third-party vendor
▪ UK-based telco TalkTalk was fined a record £400,000 due to a breach that exposed the personal data of 150,000 customers
▪ Hackers are exploiting known MongoDB misconfigurations and vulnerabilities and planting ransomware in high-profile clients such as Emory Healthcare
▪ An organization had a database containing personal information about drivers compromised after storing the key in a publicly available repository


Summary of Current Challenges

▪ Explosion of short-lived entities that need access to secrets
▪ Scaling to millions of instances in minutes
▪ Privileged automation tools are doing the work of SysAdmins
▪ Cloud and DevOps workflows represent new security risks


Five Recommended Practices


1. Make Secrets Ephemeral

2. No Security Islands

3. Embrace Machine Identity

4. Security-as-Code

5. Good Security UX


1. Ephemeral Secrets


▪ No embedded passwords

▪ Get secrets out of source code

▪ Dynamically fetch them as needed

▪ Use a password rotation strategy for apps you can’t modify easily
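The four bullets above describe one mechanism: the application holds only the name of a secret, fetches the value at runtime under a short lease, and the store rotates the value on a schedule. The code below is an added example, not from the talk and not CyberArk's API; `DemoSecretStore` is a constructed in-memory stand-in for a real vault, and the `db/app-user` secret name, the lease TTL and the `connect` retry are illustrative choices.

```python
"""Added example (not from the talk, and not CyberArk's API): an application
that fetches a credential at runtime under a short lease instead of embedding
it, against a constructed in-memory stand-in for a secrets store."""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from typing import Optional

# The anti-pattern the slide is about: a credential baked into source, shared
# by every copy of the app and never rotated. Kept here only for contrast.
EMBEDDED_DB_PASSWORD = "hunter2"  # do not do this


@dataclass(frozen=True)
class Lease:
    name: str
    value: str
    version: int
    expires_at: float  # seconds, on whatever clock the caller passes in


class DemoSecretStore:
    """Constructed stand-in for a vault / secrets manager (hypothetical API).
    It hands out leased copies of a secret and can rotate the secret; the
    target system is modelled by verify(), which only accepts the current value."""

    def __init__(self, ttl_seconds: float = 60.0) -> None:
        self.ttl = ttl_seconds
        self._current: dict[str, tuple[int, str]] = {}
        self.issued = 0  # how many times a lease was handed out (for the demo)

    def rotate(self, name: str) -> int:
        version = self._current.get(name, (0, ""))[0] + 1
        self._current[name] = (version, secrets.token_urlsafe(24))
        return version

    def issue(self, name: str, now: float) -> Lease:
        if name not in self._current:
            self.rotate(name)  # first use: generate rather than ship a default
        version, value = self._current[name]
        self.issued += 1
        return Lease(name, value, version, now + self.ttl)

    def verify(self, name: str, value: str) -> bool:
        current = self._current.get(name)
        return current is not None and secrets.compare_digest(current[1], value)


class SecretConsumer:
    """Application side: nothing in code or config but the secret's name.
    The value is fetched when needed and refetched once the lease expires."""

    def __init__(self, store: DemoSecretStore, name: str) -> None:
        self.store = store
        self.name = name
        self._lease: Optional[Lease] = None

    def get(self, now: float) -> str:
        if self._lease is None or now >= self._lease.expires_at:
            self._lease = self.store.issue(self.name, now)
        return self._lease.value

    def invalidate(self) -> None:
        self._lease = None  # force a refetch, e.g. after an auth failure


def connect(store: DemoSecretStore, consumer: SecretConsumer, now: float) -> bool:
    """Use the credential; if the target rejects it (rotated mid-lease),
    drop the cached lease and retry exactly once with a fresh value."""
    if store.verify(consumer.name, consumer.get(now)):
        return True
    consumer.invalidate()
    return store.verify(consumer.name, consumer.get(now))


if __name__ == "__main__":
    store = DemoSecretStore(ttl_seconds=60)
    app = SecretConsumer(store, "db/app-user")
    first = app.get(now=0.0)
    store.rotate("db/app-user")            # scheduled rotation, app untouched
    print("old value still accepted:", store.verify("db/app-user", first))
    print("reconnect after rotation:", connect(store, app, now=30.0))
```

The single retry in `connect` is what makes rotation safe to run while the application is up: a rotated value is rejected once, refetched, and the old value is dead from that moment on. For the last bullet, an application you cannot modify, the rotation job has to do the consumer's half as well, writing the new value to wherever that application reads it (config file, environment, keytab) before the old one is retired.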


2. No Security Islands



3. Embrace Machine Identity



4. Security as Code (borrowing ideas from Automation)

Modern automation tools are declarative:
▪ Documents describe desired state (the what)
▪ Tools configure/remediate to that state (the how)

Security tools need to follow suit with policies. This has multiple benefits:
▪ Versioned, like source code
▪ Collaborative
▪ Encourages design vs. ad hoc administration
▪ Automated audit/compliance workflows
▪ Determine whether current state aligns with desired state (or not)
▪ Ensures consistency across teams, environments and domains
▪ Can be used to quickly reconstruct the entire structure for new DCs, DR, etc.
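What "desired state versus current state" looks like for secrets access, as an added example that is not part of the talk: a declarative policy listing which identities may read which secrets (the what), a planner that diffs it against the state read back from the store and reports the drift, and an apply step that performs the grants and revocations (the how). The JSON policy format, the state shape and the secret and identity names are hypothetical.

```python
"""Added example (not from the talk): a declarative access policy for secrets
as the desired state, and a planner that reports drift and the remediation
needed to reach it. Policy format, state shape and names are hypothetical."""
from __future__ import annotations
import json
from dataclasses import dataclass, field

# Desired state: the "what". Lives in version control and is reviewed like
# code. Constructed sample.
DESIRED_POLICY = json.loads("""
{
  "secrets": {
    "db/app-user":   {"readers": ["svc/web", "svc/worker"]},
    "ci/deploy-key": {"readers": ["svc/ci"]},
    "billing/api":   {"readers": ["svc/worker"]}
  }
}
""")

# Current state as read back from the secrets store. Constructed sample with
# deliberate drift: a leftover human grant, a missing grant, an absent secret
# and one secret nobody declared.
CURRENT_STATE = {
    "db/app-user":   {"readers": ["svc/web", "svc/worker", "user/alice"]},
    "ci/deploy-key": {"readers": []},
    "legacy/ftp":    {"readers": ["svc/worker"]},
}


@dataclass
class Plan:
    """The 'how': concrete changes that move current state to desired state."""
    create: list[str] = field(default_factory=list)
    grant: list[tuple[str, str]] = field(default_factory=list)   # (secret, identity)
    revoke: list[tuple[str, str]] = field(default_factory=list)  # (secret, identity)
    unmanaged: list[str] = field(default_factory=list)           # present, not declared

    @property
    def compliant(self) -> bool:
        return not (self.create or self.grant or self.revoke or self.unmanaged)


def plan(desired: dict, current: dict) -> Plan:
    """Diff desired against current. Read-only: this is the audit/check mode."""
    p = Plan()
    wanted_secrets = desired["secrets"]
    for name, spec in sorted(wanted_secrets.items()):
        wanted = set(spec["readers"])
        if name not in current:
            p.create.append(name)
            have: set[str] = set()
        else:
            have = set(current[name]["readers"])
        p.grant.extend((name, who) for who in sorted(wanted - have))
        p.revoke.extend((name, who) for who in sorted(have - wanted))
    p.unmanaged = sorted(set(current) - set(wanted_secrets))
    return p


def apply(p: Plan, current: dict, prune: bool = False) -> dict:
    """Remediate against a copy of the state and return the result. Undeclared
    secrets are only removed when prune=True; by default they are reported so
    a human decides whether to declare or delete them."""
    state = {name: {"readers": list(spec["readers"])} for name, spec in current.items()}
    for name in p.create:
        state[name] = {"readers": []}
    for name, who in p.grant:
        state[name]["readers"].append(who)
    for name, who in p.revoke:
        state[name]["readers"].remove(who)
    if prune:
        for name in p.unmanaged:
            del state[name]
    return state


if __name__ == "__main__":
    p = plan(DESIRED_POLICY, CURRENT_STATE)
    print("compliant:", p.compliant)
    print("grant:", p.grant, "revoke:", p.revoke, "create:", p.create, "unmanaged:", p.unmanaged)
    print("compliant after apply(prune=True):",
          plan(DESIRED_POLICY, apply(p, CURRENT_STATE, prune=True)).compliant)
```

Running `plan` on its own is the audit workflow from the bullets: a non-empty plan is a compliance finding with the exact grant to revoke named in it. Running `plan` again after `apply` is the consistency check, and the same policy file applied to an empty state is how a new data centre or DR site gets reconstructed.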


5. Security UX – need to change perception

Five short years ago: DevOps vs. Security

Today: “I want security!” / “We can produce change reliably, at scale and speed!”


Security is a user experience, make it a good one!


RECAP : Five Recommended Practices


1. Make Secrets Ephemeral

2. No Security Islands

3. Embrace Machine Identity

4. Security-as-Code

5. Good Security UX


Thank You!

Jeffrey Kok
Senior Director, Asia Pacific and Japan, CyberArk
[email protected]