
  • SESSION ID: GPS-F01B

    #RSAC

    Jeffrey Kok

    Taking a DevOps Approach to Securing Privileged Credentials in DevOps

    Senior Director, Asia Pacific and Japan, CyberArk
    Jeffrey.kok@cyberark.com

  • Application architectures are getting pulverized

    Monolith → Virtualized → Containerized → Microservices

    All may need access to secrets. Some are very short-lived.

    How do we manage all this?

  • Automation enables reliable, rapid change at scale

  • So basically, robots are your administrators now

  • Providing all kinds of new opportunities

    It's all automated; nobody's really watching it

    So many new tools...

    Unchanged, shared, over-provisioned secrets

    New ways to access servers

    Attackers look for exposed API keys, and for publicly available AWS servers/images that use default secrets or cache secrets in plain text
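As an added example (not part of the original slides), here is a pre-commit style scanner for the kinds of embedded credential an attacker hunts for in repositories and image layers: AWS access key IDs, PEM private-key headers, and hardcoded password/secret/token assignments. The sample "repository" is constructed; the access key in it is the placeholder value from AWS's own documentation, and the regular expressions and placeholder list are this example's heuristics, not a vendor tool. The same check serves the "get secrets out of source code" practice later in the deck.

```python
"""Find embedded credentials of the kinds attackers hunt for in repos and images.

Added example, not from the original slides. Inputs below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# AWS access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary) plus 16
# characters from the base32 alphabet A-Z and 2-7.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z2-7]{16}\b")
# Heuristic: a password/secret/token-like name assigned a literal value.
GENERIC_SECRET = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{6,})['\"]?"
)
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Obvious placeholders; skipping them keeps the hook from blocking on docs.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # value masked so the report itself does not leak the secret


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key = AWS_ACCESS_KEY_ID.search(line)
        if key:
            findings.append(Finding(path, lineno, "aws_access_key_id", key.group(0)[:4] + "****"))
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(Finding(path, lineno, "private_key", line.strip()))
        m = GENERIC_SECRET.search(line)
        if m:
            value = m.group(2)
            # ${VAR} / $VAR references are injected at runtime, not embedded.
            if value.lower() not in PLACEHOLDERS and not value.startswith("$"):
                findings.append(
                    Finding(path, lineno, "hardcoded_" + m.group(1).lower(), f"{m.group(1)} = ****")
                )
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a path -> contents mapping (e.g. the staged files of a commit)."""
    results: list[Finding] = []
    for path in sorted(files):
        results.extend(scan_text(path, files[path]))
    return results


# Constructed sample repository. The access key is AWS's documented example value.
SAMPLE_FILES = {
    "deploy/terraform.tfvars": 'aws_access_key = "AKIAIOSFODNN7EXAMPLE"\nregion = "ap-southeast-1"\n',
    "app/settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "Pr0d-Pa55w0rd!"\n',
    "ci/deploy.yml": "env:\n  API_TOKEN: ${API_TOKEN}\n  MODE: release\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "README.md": 'Set password = "changeme" before first login.\n',
}


def main(files: dict[str, str] = SAMPLE_FILES) -> int:
    """Pre-commit style entry point: non-zero exit when anything is found."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as a pre-commit hook over the staged files and fail the commit on a non-zero exit. The scanner masks every value it reports, so the findings themselves can be logged or posted to a ticket without re-leaking the secret; the `${VAR}` exclusion is what lets the same check pass on configuration that correctly defers the value to runtime injection.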

  • The Threat Surface is Broad

    Malware | Operational Efficiency | Compliance | Third-Party Access | Breaches & Insider Threats

    A hacker accessed a Docker registry that contained the entire Vine source code, API keys and secrets

    The initial intrusion into Target's systems was traced back to network credentials that were stolen from a third-party vendor

    UK-based telco TalkTalk was fined a record £400,000 due to a breach that exposed the personal data of 150,000 customers

    Hackers are exploiting known MongoDB misconfigurations and vulnerabilities and planting ransomware at high-profile users such as Emory Healthcare

    An organization had a database containing personal information about drivers compromised after storing the key in a publicly available repository

  • Summary of Current Challenges

    Explosion of short-lived entities that need access to secrets

    Scaling to millions of instances in minutes

    Privileged automation tools are doing the work of SysAdmins

    Cloud and DevOps workflows represent new security risks

  • Five Recommended Practices

    1. Make Secrets Ephemeral

    2. No Security Islands

    3. Embrace Machine Identity

    4. Security-as-Code

    5. Good Security UX

  • 1. Ephemeral Secrets

    No embedded passwords

    Get secrets out of source code

    Dynamically fetch them as needed

    Use a password rotation strategy for apps you can't modify easily
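The practice above, as an added example that is not part of the original slides: the embedded-password anti-pattern beside a client that fetches a short-lived lease at runtime, keeps it only in memory until it expires, and recovers when the password is rotated underneath it. The secrets broker and the database are constructed stand-ins with a controllable clock; in a real deployment the fetch would be a call to the secrets manager's API, authenticated with the workload's machine identity, and rotation would be driven by the broker's own schedule.

```python
"""Ephemeral secrets: fetch at runtime, cache only until the lease expires,
and recover from rotation instead of embedding a password in the source.

Added example, not from the original slides. Broker and database are
constructed stand-ins for a secrets manager and a credential-checked service.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# BEFORE: the pattern the slide rules out. Checked into git, shared by every
# copy of the app, never rotated because nobody knows who else depends on it.
DB_PASSWORD_EMBEDDED = "Pr0d-Pa55w0rd!"  # constructed value; do not do this


class AuthError(Exception):
    """Raised by the service when a password is stale or wrong."""


@dataclass
class Lease:
    value: str
    expires_at: float  # clock seconds; the client must refetch after this


class FakeSecretsBroker:
    """Stand-in for a secrets manager that hands out short-lived leases."""

    def __init__(self, clock: Callable[[], float], ttl_seconds: float = 60.0) -> None:
        self.clock = clock
        self.ttl = ttl_seconds
        self.version = 0
        self.leases_issued = 0

    def current_password(self) -> str:
        return f"rotated-{self.version}"

    def rotate(self) -> None:
        """Rotation strategy: the broker changes the password on its schedule."""
        self.version += 1

    def lease(self, secret_id: str) -> Lease:
        self.leases_issued += 1
        return Lease(self.current_password(), self.clock() + self.ttl)


class EphemeralSecret:
    """Holds a lease in memory only; refetches when expired or invalidated."""

    def __init__(self, broker: FakeSecretsBroker, secret_id: str, clock: Callable[[], float]) -> None:
        self.broker, self.secret_id, self.clock = broker, secret_id, clock
        self._lease: Lease | None = None

    def get(self) -> str:
        if self._lease is None or self.clock() >= self._lease.expires_at:
            self._lease = self.broker.lease(self.secret_id)
        return self._lease.value

    def invalidate(self) -> None:
        self._lease = None


class FakeDatabase:
    def __init__(self, broker: FakeSecretsBroker) -> None:
        self.broker = broker

    def connect(self, password: str) -> str:
        if password != self.broker.current_password():
            raise AuthError("bad password")
        return "connected"


def connect_with_refresh(db: FakeDatabase, secret: EphemeralSecret) -> str:
    """One retry on AuthError: a rotation may have outrun the cached lease."""
    try:
        return db.connect(secret.get())
    except AuthError:
        secret.invalidate()
        return db.connect(secret.get())


def demo() -> dict[str, object]:
    """Walk a fake clock forward and record how often the app had to fetch."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    broker = FakeSecretsBroker(clock, ttl_seconds=60)
    db = FakeDatabase(broker)
    secret = EphemeralSecret(broker, "prod/db/password", clock)

    first = connect_with_refresh(db, secret)            # t=0: fetch lease #1
    now[0] = 30.0
    connect_with_refresh(db, secret)                    # cached, no fetch
    fetched_after_cache = broker.leases_issued
    now[0] = 61.0
    connect_with_refresh(db, secret)                    # expired: fetch lease #2
    now[0] = 70.0
    broker.rotate()                                     # password changes under us
    after_rotation = connect_with_refresh(db, secret)   # AuthError -> refetch #3
    return {
        "first": first,
        "fetched_after_cache": fetched_after_cache,
        "after_rotation": after_rotation,
        "leases_issued": broker.leases_issued,
        "password_in_memory": secret.get(),
    }


if __name__ == "__main__":
    print(demo())
```

The lease TTL bounds how long a compromised process memory dump stays useful, and the single retry on an authentication failure is what lets the broker rotate credentials without coordinating a restart of every consumer. For an application that cannot be changed to call a broker, the rotation half of this picture still applies: rotate the password on the broker's schedule and have the deployment tooling push the new value, so the secret is at least no longer static.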

  • 2. No Security Islands

  • 3. Embrace Machine Identity

  • 4. Security as Code (borrowing ideas from Automation)

    Modern automation tools are declarative:
      Documents describe the desired state (the what)
      Tools configure/remediate to that state (the how)

    Security tools need to follow suit with policies. This has multiple benefits:
      Versioned, like source code
      Collaborative
      Encourages design vs. ad hoc administration
      Automated audit/compliance workflows
      Determine whether the current state aligns with the desired state (or not)
      Ensures consistency across teams, environments and domains
      Can be used to quickly reconstruct the entire structure for new DCs, DR, etc.
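An added example of the declarative approach described above (not from the original slides): a policy document states the desired state of secret access (which identities may read each secret, how old it may get), and a reconciler diffs it against the live state to produce an audit result and a remediation plan, the way a configuration-management tool does for hosts. The policy, the live-state snapshot and the action vocabulary are constructed; in practice the policy would be a YAML or JSON file under version control and the apply step would call the secrets manager's API instead of mutating a dictionary.

```python
"""Security-as-code: a versioned policy states the desired state of secrets
access; a reconciler diffs it against live state and emits remediation steps.

Added example, not from the original slides. Policy, live state and action
names are constructed for illustration.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass

# Desired state (the "what"): who may read each secret and how old it may get.
DESIRED_POLICY = {
    "secrets": {
        "prod/db/password": {"readers": ["app-frontend", "app-billing"], "max_age_days": 30},
        "prod/payments/api-key": {"readers": ["app-billing", "app-refunds"], "max_age_days": 7},
        "prod/cache/password": {"readers": ["app-frontend"], "max_age_days": 30},
    }
}

# Live state as read back from the secrets store (constructed snapshot).
CURRENT_STATE = {
    "prod/db/password": {"readers": ["app-frontend", "app-billing", "jenkins-legacy"], "age_days": 45},
    "prod/payments/api-key": {"readers": ["app-billing"], "age_days": 2},
    "prod/debug/token": {"readers": ["everyone"], "age_days": 400},
}


@dataclass(frozen=True)
class Action:
    kind: str    # provision | grant | revoke | rotate | remove
    secret: str
    detail: str = ""


def reconcile(desired: dict, current: dict) -> list[Action]:
    """Compute the drift between policy and live state as remediation actions."""
    actions: list[Action] = []
    for name, spec in desired["secrets"].items():
        live = current.get(name)
        if live is None:
            actions.append(Action("provision", name, ",".join(spec["readers"])))
            continue
        want, have = set(spec["readers"]), set(live["readers"])
        actions += [Action("revoke", name, r) for r in sorted(have - want)]
        actions += [Action("grant", name, r) for r in sorted(want - have)]
        if live["age_days"] > spec["max_age_days"]:
            actions.append(Action("rotate", name, f"age {live['age_days']}d > {spec['max_age_days']}d"))
    # Anything the policy does not declare is an unmanaged secret: remove it.
    for name in sorted(set(current) - set(desired["secrets"])):
        actions.append(Action("remove", name, "not declared in policy"))
    return actions


def apply(actions: list[Action], current: dict) -> dict:
    """Simulated remediation (the "how"); returns the converged state."""
    state = copy.deepcopy(current)
    for a in actions:
        if a.kind == "provision":
            state[a.secret] = {"readers": a.detail.split(","), "age_days": 0}
        elif a.kind == "revoke":
            state[a.secret]["readers"].remove(a.detail)
        elif a.kind == "grant":
            state[a.secret]["readers"].append(a.detail)
        elif a.kind == "rotate":
            state[a.secret]["age_days"] = 0
        elif a.kind == "remove":
            del state[a.secret]
    return state


def audit(desired: dict, current: dict) -> bool:
    """Compliance check: True when live state already matches the policy."""
    return not reconcile(desired, current)


if __name__ == "__main__":
    plan = reconcile(DESIRED_POLICY, CURRENT_STATE)
    for a in plan:
        print(f"{a.kind:9} {a.secret}  {a.detail}")
    print("compliant after apply:", audit(DESIRED_POLICY, apply(plan, CURRENT_STATE)))
```

Because the policy is the source of truth, the same `reconcile` run doubles as the audit (an empty plan means compliant) and as the rebuild procedure for a new data centre or a DR site: point it at an empty store and every action is a `provision`. Running the plan twice is idempotent, which is what makes it safe to schedule.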

  • 5. Security UX: need to change perception

    Five short years ago: DevOps | Security

    Today: "I want security!" / "We can produce change reliably, at scale and speed!"

  • Security is a user experience, make it a good one!

  • RECAP: Five Recommended Practices

    1. Make Secrets Ephemeral

    2. No Security Islands

    3. Embrace Machine Identity

    4. Security-as-Code

    5. Good Security UX

  • Thank You!

    Jeffrey Kok
    Senior Director, Asia Pacific and Japan, CyberArk
    Jeffrey.kok@cyberark.com
