Taking a DevOps Approach to Securing Privileged Credentials in DevOps

Jeffrey Kok, Senior Director, Asia Pacific and Japan, CyberArk ([email protected])

SESSION ID: GPS-F01B, #RSAC

Apr 17, 2018

Application architectures are getting pulverized

Monolith, virtualized, containerized, microservices

All may need access to secrets. Some are very short-lived.

How do we manage all this?

Automation enables reliable, rapid change at scale

So basically, robots are your administrators now

Providing all kinds of new opportunities

It’s all automated – nobody’s really watching it

So many new tools...

Unchanged, shared, over-provisioned secrets

New ways to access servers

Look for API keys, AWS servers/images that are publicly available and use default secrets or cache secrets in plain text

The Threat Surface is Broad

[Figure: threat-surface categories: MALWARE, OPERATIONAL EFFICIENCY, COMPLIANCE, THIRD PARTY ACCESS, BREACHES & INSIDER THREATS]

A hacker accessed a docker registry that contained the entire Vine source code, API keys and secrets

The initial intrusion into Target’s systems was traced back to network credentials that were stolen from a third-party vendor

UK-based telco TalkTalk was fined a record £400,000 due to a breach that exposed the personal data of 150,000 customers

Hackers are exploiting known MongoDB misconfigurations and vulnerabilities and planting ransomware into high-profile clients such as Emory Healthcare

An organization had a database containing personal information about drivers compromised after storing the key in a publicly available repository

Summary of Current Challenges

Explosion of short-lived entities that need access to secrets

Scaling to millions of instances in minutes

Privileged automation tools are doing the work of SysAdmins

Cloud and DevOps workflows represent new security risks

Five Recommended Practices

1. Make Secrets Ephemeral

2. No Security Islands

3. Embrace Machine Identity

4. Security-as-Code

5. Good Security UX

1. Ephemeral Secrets

▪ No embedded passwords

▪ Get secrets out of source code

▪ Dynamically fetch them as needed

▪ Use a password rotation strategy for apps you can’t modify easily
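As an added illustration of "get secrets out of source code" (example code, not from the talk or from CyberArk): a small pre-commit style scanner that flags embedded credentials in a constructed sample file while letting placeholders and runtime lookups through. The patterns, the placeholder allowlist and every sample value are assumptions constructed for this example.

```python
import re

# Patterns for credential material that should never be committed to source.
# Constructed for this example; a real pre-commit hook would carry a fuller set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"""(?i)(?:password|passwd|secret|api_key|token)\s*[=:]\s*["']([^"']{8,})["']"""
    ),
}

# Literal values that are obviously placeholders or references, not real secrets.
PLACEHOLDER = re.compile(r"^(?:<[^>]+>|\$\{[^}]+\}|changeme|example)$", re.IGNORECASE)


def scan_source(text):
    """Return [(line_number, finding_kind)] for lines that embed a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # The credential pattern captures the literal; skip obvious placeholders.
            if kind == "hardcoded_credential" and PLACEHOLDER.match(match.group(1)):
                continue
            findings.append((lineno, kind))
    return findings


def gate_commit(text):
    """Pre-commit style gate: True only when the file embeds no secret."""
    return scan_source(text) == []


# Constructed sample: two embedded secrets, one placeholder, one runtime fetch.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "Winter2018!Prod"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
API_TOKEN = "${VAULT_API_TOKEN}"
db_password = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    for lineno, kind in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
    print("commit allowed:", gate_commit(SAMPLE_SOURCE))
```

The last sample line is the shape the slide asks for: the value is fetched at run time from the environment, so the scanner has nothing to flag.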

2. No Security Islands

3. Embrace Machine Identity

4. Security as Code (borrowing ideas from Automation)

Modern automation tools are declarative:

▪ Documents describe desired state (the what)

▪ Tools configure/remediate to that state (the how)

Security tools need to follow suit with Policies. This has multiple benefits:

▪ Versioned, like source code

▪ Collaborative

▪ Encourages design vs. ad hoc administration

▪ Automated audit/compliance workflows

▪ Determine if current state aligns with desired state (or not)

▪ Ensures consistency across teams, environments and domains

▪ Can be used to quickly reconstruct entire structure for new DCs, DR, etc.
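An added example of the policy-as-code idea above, applied to the ephemeral-secrets practice (example code, not from the presentation or any product): a declared desired state for secrets (maximum age, allowed consumers) is compared with a constructed inventory, and each drift is reported with its remediation. The policy keys, secret names, consumers and dates are assumptions constructed for this example.

```python
from datetime import datetime, timezone

# Desired state, declared the way an automation tool's policy document would be.
# Constructed for this example; key names are assumptions, not any product's schema.
DESIRED_STATE = {
    "secrets": {
        "prod/db/app-user": {"max_age_days": 30, "allowed_consumers": ["payments-api", "ci-deployer"]},
        "prod/aws/deploy-key": {"max_age_days": 7, "allowed_consumers": ["ci-deployer"]},
    }
}

# Current state as an inventory job would report it (constructed sample).
CURRENT_STATE = {
    "prod/db/app-user": {"last_rotated": "2018-03-01T00:00:00+00:00",
                         "consumers": ["payments-api", "ci-deployer", "debug-laptop"]},
    "prod/aws/deploy-key": {"last_rotated": "2018-04-15T00:00:00+00:00", "consumers": ["ci-deployer"]},
    "prod/legacy/ftp": {"last_rotated": "2016-01-01T00:00:00+00:00", "consumers": ["batch-job"]},
}

# Evaluation time fixed to the session date so the run is reproducible.
AS_OF = datetime(2018, 4, 17, tzinfo=timezone.utc)


def evaluate(desired, current, now):
    """Compare current state to the policy; return [(secret, drift, remediation)]."""
    findings = []
    for name, rule in desired["secrets"].items():
        actual = current.get(name)
        if actual is None:
            findings.append((name, "missing", "provision secret and grant allowed consumers"))
            continue
        # Ephemeral secrets: anything older than the declared maximum must be rotated.
        age = (now - datetime.fromisoformat(actual["last_rotated"])).days
        if age > rule["max_age_days"]:
            findings.append((name, f"age {age}d exceeds {rule['max_age_days']}d", "rotate now"))
        # Least privilege: every consumer must be declared in the policy.
        for consumer in actual["consumers"]:
            if consumer not in rule["allowed_consumers"]:
                findings.append((name, f"unapproved consumer {consumer}", f"revoke {consumer}"))
    # No security islands: secrets that exist but are governed by no policy at all.
    for name in current:
        if name not in desired["secrets"]:
            findings.append((name, "not declared in policy", "declare in policy or retire"))
    return findings


def report():
    """Drift report for the constructed sample (an empty list would mean compliant)."""
    return evaluate(DESIRED_STATE, CURRENT_STATE, AS_OF)
```

Calling report() on the sample yields three findings: an overdue rotation, an unapproved consumer, and a secret that no policy governs.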

5. Security UX – need to change perception

[Figure: Five short years ago… DevOps vs. Security]

[Figure: Today: “I want security!” / “We can produce change reliably, at scale and speed!”]

Security is a user experience, make it a good one!

RECAP: Five Recommended Practices

1. Make Secrets Ephemeral

2. No Security Islands

3. Embrace Machine Identity

4. Security-as-Code

5. Good Security UX

Thank You!

Jeffrey Kok, Senior Director, Asia Pacific and Japan, CyberArk ([email protected])