The Privilege Connection: Cloud and DevOps Security - Mark Hurter, CyberArk
TRANSCRIPT
Page 1
THE PRIVILEGE CONNECTION: CLOUD AND DEVOPS SECURITY
Mark Hurter
Sales Engineer - Southeast
Page 2
THE CHALLENGE OF A NEW PLATFORM
CLOUD/DEVOPS PUSH CHANGES SECURITY & ACCESS CONTROL REQUIREMENTS
• Human Actors: Excessive access privileges, role confusion
• Non-Human Actors: Explosive proliferation of privileged, non-human automation and agents that must be controlled
• Heterogeneity: No more homogeneous infrastructure. Services span multiple cloud providers, each with different security interfaces & capabilities
• Dynamism: No more static inventory of servers and hosts to secure. Instances are spun up and torn down elastically and in bulk
• Scale: Services are provisioned on a scale of thousands to tens of thousands of instances in the cloud vs. hundreds of physical servers in a data center
Page 3
THE ATTACK LIFECYCLE AND PRIVILEGE
Typical Lifecycle of a Cyber Attack
What is changing?
Page 4
THE POWER OF PRIVILEGE IN THE CLOUD
“Old Way – Hack a System”
“New Way – Hack Cloud Infrastructure”
Hypervisor / Management Console / APIs
Page 5
RED TEAM VS. IAAS - CUSTOMER EXAMPLE
Recently asked by a large financial institution to test their security
Step 1 – Phishing
■ Red-team compromised an IT laptop.
Step 2 – Explore
■ The Red-team found the local API key used to provision the entire organization’s cloud infrastructure.
Step 3 – Exploit
■ Using the stolen API key, the Red-team cloned the servers and attached the storage to their own servers.
Step 4 – Lateral movement through the Management Console
■ Success -- The Red-team gained access to the customer Database, including sensitive PII
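The exploit step above as a detection, added here and not part of the deck: walk CloudTrail-style records in time order and alert when a volume restored from a snapshot is attached to an instance, flagging use of a long-lived IAM user access key and a source address outside corporate egress. It assumes an AWS target, which the slide does not state, and every event, address, resource ID and the corporate egress set in it is constructed for the example (the access key ID is the example key ID from AWS's documentation).

```python
"""Detection for the clone-and-attach sequence in the red-team story, written
against CloudTrail-style records. All events, addresses and IDs are constructed."""

# Assumption for the example: the provisioning key is normally used from here.
CORP_EGRESS = {"198.51.100.5"}

# Constructed events (a subset of CloudTrail fields), deliberately out of order.
_KEY = {"type": "IAMUser", "userName": "cloud-provisioner",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}   # AWS's documented example key ID
EVENTS = [
    {"eventTime": "2017-03-01T10:12:55Z", "eventName": "AttachVolume",
     "userIdentity": _KEY, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"volumeId": "vol-0c10ne", "instanceId": "i-0redteam",
                           "device": "/dev/sdf"}},
    {"eventTime": "2017-03-01T09:55:00Z", "eventName": "RunInstances",
     "userIdentity": _KEY, "sourceIPAddress": "198.51.100.5"},
    {"eventTime": "2017-03-01T10:03:40Z", "eventName": "CreateSnapshot",
     "userIdentity": _KEY, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"volumeId": "vol-0db0001"},
     "responseElements": {"snapshotId": "snap-0c10ne"}},
    {"eventTime": "2017-03-01T10:09:02Z", "eventName": "CreateVolume",
     "userIdentity": _KEY, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"snapshotId": "snap-0c10ne", "availabilityZone": "us-east-1a"},
     "responseElements": {"volumeId": "vol-0c10ne"}},
]


def detect_clone_and_attach(events, corp_egress=CORP_EGRESS):
    """Return one alert per volume that was restored from a snapshot and then
    attached to an instance, with the risk signals the story hinges on."""
    snapshot_source = {}   # snapshotId -> volume the snapshot was taken from
    volume_origin = {}     # volumeId  -> snapshotId it was restored from
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, ip = ev["eventName"], ev["sourceIPAddress"]
        req = ev.get("requestParameters") or {}
        resp = ev.get("responseElements") or {}
        if name == "CreateSnapshot":
            snapshot_source[resp["snapshotId"]] = req["volumeId"]
        elif name == "CreateVolume" and "snapshotId" in req:
            volume_origin[resp["volumeId"]] = req["snapshotId"]
        elif name == "AttachVolume" and req.get("volumeId") in volume_origin:
            snap = volume_origin[req["volumeId"]]
            signals = []
            if ev["userIdentity"]["type"] == "IAMUser":
                signals.append("long-lived IAM user access key, not an assumed role")
            if ip not in corp_egress:
                signals.append(f"source IP {ip} outside corporate egress")
            alerts.append({
                "eventTime": ev["eventTime"],
                "principal": ev["userIdentity"].get("accessKeyId",
                                                    ev["userIdentity"].get("arn")),
                "copiedFrom": snapshot_source.get(snap),
                "snapshotId": snap,
                "volumeId": req["volumeId"],
                "attachedTo": req["instanceId"],
                "signals": signals,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_clone_and_attach(EVENTS):
        print(alert)
```

The chain is tracked by resource ID rather than by principal on purpose: an attacker who restores the snapshot under a second key, or shares it to another account with ModifySnapshotAttribute, still has to attach the resulting volume somewhere, and that attach is the step worth paging on.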
Page 6
IAAS: CLOUD SECURITY IS A SHARED RESPONSIBILITY
Customer / Enterprise – Security IN the Cloud
• Customer Data
• Applications, Identity & Access Mgmt.
• OS, Network, Firewall
• Client Side Encryption, Network Protection, Server Side Encryption
Cloud Vendor / Provider – Security OF the Cloud
• Compute, Storage, Networking
• Global Infrastructure / Regions / Physical Infrastructure
Source: AWS, Fortinet, CyberArk
▪ Security Of the Cloud – AWS, Azure, etc.
▪ Security In the Cloud – You -- customer / enterprise, including the Management Console
Page 7
FIRST, SECURE THE CONSOLE
• Basic steps to protect the “keys to your cloud kingdom”
• Operations and configuration
• Security /authentication
• Billing
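One concrete form of the "security / authentication" step, added here rather than taken from the deck: audit the IAM credential report that AWS can generate for an account and flag the basics, root without MFA, an access key on the root account, console users without MFA, and keys not rotated within a limit. The report rows are constructed; the real report carries more columns, which the reader ignores; the 90-day limit and the fixed reference date are assumptions of the example.

```python
"""Audit of an IAM credential report for the console-protection basics.
The rows below are constructed; a real report has more columns than these."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90                                        # assumption
NOW = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)      # fixed for determinism

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2015-01-10T09:00:00+00:00,not_supported,2017-02-20T08:00:00+00:00,false,true,2015-01-10T09:05:00+00:00,2017-01-03T10:00:00+00:00,false,N/A,N/A
cloud-provisioner,arn:aws:iam::123456789012:user/cloud-provisioner,2016-03-01T12:00:00+00:00,true,2017-02-27T15:12:00+00:00,false,true,2016-03-01T12:01:00+00:00,2017-02-28T09:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2017-01-15T12:00:00+00:00,false,N/A,false,true,2017-01-15T12:01:00+00:00,2017-02-28T09:00:00+00:00,false,N/A,N/A
"""


def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp; None for N/A, no_information, not_supported."""
    if not stamp or not stamp[0].isdigit():
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE_DAYS):
    """Return (user, severity, message) findings for the report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "critical", "root account has no MFA"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "high", "console password enabled without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "critical", f"{slot} is active on the root account"))
            age = _age_days(row[f"{slot}_last_rotated"], now)
            if age is not None and age > max_key_age:
                findings.append((user, "medium", f"{slot} not rotated for {age} days"))
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(CREDENTIAL_REPORT):
        print(*finding, sep="\t")
```

In the sample the root account and the provisioning user both trip checks, while the CI user with a recent key and no console password does not; that split is the point, since the keys a pipeline uses are the ones the next slides are about.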
Page 8
SECURING THE MANAGEMENT CONSOLE
Administrator / End Users → Secure Vaulting Solution → AWS Management Console
Secure Vaulting Solution: Web Portal, Password Rotation, Secure Storage, Account Discovery, Centralized Policy
Cloud Infrastructure Accounts Available to Access: Websites / Web Apps, Applications, Customer Database
Page 9
HYBRID & MULTIPLE CLOUD ENVIRONMENTS ARE PREVALENT
• Best practice is to plan for multiple cloud and hybrid environments
Gartner Survey On Number Of Cloud Providers Organizations Work With

| Number of cloud providers | Percentage of Respondents |
|---|---|
| One | 15% |
| Two | 29% |
| 3 to 5 | 32% |
| 6 to 10 | 12% |
| 11 to 15 | 6% |
| 16 or more | 4% |
| Don't know | 2% |

N = 498; base: organizations using or planning to use public cloud by year-end 2015. These numbers refer to sanctioned/approved cloud usage only and do not include shadow IT and personal cloud usage by employees.
Source: Gartner (May 2016)
Page 10
GOTCHA, BUT WHAT ABOUT ROBOTS AND SCALE?
Page 11
APPLICATION ARCHITECTURES ARE GETTING PULVERIZED
Monolith Virtualized Containerized Micro Services
Page 12
MEET THE NEW IT DEPARTMENT
Deployment, Measurement, ChatOps, IaaS, Infra-as-Code, CI/CD, Test Automation, Container Orchestration
Page 13
CLOUD+DEVOPS = RISK OF SECURITY ISLANDS
Established Systems of Trust
CyberArk PAS
• Master Policy
• Audit records
• Admin credentials
• Application/3rd party COTS credentials
• Privileged Session Management
Microsoft AD
• User authentication
• Group membership (access control)
Bespoke Islands of Trust
• Puppet Hiera, Chef Data Bags, Ansible Vault
• AWS IAM / KMS, MS Azure IAM / KMS, Google Cloud IAM / KMS
• Docker Secrets, Kubernetes Secrets, OpenShift Secrets
Page 14
THE ATTACKER’S OPPORTUNITY: KEYS IN THE BUILD SYSTEMS
Page 15
AND MAKING THEIR WAY INTO THE PUBLIC DOMAIN
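A scanner for the exposure the last two slides describe, credentials left in build and deployment files and then pushed somewhere public. Added example, not the deck's or CyberArk's tooling: the sample files are constructed, the AWS key pair in them is the example pair from AWS's own documentation, and the entropy threshold is a hand-picked assumption.

```python
"""Scan build and deployment files for embedded credentials. Sample files are
constructed; the AWS key pair is AWS's documented example pair."""
import math
import re

# High-confidence patterns: the format alone identifies the secret type.
HIGH_CONFIDENCE = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Anything credential-like being assigned; ranked by the entropy of the value.
GENERIC = re.compile(r"(?i)(?:password|passwd|secret|token|api_key)\s*[=:]\s*['\"]?([^\s'\"]+)")
ENTROPY_THRESHOLD = 3.0   # bits per character; assumption tuned for this example

SAMPLE_FILES = {   # constructed
    "Jenkinsfile": "pipeline {\n  environment {\n"
                   "    AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
                   "    AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
                   "  }\n}\n",
    "docker-compose.yml": "services:\n  db:\n    environment:\n"
                          "      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}\n"
                          "      - ADMIN_PASSWORD=changeme\n",
    "deploy.sh": "#!/bin/sh\nexport API_TOKEN=9f2c7e4a1b8d3f6e0c5a9b7d2e4f1a3c\n",
}


def shannon_entropy(value):
    """Bits per character: random keys score high, words and placeholders low."""
    if not value:
        return 0.0
    return -sum(p * math.log2(p)
                for p in (value.count(c) / len(value) for c in set(value)))


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in HIGH_CONFIDENCE.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "confidence": "high"})
        match = GENERIC.search(line)
        if match is None:
            continue
        value = match.group(1)
        # "${VAR}", "{{ var }}" or "<placeholder>" reference an injected value, not the secret.
        if value.startswith(("$", "{{", "<")):
            continue
        entropy = shannon_entropy(value)
        findings.append({"path": path, "line": lineno, "kind": "generic_credential",
                         "confidence": "high" if entropy >= ENTROPY_THRESHOLD else "low",
                         "entropy": round(entropy, 2)})
    return findings


def scan_files(files):
    """files: mapping of path -> contents (what a pre-commit hook would walk)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Run as a pre-commit or pre-push hook the scanner stops the key before it reaches a repository; run over the CI server's workspace it answers the question this slide asks. The entropy heuristic is what keeps `ADMIN_PASSWORD=changeme` a low-confidence hit while the 32-hex-character token ranks high, and the `${VAR}` rule keeps a pipeline that injects secrets at run time from showing up as a finding at all.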
Page 16
AUTOMATION/DEVOPS PIPELINE – NOT SO SECURE
Page 17
AUTOMATION/DEVOPS PIPELINE – THAT’S BETTER!
Page 18
ESTABLISHING MACHINE IDENTITY
Bill
• Has a clear identity
• Has a defined role
• Can multi-factor
• Warm and friendly
Application Node WA113
• Identity?
• Role?
• Cannot multi-factor
• Cold and unfeeling
Page 19
APPLICATIONS ARE PEOPLE TOO!
Bill
• Has a clear identity
• Has a defined role
• Can multi-factor
• Warm and friendly
Application Node WA113
• Has a clear identity
• Has a defined role
• Can’t multi-factor
• Warm and friendly
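The point of these two slides, that the node needs an identity and a defined role before it can be trusted with a secret, modeled as an added example (not Conjur's code; every host, group and variable name in it is made up): hosts and groups are roles, secrets are resources, a permission check walks group membership, and an entitlements listing shows what a least-privilege review would look at.

```python
"""Minimal role-based policy model: identities (hosts) get roles (groups), and
secrets are reachable only through a permit on a role. Names are made up."""
from collections import defaultdict


class Policy:
    def __init__(self):
        self.parents = defaultdict(set)    # member role -> roles granted to it
        self.permits = defaultdict(set)    # (role, privilege) -> resources

    def grant(self, role, member):
        """Make `member` a member of `role`, e.g. put a host in a group."""
        self.parents[member].add(role)

    def permit(self, role, privileges, resource):
        for priv in privileges:
            self.permits[(role, priv)].add(resource)

    def effective_roles(self, role):
        """The role itself plus every role reachable through membership (cycle-safe)."""
        seen, stack = set(), [role]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            stack.extend(self.parents[current])
        return seen

    def check(self, role, privilege, resource):
        """True if any effective role holds a permit for (privilege, resource)."""
        return any(resource in self.permits.get((r, privilege), ())
                   for r in self.effective_roles(role))

    def entitlements(self, role):
        """Everything a role can do: the view a least-privilege review needs."""
        roles = self.effective_roles(role)
        return {(priv, res) for (r, priv), resources in self.permits.items()
                if r in roles for res in resources}


def build_policy():
    # Privilege names follow the Conjur convention as this example assumes it:
    # "execute" fetches a secret value, "read" sees its metadata, "update" sets it.
    pol = Policy()
    pol.grant("group:web-tier", "host:WA113")
    pol.grant("group:web-tier", "host:WA114")
    pol.grant("group:batch", "host:BATCH01")
    pol.grant("group:db-readers", "group:web-tier")          # nested group
    pol.permit("group:db-readers", ["read", "execute"], "variable:prod/db/password")
    pol.permit("group:batch", ["read", "execute"], "variable:prod/queue/token")
    pol.permit("group:secrets-admins", ["read", "execute", "update"],
               "variable:prod/db/password")
    pol.permit("group:secrets-admins", ["read", "execute", "update"],
               "variable:prod/queue/token")
    return pol


if __name__ == "__main__":
    policy = build_policy()
    for host in ("host:WA113", "host:BATCH01"):
        print(host, sorted(policy.entitlements(host)))
```

Node WA113 can fetch the database password because it is in web-tier, which is in db-readers; it cannot rotate the password, and the batch host cannot see it at all. Nothing about the node's own storage enters into the decision, which is what lets the secret be rotated centrally without touching the node.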
Page 20
EXTENDED TRUST PLATFORM FOR CLOUD+DEVOPS
CyberArk PAS
• Consolidated audit
• Centralized policy
• Centralized credential management
• Centralized monitoring
• Threat Analytics
Microsoft AD
• User authentication
• Group membership
CyberArk Conjur
• RBAC
• Audit
• HA
Puppet, Chef, Ansible, AWS, MS Azure, Google Cloud, Docker, Kubernetes, OpenShift
Page 21
WHERE DO WE START?
ALSO – GOT ANY FREE STUFF?
Page 22
CYBERARK DISCOVERY & AUDIT (DNA)
FREE TOOL TO GAIN VISIBILITY OF THE PRIVILEGED ACCOUNT ENVIRONMENT
• Discover all accounts (privileged and non-privileged)
• Identify privileged accounts and credentials including:
  • Embedded & hard-coded credentials in WebSphere, WebLogic and IIS servers
  • Golden Ticket attack risk
  • SSH keys
  • Password hashes and password length
  • Insecure privilege escalations in Unix
  • AWS IAM Users, Access Keys and EC2 Key pairs
• Easily view results in the Executive Summary Dashboard
• Enhance insight with visual maps of password hashes and SSH key trust relationships
• Gain visibility without impacting performance
  • Requires no installation
  • Consumes very low bandwidth
Page 23
CYBERARK HAS LAUNCHED CONJUR, ITS FIRST OPEN SOURCE PROJECT
• CyberArk has released an open source version of our DevOps secret management solution: Conjur
• The Conjur core product is distributed under the AGPL license
• Clients and integrations are governed by the Apache License, v2
• Conjur Enterprise Edition also available
• Contact us to schedule a Conjur demo and find out how you can deploy a full DevOps pipeline to test with in under 30 minutes!
• Visit conjur.org