#RSAC
Session ID: GPS-F01B
Jeffrey Kok
Senior Director, Asia Pacific and [email protected]
Taking a DevOps Approach to Securing Privileged Credentials in DevOps
Application architectures are getting pulverized
Monolith → Virtualized → Containerized → Micro Services
All may need access to secrets. Some are very short-lived.
How do we manage all this?
Automation enables reliable, rapid change at scale
So basically, robots are your administrators now
Providing all kinds of new opportunities
It’s all automated – nobody’s really watching it
So many new tools...
Unchanged, shared, over-provisioned secrets
New ways to access servers
Attackers look for API keys, and for publicly available AWS servers/images that use default secrets or cache secrets in plain text
The Threat Surface is Broad
Malware · Operational Efficiency · Compliance · Third Party Access · Breaches & Insider Threats
▪ A hacker accessed a docker registry that contained the entire Vine source code, API keys and secrets
▪ The initial intrusion into Target’s systems was traced back to network credentials that were stolen from a third-party vendor
▪ UK-based telco TalkTalk was fined a record £400,000 due to a breach that exposed the personal data of 150,000 customers
▪ Hackers are exploiting known MongoDB misconfigurations and vulnerabilities and planting ransomware into high-profile clients such as Emory Healthcare
▪ An organization had a database containing personal information about drivers compromised after storing the key in a publicly available repository
Summary of Current Challenges
Explosion of short-lived entities that need access to secrets
Scaling to millions of instances in minutes
Privileged automation tools are doing the work of SysAdmins
Cloud and DevOps workflows represent new security risks
Five Recommended Practices
1. Make Secrets Ephemeral
2. No Security Islands
3. Embrace Machine Identity
4. Security-as-Code
5. Good Security UX
1. Ephemeral Secrets
▪ No embedded passwords
▪ Get secrets out of source code
▪ Dynamically fetch them as needed
▪ Use a password rotation strategy for apps you can’t modify easily
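The four bullets above describe one procedure: find the credentials that are embedded today, then replace them with values the application fetches on demand under a short lease so that rotation at the vault is picked up without a redeploy. The example below is added here to show that procedure end to end; it is not code from the talk or from any vendor product. The regex patterns, the ToyVault stand-in, the lease length and the sample source file are all constructed for illustration (the AWS access key ID format, AKIA followed by 16 uppercase alphanumerics, is public and the key value used is the one AWS itself uses in its documentation as an example).

```python
"""Ephemeral secrets: no embedded passwords, fetch on demand, survive rotation.

Added example, not code from the original talk. The vault, the lease
length and the sample source file are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# --- 1. Find what should not be there: credentials embedded in source -----

# Hypothetical patterns; real scanners carry far more. The AWS access key ID
# format (AKIA + 16 uppercase alphanumerics) is a well-known public format.
EMBEDDED_SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(
        r"(?i)(password|passwd|pwd|secret|api_key)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}


def find_embedded_secrets(source: str) -> List[dict]:
    """Return one finding per (line, pattern) match in a source file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in EMBEDDED_SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": name})
    return findings


# --- 2. Replace the embedded value with a leased, dynamically fetched one ----

@dataclass
class Lease:
    value: str
    expires_at: float


class ToyVault:
    """Constructed stand-in for a secrets manager: hands out short leases
    and lets an operator rotate the underlying credential."""

    def __init__(self, clock: Callable[[], float], ttl_seconds: float):
        self._clock = clock
        self._ttl = ttl_seconds
        self._secrets: Dict[str, str] = {}
        self.fetch_count = 0

    def set(self, name: str, value: str) -> None:
        self._secrets[name] = value  # rotation is simply an overwrite here

    def lease(self, name: str) -> Lease:
        self.fetch_count += 1
        return Lease(self._secrets[name], self._clock() + self._ttl)


class EphemeralSecret:
    """Application-side handle: holds a value only as long as its lease is
    valid, then goes back to the vault. Nothing is written to disk or baked
    into the image, so rotating at the vault needs no redeploy."""

    def __init__(self, vault: ToyVault, name: str, clock: Callable[[], float]):
        self._vault, self._name, self._clock = vault, name, clock
        self._lease: Optional[Lease] = None

    def get(self) -> str:
        if self._lease is None or self._clock() >= self._lease.expires_at:
            self._lease = self._vault.lease(self._name)
        return self._lease.value


def demo() -> dict:
    """Drive both halves on constructed input and return what happened."""
    constructed_source = (
        'DB_USER = "app"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'                # embedded password
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'              # AWS documentation example key ID
        'db_password = vault.get("prod/db/password")\n'  # fetched, not embedded
    )
    findings = find_embedded_secrets(constructed_source)

    now = [1000.0]                      # injectable clock so the demo is deterministic
    clock = lambda: now[0]
    vault = ToyVault(clock, ttl_seconds=60)
    vault.set("prod/db/password", "v1-initial")
    secret = EphemeralSecret(vault, "prod/db/password", clock)

    first = secret.get()                 # fetch 1
    now[0] += 30
    vault.set("prod/db/password", "v2-rotated")   # operator rotates at the vault
    cached = secret.get()                # lease still valid: old value, no fetch
    now[0] += 31
    refreshed = secret.get()             # lease expired: fetch 2 returns the rotated value

    return {"findings": findings, "first": first, "cached": cached,
            "refreshed": refreshed, "fetches": vault.fetch_count}


if __name__ == "__main__":
    print(demo())
```

The lease TTL is the knob that trades vault load against how long a rotated-out credential can still be in use anywhere; for the "apps you can't modify easily" case the same rotation still works, the difference is that the tool pushes the new value into the app's config or environment at rotation time instead of the app pulling it.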
3. Embrace Machine Identity
4. Security as Code (borrowing ideas from Automation)
Modern automation tools are declarative:
▪ Documents describe desired state (the what)
▪ Tools configure/remediate to that state (the how)
Security tools need to follow suit with Policies. This has multiple benefits:
▪ Versioned, like source code
▪ Collaborative
▪ Encourages design vs. ad hoc administration
▪ Automated audit/compliance workflows
▪ Determine if current state aligns with desired state (or not)
▪ Ensures consistency across teams, environments and domains
▪ Can be used to quickly reconstruct entire structure for new DCs, DR, etc.
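To make the "desired state vs. current state" point concrete, here is an added example (not from the talk or any product) of a secrets-access policy written as a versionable document, plus a reconciler that audits live state against it and, when asked, remediates. The JSON policy format, the identity and secret names, the snapshot of "current" grants and the shape of the reconcile() result are all constructed for illustration; in practice the policy comes from version control and the current state from the secrets manager's or IAM system's API.

```python
"""Security-as-code: a declarative policy compared against observed state.

Added example, not the talk's material. The policy format, the 'current
state' snapshot and the reconcile() output shape are constructed for
illustration; a real tool would read the policy from version control and
the current state from the secrets manager or IAM API.
"""
import json
from typing import Dict, List, Set, Tuple

# Desired state, as it would be committed to a repository: which identity
# may read which secrets. It says nothing about *how* a grant is applied.
DESIRED_POLICY_JSON = """
{
  "grants": {
    "svc/payments-api": ["prod/db/payments", "prod/stripe/key"],
    "svc/reporting-job": ["prod/db/reporting"],
    "human/oncall":      ["prod/db/payments", "prod/db/reporting"]
  }
}
"""

Grants = Dict[str, Set[str]]
Change = Tuple[str, str]   # (identity, secret)


def load_policy(text: str) -> Grants:
    data = json.loads(text)
    return {who: set(what) for who, what in data["grants"].items()}


def diff_grants(desired: Grants, current: Grants) -> Tuple[List[Change], List[Change]]:
    """Return (to_grant, to_revoke). Anything present but not declared is
    drift and is revoked: over-provisioning is exactly what the policy is
    there to catch, including identities the policy never mentions."""
    identities = set(desired) | set(current)
    to_grant: List[Change] = []
    to_revoke: List[Change] = []
    for who in sorted(identities):
        want = desired.get(who, set())
        have = current.get(who, set())
        to_grant += [(who, s) for s in sorted(want - have)]
        to_revoke += [(who, s) for s in sorted(have - want)]
    return to_grant, to_revoke


def reconcile(desired: Grants, current: Grants, dry_run: bool = True) -> dict:
    """dry_run=True is the audit/compliance check; dry_run=False remediates.
    'compliant' reports whether any change was needed at call time.
    'current' is mutated in place when remediating, standing in for the
    grant/revoke API calls a real tool would make."""
    to_grant, to_revoke = diff_grants(desired, current)
    if not dry_run:
        for who, secret in to_grant:
            current.setdefault(who, set()).add(secret)
        for who, secret in to_revoke:
            current[who].discard(secret)
            if not current[who]:
                del current[who]          # identity with no grants left disappears
    return {"compliant": not to_grant and not to_revoke,
            "grant": to_grant, "revoke": to_revoke}


def demo() -> dict:
    desired = load_policy(DESIRED_POLICY_JSON)
    # Constructed snapshot of what the secrets manager actually has:
    # reporting-job was never granted its secret, a leftover shared
    # 'deploy-bot' identity can read everything, and oncall has one extra.
    current: Grants = {
        "svc/payments-api":  {"prod/db/payments", "prod/stripe/key"},
        "human/oncall":      {"prod/db/payments", "prod/db/reporting", "prod/stripe/key"},
        "legacy/deploy-bot": {"prod/db/payments", "prod/db/reporting", "prod/stripe/key"},
    }
    audit = reconcile(desired, current, dry_run=True)        # report drift only
    remediated = reconcile(desired, current, dry_run=False)  # apply the changes
    recheck = reconcile(desired, current, dry_run=True)      # should now be clean
    return {"audit": audit, "remediated": remediated, "recheck": recheck,
            "final_state": {k: sorted(v) for k, v in sorted(current.items())}}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=list))
```

Because the policy is the single source of truth, the same function serves every benefit listed above: run it with dry_run=True on a schedule for the audit trail, with dry_run=False in a pipeline to enforce, and against an empty current state to rebuild the grants from scratch for a new data centre or a DR site.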
5. Security UX – need to change perception
Five short years ago… DevOps and Security
Today: “I want security!” / “We can produce change reliably, at scale and speed!”
Security is a user experience, make it a good one!
RECAP : Five Recommended Practices
1. Make Secrets Ephemeral
2. No Security Islands
3. Embrace Machine Identity
4. Security-as-Code
5. Good Security UX