THE PRIVILEGE CONNECTION: CLOUD AND DEVOPS SECURITY
Mark Hurter
Sales Engineer - Southeast
THE CHALLENGE OF A NEW PLATFORM
CLOUD/DEVOPS PUSH CHANGES SECURITY & ACCESS CONTROL REQUIREMENTS
Human actors: excessive access privileges, role confusion
Non-human actors: explosive proliferation of privileged, non-human automation and agents that must be controlled
Heterogeneity: no more homogeneous infrastructure. Services span multiple cloud providers, each with different security interfaces & capabilities
Dynamism: no more static inventory of servers and hosts to secure. Instances are spun up and torn down elastically and in bulk
Scale: services are provisioned on a scale of thousands to tens of thousands of instances in the cloud vs. hundreds of physical servers in a data center
THE ATTACK LIFECYCLE AND PRIVILEGE
Typical Lifecycle of a Cyber Attack
What is changing?
THE POWER OF PRIVILEGE IN THE CLOUD
“Old Way – Hack a System”
“New Way – Hack Cloud Infrastructure”: Hypervisor / Management Console / APIs
RED TEAM VS. IAAS - CUSTOMER EXAMPLE
Recently asked by a large financial institution to test their security
Step 1 – Phishing
■ The Red-team compromised an IT laptop.
Step 2 – Explore
■ The Red-team found the local API key used to provision the entire organization’s cloud infrastructure.
Step 3 – Exploit
■ Using the stolen API key, the Red-team cloned the servers and attached the storage to their own servers.
Step 4 – Lateral movement (Management Console)
■ Success -- The Red-team gained access to the customer database, including sensitive PII.
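The clone-and-attach step above leaves a trail in the provider's API audit log. As an added example (not part of the original deck, and not a CyberArk product feature), the detection below scores CloudTrail-shaped events for the three things the red team combined: a long-lived IAM user access key (AKIA… rather than an STS ASIA… key), a sensitive EBS/AMI action, and a source address outside the organisation's known egress, plus the explicit tell of a snapshot being shared to a foreign account. Field names follow the CloudTrail record format; the account ID, egress range and sample events are constructed.

```python
"""Score CloudTrail events for the 'steal API key, clone servers, attach
storage elsewhere' pattern.  Added example; records are constructed."""
import ipaddress

ORG_ACCOUNT_ID = "111111111111"                          # constructed
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate egress

# EC2/EBS actions that let an attacker copy data out via the control plane.
SUSPECT_ACTIONS = {
    "CreateSnapshot", "CopySnapshot", "ModifySnapshotAttribute",
    "CreateImage", "CreateVolume", "AttachVolume",
}


def is_long_lived_key(event):
    """IAM user keys start with AKIA; temporary STS keys start with ASIA."""
    return event.get("userIdentity", {}).get("accessKeyId", "").startswith("AKIA")


def from_unknown_source(event):
    try:
        addr = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return False  # AWS service principals log a DNS name, not a client IP
    return not any(addr in net for net in KNOWN_EGRESS)


def shares_snapshot_externally(event):
    """True when createVolumePermission is granted to another account or to 'all'."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return False
    perm = event.get("requestParameters", {}).get("createVolumePermission", {})
    added = perm.get("add", {}).get("items", [])
    return any(i.get("userId") != ORG_ACCOUNT_ID for i in added) or any("group" in i for i in added)


def score_event(event):
    reasons = []
    if event.get("eventName") in SUSPECT_ACTIONS:
        reasons.append("sensitive EBS/AMI action")
    if is_long_lived_key(event):
        reasons.append("long-lived IAM user key")
    if from_unknown_source(event):
        reasons.append("source IP outside known egress")
    if shares_snapshot_externally(event):
        reasons.append("snapshot shared outside the account")
    return reasons


def find_suspicious(events, min_reasons=3):
    hits = []
    for e in events:
        reasons = score_event(e)
        if len(reasons) >= min_reasons:
            hits.append((e["eventID"], e["eventName"], reasons))
    return hits


AKIA = {"type": "IAMUser", "userName": "provisioner", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
ASIA = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001"}
SAMPLE_EVENTS = [  # constructed, CloudTrail-shaped; not real log data
    {"eventID": "ev-1", "eventName": "CreateSnapshot", "sourceIPAddress": "198.51.100.7",
     "userIdentity": AKIA, "requestParameters": {"volumeId": "vol-0a1b2c3d"}},
    {"eventID": "ev-2", "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "198.51.100.7",
     "userIdentity": AKIA,
     "requestParameters": {"snapshotId": "snap-0f9e8d7c", "attributeType": "createVolumePermission",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventID": "ev-3", "eventName": "CreateSnapshot", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ASIA, "requestParameters": {"volumeId": "vol-0a1b2c3d"}},  # in-house backup job
    {"eventID": "ev-4", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": AKIA, "requestParameters": {}},                           # recon only
    {"eventID": "ev-5", "eventName": "AttachVolume", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": ASIA, "requestParameters": {"volumeId": "vol-0a1b2c3d"}},  # service-initiated
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

ev-1 and ev-2 trip the rule; the backup job using a temporary role key from inside the egress range, the read-only DescribeInstances recon, and the service-initiated AttachVolume do not. The foreign-account share in ev-2 is worth alerting on by itself, which is why it is a separate reason rather than folded into the action list.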
IAAS: CLOUD SECURITY IS A SHARED RESPONSIBILITY
Customer / Enterprise – Security IN the Cloud:
  Customer Data
  Applications | Identity & Access Mgmt.
  OS | Network | Firewall
  Client Side Encryption | Network Protection | Server Side Encryption
Cloud Vendor / Provider – Security OF the Cloud:
  Compute | Storage | Networking
  Global Infrastructure / Regions / Physical Infrastructure
Source: AWS, Fortinet, CyberArk
▪ Security Of the Cloud – AWS, Azure, etc.
▪ Security In the Cloud – You -- customer / enterprise
FIRST, SECURE THE CONSOLE
• Basic steps to protect the “keys to your cloud kingdom” (the Management Console)
• Operations and configuration
• Security / authentication
• Billing
SECURING THE MANAGEMENT CONSOLE
Secure Vaulting Solution: Administrator / End Users -> Web Portal -> [Password Rotation | Secure Storage (*****) | Account Discovery | Centralized Policy] -> AWS Management Console
Cloud Infrastructure – Accounts Available to Access: Websites / Web Apps, Applications, Customer Database
HYBRID & MULTIPLE CLOUD ENVIRONMENTS ARE PREVALENT
• Best practice is to plan for multiple cloud and hybrid environments
Gartner Survey On Number Of Cloud Providers Organizations Work With (percentage of respondents):
  One: 15% | Two: 29% | 3 to 5: 32% | 6 to 10: 12% | 11 to 15: 6% | 16 or more: 4% | Don't know: 2%
N = 498; base: organizations using or planning to use public cloud by year-end 2015. These numbers refer to sanctioned/approved cloud usage only and do not include shadow IT and personal cloud usage by employees.
Source: Gartner (May 2016)
GOTCHA, BUT WHAT ABOUT ROBOTS AND SCALE?
APPLICATION ARCHITECTURES ARE GETTING PULVERIZED
Monolith -> Virtualized -> Containerized -> Micro Services
Deployment, Measurement, ChatOps, IaaS, Infra-as-Code, CI/CD, Test Automation, Container Orchestration
MEET THE NEW IT DEPARTMENT
CLOUD+DEVOPS = RISK OF SECURITY ISLANDS
Established Systems of Trust:
  CyberArk PAS • Master Policy • Audit records • Admin credentials • Application/3rd party COTS credentials • Privileged Session Management
  Microsoft AD • User authentication • Group membership (access control)
Bespoke Islands of Trust:
  Puppet Hiera, Chef Data Bags, Ansible Vault
  AWS IAM / KMS, MS Azure IAM / KMS, Google Cloud IAM / KMS
  Docker Secrets, Kubernetes Secrets, OpenShift Secrets
THE ATTACKER’S OPPORTUNITY: KEYS IN THE BUILD SYSTEMS AND MAKING THEIR WAY INTO THE PUBLIC DOMAIN
AUTOMATION/DEVOPS PIPELINE – NOT SO SECURE
AUTOMATION/DEVOPS PIPELINE – THAT’S BETTER!
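The first step toward the "that's better" pipeline is knowing which keys are already sitting in Jenkinsfiles, Ansible vars and compose files. As an added example (not part of the deck, and not the DNA tool), the scanner below walks a set of build files for AWS access key IDs, AWS secret keys and generic password/API-key assignments, skips templated references and obvious placeholders, and uses a Shannon-entropy floor to avoid flagging prose. The file contents are constructed; the AWS key values are the documented AWS example keys, not live credentials.

```python
"""Find hard-coded credentials in CI/CD and config files.  Added example;
the sample files below are constructed."""
import math
import re

AWS_ACCESS_KEY = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})")
# Key names that commonly carry a secret, followed by an assignment and a value.
GENERIC_SECRET = re.compile(r"(?i)(password|passwd|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})")
PLACEHOLDERS = ("changeme", "xxxxxxxx", "<password>", "example.com")
MIN_ENTROPY = 3.0  # bits per char; English words sit well below this


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value):
    """Enough to correlate a finding with its key, not enough to use it."""
    return value[:4] + "..." + value[-4:]


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": redact(m.group(1))})
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_secret_access_key", "value": redact(m.group(1))})
        for m in GENERIC_SECRET.finditer(line):
            value = m.group(2)
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # placeholder, not a live secret
            if shannon_entropy(value) < MIN_ENTROPY:
                continue  # too regular to be a real credential
            findings.append({"path": path, "line": lineno,
                             "kind": "generic_secret", "value": redact(value)})
    return findings


def scan_tree(files):
    """files: mapping of path -> contents (stand-in for walking a checkout)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


SAMPLE_FILES = {  # constructed build files
    "Jenkinsfile": (
        "pipeline {\n"
        "  environment {\n"
        "    AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "    AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "  }\n"
        "}\n"
    ),
    "ansible/group_vars/all.yml": (
        'db_password: "S3cr3t-Prod-Pa55w0rd!"\n'
        'api_key: "{{ vault_api_key }}"\n'      # templated lookup: not a secret
        "smtp_password: changeme123\n"          # placeholder: not a secret
    ),
    "docker-compose.yml": (
        "services:\n"
        "  db:\n"
        "    environment:\n"
        "      - POSTGRES_PASSWORD=pg-Prod-9f3a1c\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
```

Four findings come back (two AWS keys in the Jenkinsfile, one Ansible password, one compose password); the vault-templated `api_key` and the `changeme` placeholder are ignored. In a real pipeline this runs as a pre-commit hook or a CI stage that fails the build, and every hit is treated as compromised and rotated, since git history keeps it even after it is removed.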
ESTABLISHING MACHINE IDENTITY
Bill
• Has a clear identity
• Has a defined role
• Can multi-factor
• Warm and friendly
Application Node WA113
• Identity?
• Role?
• Cannot multi-factor
• Cold and unfeeling
APPLICATIONS ARE PEOPLE TOO!
Bill
• Has a clear identity
• Has a defined role
• Can multi-factor
• Warm and friendly
Application Node WA113
• Has a clear identity
• Has a defined role
• Can’t multi-factor
• Warm and friendly
EXTENDED TRUST PLATFORM FOR CLOUD+DEVOPS
CyberArk PAS • Consolidated audit • Centralized policy • Centralized credential management • Centralized monitoring • Threat Analytics
Microsoft AD • User authentication • Group membership
CyberArk Conjur • RBAC • Audit • HA
Integrations: Puppet, Chef, Ansible, AWS, MS Azure, Google Cloud, Docker, Kubernetes, OpenShift
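What "applications are people too" means in practice, for the machine-identity slides above and the RBAC/audit slide here: an application node gets its own credential (never a password shared across the fleet), policy maps that node to a role and the role to the secrets it may read, a successful login yields a short-lived token, and every fetch is written to an audit trail. The broker below is an added illustration of that model, not Conjur's code or wire protocol; host names, roles and secret values are constructed.

```python
"""Minimal secrets broker giving a host an identity, a role and an audit trail.
Added example; not Conjur.  Policy and secrets are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed policy: host -> role, role -> secrets it may read.
HOST_ROLES = {"WA113": "webapp", "DB201": "dba"}
ROLE_SECRETS = {
    "webapp": {"prod/db/readonly"},
    "dba": {"prod/db/readonly", "prod/db/admin"},
}


class Broker:
    def __init__(self):
        self._host_keys = {}   # host id -> sha256 of its unique API key
        self._tokens = {}      # token -> (host, expiry)
        self._store = {"prod/db/readonly": "ro-pass", "prod/db/admin": "admin-pass"}
        self.audit = []

    def enroll(self, host):
        """Issue a per-host credential; only its hash is kept, so it can be rotated."""
        api_key = secrets.token_urlsafe(32)
        self._host_keys[host] = hashlib.sha256(api_key.encode()).hexdigest()
        return api_key

    def authenticate(self, host, api_key, now=None, ttl=300):
        """Exchange the long-lived host key for a short-lived token."""
        now = time.time() if now is None else now
        stored = self._host_keys.get(host)
        presented = hashlib.sha256(api_key.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            self._log(host, "authn", None, "denied")
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (host, now + ttl)
        self._log(host, "authn", None, "ok")
        return token

    def fetch(self, token, secret_id, now=None):
        """Release a secret only to a live token whose host's role permits it."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None or now > entry[1]:
            self._log("?", "fetch", secret_id, "denied: bad or expired token")
            return None
        host, _ = entry
        role = HOST_ROLES.get(host)
        if secret_id not in ROLE_SECRETS.get(role, set()):
            self._log(host, "fetch", secret_id, f"denied: role {role}")
            return None
        self._log(host, "fetch", secret_id, "ok")
        return self._store[secret_id]

    def _log(self, host, action, secret_id, result):
        self.audit.append({"host": host, "action": action, "secret": secret_id, "result": result})


def demo():
    """Walk node WA113 through enrol, login, an allowed read, a refused read, and expiry."""
    b = Broker()
    key = b.enroll("WA113")
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    tok = b.authenticate("WA113", key, now=t0)
    return {
        "allowed": b.fetch(tok, "prod/db/readonly", now=t0 + 10),
        "wrong_role": b.fetch(tok, "prod/db/admin", now=t0 + 10),
        "expired": b.fetch(tok, "prod/db/readonly", now=t0 + 600),
        "bad_key": b.authenticate("WA113", "not-the-key", now=t0),
        "audit": b.audit,
    }


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The audit list is the part that matters for the "consolidated audit" claim: each denial names the host, the secret and the reason, which is exactly what a static password in an Ansible vault or a Kubernetes Secret cannot give you.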
WHERE DO WE START?
ALSO – GOT ANY FREE STUFF?
CYBERARK DISCOVERY & AUDIT (DNA)
FREE TOOL TO GAIN VISIBILITY OF THE PRIVILEGED ACCOUNT ENVIRONMENT
• Discover all accounts (privileged and non-privileged)
• Identify privileged accounts and credentials including:
  • Embedded & hard-coded credentials in WebSphere, WebLogic and IIS servers
  • Golden Ticket attack risk
  • SSH keys
  • Password hashes and password length
  • Insecure privilege escalations in Unix
  • AWS IAM Users, Access Keys and EC2 Key pairs
• Easily view results in the Executive Summary Dashboard
• Enhance insight with visual maps of password hashes and SSH key trust relationships
• Gain visibility without impacting performance
• Requires no installation
• Consumes very low bandwidth
CYBERARK HAS LAUNCHED CONJUR, ITS FIRST OPEN SOURCE PROJECT
• CyberArk has released an open source version of our DevOps secret management solution: Conjur
• The Conjur core product is distributed under the AGPL license
• Clients and integrations are governed by the Apache License, v2
• Conjur Enterprise Edition is also available
• Contact us to schedule a Conjur demo and find out how you can deploy a full DevOps pipeline to test with in under 30 minutes!
• Visit conjur.org