Centralized secrets management picks up pace

Sponsored Feature: There’s no question that fast-feedback software delivery offers multiple advantages by streamlining processes for developers. But in software development, as in life, there is no such thing as a free lunch.

Automated continuous integration/continuous delivery (CI/CD) pipelines created by tools like Jenkins and Concourse are there to help, of course, but the potential downside is that they can increase the likelihood of security vulnerabilities. And as development teams expand into Infrastructure as Code (IaC), the practice of using CI/CD pipelines to manage the configuration files that define the actual infrastructure on which their applications run is gaining popularity.

These trends require developers to ensure they can effectively manage the secrets needed to run corporate applications and systems, secrets that have the potential to put critical systems at risk. Associated vulnerabilities can manifest themselves along the length of extended DevOps pipelines, which, in today’s hybrid corporate infrastructures, typically span a range of different internal and externally hosted applications, services and data repositories.

Adding further to the security risk in CI/CD DevOps cycles is the threat posed by non-human entities, which are predicted to account for almost 98 percent of total identities in corporate systems by the end of this year.

Machine identities taking over

The scale of this issue was brought into stark relief by new research from CyberArk, a leading specialist in Identity Security and access management. The company’s April 2022 report found that machine identities outnumber humans 45 to one, which could mean that 98 percent of an organization’s accounts and identities are non-human or machine. What’s more, 68 percent of non-human identities have access to sensitive data and assets on enterprise networks.

To address these issues, savvy software developers are now recognizing the need to secure non-human identities in organizational supply chains that are accessing and processing sensitive data hosted in multiple internal/external and on-/off-premises systems, including virtualized and containerized cloud environments.

CyberArk Vice President of DevOps Uzi Ailon explains how this proliferation of non-human entities — which need to be granted secure access to corporate networks — is being fueled by enterprise digital transformation initiatives and an increasingly widespread reliance on automation tools.

“The growth of non-human entities on corporate systems is happening because of digital transformation,” he says. “If you think about it, everything is being changed to be an automated process. Now there are tools that help us to replace any process that is repeatable.”

“But this is only one part. When we are talking about developers and DevOps, nothing is happening manually today. From the moment I commit my code, there is a script that takes me all the way to the test environment. There is testing that runs automatically, and then I push everything into production. With CI/CD, there is another layer of automation; everything is happening automatically. I want to build my cloud so I have an API to start a new machine or to start a new application. So even when I’m building my environment, it’s all done automatically.”

Ailon goes on to warn that this trend towards automation and data dispersal is creating even more complexity and potentially serious security vulnerabilities. And that means developers urgently need to manage the secrets and credentials necessary to enable the accounts that have been created in the automated processes.

According to Ailon, those companies with the least sophisticated credential coding practices are inevitably the most vulnerable. “There are a lot of different layers of problems,” he says. “The first thing we’re talking about is DevOps teams that are not very mature, what we define as a security-basic organization. What they’re going to do is edit credentials into the code. You’re going to have hard-coded credentials.”

Islands of security in the stream

The biggest problem with hard-coded credentials is the risk of privilege elevation. Even if attackers have only obtained credentials for a low-level account, they can use that access to read hard-coded credentials, and thus the secrets they protect, allowing them to compromise top-level accounts.
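The hard-coded credential problem described above is also the easiest one to detect before code reaches a pipeline. The following Python scanner is an added example written for this page, not CyberArk's tooling or any project's code: it runs over a handful of constructed source lines (a Jenkins pipeline step, a Terraform variable file, a Python settings module and a README), flags credential-like literals and connection strings that embed a password, separates obvious documentation placeholders from generated keys with a Shannon entropy check, and masks every value so the report itself does not leak the secret. File names, line contents, keyword list and the entropy threshold are all constructed assumptions.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Identifier containing a credential-like keyword, assigned a quoted literal of
# at least 8 characters. Covers Python/Groovy/HCL/YAML style "key = 'value'".
KEYWORD_ASSIGN = re.compile(
    r"(?i)\b[a-z0-9_]*(password|passwd|pwd|secret|token|api[_-]?key)[a-z0-9_]*"
    r"\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)
# A connection string carrying userinfo: scheme://user:password@host
URL_USERINFO = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]{6,})@")

# Literals that are clearly documentation placeholders, not live credentials (assumed list).
PLACEHOLDERS = {"changeme", "password", "secret", "example", "xxxxxxxx"}
# Shannon entropy (bits per character) below which a literal looks like a
# human-readable placeholder rather than a generated key (assumed threshold).
ENTROPY_THRESHOLD = 3.0


class Finding(NamedTuple):
    path: str
    line: int
    kind: str      # "credential-in-url", "hardcoded-credential" or "placeholder"
    masked: str    # first three characters only; the report must not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    return value[:3] + "***"


def scan_line(path: str, lineno: int, text: str) -> List[Finding]:
    findings = []
    m = URL_USERINFO.search(text)
    if m:
        findings.append(Finding(path, lineno, "credential-in-url", mask(m.group(1))))
    m = KEYWORD_ASSIGN.search(text)
    if m:
        literal = m.group(2)
        low_value = (literal.lower() in PLACEHOLDERS
                     or shannon_entropy(literal) < ENTROPY_THRESHOLD)
        kind = "placeholder" if low_value else "hardcoded-credential"
        findings.append(Finding(path, lineno, kind, mask(literal)))
    return findings


def scan_lines(lines) -> List[Finding]:
    """lines: iterable of (path, line_number, text) tuples, e.g. from a pre-commit hook."""
    return [f for path, lineno, text in lines for f in scan_line(path, lineno, text)]


# Constructed sample lines (not from any real repository): a Jenkins pipeline
# step, a Terraform variable file, a Python settings module and a README.
SAMPLE_LINES = [
    ("Jenkinsfile", 12, 'sh "psql postgres://app:Sup3rS3cretPgPass@db.internal/orders"'),
    ("terraform.tfvars", 4, 'aws_secret_key = "Q7vL2mN9xP4rT8wZ1cB6yH3kJ5sD0fG2aE4uV8iX"'),
    ("settings.py", 8, "API_TOKEN = 'tok_live_9f2a7c1e4b6d8a0f3c5e7b9d1a2c4e6f'"),
    ("settings.py", 9, "API_TOKEN = os.environ['API_TOKEN']"),   # injected at runtime: clean
    ("README.md", 3, 'password = "changeme"  # documentation placeholder'),
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.masked})")
```

Run as a script, it reports the Jenkins connection string, the Terraform key and the Python token as findings and the README line as a placeholder, while the line that reads the token from the environment at runtime produces nothing. The entropy check is a heuristic: it keeps noise down on placeholders but a real scanner would pair it with the known prefixes of specific credential formats and with allow-listing for test fixtures.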

For enterprises with more sophisticated credential management, these security risks are diminished but not eliminated altogether. Ailon defines the second echelon of credential security as “islands of security,” which are created when developers do not hard code credentials but instead rely on multiple vaults depending on the software development platforms and frameworks they are using. So, for example, in every Ansible chain, there is some kind of safe, though some of them are better than others.

“It’s not very secure, but every tool is provided with its own safe. The problem is that in no time, because you’re using a large number of tools, you have what we call islands of security,” he explains. “There are secrets in Jenkins, secrets in my Terraform script, in my Infrastructure as a Service script. I have secrets everywhere.”

This creates multiple problems. The first is uncertainty about the source of truth: if someone needs to go to 20 or 30 different vaults and update them manually, what happens when they forget to update some of them?

“Now we have the same script, the same secret with a different value. What is the source of truth, which secret is the right secret?” asks Ailon. The last issue is the operational efficiency for developers and DevOps: “Let’s say that something happened, malicious code or a malicious event is identified in your organization, and you want to disable all the passwords. You will not be able to do it if you don’t have the central element.”

Centralized secrets management

The deployment of a centralized secrets management solution is arguably the best way to properly address these issues. For on-premises installation, CyberArk Conjur Secrets Manager Enterprise is a self-hosted solution to securely authenticate, centrally control and audit how applications and DevOps and automation tools use secrets and privileged credentials to access databases, cloud environments and other sensitive resources. For those that prefer the software as a service approach, CyberArk has developed CyberArk Conjur Cloud, a SaaS-based secrets management solution powered by the CyberArk Identity Security Platform, a system which manages non-human access and machine identity across multi-cloud and hybrid environments.

Centralized secrets management solutions are rapidly coming to represent the only viable option in cloud-centric corporate environments, where the number of non-human entities requiring secure near-instant access to mission-critical systems is growing exponentially, according to Ailon. “For the developers and DevOps teams, we’re going to be almost transparent. We give you all the APIs. We give you all the connectors, and everything will happen behind the scenes of the development. The developers need to focus on developing an application. The DevOps team needs to focus on making sure that they can run all the operational automation. And security needs to provide the security policies postures and the secret management as a service. And now we have one solution for all the organization.”
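The contrast between the "islands of security" pattern discussed earlier (per-tool safes with no source of truth and no central kill switch) and the centralized model described here can be made concrete with a small Python model. This is an added example written for this page, not the API of CyberArk Conjur or any other product; the secret id, consumer names, values and the audit tuple shape are all constructed. It shows per-tool copies drifting after a partial manual rotation so that no source of truth can be named, against a central store where consumers hold only a reference, a rotation is one write, every fetch is authorized and audited, and a single disable switch stops every consumer on its next fetch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SECRET_ID = "db/orders/password"            # constructed example identifier
CONSUMERS = ["jenkins", "terraform", "ansible"]


# --- Pattern 1: "islands of security", one safe per tool, each holding a copy ---

class ToolLocalVault:
    """A per-tool safe. It knows nothing about the other tools' copies."""

    def __init__(self, tool: str) -> None:
        self.tool = tool
        self._copy: Dict[str, str] = {}

    def store(self, secret_id: str, value: str) -> None:
        self._copy[secret_id] = value

    def read(self, secret_id: str) -> str:
        return self._copy[secret_id]


def rotate_islands(vaults: List[ToolLocalVault], secret_id: str, new_value: str,
                   updated_tools: Set[str]) -> Dict[str, str]:
    """Manual rotation: an operator visits each island; tools missing from
    updated_tools are the ones somebody forgot."""
    for vault in vaults:
        if vault.tool in updated_tools:
            vault.store(secret_id, new_value)
    return {vault.tool: vault.read(secret_id) for vault in vaults}


def source_of_truth(copies: Dict[str, str]) -> Optional[str]:
    """Independent copies carry no authority: once they disagree there is
    no way to say which value is right, so answer None."""
    values = set(copies.values())
    return values.pop() if len(values) == 1 else None


# --- Pattern 2: one central store; consumers hold an id, never a copy ---------

class AccessDenied(Exception):
    pass


@dataclass
class SecretRecord:
    value: str
    version: int = 1
    disabled: bool = False


class CentralSecretsStore:
    def __init__(self) -> None:
        self._secrets: Dict[str, SecretRecord] = {}
        self._policy: Dict[str, Set[str]] = {}       # consumer -> ids it may read
        self.audit: List[Tuple[str, str, str]] = []  # (who, what, outcome), append-only

    def put(self, secret_id: str, value: str) -> int:
        """Create or rotate. Rotation is one write; nothing in the tools changes."""
        rec = self._secrets.get(secret_id)
        if rec is None:
            self._secrets[secret_id] = SecretRecord(value)
            return 1
        rec.value, rec.version = value, rec.version + 1
        return rec.version

    def grant(self, consumer: str, secret_id: str) -> None:
        self._policy.setdefault(consumer, set()).add(secret_id)

    def get(self, consumer: str, secret_id: str) -> Tuple[str, int]:
        """Authorize, check the kill switch, record the attempt, then release."""
        rec = self._secrets.get(secret_id)
        allowed = (rec is not None and not rec.disabled
                   and secret_id in self._policy.get(consumer, set()))
        self.audit.append((consumer, secret_id, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{consumer} -> {secret_id}")
        return rec.value, rec.version

    def disable_all(self) -> None:
        """Incident response: one switch stops every consumer at its next fetch."""
        for rec in self._secrets.values():
            rec.disabled = True
        self.audit.append(("security-admin", "*", "disable-all"))


def fetch_for_all(store: CentralSecretsStore, consumers: List[str],
                  secret_id: str) -> Dict[str, str]:
    """Each consumer fetches at the moment of use instead of keeping a copy."""
    out = {}
    for consumer in consumers:
        try:
            out[consumer] = store.get(consumer, secret_id)[0]
        except AccessDenied:
            out[consumer] = "DENIED"
    return out


def demo_islands() -> Tuple[Dict[str, str], Optional[str]]:
    vaults = [ToolLocalVault(tool) for tool in CONSUMERS]
    for vault in vaults:
        vault.store(SECRET_ID, "pg-pass-v1")
    # Operator rotates Jenkins and Terraform by hand and forgets Ansible.
    copies = rotate_islands(vaults, SECRET_ID, "pg-pass-v2", {"jenkins", "terraform"})
    return copies, source_of_truth(copies)


def demo_central() -> Tuple[Dict[str, str], Dict[str, str], List[Tuple[str, str, str]]]:
    store = CentralSecretsStore()
    store.put(SECRET_ID, "pg-pass-v1")
    for consumer in CONSUMERS:
        store.grant(consumer, SECRET_ID)
    everyone = CONSUMERS + ["rogue-script"]    # rogue-script was never granted access
    store.put(SECRET_ID, "pg-pass-v2")         # one rotation, seen by all on next fetch
    after_rotation = fetch_for_all(store, everyone, SECRET_ID)
    store.disable_all()                        # incident: cut everything off at once
    during_incident = fetch_for_all(store, everyone, SECRET_ID)
    return after_rotation, during_incident, store.audit
```

Calling `demo_islands()` returns three copies of which one still holds the old value, and `source_of_truth` cannot name a winner; `demo_central()` returns every authorized consumer on the new value after a single write, the ungranted `rogue-script` denied throughout, all consumers denied after `disable_all()`, and an audit trail that records each of those decisions in one place. The design point is that the consumer never owns the value: it owns a reference and an identity, which is what makes rotation and revocation single operations.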

This type of secrets management system formed a central plank in a recent strategic security upgrade by DZ BANK AG, part of the Volksbanken Raiffeisenbanken cooperative financial network and one of the largest private financial services organizations in Germany, with annual revenues of €3.1 billion and 31,400 staff.

The bank has been transitioning away from perimeter-based defenses to safeguard its IT infrastructure as it embraces a cloud computing model, explains an IT security specialist at DZ BANK. Alongside the shift toward cloud computing and remote working, it had recognized that financial services organizations were facing increasing and more sophisticated cyberattacks.

“The threat is certainly more challenging. Because of changes like cloud computing, software as a service and remote working, internal identities are getting exposed in the outside world.”

This strategic security migration centered on DZ BANK strengthening and enhancing the handling of privileged access management (PAM). It implemented a CyberArk Identity Security solution comprising CyberArk Privileged Access Manager, CyberArk Conjur Secrets Manager Enterprise and CyberArk Identity. The upgrade delivered multiple benefits, including the satisfaction of audit and compliance requirements and reduction of cyber risks.

Elsewhere TIAA, a leading provider of financial services to the academic, research, medical, cultural and governmental sectors, derived similar benefits from a recent security and secrets management upgrade. Founded in 1918 by Andrew Carnegie, the organization has $1 trillion in combined assets under management, and it recognized the need for improved secrets management for applications and privileged access management as it migrated critical systems to the cloud.

That led to TIAA deploying a portfolio of solutions comprising CyberArk Conjur Secrets Manager and several additional products: CyberArk Privileged Access Manager, CyberArk Credential Providers and CyberArk Endpoint Privilege Manager. To date, CyberArk Conjur has been rolled out across two cloud production environments, a disaster recovery system and a variety of additional on-premises domains. The result is that CyberArk has provided TIAA with a single view for auditing and a central location for users to manage and monitor passwords.

CyberArk’s Ailon believes that there’s much more to be gained beyond operational efficiency and security benefits. Other, more strategic paybacks are in play, notably increased harmony between DevOps, developers and security specialists.

“Another benefit can be seen when security teams and the DevOps teams and developers are starting to talk,” he concludes. “In non-mature organizations, there is a big gap between security and DevOps, while the more mature organizations see these teams coming together.”

Sponsored by CyberArk.