SP03-R14: Rise of the Machines: DevOps and the Role of Secrets Management

1. #RSAC SESSION ID: SP03-R14. RISE OF THE MACHINES: DEVOPS AND THE ROLE OF SECRETS MANAGEMENT. Elizabeth Lawler, Vice President, DevOps Security, CyberArk. @ElizabethLawler @CyberArk
2. Code Delivery = Revenue Growth (chart: slower vs. faster code delivery). Companies with faster code delivery were 62% more likely to see YoY revenue growth of 25% or more. Source: EMA, “DevOps/Continuous Delivery Tooling: Launchpad for the Digital Enterprise,” 2017.
3. The New Norm: DevOps, Continuous Delivery, Cloud-Native, Microservices, Containers.
4. BUT: 51% of security pros say there is no relationship between IT security and business innovation; 75% of organizations don’t have a privileged account security strategy in place for DevOps; 50% don’t have a privileged account security strategy in place for Cloud. Sources: F5, “The Evolving Role of CISOs and the Importance to the Business”; CyberArk, “2018 Threat Landscape Report.”
5. Protect the Pipeline: an “unmanned” environment; powerful rights accessed, changed, and modified by people and code constantly; massive amounts of corporate IP.
6. The New Norm: Customer and Industry Realities. More infrastructure, more applications, more privileged actors, more automation. Privileged actors: IT admins, end users, privileged business users, SaaS admins, DevOps teams.
7. The Expanded Attack Surface. More infrastructure, more applications, more privileged actors, more automation: more privileged security risk. Privileged actors: IT admins, end users, privileged business users, SaaS admins, DevOps teams.
8. Security Islands: Different Locations & Rules. Islands of security: Privileged Access Management, AD/LDAP, Puppet Hiera, Docker Secrets, AWS IAM/KMS, Ansible Vault, Kubernetes Secrets, Microsoft Azure IAM/KMS, Chef Databags, Google Cloud IAM/KMS, OpenShift Secrets.
9. Managing Secrets in One Flow
10. Vault Cluster Architecture and Secret Rotation
11. Application Enrollment Flow for Secrets Retrieval
12. “Secret 0”
13. Use the Right Size Vault for the Environment (by risk scope): Enterprise Vault for the organization; DevOps Vault for the environment; Cluster Vault for the cluster; Application Vault for the process.
14. The Maturity Level of Secrets Solutions: DevOps vault product evolution, by generation.
    "0th" – No strong encryption, robust authentication, authorization or audit.
    1st – Encryption, authentication, authorization, CLI management and REST API, single-site HA.
    2nd – Add declarative policy, user interface, multi-site HA, integrations with 3rd-party tools.
    3rd – Add extensible authentication (delegation of the "Secret 0" root of trust) and enrollment workflows to support separation of duties.
    4th – Remove developers and code from the secrets workflows. Secure the "last mile" delivery of connectivity to applications.
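The 3rd-generation properties listed above (a one-time "Secret 0" handed to the application, an enrollment workflow, short-lived credentials and separation of duties between the enroller and the application) modelled as an added illustrative example; this is not CyberArk's or any vendor's code, and the roles, class name, TTLs and secret paths are assumptions made for the demonstration.

```python
import secrets
import time

TOKEN_TTL, KEY_TTL = 60, 300  # seconds; constructed values for the demo


class DemoVault:
    """Toy 3rd-gen vault: one-time enrollment token, short-lived keys, policy."""
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so a test can advance time
        self.store = {}          # secret path -> current value
        self.enroll_tokens = {}  # token -> (app_id, expiry)
        self.access_keys = {}    # key -> (app_id, expiry)
        self.policy = {}         # app_id -> set of readable paths

    def enroll(self, app_id, paths):
        # Enroller role: binds an identity to a policy and mints a one-time
        # token ("Secret 0"); this role never handles secret values.
        self.policy[app_id] = set(paths)
        tok = secrets.token_urlsafe(16)
        self.enroll_tokens[tok] = (app_id, self.clock() + TOKEN_TTL)
        return tok

    def redeem(self, tok):
        # Application role: swaps the token for a short-lived key; pop()
        # consumes the token so a leaked copy cannot be replayed.
        app_id, exp = self.enroll_tokens.pop(tok, (None, 0))
        if app_id is None or self.clock() > exp:
            raise PermissionError("invalid or expired enrollment token")
        key = secrets.token_urlsafe(16)
        self.access_keys[key] = (app_id, self.clock() + KEY_TTL)
        return key

    def read(self, key, path):
        # Release a value only to a live key whose identity policy allows it.
        app_id, exp = self.access_keys.get(key, (None, 0))
        if app_id is None or self.clock() > exp:
            raise PermissionError("invalid or expired access key")
        if path not in self.policy.get(app_id, ()):
            raise PermissionError("policy denies " + path)
        return self.store[path]

    def rotate(self, path, value):
        self.store[path] = value  # Rotator role; the next read sees the new value


def denied(action, *args):
    """True if the vault refused the action with PermissionError."""
    try:
        action(*args)
        return False
    except PermissionError:
        return True
```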
15. Securing DevOps Initiatives is a Team Sport
16. Simple Steps to Secure DevOps
    1. Assess secrets and management approaches across cloud and DevOps environments.
    2. Mitigate poorly secured secrets as basic DevOps hygiene.
    3. Embed security with developers and DevOps teams to facilitate better secrets management practices.
    4. Embrace security engineering and security automation.
17. THANK YOU. Elizabeth Lawler, Vice President, DevOps Security, CyberArk. @ElizabethLawler @CyberArk
18. Rotate, Repave and Repair*. Rotate datacenter credentials every few minutes or hours. Repave every server and application every few hours from a known good state. Repair vulnerabilities consistently within hours of patch availability. BUT there are always exceptions: no one has every environment fully automated. If it is fit for purpose, use it. *Concept from Justin Smith, Pivotal.