All Of Your Robots Belong To Us
September 8, 2015 | DevOps |
[Note: Conjur’s first blog post out of stealth in December of 2013 was entitled “Take command of your robot army”. The robot army is still out there, and growing! This post revisits some of the same concepts through the lens of 2015 IT Operations.]
In the above context, “Us” used to refer to Developers, Operations, and End Users. With the advances in Cloud, Big Data, Containerization, Microservices, IoT, and so on, “Us” now extends to mobile devices (Smart Phones, Tablets, Wearables), ephemeral machine instances (VMs and Containers), beacons/sensors, automated infrastructure workflows, and build and deploy pipelines. In other words, robots (a.k.a. “code”) are running the show.
Traditional perimeter-based approaches to System and Data Security are no longer viable or effective in today’s Cloud-native and Software-Defined world. Companies need to start thinking strategically about how they manage and govern access by developer, infrastructure user, machine, and service identities in order to ensure that security is implemented consistently throughout the new IT stack.
In Verizon’s 2015 Data Breach report, 3 of the top 4 causes of breach were due to stolen credentials of internal users or system-level accounts. The latter, which tend to be the command center for robot armies, are typically the most disruptive and costly.
The starting place for securing the increasingly diverse army of “robots” has been to implement point solutions over existing technologies. This leads to common security controls being spread across many technologies: passwords are stored in files, HSMs, and config repositories; /etc/sudoers files are stored in configuration management and Cloud IaaS IAM systems; traffic authentication rules are stored in source code repositories. Security sprawl and security breakdown.
In previous eras, when the topology of IT systems was more homogeneous, managing merely one of the axes of access control, “Identity”, was reasonably straightforward. The system of record was a single directory of users stored in either Active Directory or LDAP. With the onset of Cloud Computing, Virtualization, and now Containerization plus Microservice Architectures, the notional responsibilities associated with “Identity” have been extended to machines, instances, and microservices, all of which can be ephemeral. This new set of users is what we describe as your “Robot Army”. The result is a very complex Identity and Access Management challenge that requires a completely new approach.
Securing Your Robot Army From Breaches
Your robots will be smart, as they typically have full and direct access to more data and information than standard users do. As a result, they are an attractive attack vector, and if compromised, they will give the attacker full access to whatever their code can reach. Once the attacker has control over a robot, they can perform malicious activities such as escalating privileges to access and steal sensitive data, or deleting important systems or data. Managing your robot army should be approached the same way you manage and administer the roles and access rights of your normal users. Security practices like least privilege and role-based access control should be implemented, along with an immutable audit log of all activity, to help mitigate either malicious or unintentional access to critical systems and data.
How Large Is Your Robot Army?
The answer to that question depends upon where your organization is with respect to Cloud infrastructure and other “new stack” technology like microservices. Are you using Public Cloud Infrastructure such as Amazon Web Services or Microsoft Azure? Perhaps you also have a Private Cloud and other on-premises systems. Have you implemented a containerization strategy? Have you deployed a Continuous Integration and Delivery system? Most likely your answers are all yes, or partially yes, along with plans to deploy new technology in the upcoming months. Your Robot Army is probably already larger than you initially believed, and growing each day.
Securing Your Robot Army
At the core, a new platform is required to identify, manage, control and audit all these new system actors: one that has been purpose-built with API controls for Authentication and Authorization. Manual or one-off processes don’t allow you to move at the speed of DevOps and Cloud, and are often fraught with human error.
The platform should also include a comprehensive audit log for Security and Compliance, and for communication with internal and external teams. Microservices should also be part of your Authorization strategy. APIs shouldn’t be completely open; service-level authorization adds another layer of security, complete with an audit log for compliance and review.
With a solution like this deployed, you can be assured that your Robot Army remains under your full control and that evil Robots won’t be taking over your Infrastructure.