Forrester’s 5 Steps to Reinforce and Harden Application Security
March 24, 2017 | DevOps | Ranjeet Vidwans
Forrester recently published an updated research document entitled “Five Steps to Reinforce and Harden Application Security”. It lays out strategies and steps that Infrastructure and Operations teams can take to collaborate with Security personnel to weave an ever-stronger security fabric into their applications. We’re happy to make that report available to you today. Below, we discuss each of the five steps and how Conjur’s trust-forward platform can help organizations implement each of those steps.
Step 1: Remove Environment Inconsistencies and Create a Bill of Materials
The report cites evidence that over 50% of web servers have one or more misconfigurations – and that’s just one example of how individually configuring production servers can lead to security exposures. You should embrace the ethos of “configuration-as-code” to establish clear and proven best configurations, and to minimize and catch any drift from those configurations.
Conjur integrates with many of the leading Configuration Management (CM) and Application Release Automation (ARA) solutions in the market including Puppet, Chef, Ansible, and SaltStack. In fact, our latest release introduces even stronger integration with Puppet than ever before including capabilities for establishing Node Identity, support for the Sensitive data type, and rich integration at the UI level to make it easier than ever to manage hosts maintained with Puppet.
Step 2: Monitor Changes by Controlling Access to Systems and Network Devices
This point is all about ensuring that you have strong identity-driven controls in place to protect yourself from outsider and insider threats, and using tight controls, such as Privileged Access Management (PAM) / Privileged Identity Management (PIM) tools, to ensure that only authenticated and authorized users are allowed to configure, deploy, and access production infrastructure.
Conjur doubles down on this point by providing industry-leading Secrets Management / PAM capabilities that are fully automated and integrable with your CM/ARA tools and your CI/CD pipeline. This approach significantly reduces your threat surface by eliminating humans from the chain of custody for production secrets.
Step 3: Assist in Intrusion Detection and Response
Intrusion is not an “if”, it’s a “when”. In spite of all your best efforts, it’s only a matter of time before you are compromised. It’s critical to pre-define “red flag” conditions and thresholds, including combinations of tripwires, and communicate those to your security team so that they can monitor for those conditions in real-time.
Conjur not only tracks each request for a secret or an authorization decision, but it also integrates with enterprise SIEM tools such as Splunk and ArcSight so that your security team and your Security Operations Center (SOC) have real-time visibility into what’s happening in your production environment. Conjur also provides a “kill-switch” capability that allows instantaneous shutdown of any access if it’s flagged. As with all things Conjur, this can be done manually or can be programmatically integrated into your incident response workflow for full automation and instant response.
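The “red flag” conditions and tripwires described in Step 3 can be expressed as rules run over the per-request audit stream a secrets manager emits to the SIEM. The following is an added example, not Conjur’s own code or its actual audit format: the event tuples are constructed stand-ins for “each request for a secret or an authorization decision”, and the two rules (a burst of denied requests from one role, and a successful read of a resource outside a role’s known baseline) are assumed thresholds, not values from the report.

```python
"""Tripwire evaluation over constructed secrets-access audit events.

Added example. The event shape is an assumed stand-in for what a secrets
manager would forward to a SIEM; it is not Conjur's real log format.
"""
from collections import defaultdict, deque

# Constructed sample stream: (timestamp_seconds, role, resource, allowed)
SAMPLE_EVENTS = [
    (100, "host/web-01", "variable:prod/db/password", True),
    (101, "host/web-02", "variable:prod/db/password", True),
    (105, "host/web-01", "variable:prod/api/key", True),
    (110, "host/build-07", "variable:prod/db/password", False),
    (111, "host/build-07", "variable:prod/api/key", False),
    (112, "host/build-07", "variable:prod/ssh/deploy-key", False),
    (113, "host/build-07", "variable:prod/tls/cert", False),
    (200, "host/web-01", "variable:prod/ssh/deploy-key", True),
]

# Constructed baseline: resources each role is known to legitimately read.
BASELINE = {
    "host/web-01": {"variable:prod/db/password", "variable:prod/api/key"},
    "host/web-02": {"variable:prod/db/password"},
}

DENIAL_THRESHOLD = 3   # assumed: this many denials for one role ...
DENIAL_WINDOW = 60     # ... inside this many seconds trips the wire


def evaluate_tripwires(events, baseline):
    """Return red flags as (timestamp, role, reason) tuples.

    Rule 1: a role accumulates DENIAL_THRESHOLD denials within DENIAL_WINDOW
            seconds (flagged once, when the threshold is first reached).
    Rule 2: a role is *granted* a resource absent from its baseline.
    """
    flags = []
    recent_denials = defaultdict(deque)   # role -> sliding window of times
    for ts, role, resource, allowed in sorted(events):
        if not allowed:
            window = recent_denials[role]
            window.append(ts)
            while window and ts - window[0] > DENIAL_WINDOW:
                window.popleft()          # drop denials outside the window
            if len(window) == DENIAL_THRESHOLD:
                flags.append((ts, role, "denial burst"))
        elif resource not in baseline.get(role, set()):
            flags.append((ts, role, f"first access to {resource}"))
    return flags


if __name__ == "__main__":
    for flag in evaluate_tripwires(SAMPLE_EVENTS, BASELINE):
        print("RED FLAG", flag)
```

Each flag is the kind of condition that would be handed to the SOC for real-time monitoring or wired into an automated response such as the kill-switch the post mentions.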
Step 4: Log Everything Possible
Not much explanation needed here. A detailed audit trail is like a police officer’s backup / ankle weapon (you don’t need it till you need it badly). Detailed log information on every configuration change, authentication / authorization request and disposition, etc. is what your forensic team will use when digging into issues when (not if) they occur.
Conjur stores every transaction, even those that are requested but not approved, into an immutable database. The audit trail can be inspected at any time via APIs and command line tools. More importantly, Conjur provides rich, user-friendly reports that can be used by auditors and other non-technical users. These reports and views can be quickly filtered to narrow down to audit events during a particular timeframe, or for a particular role or resource.
Step 5: Create a Stack of Application Security Tools
Infrastructure and Security personnel need to have a diverse arsenal of tools for securing access to infrastructure and resources, performing dev-time and run-time security monitoring, and kicking off incident response workflows as and when needed. Conjur provides a crucial piece of that security mosaic, and is completely programmable to ensure that it can fit seamlessly into a modern Secure DevOps, or SecDevOps, workflow.