Securing Enterprise DevOps Environments with CyberArk Conjur: 3 Common Use Cases
September 11, 2018 | DevOps | Chris Smith
Enterprises adopt DevOps and CI/CD methodologies to accelerate the pace of innovation, eliminate inefficiencies and reduce costs. While this is a giant step forward for businesses, it often introduces complex authentication, authorization and auditing challenges for security teams. Securing credentials and secrets in dynamic DevOps and cloud-based infrastructure requires solutions that are able to support these highly automated dynamic environments by authenticating and managing machine-based identities. Additionally, IT operations and security want to leverage the security policies they have already established across the enterprise, to consistently enforce access policies and avoid disjointed or stand-alone approaches which hamper the pace of development and create additional risk.
DevOps requires a new, centralized approach to secrets management and access control that removes credentials and secrets (i.e. passwords, SSH keys and API keys) from applications and source code control systems, unifies reporting and administration, eliminates friction and fosters programmability and automation.
CyberArk Conjur Enterprise, part of the CyberArk Privileged Access Security Solution, is an enterprise-proven secrets management solution, tailored specifically to the unique infrastructure requirements of native cloud, containerized applications and DevOps environments. The solution helps organizations to secure and manage secrets used by machines and users throughout the DevOps pipeline. With Conjur Enterprise, developers can easily protect secrets, keys, certificates and authentication data. All can be stored more securely—out of repositories, out of source code and off of developer’s laptops —for powerful protection, control and manageability.
While Conjur can be used to apply security controls and best practices anywhere in cloud automation and the continuous software delivery pipeline, here are three common use cases:
- Securing the Continuous Integration and Delivery Pipeline. Many enterprises use automated configuration management tools to enable continuous integration and delivery (CI/CD) practices. However, these solutions are inherently difficult to secure because they comprise of multiple tools, often each with some varying form of secrets management capability. This leads to “security islands” that make it difficult to securely share secrets and institute uniform security policies. Additionally, secrets and credentials used to authenticate exchanges and encrypt transactions can be scattered across multiple tools, physical and virtual machines, as well as coded into playbooks, making them effectively impossible to track and manage. CyberArk Conjur integrates natively with leading automated configuration management tools, helping enterprises centralize and simplify the management of security credentials across the application lifecycle. By centrally managing machine identity and role-based access controls for CI/CD configuration management solutions, IT organizations can streamline operations and improve compliance, while instituting uniform security policies across the pipeline.
- Strong Container Authentication. In a given enterprise, a few VMs can easily give way to hundreds or many thousands of containers—each with its own security attributes. Adding to this IT security nightmare, containers are by nature transient—spun up and down to support continuous delivery—making them extremely difficult to track and manage. CyberArk Conjur is specifically architected for containerized environments. The solution leverages the native capabilities of the leading container platforms, including Kunernetes, OpenShift and Pivotal Cloud Foundry with seamless integrations to provide robust authentication and authorization. These native integrations enable IT organizations to centralize and simplify the management of secrets for containers across their cloud and hybrid environments. With Conjur, each container/pod is assigned a unique set of role-based access privileges for fine-grained control. Applications and services running in containers are uniquely authenticated, ensuring secrets are shared securely and only with their intended recipients. Credentials are managed based on policy and central audit trails provide visibility into critical security events.
- Secure Application Autoscaling. Leading cloud providers, such as AWS, offer auto-scaling capabilities to support elasticity and pay-as-you-grow economics. Yet the dynamic nature of auto-scaling creates numerous security management challenges for enterprises. CyberArk Conjur integrates with leading public cloud services, helping enterprises centralize, simplify and automate the onboarding of secrets and other credentials in auto-scaling environments. For example, Conjur host authentication capabilities enable the distribution of secrets to new cloud compute instances as they are instantiated. Automated rotators make it easy to periodically or proactively update the access keys. Organizations can also use the free CyberArk DNA tool to scan a cloud service, such as AWS, and automatically discover EC2 instances, IAM users and access keys to identify vulnerabilities and assess risks.
For more information on the capabilities and architecture of this powerful secrets management solution, download our white paper and also try Conjur Open Source. To learn more about effectively accelerating the pace of innovation while enabling DevOps security at scale, explore these six guiding principles.