Simplify and Improve Container Security Using New CyberArk Conjur Integrations with Kubernetes and Red Hat OpenShift
May 8, 2018 | Technology Partners | Chris Smith
This week at the Red Hat Summit, we’re introducing two new integrations that improve container security. CyberArk Conjur Enterprise now offers general availability support for the Red Hat OpenShift Container Platform and Kubernetes. This is in addition to previously announced enterprise-level support for Pivotal Cloud Foundry and Docker.
While container platforms provide some built-in secrets handling, organizations still face specific challenges in protecting the secrets and credentials a containerized workflow needs. These challenges include:
- Potential inadvertent exposure of secrets and other credentials (for example, in images, environment variables or configuration files)
- Limited, if any, runtime authentication to confirm that the container requesting a secret is the application container it claims to be
- A lack of segregation of duties between different application containers, and between the application secrets and the container platform admin
- Limited audit trails
- Limited, if any, rotation of secrets
Red Hat OpenShift and Kubernetes
OpenShift is a popular platform-as-a-service (PaaS) offering from Red Hat that is built on Docker and Kubernetes. Kubernetes is an open source container orchestration project that originated at Google and is emerging as the de facto orchestration tool. Docker is a widely used tool designed to make it easier to create, deploy and run applications by using containers. With the CyberArk Conjur integrations, enterprises can take advantage of microservices by building powerful, secure container environments.
Simplified Secrets Management for Containers
The integrations between OpenShift/Kubernetes and CyberArk Conjur Enterprise simplify secrets management for containers and strengthen container security in a way that is native to the platform. This enables organizations to more securely deploy enterprise applications at scale. For example, with these integrations, organizations using OpenShift or Kubernetes can leverage CyberArk Conjur Enterprise to secure, manage and rotate secrets and other credentials: Conjur first authenticates the pod, and only then passes the secrets stored in Conjur to the application's containers.
CyberArk Conjur Enterprise is designed to ensure secrets are exposed only to authenticated and authorized workloads, and the Conjur integration enhances security for OpenShift environments by providing:
- Encryption of secrets in transit, end to end, through mutual TLS (Transport Layer Security), so both the pod and Conjur verify each other's identity.
- Robust authentication and authorization incorporating Conjur policy, signed certificates, and an internal Kubernetes authenticator.
- Separation of duties and other policies by letting OpenShift security teams control container access while development teams define application requirements.
- Easy deployment of applications across environments and pods.
- Scalability and performance advantages of the Conjur master-follower architecture. Followers serve read-only requests from client containers and applications, so scaling out is simply a matter of adding more Followers.
- Secret rotation, centralized auditing, and all other advantages of Enterprise Conjur.
Ease of Use for Developers
With these integrations, developers are able to easily meet security requirements without changing their application code. CyberArk Conjur Enterprise was designed specifically for developers with the goal of empowering them to focus on development. For example, security policies can be written and managed as code using YAML files, enabling security policies to be more easily established and managed. The policy files can be checked into version control and re-used across development, test and production environments.
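As an added illustration of the policy-as-code approach and of the separation of duties described above (this is example policy written for this post, not policy shipped by CyberArk or taken from the product documentation), the following Conjur policy file splits responsibilities between two teams: a security-owned root policy controls which cluster may authenticate, and a branch delegated to developers declares the application's host identity, its variables and the permissions between them. The group names `security` and `developers`, the application name `myapp`, the host `frontend`, the authenticator service id `prod-cluster` and the variable names are all assumptions.

```yaml
# Example Conjur policy written for this post; all identifiers are assumptions.
# Loaded into the root policy branch by the security team.
- !group security
- !group developers

# The security team owns the Kubernetes authenticator and therefore decides
# which cluster is allowed to authenticate at all. "prod-cluster" is assumed.
- !policy
  id: conjur/authn-k8s/prod-cluster
  owner: !group security
  body:
    - !webservice

# The application branch is owned by developers: they can change what their
# application needs without being able to touch the authenticator policy or
# any other application's secrets.
- !policy
  id: myapp
  owner: !group developers
  body:
    # A layer groups the application's hosts; a host is the identity a pod
    # authenticates as. The layer without an explicit id is named "myapp".
    - !layer
    - !host
      id: frontend
      annotations:
        description: frontend pods of myapp (assumed naming)
    - !grant
      role: !layer
      member: !host frontend

    # Secret values are stored in variables; the policy file never holds the
    # values themselves, so it is safe to commit to version control.
    - &secrets
      - !variable database/password
      - !variable api/key

    # Only members of the application layer may read these variables.
    - !permit
      role: !layer
      privileges: [ read, execute ]
      resources: *secrets

# Allow the application layer to use the authenticator. This sits in the
# root branch, so only the security team can grant it.
- !permit
  role: !layer myapp
  privileges: [ authenticate ]
  resource: !webservice conjur/authn-k8s/prod-cluster
```

The root policy is loaded once by the security team (with the Conjur CLI of the time, `conjur policy load root policy.yml`); afterwards developers can reload only the `myapp` branch, and a developer who adds a variable to the wrong branch, or tries to grant `authenticate` on the webservice from within `myapp`, is rejected because the `developers` group does not own those resources.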
True End-to-End Credential Management Across The Enterprise – No Security Islands
Another advantage of the integrations is that organizations gain policy-based secrets and credential management across their entire enterprise. With the integration between CyberArk Conjur Enterprise and Red Hat OpenShift, secrets and credentials managed by the CyberArk Enterprise Password Vault can be automatically replicated into OpenShift or Kubernetes. Organizations can consistently manage access credentials and secrets across on-premises, hybrid and multi-cloud environments, as well as for OpenShift, Kubernetes, and other DevOps platforms and tools. Conjur can also be used as a standalone solution and integrated with the Vault later, if and when the enterprise chooses to.
Getting Started with Conjur Enterprise and OpenShift
The CyberArk Conjur Enterprise OpenShift and Kubernetes Integrations are available now. To learn more, view the on-demand OpenShift Commons Briefing: CyberArk Conjur Secrets Management demo and webinar, contact sales, or visit CyberArk.com/Conjur. If you are at Red Hat Summit this week (May 8-11) please stop by booth #932 for a demo.
Conjur Open Source Also Available
CyberArk Conjur Open Source is freely available for trial or download on GitHub or Conjur.org and it supports many integrations with other open source DevOps tools. Everyone using Conjur Open Source is encouraged to join the Conjur Slack channel to communicate directly with the Conjur engineering team to ask questions and provide product feedback.