The Big Shift: Static to Dynamic Security Models
With the advent of Cloud Computing, Mobile Endpoints, and IoT, Data Center Infrastructure and Security models have shifted from well-defined perimeters that were protected by firewall appliances, static policies, and monolithic stacks to dynamic, software-defined infrastructure powered by virtualization and containerization. The perimeter is now elastic and can’t be defined or secured by static policies. Host and Endpoint Security has shifted to a distributed model that is driven by dynamic policies, ephemeral machine instances, and immutable infrastructure.
One major component of Infrastructure hasn’t kept pace with this transformation, and that is Identity, Access, and Secrets Management for Users, Services, and Machines. The traditional solutions of /etc/passwd, LDAP, and Active Directory lack flexible context for these new architectures, and as the 2015 breach reports show, a lack of rigor around Identity Credentials is the root cause of the majority of them. Another challenge for CIOs and Infrastructure leaders is the development and maintenance of “home-grown” solutions that typically solve a tactical challenge but fall short strategically, then inevitably lose support over time and become “orphaned”. This approach usually creates more security challenges than it solves.
The two basic components of Identity Security are:
Authentication (AuthN) :: Are you who you say you are?
Authorization (AuthZ) :: Do you have the access rights to perform the requested action?
Cloud and Microservice architectures, along with Cloud-Native applications, require a new Identity and Security orchestration solution: one that is API-driven, dynamic, and adaptive. Ephemeral instances and services need a new approach to AuthN and AuthZ, in which access rights have an expiration time, secrets such as API keys, tokens, and certificates are rotated at specific intervals, and, most importantly for security and compliance, a complete audit log is kept. Traditional ACLs cannot provide the level of granularity these architectures require, and even host-based approaches don’t translate to this new architecture because of the challenges of eventual consistency. Services and Machines need to perform both AuthN and AuthZ operations in real time, instead of having static rules applied to them.
Conjur’s Next-Gen Identity Security Platform is the only one on the market built with the new stack in mind. Identity Security has shifted from static policies on monolithic systems to dynamic policies that adapt to architectural changes and new ephemeral services. User Authentication and Authorization are now powered by a RESTful API, and Elastic Policies can be applied to Users, Machines, and API endpoints.
Because Authorization rules can be applied to both users and machines, your API endpoints can now have a much finer level of security granularity, instead of simply being Public or Private. Policy Enforcement is built on Role Based Access Control (RBAC), is decoupled from the underlying infrastructure, and becomes proactive instead of reactive. Security is now woven into the fabric of applications instead of being a shield in front of them.
SSH Key management shifts from the distribution of public-keys to every host in your infrastructure (eventually consistent) to a centralized, secure host that applies both AuthN and AuthZ policies at login time. All activity is securely logged to an immutable audit log, which bolsters your overall security insight, as well as provides rich context for your SOX, PCI, and other compliance requirements.
Secrets such as passwords, API Keys, and SSL Certificates should never be stored in source-code files. Conjur’s Summon allows you to securely move secrets out of source code and inject them from a configurable secrets provider into the process environment at run time.
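The run-time injection pattern described above, as an added example that is not Summon’s or Conjur’s own code: a manifest checked into source names only secret paths, a provider resolves them when the process is launched, and the values reach the application solely through the child’s environment. The manifest, the `fake_provider` backend and its values are constructed for illustration.

```python
"""Stand-in for the secrets-injection pattern: manifest -> provider -> child env."""
import os
import subprocess
import sys
from typing import Callable, Dict

# Constructed manifest, in the spirit of a secrets.yml file: the variable
# name the application expects, mapped to a provider-side path. Only the
# path lives in source control, never the value.
MANIFEST: Dict[str, str] = {
    "DB_PASSWORD": "prod/db/password",
    "API_KEY": "prod/payments/api_key",
}

# Constructed backend standing in for a real secrets provider.
_FAKE_BACKEND = {
    "prod/db/password": "s3cr3t-db",
    "prod/payments/api_key": "key-12345",
}


def fake_provider(path: str) -> str:
    """Resolve one secret path; a real provider would call the vault's API."""
    if path not in _FAKE_BACKEND:
        raise LookupError(f"no secret at {path!r}")
    return _FAKE_BACKEND[path]


def build_child_env(manifest: Dict[str, str],
                    provider: Callable[[str], str]) -> Dict[str, str]:
    """Resolve every entry before launch, so a missing secret fails the
    start instead of running the application half-configured."""
    env = dict(os.environ)          # copy: the parent's environ is untouched
    for var, path in manifest.items():
        env[var] = provider(path)
    return env


def run_with_secrets(cmd, manifest=MANIFEST, provider=fake_provider):
    """Launch cmd with the resolved secrets present only in its environment."""
    return subprocess.run(cmd, env=build_child_env(manifest, provider),
                          capture_output=True, text=True, check=True)


def child_value(var: str) -> str:
    """Start a child interpreter and return the value it sees for var."""
    cmd = [sys.executable, "-c", f"import os; print(os.environ[{var!r}])"]
    return run_with_secrets(cmd).stdout.strip()


def leaked_to_parent(var: str) -> bool:
    """True if the secret ended up in this process's own environment."""
    return var in os.environ


if __name__ == "__main__":
    print(child_value("DB_PASSWORD"))
```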
Policy configuration and management moves out of disparate configuration files into a single-pane-of-glass UI that allows complete visibility into the Infrastructure, complete with detailed reports for insight, audit, and compliance.