Peter Greenwood, Practice Team Lead and Senior Consultant, SecureITsource, Inc.
Managing the secrets consumed in a high velocity DevOps environment can often be a blind spot for an organization. The modern software development lifecycle (SDLC) has undergone a remarkable transformation in the past few years with the rapid adoption of cloud computing, containerization, microservices, and the myriad of tools at our disposal. As is often the case with rapid development and innovation; Security can be seen as an obstacle to be tackled at a later date because it requires additional effort that can potentially slow down development. Enter DevSecOps and security as code;
There is no shortage of vendors advertising secrets management including AWS, Azure Key Vault, GCP Cloud KMS, Docker Secrets, Kubernetes secret objects, Ansible Vault, HashiCorp Vault, and others. These solutions all have something in common; they are either limited to their respective platforms or only cover limited aspects of an organization’s secret management needs. This segmentation forces application developers to maintain multiple versions of an application, each conforming to platform specific secret management tools. What is truly needed in this space is a unified solution that promotes standard coding practices enterprise-wide that mitigates vendor lock-in and is platform agnostic.
CyberArk is the global leader in privileged access security serving more than half of the Fortune 100 with their Enterprise Password Vault. With the release of the Vault-Conjur Synchronizer, CyberArk has provided the means to securely deliver secrets to the cloud, containers, and microservices. This is exciting news, and while CyberArk acquired Conjur in May of 2017, the two platforms have co-existed as separate platforms, securing mutually exclusive secrets. Businesses that have invested in the traditional CyberArk PAM solution can now extend their investment to the cloud, microservices, containers, and a growing list of DevOps platforms with Conjur’s Docker/Kubernetes friendly deployment options.
The Vault-Conjur-Synchronizer runs on Windows server just like most CyberArk components and installs as a service. The service checks in with the vault on an interval for changes (every 5 minutes by default) to variables synced with Conjur and updates them as needed. The Vault-Conjur-Synchronizer uses a ConjurSync safe, a ConjurSync user, and LOBUsers (Line of Business). The LOBUsers are added to the ConjurSync safe and any safes that need to be synced with Conjur (currently limited to 10 total). The diagram below demonstrates the flow but also introduces a new human role, the LOB Admin. The LOB admin would be responsible for managing the conjur side of the flow, handling access control and other administrative functions for his/her designated LOB. We at secureITsourceLABS have found this integration to be quite intuitive, and we look forward to demonstrating specific use cases with this new functionality.
Exposing secrets stored in CyberArk’s Password Vault to Conjur’s clients, SDK’s, and API’s gives developers a powerful new set of tools for securely retrieving secrets.
SecureITSource will once again be a premium sponsor of CyberArk Impact this year (July 16th, – July 19th 2018) and we look forward to demonstrating the power that this integration unlocks at our booth on the mezzanine level. If you have any questions or would like to discuss the challenges that your organization faces with cloud and DevOps adoption, we would be happy to discuss potential solutions.