Puppet is Talking Tech, and we’re inviting you to join us!
In our new webinar series, we’ll host discussions about exciting technology solutions that are driving the industry forward. Our technology experts will dive deep into topics that matter and will bring customers, partners and other leaders to the table to give you answers to your technology questions. Today - we pres
Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur
Date: Wednesday, 8 November 2017
Time: 8:00 - 9:00 a.m. PT
Safeguard secrets and deliver applications faster
Puppet empowers organizations to rapidly deliver value by enabling infrastructure-as-code. Learn how CyberArk Conjur delivers security-policy-as-code, enables your organization to provide better security, and increases developer and operations autonomy. Join us and learn how to automatically apply secrets-management best practices to the DevOps toolchain using Puppet Enterprise and CyberArk Conjur.
1. Puppet presents “Talking Tech”
A new webinar series featuring exciting technology solutions
that are driving the industry forward
Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur
Date: Wednesday, 8 November 2017
Manage F5 BIG-IP Infrastructure with Puppet
Date: Tuesday, 14 November
Shift Left: Puppet + CloudPassage = New Approach to Securing DevOps
Date: Wednesday, 15 November
4. Automating Rapid Delivery, Securely
Infrastructure-as-Code: IT infrastructure managed and provisioned through code, rather than manual processes
Security-as-Code: automating security policy enforcement through code, rather than manual processes
Talking Tech: Puppet Webinar Series
5. Agenda
• Enterprise Information Security Perspective
• Overview of CyberArk Conjur
• Overview of Puppet and DevOps
• Security Challenges in DevOps Toolchain
• Leading Practices
• Example Code
• Q&A
6. What do I wake up worrying about?
• Privileged access management
• Data security in the cloud
• Social engineering
• Ransomware
• Vulnerability management
• Bring Your Own Device
• Nation-state cyber attacks
• Shadow IT
• Internet of Things
7. Exploits are targeting the application development tool stack
• Database containing driver PII was compromised after storing keys in a publicly available repository (May 2014)
• XcodeGhost hack uses compiler backdoor to inject 3rd party code into developed applications (September 2015)
• Hacker accessed a Docker registry that contained the entire Vine source code, API keys, and other secrets (July 2016)
• Hackers have exploited exposed, unauthenticated MongoDB instances to plant ransomware into high-profile clients such as Emory Healthcare (January 2017)
8. Confession time... Haven't we all, at least once...
• Manually copied SSH keys to servers to provide access?
• Shared a key over chat?
• Manually configured or changed production servers?
• Stored secrets in config files in S3?
• Stored secrets in source control?
• Embedded passwords in applications?
9. CyberArk is Proactive Security
Your secrets and privileged accounts are the keys to your business.
Every piece of infrastructure you operate uses secrets.
CyberArk provides the tools and know-how to manage all your secrets, giving you total visibility and control.
10. Using a common language
Across everything, no matter where it runs
Puppet provides an automatic way to:
• know what you have
• control it and enforce consistency
• secure it and keep it compliant
• modernize it
11. DevOps Represents A Massive Shift
From the old way to the new way:
• Ad hoc, manual and error prone -> Automatic, standard and scalable
• Infrequent delivery -> Delivering at will
• Security in silos -> Inherent security
• Legacy platforms -> Constantly modern
12. Perspectives Matter
Traditional view of security: a bunch of suits preventing my killer app from going to prod
An essential view of security: a thing that helps prevent the destruction of my employer, my job, my information
13. Securing secrets has evolved since Puppet's early days
[Chart: degree of security (less to more) plotted against time and scale, starting from human identity]
• Puppet Manifests: secrets exposed in code
• Hiera-Eyaml: secrets abstracted and encrypted
• Conjur Secrets Store: secrets secured, key rotation
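The three stages on this slide, written out as Puppet code. This is an added example, not code from the deck or from the cyberark/conjur module. The class names, the config file path, the Hiera key, the eyaml ciphertext and the Conjur variable id are illustrative; `lookup`, `Sensitive` and `conjur::secret` are the real Puppet and module functions (the module documents `conjur::secret` as returning a `Sensitive` value; verify against the module version you deploy).

```puppet
# Added example: the three stages from "Securing secrets has evolved".
# myapp, /etc/myapp/db.conf, myapp::db_password and
# production/myapp/db/password are illustrative names.

# Stage 1: secret exposed in code. Everyone with read access to the repo,
# and every catalog and report that contains this class, sees the value.
class myapp::db_plaintext {
  $db_password = 'Sup3rS3cret!'          # DO NOT DO THIS
  file { '/etc/myapp/db.conf':
    ensure  => file,
    mode    => '0600',
    content => "password = ${db_password}\n",
  }
}

# Stage 2: secret abstracted out of the manifest into Hiera and encrypted
# with hiera-eyaml. The manifest no longer contains the value, but one
# private key on the master decrypts every secret, access is not tied to the
# node's identity, and rotation means re-encrypting and committing.
#
#   # hieradata/common.eyaml (constructed ciphertext; a real blob is longer)
#   myapp::db_password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAx...]
class myapp::db_eyaml {
  $db_password = Sensitive(lookup('myapp::db_password'))
  file { '/etc/myapp/db.conf':
    ensure    => file,
    mode      => '0600',
    show_diff => false,   # keep the value out of reports and logs
    content   => Sensitive("password = ${db_password.unwrap}\n"),
  }
}

# Stage 3: secret secured in Conjur. The node authenticates with its own
# machine identity, the master can fetch only the variables that node's
# policy permits, every fetch is audited, and rotation happens in Conjur
# with no manifest change.
class myapp::db_conjur {
  $db_password = conjur::secret('production/myapp/db/password')
  file { '/etc/myapp/db.conf':
    ensure    => file,
    mode      => '0600',
    show_diff => false,
    content   => Sensitive("password = ${db_password.unwrap}\n"),
  }
}
```

The only line that changes between stage 2 and stage 3 is where `$db_password` comes from; the resource that consumes it is identical, which is the "one-time manifest change" the tradeoffs slide later refers to.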
14. Some Good Practices
• Encrypt secrets
• Rotate secrets
• Make secrets ephemeral
• Authenticate all requests (Zero Trust)
• Authorize minimally (Least Privilege)
• Audit everything
• Automate all of the above
15. Some Better Practices (Enlightened State)
▪ Workflows that support velocity and enhance security at the same time
▪ Security configuration is part of the development flow - i.e. in the same code repos as the applications - otherwise security and code get out of sync and deploys fail
▪ Security tools run separately from developer tools – to isolate secrets management from application code
16. Example CI Workflow w/ GitHub, Jenkins & Docker
[Diagram: each stage of the GitHub, Jenkins and Docker pipeline is marked "Secrets required!"]
17. How do these ideas apply to Puppet?
[Diagram: a Puppet Master and a Secret Store serving Staging (App 1, App 2, App 3) and Production (App 1, App 2, App 3)]
19. Identity leads to effective access management
Build on a chain of trust:
• Authenticate all requests
• Authorize w/ least amount of privilege
• Audit everything
...and do it with code!
20. Machine Identity with Conjur
[Diagram: a Puppet Admin pushes node configuration to the Puppet Master; nodes running the Puppet Agent are grouped by team (Team 1, Team 2 ... Team N); the master talks to CyberArk Conjur through the Conjur module]
• The node obtains a Conjur access token, encrypts it, and places it in the "facts".
• The Puppet master uses a node's identity to fetch secrets via the Conjur module.
• A node's access to secrets is defined in declarative policies.
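The machine-identity flow on this slide, together with the declarative policy it relies on (the point slide 27 makes about policies modelling applications, users and environments), as an added example in Puppet. It is not code from the deck or the cyberark/conjur module. The `example` account, `conjur.example.internal`, the `production/myapp` policy, the Hiera key `conjur::host_factory_token`, the file paths and the `profile::` class names are assumptions; the `conjur` class parameters and `conjur::secret` follow the module's documented interface, and the `conjur policy load` command assumes a Conjur v5 CLI that is already installed and logged in on the policy host.

```puppet
# Added example, not code from the deck or the cyberark/conjur module.
# Assumed names: account 'example', conjur.example.internal, the
# production/myapp policy, Hiera key conjur::host_factory_token, file paths
# and the profile:: class names. Verify the `conjur` class parameter names
# against the module version you deploy.

# --- Security policy as code: applied on a policy-administration host ---
class profile::conjur_policy {
  # The policy models one application in one environment: a layer for its
  # hosts, a host factory that enrols new hosts into that layer, the one
  # variable the app needs, and the single permission tying them together.
  # Nothing outside the layer can fetch the variable; the layer can fetch
  # nothing else. Living in the same repo as profile::myapp keeps security
  # config and application config from drifting apart (slide 15).
  $policy = @(POLICY)
    - !policy
      id: production/myapp
      body:
        - !layer
        - !host-factory
          layers: [ !layer ]
        - !variable db/password
        - !permit
          role: !layer
          privileges: [ read, execute ]   # execute = fetch the value
          resource: !variable db/password
    | POLICY

  file { '/etc/conjur/policy/production-myapp.yml':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => $policy,
    notify  => Exec['load production/myapp policy'],
  }

  # Re-load only when the file changes. Assumes the Conjur v5 CLI is
  # installed here and already logged in as a policy administrator.
  exec { 'load production/myapp policy':
    command     => 'conjur policy load root /etc/conjur/policy/production-myapp.yml',
    path        => ['/usr/local/bin', '/usr/bin', '/bin'],
    refreshonly => true,
  }
}

# --- Machine identity: applied on every node that runs the application ---
class profile::myapp {
  # Reuse the identity the Puppet CA already vouches for: the agent's
  # certname from the trusted facts, not a self-reported fact.
  # The host factory token is the only bootstrap secret; it is short-lived,
  # scoped to this one layer, and comes from eyaml-encrypted Hiera data,
  # never from the manifest.
  class { 'conjur':
    appliance_url      => 'https://conjur.example.internal/',
    account            => 'example',
    authn_login        => "host/${trusted['certname']}",
    host_factory_token => Sensitive(lookup('conjur::host_factory_token')),
    ssl_certificate    => file('profile/conjur-ca.pem'),
    version            => 5,
  }

  # Fetched at catalog compile time on the master, using the access token
  # the agent obtained with its own identity and sent (encrypted) as a fact.
  # A node outside the production/myapp layer gets an authorization error
  # here, not a secret, and rotating the value in Conjur needs no manifest
  # change. On a node's very first run no identity exists yet; check the
  # module README for how your version handles that bootstrap run.
  $db_password = conjur::secret('production/myapp/db/password')

  file { '/etc/myapp/db.conf':
    ensure    => file,
    mode      => '0600',
    show_diff => false,
    content   => Sensitive("password = ${db_password.unwrap}\n"),
  }
}
```

Adding a second application or a staging copy of this one is a second `!policy` block with its own layer and variables, not a change to the master or to any other team's manifests, which is what lets teams self-manage their secrets without widening anyone else's access.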
26. Tradeoffs to using identity to retrieve secrets...
▪ Pros:
• Eliminates over-privileged central attack target
• Enables fine grained control of secret retrieval & updating
• Secrets are dynamically retrieved without writing a lot of code
• Enables teams to self manage their application secrets (ex. staging)
• All access is authenticated, authorized and audited (makes Security happy)
▪ Cons:
• Requires a one-time manifest change
27. Lessons We’ve Learned
• It is possible to align Velocity and Security
• If security is a bad UX, everybody loses
• Established Security principles still apply, but must acknowledge new realities
• Security policies should declaratively model applications, users and envs
• You can easily add secure, dynamic secrets retrieval to your manifests
30. Summary
Puppet and CyberArk Conjur enable organizations to provide better security and
increase developer and operations autonomy using infrastructure-as-code and
security-policy-as-code
Takeaways:
• Automate everything
• Abstract secrets from code
• Encrypt and rotate secrets
• Authenticate all requests
• Use Least Privilege principles
• Audit everything
Stay tuned for more webinars from CyberArk and Puppet ...