Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur

Puppet presents “Talking Tech”
A new webinar series featuring exciting technology solutions
that are driving the industry forward
Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur
Date: Wednesday, 8 November 2017
Manage F5 BIG-IP Infrastructure with Puppet
Date: Tuesday, 14 November
Shift Left: Puppet + CloudPassage = New Approach to Securing DevOps
Date: Wednesday, 15 November

Delivering Infrastructure and
Security Policy as Code

Presenters
Jeff Schmied
Director
Information Technology
Puppet
Ryan Prior
Software Engineer
@ryanprior
CyberArk
Talking Tech: Puppet Webinar Series

Automating Rapid Delivery, Securely
Infrastructure-as-Code
IT infrastructure managed and
provisioned through code, rather than
manual processes
Security-as-Code
Automating security policy enforcement
through code, rather than manual
processes

Agenda
• Enterprise Information Security Perspective
• Overview of CyberArk Conjur
• Overview of Puppet and DevOps
• Security Challenges in DevOps Toolchain
• Leading Practices
• Example Code
• Q&A

Privileged access management
Data security in the cloud
Social engineering
Ransomware
Vulnerability management
Bring Your Own Device
Nation-state cyber attacks
Shadow IT
Internet of Things
What do I wake up worrying about?

Database containing driver PII was compromised after storing keys in a
publicly available repository (May 2014)
XcodeGhost hack uses compiler backdoor to inject 3rd party code into
developed applications (September 2015)
Hacker accessed a Docker registry that contained the entire Vine source
code, API keys, and other secrets (July 2016)
Hackers have exploited known MongoDB vulnerabilities to plant
ransomware into high-profile clients such as Emory Healthcare (January
2017)
Exploits are targeting the application development tool stack

Manually copied SSH keys to servers to provide
access?
Shared a key over chat?
Manually configured or changed production servers?
Stored secrets in config files in S3?
Stored secrets in source control?
Embedded passwords in applications?
Confession time... Haven’t we all, at least once...

Your secrets and privileged accounts are the keys to your
business.
Every piece of infrastructure you operate uses secrets.
CyberArk provides the tools and know-how to manage all your
secrets, giving you total visibility and control.
CyberArk is Proactive Security

Using a common language
Across everything, no matter where it runs
Puppet provides an automatic way to:
know what you have control it and enforce
consistency
secure it and keep it
compliant
modernize it

to the new wayfrom the old way
DevOps Represents A Massive Shift
Automatic, standard and scalable
Delivering at will
Inherent security
Constantly modern
Ad hoc, manual and error prone
Infrequent delivery
Security in silos
Legacy platforms

Traditional view of security:
A bunch of suits preventing my killer app
from going to prod
Perspectives Matter
An essential view of security:
A thing that helps prevent the destruction
of my employer, my job, my information

Securing secrets has evolved since Puppet’s early days
Human Identity
Degree of
Security
Less
More
Hiera-Eyaml
- secrets abstracted
and encrypted
Conjur Secrets Store
- secrets secured
- key rotation
Puppet Manifests
- secrets exposed in
code
Time (& Scale!)

Some Good Practices
• Encrypt secrets
• Rotate secrets
• Make secrets ephemeral
• Authenticate all requests (Zero Trust)
• Authorize minimally (Least Privilege)
• Audit everything
• Automate all of the above

Some Better Practices (Enlightened State)
▪ Workflows that support velocity and enhance security at the same time
▪ Security configuration is part of the development flow - i.e. in the same
code repos as the applications - otherwise security and code get out of sync
and deploys fail
▪ Security tools run separately from developer tools – to isolate secrets
management from application code

Example CI Workflow w/ GitHub, Jenkins & Docker
SECRETS
REQUIRED!
SECRETS
REQUIRED!
SECRETS
REQUIRED!
SECRETS
REQUIRED!

How do these ideas apply to Puppet?
Puppet
Master
Secret
Store
Staging
App 1
App 2
App 3
Production
App 1
App 2
App 3

The Solution
+
Human Identity

Build on a chain of trust
Authenticate all requests
Authorize w/ least amount of privilege
Audit everything
...and do it with code!
Identity leads to effective access management

Machine Identity with Conjur
PUPPET
MASTER
Puppet Admin
Node Node
Configuration
Puppet
Agent
Puppet
Agent
Node
Puppet
Agent
TEAM 1 TEAM NTEAM 2
Node obtains a
Conjur access
token, encrypts it,
and places it in the
“facts”
• The Puppet master uses a Node’s
identity to fetch secrets via the
Conjur module.
• A Node’s access to Secrets is
defined in declarative Policies
CyberArk-Conjur
Conjur Module

Secure Workflow w/ Machine Identity

Puppet Manifest with Secrets
################## Site.pp ##################
node 'default' {
require secrets
file { '/tmp/dbpass':
ensure => file,
content => "${secrets::postgres_password.unwrap}",
show_diff => false, # don't log file content
}
file { '/tmp/token':
ensure => file,
content => "${secrets::vendor_oauth_token.unwrap}",
show_diff => false,
}
}
################## Secrets.pp ##################
class secrets {
$vendor_oauth_token = Sensitive('5262e7a7-4cfd')
$postgres_password = Sensitive('wake operator pure')
}

Heira with Secrets
################## Site.pp ##################
node 'default' {
ensure => file,
content => "${hiera(‘postgres_password’)}",
}
ensure => file,
content => "${hiera(‘vendor_oauth_token’)}",
show_diff => false,
}
}
# oauth token
$ eyaml encrypt '5262e7a7-4cfd'
# database password
$ eyaml encrypt 'wake operator pure'
# instructions:
# load these into Hiera, distribute keys to operators

Puppet Manifests using Conjur
################## Site.pp ##################
node 'default' {
require secrets
ensure => file,
content => "${secrets::postgres_password.unwrap}",
}
ensure => file,
content => "${secrets::vendor_oauth_token.unwrap}",
show_diff => false,
}
}
################## Secrets.pp ##################
class { 'conjur':
account => 'demo',
appliance_url => 'http://conjur',
authn_login => "host/app-${::trusted['hostname']}",
host_factory_token => Sensitive('placeholder-for-HF-token'),
version => 5,
}
class secrets {
$vendor_oauth_token = conjur::secret('app/vendor-oauth-token')
$postgres_password = conjur::secret('app/postgres-password')
}

Conjur Policy that Controls Secrets Access
- !policy
id: app
annotations:
description: Conjur Puppet demo app policy
body:
# Roles
- !layer app
- !host-factory
annotations:
description: factory for new app node identities
layers: [ !layer app ]
# Secrets
- !variable
id: vendor-oauth-token
annotations:
description: authenticate vendor access to service endpoint
- !variable
id: postgres-password
annotations:
description: login credential for app database
# Entitlements
- !group users
- !permit
role: !group users
privileges: [ read, execute ]
resources: [ !variable vendor-oauth-token, !variable postgres-
password ]
- !grant
role: !group users
members:
- !layer app

Tradeoffs to using identity to retrieve secrets...
▪ Pros:
• Eliminates over-privileged central attack target
• Enables fine grained control of secret retrieval & updating
• Secrets are dynamically retrieved without writing a lot of code
• Enables teams to self manage their application secrets (ex. staging)
• All access is authenticated, authorized and audited (makes Security happy)
▪ Cons:
Requires a one-time manifest change

Lessons We’ve Learned
• It is possible to align Velocity and Security
• If security is a bad UX, everybody loses
• Established Security principles still apply, but must acknowledge new realities
• Security policies should declaratively model applications, users and envs
• You can easily add secure, dynamic secrets retrieval to your manifests

CyberArk-Conjur Puppet Module

conjur.org: Open Source Secrets Management

Summary
Puppet and CyberArk Conjur enable organizations to provide better security and
increase developer and operations autonomy using infrastructure-as-code and
security-policy-as-code
Takeaways:
• Automate everything
• Abstract secrets from code
• Encrypt and rotate secrets
• Authenticate all requests
• Use Least Privilege principles
• Audit everything
Stay tuned for more webinars from CyberArk and Puppet ...

Questions?
Puppet OpenSource: https://www.conjur.org/
Conjur Puppet Module: https://forge.puppet.com/cyberark/conjur
Conjur OpenSource: https://www.conjur.org/
Conjur Slack channel: https://conjur.slack.com
Resources

Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur

Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur

Similar to Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur (20)

More from Claire Priester Papas

More from Claire Priester Papas (6)

Recently uploaded

Recently uploaded (20)

Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur