Puppet presents “Talking Tech”
A new webinar series featuring exciting technology solutions
that are driving the industry forward
Delivering Infrastructure and Security Policy as Code with Puppet and CyberArk Conjur
Date: Wednesday, 8 November 2017
Manage F5 BIG-IP Infrastructure with Puppet
Date: Tuesday, 14 November
Shift Left: Puppet + CloudPassage = New Approach to Securing DevOps
Date: Wednesday, 15 November
Delivering Infrastructure and Security Policy as Code
Presenters
Jeff Schmied, Director, Information Technology, Puppet
Ryan Prior, Software Engineer, CyberArk (@ryanprior)
Talking Tech: Puppet Webinar Series
Automating Rapid Delivery, Securely
Infrastructure-as-Code: IT infrastructure managed and provisioned through code, rather than manual processes
Security-as-Code: Automating security policy enforcement through code, rather than manual processes
Agenda
• Enterprise Information Security Perspective
• Overview of CyberArk Conjur
• Overview of Puppet and DevOps
• Security Challenges in DevOps Toolchain
• Leading Practices
• Example Code
• Q&A
What do I wake up worrying about?
• Privileged access management
• Data security in the cloud
• Social engineering
• Ransomware
• Vulnerability management
• Bring Your Own Device
• Nation-state cyber attacks
• Shadow IT
• Internet of Things
Exploits are targeting the application development tool stack
• Database containing driver PII was compromised after storing keys in a publicly available repository (May 2014)
• XcodeGhost hack uses compiler backdoor to inject 3rd party code into developed applications (September 2015)
• Hacker accessed a Docker registry that contained the entire Vine source code, API keys, and other secrets (July 2016)
• Hackers have exploited known MongoDB vulnerabilities to plant ransomware into high-profile clients such as Emory Healthcare (January 2017)
Confession time... Haven’t we all, at least once...
• Manually copied SSH keys to servers to provide access?
• Shared a key over chat?
• Manually configured or changed production servers?
• Stored secrets in config files in S3?
• Stored secrets in source control?
• Embedded passwords in applications?
CyberArk is Proactive Security
Your secrets and privileged accounts are the keys to your business. Every piece of infrastructure you operate uses secrets. CyberArk provides the tools and know-how to manage all your secrets, giving you total visibility and control.
Using a common language across everything, no matter where it runs
Puppet provides an automatic way to:
• know what you have
• control it and enforce consistency
• secure it and keep it compliant
• modernize it
DevOps Represents A Massive Shift
From the old way: ad hoc, manual and error prone; infrequent delivery; security in silos; legacy platforms
To the new way: automatic, standard and scalable; delivering at will; inherent security; constantly modern
Perspectives Matter
Traditional view of security: a bunch of suits preventing my killer app from going to prod
An essential view of security: a thing that helps prevent the destruction of my employer, my job, my information
Securing secrets has evolved since Puppet’s early days
[chart: degree of security (less to more) against time and scale; label: Human Identity]
• Puppet Manifests - secrets exposed in code
• Hiera-Eyaml - secrets abstracted and encrypted
• Conjur Secrets Store - secrets secured, key rotation
Some Good Practices
• Encrypt secrets
• Rotate secrets
• Make secrets ephemeral
• Authenticate all requests (Zero Trust)
• Authorize minimally (Least Privilege)
• Audit everything
• Automate all of the above
Some Better Practices (Enlightened State)
▪ Workflows that support velocity and enhance security at the same time
▪ Security configuration is part of the development flow, i.e. in the same code repos as the applications; otherwise security and code get out of sync and deploys fail
▪ Security tools run separately from developer tools, to isolate secrets management from application code
Example CI Workflow w/ GitHub, Jenkins & Docker
[diagram: pipeline stages, each marked "SECRETS REQUIRED!"]
How do these ideas apply to Puppet?
[diagram: Puppet Master and Secret Store serving Staging (App 1, App 2, App 3) and Production (App 1, App 2, App 3)]
The Solution
[graphic] + Human Identity
Identity leads to effective access management
• Build on a chain of trust
• Authenticate all requests
• Authorize w/ least amount of privilege
• Audit everything
• ...and do it with code!
Machine Identity with Conjur
[diagram: Puppet Master (Puppet Admin, CyberArk-Conjur module) configuring Nodes running Puppet Agents across Team 1, Team 2 ... Team N]
Node obtains a Conjur access token, encrypts it, and places it in the “facts”
• The Puppet master uses a Node’s identity to fetch secrets via the Conjur module.
• A Node’s access to Secrets is defined in declarative Policies
Secure Workflow w/ Machine Identity
Puppet Manifest with Secrets
################## Site.pp ##################
node 'default' {
  require secrets
  file { '/tmp/dbpass':
    ensure    => file,
    content   => "${secrets::postgres_password.unwrap}",
    show_diff => false, # don't log file content
  }
  file { '/tmp/token':
    ensure    => file,
    content   => "${secrets::vendor_oauth_token.unwrap}",
    show_diff => false,
  }
}
################## Secrets.pp ##################
class secrets {
  $vendor_oauth_token = Sensitive('5262e7a7-4cfd')
  $postgres_password  = Sensitive('wake operator pure')
}
Hiera with Secrets
################## Site.pp ##################
node 'default' {
  file { '/tmp/dbpass':
    ensure    => file,
    content   => "${hiera('postgres_password')}",
    show_diff => false, # don't log file content
  }
  file { '/tmp/token':
    ensure    => file,
    content   => "${hiera('vendor_oauth_token')}",
    show_diff => false,
  }
}
# oauth token
$ eyaml encrypt -s '5262e7a7-4cfd'
# database password
$ eyaml encrypt -s 'wake operator pure'
# instructions:
# load these into Hiera, distribute keys to operators
Puppet Manifests using Conjur
################## Site.pp ##################
node 'default' {
  require secrets
  file { '/tmp/dbpass':
    ensure    => file,
    content   => "${secrets::postgres_password.unwrap}",
    show_diff => false, # don't log file content
  }
  file { '/tmp/token':
    ensure    => file,
    content   => "${secrets::vendor_oauth_token.unwrap}",
    show_diff => false,
  }
}
################## Secrets.pp ##################
class { 'conjur':
  account            => 'demo',
  appliance_url      => 'http://conjur',
  authn_login        => "host/app-${::trusted['hostname']}",
  host_factory_token => Sensitive('placeholder-for-HF-token'),
  version            => 5,
}
class secrets {
  $vendor_oauth_token = conjur::secret('app/vendor-oauth-token')
  $postgres_password  = conjur::secret('app/postgres-password')
}
Conjur Policy that Controls Secrets Access
- !policy
  id: app
  annotations:
    description: Conjur Puppet demo app policy
  body:
    # Roles
    - !layer app
    - !host-factory
      annotations:
        description: factory for new app node identities
      layers: [ !layer app ]
    # Secrets
    - !variable
      id: vendor-oauth-token
      annotations:
        description: authenticate vendor access to service endpoint
    - !variable
      id: postgres-password
      annotations:
        description: login credential for app database
    # Entitlements
    - !group users
    - !permit
      role: !group users
      privileges: [ read, execute ]
      resources: [ !variable vendor-oauth-token, !variable postgres-password ]
    - !grant
      role: !group users
      members:
        - !layer app
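Added example, not code from the slides or from the Conjur Puppet module: a small Python model of how this policy's entitlements resolve for a node, so the permit/grant chain can be checked before the policy is loaded. The policy data is restated from the YAML above; the host names (app-web01, app-db01, stray-01) are constructed.

```python
"""Model of how the slide's Conjur policy resolves a node's access.
A !permit gives a role privileges on resources; a !grant makes one role a
member of another, transitively, so a host in !layer app inherits group users'."""
from collections import deque

# The 'app' policy from the slide, restated as plain data (kind:id form).
PERMITS = [
    # (role, privileges, resources) <- the single !permit statement
    ("group:users", {"read", "execute"},
     {"variable:vendor-oauth-token", "variable:postgres-password"}),
]
GRANTS = [
    # (member, role) <- the !grant: layer app is a member of group users
    ("layer:app", "group:users"),
]
# Constructed hosts. The !host-factory adds each host it creates to its
# `layers`; that layer membership is a node's only route to any privilege.
HOST_LAYERS = {
    "host:app-web01": {"layer:app"},
    "host:app-db01": {"layer:app"},
    "host:stray-01": set(),  # constructed: an identity in no layer
}


def effective_roles(host):
    """Roles the host holds: itself, its layers, and everything reached
    transitively through !grant statements."""
    roles = {host} | HOST_LAYERS.get(host, set())
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        for member, granted in GRANTS:
            if member == role and granted not in roles:
                roles.add(granted)
                queue.append(granted)
    return roles


def is_permitted(host, privilege, resource):
    """Allow if any role the host holds is permitted `privilege` on
    `resource`. Anything not permitted is denied (default deny)."""
    held = effective_roles(host)
    return any(role in held and privilege in privs and resource in res
               for role, privs, res in PERMITS)


def can_fetch_secret(host, variable_id):
    """Fetching a variable's value requires `execute`; this is the check
    behind a conjur::secret() call made with the node's identity."""
    return is_permitted(host, "execute", f"variable:{variable_id}")


if __name__ == "__main__":
    for host in HOST_LAYERS:
        for var in ("vendor-oauth-token", "postgres-password"):
            verdict = "allow" if can_fetch_secret(host, var) else "deny"
            print(f"{verdict:5} {host} execute variable:{var}")
```

Note that nothing in the policy grants `update`, so an enrolled node can read its secrets but cannot rewrite them, which is the least-privilege split the slides argue for.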
Tradeoffs to using identity to retrieve secrets...
▪ Pros:
• Eliminates over-privileged central attack target
• Enables fine grained control of secret retrieval & updating
• Secrets are dynamically retrieved without writing a lot of code
• Enables teams to self manage their application secrets (ex. staging)
• All access is authenticated, authorized and audited (makes Security happy)
▪ Cons:
• Requires a one-time manifest change
Lessons We’ve Learned
• It is possible to align Velocity and Security
• If security is a bad UX, everybody loses
• Established Security principles still apply, but must acknowledge new realities
• Security policies should declaratively model applications, users and envs
• You can easily add secure, dynamic secrets retrieval to your manifests
CyberArk-Conjur Puppet Module
conjur.org: Open Source Secrets Management
Summary
Puppet and CyberArk Conjur enable organizations to provide better security and
increase developer and operations autonomy using infrastructure-as-code and
security-policy-as-code
Takeaways:
• Automate everything
• Abstract secrets from code
• Encrypt and rotate secrets
• Authenticate all requests
• Use Least Privilege principles
• Audit everything
Stay tuned for more webinars from CyberArk and Puppet ...
Questions?
Resources
Puppet OpenSource: https://www.conjur.org/
Conjur Puppet Module: https://forge.puppet.com/cyberark/conjur
Conjur OpenSource: https://www.conjur.org/
Conjur Slack channel: https://conjur.slack.com