CREDENTIAL PROVIDER
ADMINISTRATION
Technical Overview
CyberArk Training
LESSON OBJECTIVES
This lesson provides a technical overview of the Credential Provider solutions.
Upon completion of this lesson the participant will be able to:
• Describe what Credential Provider is and how it fits into the CyberArk Privileged Access Management (PAM) solution stack
• Understand the risks associated with hard-coded credentials and how the Credential Providers provide a solution to protect enterprise applications
• Give a technical overview of the various Credential Provider options and features
SECURING APPLICATIONS OVERVIEW
Consequences of data breaches are both familiar and painful:
Brand Damage, Loss of Customer Confidence, Potentially Costly Litigation, and Regulatory Fines
CISO VIEW: Goals & Initiatives
APPLICATION SECURITY:
• Eliminate (significantly reduce) susceptibility to cyber attacks
• Prevent compromise of sensitive customer, employee, and business critical data
Application Security:
• Protect sensitive data from leaks that could damage reputation and impact the business bottom line
• Minimize risk and security defects in software build cycles (SDLC) effectively
RAISING APPLICATION SECURITY CONCERNS
Sponsored by Arxan Technologies: Ponemon Institute© 2018 Global Study on Application Security
APPLICATION RISK BY NUMBERS
Lack of application threat landscape visibility
▪ ONLY 23% of respondents knew with certainty their organization had experienced a material breach caused by a compromised application.
▪ An additional 51% thought a breach was likely but did not have visibility into their “apps in the wild” to fully understand the situation.
Organizations fear applications will be hacked, yet have not invested in prevention
▪ 64% of respondents say they are either very concerned or concerned that they will be hacked through an application, and 54% expect the severity of threats to increase in 2018.
▪ However, only 25% of respondents say their organization is making a significant investment in solutions to prevent attacks.
Disagreements within management on the importance of security
▪ 56% of IT management team respondents say performance/speed and security are equally important.
▪ In contrast, 48% of the non-IT management team is of the opinion that performance/speed is more important than security.
THE CHALLENGE:
SECURING APPLICATION SECRETS
BREACHES DUE TO COMPROMISED APPLICATIONS!
PROBLEM: EMBEDDED SECRETS
FACT: THE RISK IS REAL
ref: [Link]
FACT: COST IS HIGH
CHALLENGE: APPLICATION SECRETS MANAGEMENT
UserName = “app”
Password = “y7qeF$1”
Host = “[Link]”
• THEY EXIST EVERYWHERE (ON-PREM, CLOUD, HYBRID)
• SECRETS ARE HARD-CODED IN CLEAR-TEXT
• SECRETS VALUES ARE STATIC AND AGING
• SECRETS ARE STORED LOCALLY ON THE FILESYSTEM
• SECRETS LEAKED TO PUBLIC REPOSITORIES ACCIDENTALLY
• LACK OF ACCOUNTABILITY FOR NON-HUMAN AND HUMANS
• SECURITY ISLANDS CAUSED BY MULTIPLE SECRET STORES
• PURSUED BY ATTACKERS (INSIDER AND EXTERNAL)
SOLUTION:
SECRETS MANAGER
CYBERARK IDENTITY SECURITY PLATFORM
Access:
• Workforce Identity
• Customer Identity
Privilege:
• Endpoint Privilege Manager (Workstations | Servers)
• Vendor Privileged Access Manager
• Privileged Access Manager (Cloud | On Premises)
• Cloud Entitlements Manager
DevSecOps:
• Secrets Manager: Conjur Enterprise, Open Source Secrets Manager, Credential Providers
IDENTITY SECURITY PLATFORM: Security First • AI-Enabled • Frictionless • Everywhere
SECRETS MANAGER: IN ACTION
CYBERARK SECURES CREDENTIALS FOR HUMAN AND NON-HUMAN IDENTITIES
[Diagram: PAM and Secrets Manager serving three phases]
Phase 1 – Human / PAM: users (Paul, Sue) accessing Windows and *nix systems through PAS
Phase 2 – On-premise business critical apps – static/stable: apps with caching, served by agent (Win) and agent (*nix)
Phase 3 – Highly dynamic, Scale / Containers / Cloud / DevOps: container based apps
SECRETS MANAGER OFFERINGS: COMPARISON MATRIX
(Columns: Solution, Installation Type, Access Method, Authentication Method, Programming SDK / API, Use Case)
Solution: CP
• Installation Type: Agent per Server
• Access Method: Direct PAS Vault Access (TCP 1858)
• Authentication Method: Attribute Based: Allowed Machines, OS User, Path, Hash
• Programming SDK / API: Java, .NET, C/C++, CLI, COM
• Use Case: Business Critical Apps (In-House / Static / COTS)
Solution: CCP
• Installation Type: Central Agent
• Access Method: Indirect PAS Vault Access (HTTPS 443)
• Authentication Method: Attribute Based: Allowed Machines, OS User, Certificate
• Programming SDK / API: SOAP (all versions), REST (9.7.2 or newer)
• Use Case: Non-Business Critical Apps (Web, Scripts, COTS)
Solution: ASCP
• Installation Type: Agent per Server
• Access Method: Direct PAS Vault Access (TCP 1858)
• Authentication Method: Attribute Based: Allowed Machines, OS User, Path, Hash
• Programming SDK / API: Java Enterprise Data Sources, Java, C/C++, CLI, COM
• Use Case: Business Critical Apps
Solution: Conjur
• Installation Type: Conjur Server Infrastructure
• Access Method: Indirect Vault Access (HTTPS 443)
• Authentication Method: Attribute & API Key Based
• Programming SDK / API: REST
• Use Case: Business Critical, DevOps, CI/CD, Cloud, Containers
HOW DOES SECRETS MANAGER REDUCE RISK?
Removal of Hard-Coded Credentials:
• Limits Discovery & Reduces Attack Surface
• Enables Compliance with Audit & Authn Best Practices
• Removes Security Island Dilemma
Establish Identity to Applications:
• Create Auditable APP ID Identity for Apps
• Enforce Strong MFA Authn for Apps
• Access is Authorized, Logged and Auditable
Credential Rotation:
• Regularly Perform Secrets Rotation
• No Updates to Files, Code or DBs when Secrets Rotated
• No Application Downtime Required to Rotate Secrets
CHALLENGE: EMBEDDED SECRETS
Application Workflow:
1. Ops Team creates and rotates secrets
2. Ops Team shares secrets with Developer
3. Developer embeds secrets into code and pushes to application server
4. Application connects to data resource using embedded secret
5. Malicious attack surface:
• Compromise Developer workstation to exploit secrets
• Compromise application server vulnerabilities to exploit secrets
Embedded secrets in the application code (the "before" case):
# Credentials hard-coded in clear text in the script
$secrets = "cardbapp01","Cyberark1"
$DB = "MySQLDB"
$DBHost = "[Link]"
$ConnStr = "server=" + $DBHost + ";port=3306;uid=" + $secrets[0] + ";pwd=" + $secrets[1] + ";database=" + $DB
SOLUTION: SECURE SECRETS USING SECRETS MANAGER
Application Workflow:
1. Ops Team onboards secrets to PAM Vault
2. CPM rotates secrets automatically via policy
3. Developer integrates CyberArk secure SDK/API into code
4. Developer securely pushes code to application server using PSM/PSMP
5. Application connects to data resource using SDK/API to securely retrieve secrets
6. Malicious attack surface eliminated!
Components involved: Developer, PSM / PSM for SSH, Credential Provider, PVWA, CyberArk Vault, CPM, Ops Team
Secrets retrieved at run time through the Credential Provider CLI SDK (the "after" case):
# Only the application identity and the query for the account are in the script;
# the username and password are returned by the Credential Provider at run time
$app_id = "FinApp"
$DB = "MySQLDB"
$DBHost = "[Link]"
$secrets = ([Link] GetPassword /p [Link]=$app_id /p "Query=VirtualUsername=$virtual;Address=$address" /o "[Link],Password")
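The run-time retrieval that step 5 of the solution workflow describes, as an added example in Python rather than the slide's CLI call (not CyberArk's code): it fetches the account from a CCP-style REST endpoint and builds the connection string from the response, so a password rotated by the CPM needs no change to the code. The endpoint path, the AppID/Safe/Object query parameters and the JSON field names (Content, UserName, Address) are assumed from the CCP web service, not taken from the slides, and the host names and responses are constructed.

```python
# Added example, not CyberArk's code: fetch a secret at run time instead of embedding
# it. CCP endpoint path, query parameters and JSON fields are assumed; hosts are made up.
import json
import urllib.parse
import urllib.request

CCP_URL = "https://ccp.example.com/AIMWebService/api/Accounts"  # hypothetical

def build_query(app_id, safe, obj):
    """URL naming the calling application (AppID) and the account object."""
    params = urllib.parse.urlencode({"AppID": app_id, "Safe": safe, "Object": obj})
    return f"{CCP_URL}?{params}"

def https_transport(url):
    """Live transport: CCP authenticates the caller by allowed machine, OS user
    or client certificate, so no password travels in the request."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()

def fetch_credential(app_id, safe, obj, transport=https_transport):
    """Fetch one account; CCP returns the password in the 'Content' field."""
    body = json.loads(transport(build_query(app_id, safe, obj)))
    missing = [f for f in ("Content", "UserName", "Address") if f not in body]
    if missing:
        raise ValueError(f"CCP response missing fields: {missing}")
    return {"user": body["UserName"], "password": body["Content"], "host": body["Address"]}

def mysql_conn_str(cred, database, port=3306):
    """The connection string the slide hard-codes, built from a fresh credential."""
    return (f"server={cred['host']};port={port};uid={cred['user']};"
            f"pwd={cred['password']};database={database}")

# Constructed responses standing in for the live service: the CPM rotates the
# password between the two fetches and the code above needs no change.
SAMPLE_RESPONSES = [
    '{"Content": "y7qeF$1", "UserName": "cardbapp01", "Address": "db01.example.com"}',
    '{"Content": "Kq9!rotated", "UserName": "cardbapp01", "Address": "db01.example.com"}',
]

def scripted_transport(responses):
    """Offline transport that hands back the constructed responses in order."""
    it = iter(responses)
    return lambda url: next(it)

def demo():
    """Connection strings from a fetch before and a fetch after rotation."""
    t = scripted_transport(SAMPLE_RESPONSES)
    before = mysql_conn_str(fetch_credential("FinApp", "AppSecrets", "MySQLDB", t), "MySQLDB")
    after = mysql_conn_str(fetch_credential("FinApp", "AppSecrets", "MySQLDB", t), "MySQLDB")
    return before, after
```

With the live transport the same functions run against a real CCP host; the CCP's allowed-machine, OS-user or certificate check decides whether the request is answered, which is the "Access is Authorized, Logged and Auditable" property the previous slide lists.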
CONCLUSION
HARD-CODED VS. SECRETS MANAGER
Application Type / System Examples:
• Application Servers: CI/CD Tool Chains, Container Platforms / PaaS
• SDKs & Dev. Libraries: Go, Java, Ruby, Python, .NET, C/C++, CLI, REST
• Multiple Platforms: Windows, *nix, zOS, Cloud
• RPA
• Websites / Web Apps
• Other Third Party Applications: C3 alliance partner solutions with built in AAM integration
Enterprise Resources: Servers, Cloud / PaaS, Databases, Applications, Network Devices, Security Appliances, Security Tools, Cloud Infrastructure
BEFORE: HARD-CODED CREDENTIALS
UserName = “app”
Password = “y7qeF$1”
Host = “[Link]”
ConnectDatabase(Host, UserName, Password)
▪ Significant security risk from hard-coded application credentials
▪ Very hard to rotate and manage or assign accountability to the applications
▪ No way to track credential use
AFTER: SECRETS MANAGER
UserName = GetUserName()
Password = GetPassword()
Host = GetHost()
ConnectDatabase(Host, UserName, Password)
▪ Eliminates vulnerability from hard-coded application credentials
▪ Leverage flexible deployment options to meet the security and availability requirements of a wide range of applications
STRONG PARTNERSHIPS
CYBERARK MARKETPLACE: HTTPS://[Link]/MPLACE/S/
SUMMARY
In this session we discussed:
• Technology overview of the CyberArk Secrets Manager solution
• Risks associated with hard-coded credentials and how Secrets Manager can strategically solve risks and challenges with securing enterprise applications
• Description of Secrets Manager features, options, and offerings
GET STARTED WITH CYBERARK SECRETS MANAGER!
Useful Resources:
• Credential Providers ([Link])
• Conjur Enterprise ([Link])
CyberArk University Training: [Link]
CyberArk Marketplace: [Link]
THANK YOU