AWS re:Inforce 2019: Best Practices for Privileged Access & Secrets Management in the Cloud (DEM04)

Captions
Thank you very much for the intro, and thank you all so much for coming out. I know there's a lot going on in the expo hall here, and you had a choice: you could choose to go back to your hotel room and take a nap, but against all odds you chose to come hang out with us, so greatly appreciated. As mentioned, my name is Brandon. I'm joined by my good friend Leandro here. Come on in, there's plenty of room up here, you're more than welcome. Our goal today is to give you some quick wins for securing privileged access in the cloud, from both the human side of things but also the non-human side of things too.

So, a quick agenda. You've already heard who we are. We'll talk to you about our respective companies, kind of what they do and where they fit. We'll then look at how to add automation to security before jumping into what we do with privileged human access, but then also how applications are accessing our AWS environments. We'll then move into looking at some open source tools that allow you to start this process without needing to have budget, without needing to have a project, just to instantiate security with what's available. All right, so we'll give you open source solutions to help you secure the environment without needing to do anything outside of what you're already doing today.

So let me introduce myself. I'm Leandro, I'm from TOTVS, which is a Brazilian company. TOTVS is an ERP software development company. We have about 50% of the market share in Brazil, and basically our ERP covers about 10 types of industries, going from retail, financial, HR to manufacturing, and we have about 8,000 employees, just to give you some ideas and some numbers.

And I'm with a company called CyberArk. We do privileged access security, that is the vaulting and rotation of incredibly powerful accounts, from things like privileged AWS access key / secret key pairs, to IAM users, to EC2 instance keys, going all the way back on-prem to domain admin access and UID 0 accounts. So we store them securely, we change them programmatically so you don't have to do it, and we then can impose things like session isolation and monitoring and threat analytics on top of these very privileged sessions in your organizations. We also have a booth right over there, so we're giving demonstrations just a couple of steps away from the theater here.

OK, so let me explain about our scenario over there in Brazil. Our customers can run our software on-prem or in our cloud. So this is the before scenario we had. As you can see, we had a lot of processing to deploy our customer environment into the cloud, so we had like a bazillion steps involved there. So we started to plan to make some automation involving the whole set of steps. So when our customer needs to have the customer environment deployed, we had several steps involving creating the virtual machine, the firewall rules, the database, and making some parameterizations. So delivering our customer environment took up to 15 days or up to one month, depending on the size of our customers, right? And then some years ago we started to deliver this customer tenant, our customer environment, using the automation concept. So we created our platform, which is like a middleware that has several components involved. It's created and built on top of AWS features, OK? So we are using Lambda, Cognito, OAuth, CloudFormation, OK? And then we have a web front end for the customer, so the customer connects to this front end, to this portal, and our platform has all the intelligence to create and deliver the customer tenant, the customer environment, into our cloud or into AWS. So we have this process, like orchestration, involved. So before, delivering the customer environment took about one month, and then it decreased so much that we can deliver the customer environment in about 30 minutes or less. So this is so good for our business.

All right, and then CyberArk is one of these parts of the middleware. So CyberArk, I mean, it's part of the whole intelligence that composes our platform.

And I imagine many of you are going through this transition today. Why use cloud-born processes, why leverage AWS, if you're not performing automation? So this transition from 30 days to do something to 30 minutes, or 15 days to 30 minutes, is a huge shift. Building automation is something you should do. It's something that Leandro and team build, but the question becomes: how do we do this in a secure way? How are we making sure that we're imposing both authN and authZ on the people and non-people who use this process?

Yes, yes. When specific points of the business need that, we are looking at the market so we could have a solution that could address all the business needs. So we are looking for some solution that could address this automation need that we had, and some solution that has a higher level of high availability, also disaster recovery, to maintain, to keep our customers' environment running, and of course to deliver the standardization and a high level of automation. So before that, the whole process was done manually, and now we have this process which is done as an automated process. And yeah, one important topic to mention is that we could deliver some increased perspective in terms of security to our customers, so our customers can see that we are very engaged to increase our security posture over and over.

So where do we start? Many of us in the room are security practitioners. This is re:Inforce, right? It's AWS's first security conference, so of course we've got to dive a little bit into the security aspect of things. And if you've been paying attention over the last six years, things have changed. The breach flow used to be: you compromise an end user. Send Leandro a funny cat video link, I guarantee you he'll click it. You elevate privilege on his system, move laterally, continue to elevate, before you compromise a tier-zero asset and own an environment. Old-school breach method. It hasn't gone away; it's diminished significantly from what we see today. Today, in a new environment, you've got more and more stuff within AWS, and if you're not careful and you don't follow AWS's best practices, the potential risk here of gaining privileged access into, say, even the management console can be heightened. Now, admittedly I'm a millennial. I tend to want to be efficient with what I do. I'm a little lazy, I'm not going to lie to you. If given the choice between breach flow A and breach flow B, I'd probably choose the second one, right? I can do this from the comfort of my mother's basement. Not that I live in my mother's basement, but this flow is becoming more and more popular, and it starts with not following AWS's best practices. We'll also show you how to add security to this process too.

But the very first question, if you don't take anything away from this besides the cognitive dissonance around this message, is: look at your human access. Power people, the people who sit behind keyboards and open up those cat videos. How do they gain access at a privileged level into, say, the management console, or by accessing the AWS CLI interactively? How often is the root account being used? I hope the answer is as little as humanly possible. But if you want to start, look at the privileged humans we're trusting to perform administration on these incredibly key AWS environments. Vault the accounts, rotate them, put it through some sort of isolation process so that I can say I know what Leandro did when he was in firecall using the root account. Now let's take a look at how that actually operates. But first let's look at kind of what you've addressed in terms of your deployment and how you handle these problems.

So, as I told you, TOTVS is an ERP software company, so now we are delivering our ERP into the cloud to our customers as this SaaS experience, right? And to deliver our customer environment we have this middleware which makes these connections to our cloud or to AWS. So this step is basically the middleware that has the intelligence to connect to the cloud and make the infrastructure stack. So this is going to create the infrastructure stack, I mean creating the virtual machine, creating the firewall rules, creating the database and so forth, and then as a second step it's going to create the software stack, which is installing our ERP, making the configuration, parameterization, and then delivering this environment to our customers. So all these steps are done automatically over automations and over these long scripts we have separately integrated into this step.

So CyberArk is a very important component because it's going to protect the customer environment. So when an ERP cloud analyst needs to connect to our customer environment for some troubleshooting or for some analysis, this connection, as SSH or RDP, is done by CyberArk. So CyberArk works as a centralization component, increasing the security because it's reducing the attack surface, and also it's really important because CyberArk can record the session that the analyst is doing, so for auditing purposes it's very beneficial for us. And I would point out as well that, for example, when this cloud analyst needs to connect to the customer environment, he or she doesn't need to know the password, because CyberArk is the one that's responsible to make this connection. So for example, if this analyst leaves the company, he doesn't have access to the customer passwords, so it's good. And also the password is rotated periodically, done by CyberArk, so the customer environment, the tenant itself, is protected because CyberArk uses this technology to rotate the password and doesn't deliver the credentials, the password, to the users to connect. So the connection is done in a secure way, OK? And this also brings us compliance with the ISO 27001 requirement.

So I'm going to challenge you on that one, because what you've constructed is a scenario where users are authenticating to a solution, in this case CyberArk, somehow, and going through a secure bastion process. But if you've ever used a bastion, it sucks. It's the worst thing ever, because I have to connect to one thing, then authenticate, then connect to another thing, and then connect to another. So if you don't mind, I'll walk through this process a little bit, what it looks like and the way it operates. The way we want it to be done is using native interfaces. So the analysts that Leandro mentioned, when connecting to a back-end infrastructure resource or the management console, first authenticate somehow. You can use a web portal to do this, but better yet, if you're connecting over SSH, use your own SSH client; if you're connecting via RDP, use your own RDP client; if you're connecting into a web console, use your native browser. Find solutions that allow you to natively proxy. So the user authenticates, they perform their strong authentication, and in this flow the secret is pulled internal to CyberArk, so the user doesn't see the password or secret, but also it doesn't end up on their workstation. So malware, memory scrapers, keystroke loggers, nasty stuff doesn't get access to our secret, even though it's already rotating. As an added benefit, as Leandro said, we're monitoring what's happening. I can tell you what he was doing as the root account, for instance. So no malware is getting in to those disparate systems, but no credentials are reaching the end user's eyes, because if you're anything like me... I feel like you're a little bit better, but if you're like me, you see a password and the first thing you want to do, deep down inside of yourself, is write it down, and then I give it to Leandro, Leandro sells it on the darknet, bad things happen. So we want to avoid that whenever possible, but the user experience can't suck, because then people line up outside of our offices with torches and pitchforks saying this isn't going to work, I want to go back to the way things were before.

Now I'll challenge you: when we're talking about privileged access, you may have thought about, say, the management console. That's a great place to start, but remember there are all sorts of assets in your environment that have administrative rights that are accessible through direct OS connectivity or even web-based connectivity too. So if Jenkins is running all of your configuration management processes, Jenkins is just like Skynet, which, if you've not seen Terminator, is an artificial intelligence designed to save the human race, and it decided it was going to do that by just killing everybody. It's an automated process, but at some point someone said "I'm going to turn on Skynet, that's a great idea." There's always human access that begins as a nexus to our automation, our scripted processes, things of that nature. So just remember, once you've targeted something like the console, look at your other web-based applications too. Typically you'll find unfettered administrative access, typically even if they're deployed inside of AWS and you've already got security controls that exist there. Even something like CyberArk has web-based administrative access that can and should be protected. Drinking our own champagne, not eating our own dog food, that seems weird, so to speak.

And Brandon, one important topic of automation as well is that we are protecting the application passwords of our environment. So not only the clients, I mean the cloud analysts that are using CyberArk as well, but our middleware uses CyberArk, making the API calls to rescue, or to retrieve, the customer password, and then, having this credential, the platform or the middleware can make the connection and automate the customer environment.

And I'm glad you brought it up. So far we've talked a lot about human access, but, and I don't imagine this is something you have in your environment, but sometimes we go against all odds, we go against recommendations, and our developers accidentally leave a hard-coded secret inside of a public or private code repository. Sometimes secrets are hard-coded inside of our RPA tools or inside of our vulnerability scanning. So the same process applies there: being able to programmatically pull secrets from a secure store, and doing it in a way that doesn't require code changes, is a challenge that we all face from an application security standpoint, and something that at CyberArk we've done a lot of work to help mitigate the risk around. Now, while we won't talk very deeply about the application side of things, I'll leave you a couple of ideas. First, whether you are looking at CyberArk or you use another solution like it, challenge your vendors to integrate with as much stuff as humanly possible. Those RPA vendors, those vulnerability scanners, the CI/CD management tools: if they use a hard-coded secret and we're not integrating, be like, "hey vendors, integrate together." Admittedly, we didn't just take AWS out for ice cream one day and say "hey, we should integrate." Our customers said, "CyberArk, AWS, you guys must integrate together, it has to happen." So look for those integrations as quick wins on your application rollout. It means you have to make minimal changes for very large security value increases. Also, when you're authenticating applications, resist the urge to replace one hard-coded secret, put in a vault, with another hard-coded secret that lets you access the vault to pull the hard-coded secret you just vaulted. In doing that, you've done a lot of work, maybe built something really beautiful, but you've done very little in terms of security posture increase. So look at ways of using attribute-based authentication: for monolithic applications, a hash of the calling stack, file path, run-as user or whitelisted host; for things like AWS-born applications, IAM roles; if you're using EKS or vanilla Kubernetes or OpenShift, native sidecar or init-container based authentication using attributes of the containers themselves, not using just hard-coded API keys. This is possible, and better yet, it's even possible using open-source technology that Leandro and I will tell you about towards the very end of the presentation. So applications are people too, don't forget about that.

But also, when you're looking at invoking security in your environment, doing things like, say, managing the hard-coded secrets associated with EC2 instances, look for integrations that allow for automation, things like Lambda functions that allow for, say, CyberArk to monitor CloudWatch. When we find a new instance, programmatically vault and rotate the SSH key pair associated with it. This is not a replacement for AWS KMS; it's an augmentation to what you're already doing with the platform that you have. When we automate deprovisioning and provisioning, it leaves us time to make human decisions rather than the rote vaulting stuff that happens manually and makes us, well, kind of hate our lives. So always look at means of automating this, as Leandro and team have done.

OK, and one specific point that we need to secure as well is the human access, right? For example, MFA, multi-factor authentication, is a very important thing to consider. So not only the application credentials but also the human beings' credentials need to be protected, so be sure to use MFA for that.

The world is changing, so while you're securing human access into things like the console and instances, also don't forget there's privileged human access in other tooling that builds the automation of your pipeline. If any of you enjoy scouring GitHub, give it a try one day: type in "postgres_secret" and search by recent code commits. I guarantee you within 30 minutes you'll find someone's hard-coded secret existing in a public code repo. We're not just talking about direct console access; there's so much privilege associated with the automation processes that we're building. And that goes the same for knowing that there are human and non-human processes running in parallel. It can't be either/or; they both must move forward in terms of a security posture increase in a security program.

OK, and last but not least, begin to work with automation to deliver fast integrations to your environment. So as you could see, we used to take about one month to deploy our customer environment, and now we are doing this in minutes. So now our business can deliver many more environments for our customers than before.

So earlier we mentioned free stuff. Who doesn't like free stuff? I mentioned open source, I think I slightly mentioned free tooling to help you just understand what's going on in your AWS environment, or in your hybrid environments too, which is very important, right? This is not just an AWS story; on-prem privilege exists and will continue to exist for the foreseeable future. But CyberArk offers a couple of pieces of software that are available at no cost, and this is key for me. The first is a tool we have called DNA, or Discovery and Audit. "DA" sounded weird, so we just put an N in there. What it does: it's a nifty little binary that will scan either on-prem or cloud environments. It scours Active Directory, it scans *nix target nodes for user accounts, SSH keys, it looks for hashes. It can also integrate with AWS Inspector to give you information about privileged IAM users, access key / secret key pairs, and even EC2 instance privileges. We can even jump down into code for things like WebSphere, WebLogic, Tomcat and JBoss, or even into Ansible playbooks too. And what we do with that data is we build a terrifying report that you can take to people who are saying "we don't need security" and say, "look at this, look at what I've done, look at what has happened in the environment." So you don't have to do it like that, but it shows you areas of risk that you can mitigate immediately. If you see that every single user with access to AWS has an AWS admin role associated, you probably don't need to do that. Have a talk with your cloud architects, or you yourselves audit the process. If you see human accounts, first initial last name, logging in to domain controllers on a day-to-day basis with domain admin rights, that's super weird. Look at that from an immediate mitigation standpoint, and leverage this as a way just to know how your environment looks. So this is available; all you have to do is ask us for it. We'll provide it to you and even give you help, so if you want our help running the scan or analyzing the results, I'm more than happy to do that.

The other side of that is: what if there were an open source spot where we could store our secrets and make them available to applications? We have a project called Conjur that's available in an open source state that is, well, it's a secret vault, it's a secret store. We have other open source tools, one's called Secretless, one's called Summon, that allow developers who are integrating the ability to continue to variable-ize code without needing to make direct code changes. This is just CyberArk open source supported tools. There are all kinds of elements of platforms, many tools here, open source, that allow you to scaffold your security, but my recommendation to you is: whenever you use OSS, if there's a vendor associated, always challenge them on the security. Automation is key, digital transformation is magnificent, but we should always focus on security as we move these processes forward. We don't want to slow people down; you just want to prevent terrible things from happening because of all the velocity that we've built. Leandro, anything to add before we move to a Q&A?

OK, we are very engaged to increase the security perspective of our customers, and this is one of the strategic projects that we could address in our environment that could for sure leverage this security perspective.

Now, before we start with questions, one quick note. I mentioned it earlier, but everything we've talked about with you today is available to demo. So if you've got a second to stop by, we're actually right over there, you see the big CyberArk sign hanging from the roof. Please let us know if you're interested in a particular element, we're more than glad to dive as deep as you'd like. But with the last couple of minutes, what questions do you have for us? And I will happily bring you the microphone if you'd like. And not just questions; comments, grievances, they're all welcome. Maybe positive comments and less grievances, but anything at all. You have given them all the information they could possibly want, apparently. Sounds like it. Thank you all so much again for taking the time. Let us know if there's anything you need at all, and have a great rest of the show. Cheers. OK, thank you.
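The talk's "search GitHub for postgres_secret" challenge and its warning about developers leaving hard-coded secrets in repositories both come down to one detection problem: spotting a credential-looking identifier assigned to a real-looking string literal before it is committed. The following scanner is an added example written for this page; it is not code from the talk, from TOTVS, or from any CyberArk tool (DNA, Conjur, Secretless or Summon). It flags assignments of secret-named variables to high-entropy quoted literals, plus AWS access key IDs, which have a fixed shape, while skipping placeholders and `${VAR}` templates. The keyword list and the 3.0 bits/char entropy threshold are assumptions to tune per codebase; the sample files are constructed, and the key ID and secret key in them are the placeholder values from AWS's own documentation.

```python
"""Hard-coded secret scanner (added example; not code from the talk, TOTVS or CyberArk).

Flags (a) credential-looking identifiers assigned to quoted, high-entropy literals and
(b) AWS access key IDs, which always look like AKIA + 16 upper-case alphanumerics.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Identifier fragments that usually name a credential (assumption: tune per codebase),
# assigned with = or : to a quoted literal of at least 8 characters.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_]*(?:secret|password|passwd|token|api_key|access_key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Literal values that are placeholders rather than secrets (assumption: extend as needed).
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above 3.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> List[Dict]:
    """Return one finding per suspected hard-coded secret in `text`.

    Reported values are truncated so the report itself does not leak the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue  # placeholder or "${VAR}" template, not a literal secret
            if shannon_entropy(value) < min_entropy:
                continue  # repetitive, low-entropy literal; raise/lower min_entropy to taste
            findings.append({"path": path, "line": lineno, "kind": "assignment",
                             "name": name, "value": value[:4] + "..."})
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_access_key_id",
                             "name": None, "value": m.group(1)[:8] + "..."})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict]:
    """Scan an in-memory {path: contents} mapping (a real pre-commit hook would read the diff)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents for this example.
SAMPLE_FILES = {
    "settings.py": (
        'DB_HOST = "db.internal"\n'
        'postgres_secret = "Xk9#vQ2m!pL7zR4w"\n'      # flagged: secret-named, high entropy
        'ADMIN_PASSWORD = "changeme"\n'                # skipped: placeholder
        'api_token = "${API_TOKEN}"\n'                 # skipped: env-var template
        'password = os.environ["DB_PASSWORD"]\n'       # skipped: not a literal
    ),
    "deploy.sh": (
        'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n'                           # flagged: key ID shape
        'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'  # flagged: secret assignment
        'aws s3 sync ./build s3://release-bucket/\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['name'] or ''} {f['value']}")
```

Run against the constructed files it reports three findings (the `postgres_secret` literal, the AWS key ID, and the secret access key) and stays quiet on the placeholder, the `${API_TOKEN}` template and the `os.environ` lookup. The entropy filter is a heuristic: it suppresses repetitive literals but will also miss weak, repetitive passwords, which is the usual trade-off between noise and misses in pre-commit secret scanning.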
Info
Channel: Amazon Web Services
Views: 2,529
Rating: 5 out of 5
Keywords: AWS, Amazon Web Services, Cloud, cloud computing, AWS Cloud, AWS re:Inforce, AWS re:Inforce 2019, security, identity, compliance, cloud security, AWS security, cloud security community, learning conference, Detective Controls, Infrastructure Security, Data Protection, Incident Response, Governance, Risk, Compliance, security best practices, Demo Theater, AWS re:Inforce 2019 Sessions, Demo Session, DEM04-R
Id: TFMgT6NxKEk
Length: 27min 7sec (1627 seconds)
Published: Wed Jun 26 2019