Are you protecting your secrets?
By secrets, we don’t mean your friend’s surprise party or an old family recipe. In technology, a secret is a private piece of information that acts as a key to unlock protected resources or data in tools, applications, containers and environments.
Put simply, it’s anything that can grant a user access to something, said Mark Hurter, Secrets Manager Specialist at CyberArk. Hurter spoke at GovLoop’s virtual summit “7 Perspectives on Transforming Government” on Tuesday.
Agencies can have thousands of networking devices that need to be secured and audited. One agency, for example, had 85,000. Imagine the scale and manpower needed to secure all of these and make updates as necessary.
“The only way you can solve that problem is with efficient and secure automation,” Hurter said.
Hurter encouraged organizations to stay away from hard-coding keys into automation systems and from relying on shared, unmanaged keys. Both practices mean that a single key, or a single set of keys, could grant access to all of the agency’s systems – 85,000, in the case above – so if malicious actors get hold of one secret, they can reach every system it unlocks.
Very rarely will there be a need for someone to access 85,000 systems, Hurter pointed out. They may need to use 5,000 or 10,000, but often no more. That’s why it’s key to only grant access to users based on their needs, and plug automation in to manage the volume of systems that need securing.
“If [a credential] is good enough for employees to access information, it’s good enough for an attacker,” Hurter said.
CyberArk’s solution provided a secure, centralized credential management hub with multifactor authentication, which – with the help of Red Hat’s Ansible automation capabilities – also automated security changes such as credential updates. That way, if one network was breached, the breach would stay contained and bad actors would not be able to reach other networks with the same credential.
The use of automation for security, however, is only one facet of a larger push to adopt DevSecOps.
Short for development, security and operations, DevSecOps is a way of working that integrates these formerly siloed functions into a more seamless process. Importantly, it establishes “security at inception,” as Hurter said, so agencies can have secure products from the start. They also save the time and energy that would otherwise go into retrofitting security later.
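The two anti-patterns Hurter warns about, credentials embedded in automation files and one credential shared across many systems, are easy to catch with a simple review check. The following is an added example, not code from the talk or from CyberArk; it scans a constructed Ansible inventory fragment and flags literal credential values and any literal reused by several hosts, while treating Ansible Vault blobs and `lookup()` expressions into an external secrets store as delegated (the lookup plugin name and secret path are illustrative assumptions).

```python
import re
from collections import defaultdict

# Key names (suffix match) whose literal values would be embedded credentials.
CREDENTIAL_KEYS = ("password", "passwd", "secret", "token", "api_key", "private_key")
# A value that is delegated rather than embedded: an Ansible Vault blob, or a
# Jinja expression such as a lookup() into an external secrets store.
DELEGATED = re.compile(r"^(!vault\b|[\"']?\{\{)")
KEY_VALUE = re.compile(r"^\s*(?P<key>[\w.-]+)\s*:\s*(?P<value>\S.*)$")

# Constructed inventory fragment (not from the page); the lookup plugin name
# and secret path are illustrative, not a verified configuration.
SAMPLE_INVENTORY = """\
# constructed inventory fragment
all:
  hosts:
    switch01:
      ansible_user: netadmin
      ansible_password: Sup3rS3cret!
    switch02:
      ansible_user: netadmin
      ansible_password: Sup3rS3cret!
    switch03:
      ansible_user: netadmin
      ansible_password: "{{ lookup('cyberark.conjur.conjur_variable', 'net/switch03/password') }}"
    switch04:
      ansible_password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        PLACEHOLDER_VAULT_BLOB
"""

def scan(text):
    """Return (hardcoded, shared): hardcoded lists (line_no, key) for literal
    credential values; shared maps each literal reused on several lines to
    those line numbers, i.e. one secret that unlocks many systems."""
    hardcoded, by_value = [], defaultdict(list)
    for n, raw in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.match(raw.split(" #", 1)[0].rstrip())  # ignore trailing comments
        if not m or not m.group("key").lower().endswith(CREDENTIAL_KEYS):
            continue
        value = m.group("value").strip()
        if DELEGATED.match(value):
            continue  # resolved from a managed store at run time, not embedded
        hardcoded.append((n, m.group("key")))
        by_value[value.strip("\"'")].append(n)
    shared = {v: lines for v, lines in by_value.items() if len(lines) > 1}
    return hardcoded, shared
```

Running `scan(SAMPLE_INVENTORY)` reports the two literal passwords and notes that the same literal is shared by both switches, while the vaulted and looked-up values pass.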
“Involve security early and often,” Hurter said. “They should be a partner. They should not be a roadblock.”
Check out other recaps from today’s virtual summit here, and make sure to register for other upcoming GovLoop online trainings.