CREDENTIAL PROVIDER
ADMINISTRATION
Technical Overview
CyberArk Training
1
LESSON OBJECTIVES
This lesson provides a technical overview of the Credential Provider solutions
Upon completion of this lesson the participant will be able to:
• Describe what Credential Provider is and how it fits into the CyberArk Privileged Access
Management (PAM) solution stack
• Understand the risks associated with hard-coded credentials and how the Credential Providers
provide a solution to protect enterprise applications
• Gain a technical overview of the various Credential Provider options and features
2
SECURING APPLICATIONS OVERVIEW
3
Consequences of data breaches are
both familiar and painful:
Brand Damage, Loss of Customer Confidence,
Potentially Costly Litigation, and Regulatory Fines
CISO VIEW:
APPLICATION
SECURITY
Goals & Initiatives:
• Eliminate (significantly reduce) susceptibility to cyber attacks
• Prevent compromise of sensitive customer, employee, and
business critical data
Application Security:
• Protect sensitive data from leaks that could damage reputation
and impact the business bottom line
• Minimize risk and security defects in software build cycles
(SDLC) effectively
4
RAISING APPLICATION SECURITY CONCERNS
Sponsored by Arxan Technologies: Ponemon Institute© 2018 Global Study on Application Security
5
APPLICATION RISK BY NUMBERS
Lack of application threat landscape visibility
▪ ONLY 23% of respondents knew with certainty their organization had experienced a material breach
caused by a compromised application.
▪ Additional 51% thought a breach was likely but did not have visibility for their “apps in the wild” to
fully understand the situation.
Organizations fear their applications will be hacked, yet have not invested in prevention
▪ 64% of respondents say they are either very concerned or concerned that they will be hacked through
an application. And 54% expect the severity of threats to increase in 2018.
▪ However, only 25% of respondents say their organization is making a significant investment in
solutions to prevent attacks.
Disagreements within management on the importance of security
▪ 56% of IT management team respondents say performance/speed and security are equally important.
▪ In contrast, 48% of the non-IT management team is of the opinion that performance/speed is more
important than security.
6
THE CHALLENGE:
SECURING APPLICATION SECRETS
7
BREACHES DUE TO COMPROMISED APPLICATIONS!
8
PROBLEM: EMBEDDED SECRETS
9
FACT: THE RISK IS REAL
ref: https://www.scmp.com/business/companies/article/2161800/shanghai-police-investigate-data-leak-130-million-hotel-clients
10
FACT: COST IS HIGH
11
CHALLENGE: APPLICATION SECRETS MANAGEMENT
• They exist everywhere (on-prem, cloud, hybrid)
• Secrets are hard-coded in clear-text, for example:
    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
• Secret values are static and aging
• Secrets are stored locally on the filesystem
• Security islands caused by multiple secret stores
• Pursued by attackers (insider and external)
• Secrets leaked to public repositories accidentally
• Lack of accountability for non-humans and humans
12
13
SOLUTION:
SECRETS MANAGER
14
CYBERARK IDENTITY SECURITY PLATFORM
Security First • AI-Enabled • Frictionless • Everywhere
[Diagram: the Identity Security Platform and the products that sit on it]
• Workforce Identity
• Customer Identity
• Privileged Access Manager (Cloud | On Premises)
• Vendor Privileged Access Manager
• Endpoint Privilege Manager (Workstations | Servers)
• Cloud Entitlements Manager
• Secrets Manager: Credential Providers; Conjur Enterprise and Conjur Open Source (DevSecOps)
15
SECRETS MANAGER: IN ACTION
CYBERARK SECURES CREDENTIALS FOR HUMAN AND NON-HUMAN IDENTITIES
[Diagram: PAM and Secrets Manager covering three adoption phases]
Phase 1 – Human / PAM: human users (Paul, Sue) reach Windows and *nix targets through PAS
Phase 2 – On-premise business-critical apps (static/stable): apps with a caching agent (Windows and *nix)
Phase 3 – Highly dynamic, scale / containers / cloud / DevOps: apps and container-based apps
16
SECRETS MANAGER OFFERINGS: COMPARISON MATRIX

CP (Credential Provider)
  Installation type:     Agent per server
  Access method:         Direct PAS Vault access (TCP 1858)
  Authentication method: Attribute based: allowed machines, OS user, path, hash
  Programming SDK / API: Java, .NET, C/C++, CLI, COM
  Use case:              Business-critical apps (in-house / static / COTS)

CCP (Central Credential Provider)
  Installation type:     Central agent
  Access method:         Indirect PAS Vault access (HTTPS 443)
  Authentication method: Attribute based: allowed machines, OS user, certificate
  Programming SDK / API: SOAP (all versions); REST (9.7.2 or newer)
  Use case:              Non-business-critical apps (web, scripts, COTS)

ASCP (Application Server Credential Provider)
  Installation type:     Agent per server
  Access method:         Direct PAS Vault access (TCP 1858)
  Authentication method: Attribute based: allowed machines, OS user, path, hash
  Programming SDK / API: Data sources; Java, C/C++, CLI, COM
  Use case:              Java Enterprise business-critical apps

Conjur
  Installation type:     Server infrastructure
  Access method:         Indirect Conjur Vault access (HTTPS 443)
  Authentication method: Attribute and API-key based
  Programming SDK / API: REST
  Use case:              Business critical, DevOps, CI/CD, cloud, containers
17
HOW SECRETS MANAGER REDUCES RISK
• Removal of hard-coded credentials
• Limits discovery and reduces the attack surface
• Enables compliance with audit requirements and best practices
• Removes the security-island dilemma
• Establishes an identity for applications (APP ID)
• Credential rotation
What that means in practice:
• Create an auditable identity for apps
• Regularly perform secrets rotation, with no application downtime required to rotate secrets
• Enforce strong authentication (Authn / MFA) for apps
• No updates to files, code or DBs when secrets are rotated
• Access is authorized, logged and auditable
18
CHALLENGE: EMBEDDED SECRETS
Application workflow:
1. Ops Team creates and rotates secrets
2. Ops Team shares secrets with the Developer
3. Developer embeds secrets into code and pushes to the application server
4.
5. Application connects to the data resource using the embedded secret

Example (the slide's PowerShell-style snippet; the username and password sit in clear-text in source, and the database name was mistakenly taken from $DBHost on the slide):
    $secrets = "cardbapp01", "Cyberark1"
    $DB = "MySQLDB"
    $DBHost = "10.0.0.10"
    $ConnStr = "server=" + $DBHost + ";port=3306;uid=" + $secrets[0] + ";pwd=" + $secrets[1] + ";database=" + $DB

Malicious attack surface:
• Compromise the Developer workstation to exploit secrets
• Compromise application server vulnerabilities to exploit secrets
Actors: Developer, Ops Team
19
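The clear-text credentials in the snippet above are exactly what an attacker on a compromised developer workstation or application server greps for, and what ends up in a public repository by accident. The scanner below is an added example, not part of the CyberArk training material: it runs two patterns (a string literal assigned to a secret-looking variable, and a password inside a connection string) over a constructed sample source that contains the slide's snippet plus lines that must not be flagged, and reports only a masked value so the finding report does not become a second copy of the secret. The sample source, the pattern names and the masking rule are constructed for illustration.

```python
"""Hard-coded credential scanner (added example; not CyberArk code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample source: the embedded-secret snippet from the slide plus
# lines that look similar but carry no secret and must NOT be flagged.
SAMPLE_SOURCE = r'''
$secrets = "cardbapp01","Cyberark1"
$DB = "MySQLDB"
$DBHost = "10.0.0.10"
$ConnStr = "server=" + $DBHost + ";port=3306;uid=" + $secrets[0] + ";pwd=" + $secrets[1] + ";database=" + $DB
password = "y7qeF$1"
api_key = os.environ["API_KEY"]
conn = "Server=db01;User Id=app;Password=Winter2024!;Database=orders"
passwd_prompt = "Enter password:"
'''

# A quoted string literal assigned to a variable whose name suggests a secret.
# The value must start with a non-space so `";pwd=" + $var` is not matched.
SECRET_LITERAL = re.compile(
    r"""(?i)\b(?:pass(?:word|wd)?|pwd|secrets?|api[_-]?key|token)\s*=\s*["'](?P<value>[^"'\s][^"']{3,})["']"""
)
# A clear-text password embedded in a connection string (pwd=...; Password=...).
CONN_STRING = re.compile(r"""(?i)(?:pwd|password)\s*=\s*(?P<value>[^;"'\s]{4,})""")

PATTERNS = [("secret-literal", SECRET_LITERAL), ("connection-string", CONN_STRING)]


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    masked_value: str  # the report itself is sensitive: never carry the full secret


def mask(value: str) -> str:
    """Keep two leading characters so the finding can be located without leaking the secret."""
    return value[:2] + "*" * (len(value) - 2)


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per source line that appears to carry a clear-text credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.strip("\n").splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append(Finding(lineno, kind, mask(match.group("value"))))
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} ({f.masked_value})")
```

Run against the sample it flags lines 1, 5 and 7 and stays silent on the `os.environ` lookup, the prompt text and the connection-string assembly that only references variables. Patterns like these are a starting point for a pre-commit or CI check; they do not replace moving the secret out of the code, which is the point of the rest of the deck.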
SOLUTION: SECURE SECRETS USING SECRETS MANAGER
SOLUTION: SECURE SECRETS USING SECRETS MANAGER
Application workflow:
1. Ops Team onboards secrets to the PAM Vault
2. CPM rotates secrets automatically via policy
3. Developer integrates the CyberArk secure SDK/API into code
4. Developer securely pushes code to the application server using PSM/PSMP
5. Application connects to the data resource using the SDK/API to securely retrieve secrets
6. Malicious attack surface eliminated!

Example (the slide's PowerShell-style snippet; the credential is fetched from the Vault at runtime through the Credential Provider CLI SDK instead of being hard-coded):
    $app_id = "FinApp"
    $DB = "MySQLDB"
    $DBHost = "10.0.0.10"
    # $virtual and $address are the slide's placeholders for the account's virtual username and target address
    # CLIPasswordSDK prints the /o properties on one line separated by commas; split at most once so a comma in the password survives
    $secrets = (CLIPasswordSDK.exe GetPassword /p AppDescs.AppID=$app_id /p "Query=VirtualUsername=$virtual;Address=$address" /o "passprops.username,Password") -split ",", 2

Components shown: Developer, Ops Team, PVWA, CPM, PSM / PSM for SSH, Credential Provider, CyberArk Vault
20
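To make the comparison matrix and the solution workflow above concrete, the following Python module is an added example (not CyberArk SDK code) that puts the two access methods side by side: building the CLIPasswordSDK.exe command line for a local Credential Provider and parsing its comma-separated output, and building and parsing a Central Credential Provider REST query over HTTPS 443 with client-certificate authentication, the "Certificate" attribute in the matrix. The host ccp.example.com, the safe FinApp-DB, the object MySQLDB-cardbapp01, the certificate paths and the sample JSON response are constructed for illustration; the AIMWebService/api/Accounts path, the AppID/Safe/Folder/Object parameters and the Content/UserName/Address response fields are those of the CCP web service, and the CLI output is assumed to use the SDK's default comma delimiter (change the parsing if you set /d).

```python
"""Runtime credential retrieval via CP (CLI SDK) and CCP (REST). Added example, not CyberArk code."""
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    address: str


# --- CP: local agent per server, called through the CLI SDK (as on the solution slide) ---

def cp_cli_command(app_id: str, safe: str, object_name: str,
                   cli_path: str = "CLIPasswordSDK.exe") -> List[str]:
    """Argument vector for `CLIPasswordSDK.exe GetPassword`; hand it to subprocess.run(capture_output=True)."""
    return [
        cli_path, "GetPassword",
        "/p", f"AppDescs.AppID={app_id}",
        "/p", f"Query=Safe={safe};Folder=Root;Object={object_name}",
        # Request the password LAST so a comma inside it cannot shift the other fields.
        "/o", "PassProps.UserName,PassProps.Address,Password",
    ]


def parse_cp_output(stdout: str) -> Credential:
    """The CLI prints the /o properties on one line, comma-separated (assumed default delimiter)."""
    parts = stdout.strip().split(",", 2)  # split at most twice: password keeps its commas
    if len(parts) != 3:
        raise ValueError("unexpected CLIPasswordSDK output")
    username, address, password = parts
    return Credential(username, password, address)


# --- CCP: central agent, reached over HTTPS 443, app authenticated by client certificate ---

def ccp_query_url(host: str, app_id: str, safe: str, object_name: str, folder: str = "Root") -> str:
    """Build the Central Credential Provider web service query."""
    params = {"AppID": app_id, "Safe": safe, "Folder": folder, "Object": object_name}
    return f"https://{host}/AIMWebService/api/Accounts?" + urllib.parse.urlencode(params)


def parse_ccp_response(body: bytes) -> Credential:
    """CCP answers with JSON: the secret is in 'Content'; failures carry 'ErrorCode'/'ErrorMsg'."""
    data = json.loads(body)
    if "ErrorCode" in data:
        # Do not swallow this: falling back to a cached or hard-coded value defeats the purpose.
        raise RuntimeError(f"CCP error {data['ErrorCode']}: {data.get('ErrorMsg', '')}")
    return Credential(data["UserName"], data["Content"], data["Address"])


def fetch_from_ccp(host: str, app_id: str, safe: str, object_name: str,
                   client_cert: str, client_key: str, ca_bundle: str, timeout: int = 10) -> Credential:
    """Live retrieval: verify the CCP server against ca_bundle, present the app's client certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # server identity is checked, never disabled
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    url = ccp_query_url(host, app_id, safe, object_name)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return parse_ccp_response(resp.read())


def mysql_conn_str(cred: Credential, database: str, port: int = 3306) -> str:
    """The slide's connection string, assembled from the retrieved credential instead of literals."""
    return f"server={cred.address};port={port};uid={cred.username};pwd={cred.password};database={database}"


# Constructed sample CCP response; no live CCP is contacted when this module runs stand-alone.
SAMPLE_CCP_RESPONSE = json.dumps({
    "Content": "Rr7!kq2Z#pVm", "UserName": "cardbapp01", "Address": "10.0.0.10",
    "Safe": "FinApp-DB", "Folder": "Root", "Name": "MySQLDB-cardbapp01", "PolicyID": "MySQL",
}).encode()


if __name__ == "__main__":
    cred = parse_ccp_response(SAMPLE_CCP_RESPONSE)
    print("CCP query:", ccp_query_url("ccp.example.com", "FinApp", "FinApp-DB", "MySQLDB-cardbapp01"))
    print("CP command:", " ".join(cp_cli_command("FinApp", "FinApp-DB", "MySQLDB-cardbapp01")))
    print("retrieved user:", cred.username, "at", cred.address)  # never log cred.password
```

Two design points worth keeping when adapting this: the TLS context verifies the CCP server and never sets `check_hostname = False`, because an application that will hand its database password to whoever answers on port 443 has replaced one hard-coded secret with a spoofable one; and the connection string is built in memory from the returned `Credential` and is never written to a file or log, which is what the "no updates to files, code or DBs when secrets are rotated" point in the deck relies on.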
CONCLUSION
21
HARD-CODED VS. SECRETS MANAGER CREDENTIALS

BEFORE: hard-coded
    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)
▪ Significant security risk from hard-coded application credentials
▪ Very hard to rotate and manage
▪ No way to track or assign accountability for credential use

AFTER: Secrets Manager
    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
▪ Eliminates the vulnerability
▪ Leverages flexible deployment options to meet the security and availability requirements of a wide range of applications
▪ C3 Alliance partner solutions with built-in AAM integration

Application examples (type / system):
• Enterprise resources
• Application servers and servers
• CI/CD tool chains
• Cloud / PaaS and cloud infrastructure
• Databases and applications
• Network devices and security appliances
• Container platforms / PaaS
• SDKs & dev. libraries on multiple platforms: Go, Java, Ruby, Python, .NET, C/C++, CLI, REST; Windows, *nix, zOS, Cloud
• RPA
• Security tools and other third-party applications
• Websites / web apps
22
23
STRONG PARTNERSHIPS
CYBERARK MARKETPLACE: HTTPS://CYBERARK-CUSTOMERS.FORCE.COM/MPLACE/S/
24
SUMMARY
25
SUMMARY
In this session we discussed:
• Technology overview of the CyberArk Secrets Manager solution
• Risks associated with hard-coded credentials and how Secrets Manager addresses the risks and challenges of securing enterprise applications
• Description of Secrets Manager features, options, and offerings
26
GET STARTED WITH CYBERARK SECRETS MANAGER!
Useful Resources:
• Credential Providers (https://www.cyberark.com/products/credential-providers/)
• Conjur Enterprise (https://www.cyberark.com/products/secrets-manager-enterprise/)
CyberArk University Training:
https://training.cyberark.com/catalog
CyberArk Marketplace:
https://cyberark-customers.force.com/mplace/s/
27
THANK YOU
28