Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.
Why the Exponential Growth of Machine Identities Requires Evolution of Privileged Access Management
National Cyber Security Awareness Month - Week 1: If You Connect It, Protect It
October 08, 2020
Over time, applications have evolved from simple lines of code to a universe full of interconnected machines and systems powering continuous integration and continuous delivery. Software-defined data centers where "infrastructure as code" models are being used to deploy virtualized systems hosted on-premises as well as in cloud IaaS service environments have created challenges for DevOps and security teams.
The increased use of containers, microservices architectures and other connected services to develop applications has made it increasingly difficult for security teams to monitor who is accessing sensitive information. With deadlines and agility paramount for developers and operations teams, security teams need to prevent an attacker from infiltrating an organization through this exponential expansion of the attack surface.
Week one of National Cyber Security Awareness Month's theme is, "If You Connect It, Protect It." It is important for DevOps and security teams to work together to secure access to (and between) the containers, microservices architectures and other connected services used to build applications. Connecting services and workloads is also equally as important. Below we discuss the role privileged access management (PAM) plays in putting the security — or the "sec" — in DevSecOps, and why security teams should look beyond traditional PAM methods for the best results for their organizations.
Digital Transformation Changes Everything We Know About PAM
Developers do not want to waste time when deadlines are looming in the background. Because of this, DevOps teams will have a tendency of bypassing PAM - which could cost businesses. Avoiding PAM could lead to an increased risk of a cyberattack, a waste of money spent invested in PAM, and fines from violating industry regulations.
The goal of PAM for application developers is to simplify and centralize credential management (also commonly referred to as application-to-application password management, or AAPM). Unfortunately, traditional PAM methods tend to be complicated to deploy and manage, and require lots of manual care and feeding with the new technologies used to build applications.
However, developers have grown accustomed to putting static passwords and secrets in code as part of the development process. When an application is running, it authenticates using the static embedded password. Stop and think about it for a second, static passwords in code… this is a bad practice. Threat actors can simply use a password sniffer to discover and use the password, posing as a legitimate account and evading security teams. PAM is necessary to protect organizations, but with traditional methods comes some challenges such as not accounting for machine identities.
Furthermore, now there is a significant expansion in the number of identities that need to be created and managed. Human identities are now limited in the DevOps process compared to non-human identities such as other applications, virtual machines, services and workloads in the cloud — causing complexity in the PAM process.
Luckily, just as the way developers have built applications over time has evolved, PAM methods have too.
How to Seamlessly Incorporate AAPM into the DevOps Process
The best way for AAPM and PAM to integrate into the modern DevOps process is to use a combination of more modern methods: ephemeral tokens and delegated machine credentials.
Ephemeral tokens offer temporary, time-based access with automatic expirations. These tokens are created automatically by a password vault, eliminating the need for DevOps teams to utilize static passwords or secrets as part of the development process. Once the accessor — whether human or machine — is authenticated and after a set period of time, the token will disappear. If a threat actor were to compromise a server, there would be no static credential to steal, which would greatly reduce the risk of a full-scale attack or lateral movement.
The next layer to an effective modern PAM solution is something we call Delegated Machine Credentials. If a container, virtual machine or other connected device were to be enrolled into a PAM service, it receives its own temporary credentials so it can authenticate and establish a mutual trust relationship with a password vault. Now any applications or workloads running on the particular machine are able to use its credential as well, leveraging the binded trust granted by the DevOps team. Using a combination of the ephemeral tokens and delegated machine credentials, security becomes automated, and the number of service accounts is significantly reduced, also greatly reducing risk.
Keeping Connected and Secure
We live in a virtualized world, so it is no wonder application development has turned into a sea of connections with both human and non-human identities. Organizations must strive to modernize PAM in order to create a seamless, secure DevSecOps experience.
Industry News
May 09, 2024
Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.
May 09, 2024
StackHawk announced a new integration with Microsoft Defender for Cloud to help organizations build software more securely.
May 08, 2024
MacStadium announced that it has obtained Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 1, meaning that MacStadium has publicly documented its compliance with CSA’s Cloud Controls Matrix (CCM), and that it joined the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
May 08, 2024
The Cloud Native Computing Foundation® (CNCF®) released the two-day schedule for CloudNativeSecurityCon North America 2024 happening in Seattle, Washington from June 26-27, 2024.
May 08, 2024
Sumo Logic announced new AI and security analytics capabilities that allow security and development teams to align around a single source of truth and collect and act on data insights more quickly.
May 08, 2024
Red Hat is announcing an optional additional 12-month EUS term for OpenShift 4.14 and subsequent even-numbered Red Hat OpenShift releases in the 4.x series.
May 08, 2024
HAProxy Technologies announced the launch of HAProxy Enterprise 2.9.
May 08, 2024
ArmorCode announced the general availability of AI Correlation in the ArmorCode ASPM Platform.
May 08, 2024
Octopus Deploy launched new features to help simplify Kubernetes CD at scale for enterprises.
May 08, 2024
Cequence announced multiple ML-powered advancements to its Unified API Protection (UAP) platform.
May 07, 2024
Oracle announced plans for Oracle Code Assist, an AI code companion, to help developers boost velocity and enhance code consistency.
May 07, 2024
New Relic launched Secure Developer Alliance.
May 07, 2024
Dynatrace is enhancing its platform with new Kubernetes Security Posture Management (KSPM) capabilities for observability-driven security, configuration, and compliance monitoring.
May 07, 2024
Red Hat announced advances in Red Hat OpenShift AI, an open hybrid artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across hybrid clouds.
