If you’ve worked in IT or development you have seen it before: usernames and passwords sitting in a file. When a database starts up, or when an automation script runs, it reads the credentials it needs from that file. The problem is obvious: admins and attackers alike know this common practice, and both know where to look for easy access to applications and services.
With the growing use of automation and orchestration, driven largely by Continuous Integration build processes and fully programmable cloud infrastructure, we are automating many traditional IT tasks to speed up processes. Together these trends have compounded the problem: every automated step needs its own credentials, and those credentials end up stored wherever the automation can read them.
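As an added illustration (not code from the Securosis paper or CyberArk), the block below does two things a practitioner would want at this point: it scans a small, constructed repository snapshot for exactly the "credentials sitting in a file" habit described above, and it shows the alternative of resolving a secret at runtime from an injected file or the environment. The file names, contents and the `load_secret`/`write_secret_file` helpers are all assumptions made for the demo; the AWS access key ID is the placeholder value AWS uses in its own documentation.

```python
"""Added example (not from the Securosis paper or CyberArk): a scanner for the
"credentials sitting in a file" habit described above, plus the hardened
alternative of resolving a secret at runtime. All file contents are constructed
for the demo; the AWS access key ID is the one from AWS's own documentation."""
import math
import os
import re
import stat
import tempfile
from collections import Counter

# Each pattern captures the secret value in group 1.
PATTERNS = {
    # password = hunter2, SECRET_KEY: "...", AWS_SECRET_ACCESS_KEY=...
    "password-assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)"
        r"(?:[_-]?(?:access)?[_-]?key)?\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "aws-access-key-id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # postgres://user:password@host
    "url-embedded-password": re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@"),
    # any NAME=value whose value is long and random-looking (entropy checked below)
    "high-entropy-assignment": re.compile(
        r"(?i)\b[a-z_][a-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"),
}
ENTROPY_THRESHOLD = 4.0  # bits per char; prose scores ~3, 32 distinct chars score 5
# Values that mean "filled in at runtime" are what we want to see in a repo.
PLACEHOLDER_PREFIXES = ("${", "$", "<", "os.", "getenv(", "env(")

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def is_placeholder(value: str) -> bool:
    return value.startswith(PLACEHOLDER_PREFIXES) or value.lower() in {"changeme", "example"}

def scan_text(text: str, name: str = "<input>") -> list:
    """Return at most one finding per line: file, line number, kind, entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m or is_placeholder(m.group(1)):
                continue
            entropy = shannon_entropy(m.group(1))
            if kind == "high-entropy-assignment" and entropy < ENTROPY_THRESHOLD:
                continue
            findings.append({"file": name, "line": lineno, "kind": kind,
                             "entropy": round(entropy, 2)})
            break
    return findings

def scan_files(files: dict) -> list:
    return [f for name, text in files.items() for f in scan_text(text, name)]

# Constructed repository snapshot: three files with embedded credentials and
# two lines that only reference a secret to be supplied at runtime.
SAMPLE_FILES = {
    "config/database.ini": "[db]\nhost = db.internal\nuser = app\npassword = Tr0ub4dor&3\n",
    "deploy/env.sh": ("export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                      "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                      "export SIGNING_KEY=aB3dE5fG7hJ9kL2mN4pQ6rS8tU0vW1xY\n"),
    "app/settings.py": ("DATABASE_URL = 'postgres://app:s3cr3tpass@db.internal/app'\n"
                        "SECRET_KEY = os.environ['SECRET_KEY']  # resolved at runtime\n"),
    "README.md": "Set password = ${DB_PASSWORD} in the environment before starting.\n",
}

def load_secret(name: str, env=None) -> str:
    """The alternative to a checked-in value: read NAME_FILE (the path an
    orchestrator injects) if it is private to this user, else the NAME variable."""
    env = os.environ if env is None else env
    path = env.get(f"{name}_FILE")
    if path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is readable by other users (mode {mode:o})")
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    if name in env:
        return env[name]
    raise KeyError(f"secret {name} was not provided")

def write_secret_file(content: str, mode: int = 0o600) -> str:
    """Demo helper: write content to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} (entropy {f['entropy']})")
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD_FILE": write_secret_file("hunter2\n")}))
```

Running it reports five findings (the INI password, the two AWS values, the unnamed high-entropy signing key and the password embedded in the database URL) and nothing for the two lines that defer to the environment. The scanner is deliberately simple: a real deployment would run it as a pre-commit or CI check and tune the placeholder list and entropy threshold to its own code base.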
From the paper:
>Developers have automated software build and testing, and IT automates provisioning, but both camps still believe security slows them down. Continuous Integration, Continuous Deployment, and DevOps practices all improve agility, but also introduce security risks — including storing secrets in source code repositories and leaving credentials sitting around. This bad habit leaves every piece of software that goes into production at risk! All software needs credentials to access other resources: to communicate with databases, to obtain encryption keys, and to access other services. But these access privileges must be carefully protected lest they be abused by attackers! The problem is the intersection of knowing what rights to provision, what format the software can accept, and then securely provisioning access rights when a human is not — or cannot be — directly involved. Developers do integrate with sources for identity — such as directory services — but are usually unaware that technologies exist that help them distribute credentials to their intended destinations.
Content licensed by CyberArk.
The full paper is here: Securosis_Secrets_Management_JAN2018_FINAL.pdf
We are proud to announce the availability of our Cloud Identity and Access Management research paper. While you have likely been hearing a lot about cloud services and mobile identity, how it all works is rarely explained. Our goal for this research paper is simple: present the trends in IAM in a clear fashion so that security and software development professionals understand the new services at their disposal. This paper shows how cloud computing is driving extensible architectures and standardization of identity protocols, and how identity and authorization are orchestrated across in-house IT and external cloud services. Changes to IAM architectures provide the means to solve multiple challenges; additionally, external service providers offer commoditized integration with the cloud and mobile devices, reducing development and management burdens.
Here is an excerpt from the paper:
If you want to understand emerging Identity and Access Management (IAM) architectures, it’s best to start by forgetting what you know. The directory services we use today (most often LDAP and Active Directory) were designed in the client-server age, and their implementations generally presuppose a closed system. Third-party cloud services, and to a lesser extent mobile computing, have forced a fresh approach that embraces decentralization. We liken the change from in-house directory service to Cloud IAM as that of moving from an Earth-centric view of the universe to a Sun-centric view: it’s a complete change in perspective. We are talking about the fusion of multiple identity and access management capabilities — possibly across multiple cloud services — for computers and devices not fully under your control. We are developing the ability to authorize users across multiple services without distributing credentials to each and every service provider.
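The last sentence of the excerpt is the whole point of federated identity, so here is the exchange in working form, as an added example that is not code from the Securosis paper or from Symplified. One identity provider (IdP) is the only party that ever sees a password; each service provider (SP) accepts a short-lived signed assertion scoped to itself and checks signature, issuer, audience, validity window and replay. The issuer name, the two services, the user and all keys are assumptions made for the demo, as is the use of HMAC with one key per service (chosen so the block needs only the standard library); SAML and OIDC use asymmetric signatures so that a service holds only the IdP's public key.

```python
"""Added example (not from the Securosis paper or Symplified): an IdP
authenticating a user once and several SPs accepting short-lived signed
assertions instead of the user's password. HMAC with a key per service keeps
the demo stdlib-only; SAML/OIDC use asymmetric signatures so an SP holds only
the IdP's public key. Users, services and keys are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """The only party that ever sees a password; it stores PBKDF2 hashes."""
    def __init__(self, issuer: str):
        self.issuer = issuer
        self._users = {}  # username -> (salt, hash)
        self._keys = {}   # audience -> signing key shared with that SP only

    def register_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def register_service(self, audience):
        self._keys[audience] = secrets.token_bytes(32)
        return self._keys[audience]

    def authenticate(self, username, password) -> bool:
        salt, digest = self._users.get(username, (b"\0" * 16, b"\0" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)  # unknown users cost the same

    def issue_assertion(self, username, audience, ttl=300, now=None) -> str:
        """Compact JWS-style token header.payload.signature, scoped to one SP."""
        now = int(time.time() if now is None else now)
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        header = b64u(b'{"alg":"HS256","typ":"JWT"}')
        payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self._keys[audience], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64u(sig)}"

class ServiceProvider:
    """Holds its own verification key and the IdP name, never a user password."""
    def __init__(self, name, issuer, key):
        self.name, self.issuer, self.key = name, issuer, key
        self._seen = set()  # jti values already accepted (replay protection)

    def verify_assertion(self, token, now=None) -> dict:
        now = int(time.time() if now is None else now)
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed assertion")
        header, payload, sig = parts
        # Key and algorithm come from configuration, never from the token's header.
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64u_decode(payload))
        if claims.get("iss") != self.issuer:
            raise ValueError("unknown issuer")
        if claims.get("aud") != self.name:
            raise ValueError("assertion issued for another service")
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            raise ValueError("assertion expired or not yet valid")
        if not claims.get("jti") or claims["jti"] in self._seen:
            raise ValueError("assertion replayed")
        self._seen.add(claims["jti"])
        return claims

def attempt(sp, token, now) -> str:
    try:
        return "ok:" + sp.verify_assertion(token, now=now)["sub"]
    except ValueError as err:
        return "rejected:" + str(err)

def demo() -> dict:
    """Run the flow once; returns each scenario's outcome keyed by name."""
    idp = IdentityProvider("https://idp.example")
    idp.register_user("alice", "correct horse battery staple")
    crm = ServiceProvider("crm.example", idp.issuer, idp.register_service("crm.example"))
    mail = ServiceProvider("mail.example", idp.issuer, idp.register_service("mail.example"))
    t0 = 1_700_000_000
    out = {"wrong_password": idp.authenticate("alice", "hunter2"),
           "right_password": idp.authenticate("alice", "correct horse battery staple")}
    crm_token = idp.issue_assertion("alice", "crm.example", now=t0)
    mail_token = idp.issue_assertion("alice", "mail.example", now=t0)
    head, payload, sig = crm_token.split(".")  # re-sign nothing, just swap the subject
    forged = ".".join([head, b64u(json.dumps(dict(json.loads(b64u_decode(payload)), sub="mallory")).encode()), sig])
    out["crm_first_use"] = attempt(crm, crm_token, t0 + 10)
    out["crm_replay"] = attempt(crm, crm_token, t0 + 20)
    out["mail_first_use"] = attempt(mail, mail_token, t0 + 10)
    out["mail_token_at_crm"] = attempt(crm, mail_token, t0 + 10)
    out["forged_subject"] = attempt(crm, forged, t0 + 10)
    out["expired"] = attempt(mail, idp.issue_assertion("alice", "mail.example", now=t0), t0 + 301)
    return out
```

`demo()` returns the outcome of each scenario: both services accept their own assertion, while a replayed token, a token minted for the other service, a token with an edited subject and a token past its `exp` are all refused, and at no point does either service learn alice's password. The audience check looks redundant next to per-service keys, but it is what protects you if the same verification key is ever handed to more than one service, which is the normal situation with a public key.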
We would like to thank Symplified for licensing this content. Without their interest in projects such as this, we would not be able to bring you cutting-edge research, free of charge. Please email us if you have questions!