The 5 Stages of Secrets Management Grief, And How to Prevail
1. The 5 Stages of Secrets Management Grief (And How to Prevail)
Josh Bregman
Conjur
2. Josh has 20 years of experience successfully architecting, evangelizing, and delivering innovative identity management and security products to customers. Prior to joining Conjur, Josh spent a decade as a solutions and pre-sales leader in the Oracle ecosystem. A developer at heart, early in his career Josh worked as a software engineer at IBM, GTE Labs, and Netegrity. He has 3 U.S. patents and received a B.A. in Math from the University of Rochester in 1995.
4. Denial - We don’t have a problem
Anger - Why is this my problem?
Bargaining - A series of trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem
6. You’re at Puppet Camp, so your infrastructure is coded, and your code is in source control.
10. “Searching GitHub for AWS and Azure credentials reveals that many people are making the same mistake as Ashley Madison, Uber and D-Link.”
11. “Ashley Madison’s leaked code included hard-coded AWS tokens, database credentials, certificate private keys and other credentials.”
12. “Uber had a database containing personal information about drivers compromised in 2014, after storing the key in a publicly available repo.”
13. “...and D-Link recently published its private code signing keys in the open source code for a firmware update.”
14. “Your cloud credentials are likely to end up subsidizing Bitcoin miners, who scan GitHub for keys and use them to run up hundreds or thousands of dollars of bills.”
16. Should everyone at your company who has read access to the repo have access to the database?
18. If you put your secrets in source control, then anyone who has access to the repo can access all the secrets.
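The practical defence against the mistake described in these slides is to catch credentials before they reach the repo. The following added example (not from the talk or from Conjur) is a small scanner that runs the kind of checks a pre-commit hook would: the AWS access key id shape (`AKIA` plus 16 characters, as AWS documents it), PEM private key headers, and generic `password=`/`secret:` assignments, while ignoring obvious placeholders. The file contents and the key values are constructed for this example.

```python
import re

# Detection rules a defender runs over files before they are committed.
# The AKIA shape is AWS's documented access key id format; the others are heuristics.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)[a-z_]*\s*[:=]\s*['\"]?[^\s'\"]{4,}"
    ),
}

# Values that are templating placeholders, not real credentials; these must not fire.
PLACEHOLDERS = re.compile(r"(?i)(\$\{|<[^>]+>|changeme|example|todo)")

# Constructed sample repository: one real-looking leak per rule plus two benign files.
SAMPLE_REPO_FILES = {
    "config/database.yml": "production:\n  password: hunter2\n",
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"            # AWS documentation example id
        "AWS_SECRET_ACCESS_KEY=Zm9vYmFyLW5vdC1hLXJlYWwta2V5\n"  # constructed, not a real key
    ),
    "config/app.env": "API_KEY=${API_KEY}\n",                  # placeholder, must not fire
    "README.md": "Run `summon -f secrets.yml ./app`\n",
}


def scan_text(path, text):
    """Return (path, line_number, rule_name) for every line that trips a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            # Only the generic assignment rule is noisy enough to need placeholder filtering.
            if rule == "credential_assignment" and PLACEHOLDERS.search(match.group(0)):
                continue
            hits.append((path, lineno, rule))
    return hits


def scan_repo(files):
    """Scan a {path: contents} mapping; a non-empty result should block the commit."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits
```

A hook built on this would refuse the commit whenever `scan_repo` returns anything, which is far cheaper than rotating a key after it has been pushed.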
19. Denial - We don’t have a problem
Anger - Why is it my problem?
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem
21. Question to Information Security: I’m concerned that storing secrets in source control isn’t safe. Is there a recommended approach that I should be following?
22. Answer from Information Security: We’re super busy right now protecting the company from APT, passing our ISO 27001 audit, and assessing our compliance with the NIST CSF…
23. Question to Information Security: Well, this initiative is super important to the business. Is there anything that you can recommend?
24. Answer from Information Security: Well, we have an existing system that we use to manage privileged accounts. You just open a ServiceNow ticket and…
27. “I’m going to automate those *@! out of a job.” – Anonymous DevOps
“Those *@! are running with scissors.” – Anonymous InfoSec
28. Few organizations practice blame-free post-mortems when they are on the front page of the Wall Street Journal. This is a huge cultural change for Information Security.
29. SecDevOps, DevSecOps and RuggedDevOps are all terms for the inclusion of information security in the DevOps workflow.
30. Automated testing that includes security tests, such as code scanning, application security testing and automated patching of vulnerabilities, is all pretty easy…
31. …because these can be added without the direct cooperation of information security teams.
32. Question: How many people here have information security professionals as part of their DevOps teams?
33. Question: How many people here ACTIVELY seek out the information security professionals in their organization?
34. NIST Cybersecurity Framework - The Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes
36. Go find your Security Engineering team. This is the team that owns and operates security solutions. Tell them you can help them with automation.
37. Denial - We don’t have a problem
Anger - It’s their fault!
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem
38. Two main camps on secrets management with Puppet: Masterful and Masterless.
39. Masterful: I’m OK if all of my secrets are on the master; my master is a hardened command bunker.
Masterless: Secrets are ‘need to know’ and my master doesn’t.
58. Denial - We don’t have a problem
Anger - It’s their fault!
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem
59. In both the masterful and masterless models, the secrets wind up on the nodes.
60. This represents a whole new threat surface - a way that your secret information can be compromised.
61. Applications and services, not just infrastructure, also need access to credentials. And applications are stored in source control.
62. Summon is an open-source project that allows for the retrieval of secrets safely without checking the secrets into source control.
63. Summon works well with 12-factor apps - those that expect to get their configuration from the environment - e.g. a Java application.
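To make the Summon model of slides 62 and 63 concrete, here is an added Python sketch of the same pattern (not Summon's own code, and not from the talk): a `secrets.yml`-shaped mapping from environment variable names to `!var` secret ids is resolved through a provider at launch time and handed to the 12-factor child process as its environment, so the repo only ever holds the names of secrets. The `FAKE_STORE`, `fake_provider` and the `SECRETS_YML` contents are constructed stand-ins for a real provider and real secret ids; the line-based reader covers only the `NAME: [!tag] value` shape and omits Summon's `!file` tag.

```python
import os
import subprocess

# Constructed stand-in for a secrets backend. Real Summon shells out to a provider
# executable and reads the secret from its stdout; a function plays that role here.
FAKE_STORE = {
    "aws/iam/user/robot/access_key_id": "AKIA-CONSTRUCTED-EXAMPLE",
    "aws/iam/user/robot/secret_access_key": "not-a-real-secret",
}

def fake_provider(secret_id):
    return FAKE_STORE[secret_id]

# Constructed secrets.yml in the shape Summon documents: an env var name, then either
# a !var tag naming the secret to fetch or a plain literal (Summon's !file tag is omitted).
SECRETS_YML = """\
AWS_ACCESS_KEY_ID: !var aws/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/iam/user/robot/secret_access_key
AWS_REGION: us-east-1
"""

def parse_secrets(text):
    """Line-based reader for the 'NAME: [!tag] value' shape; not a full YAML parser."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        rest = rest.strip()
        tag, _, value = rest.partition(" ") if rest.startswith("!") else ("", "", rest)
        entries.append((name.strip(), tag or None, value.strip()))
    return entries

def build_env(text, provider, base_env):
    """Resolve each entry through the provider and return the child's environment."""
    env = dict(base_env)
    for name, tag, value in parse_secrets(text):
        if tag is None:          # literal config, copied as-is
            env[name] = value
        elif tag == "!var":      # secret is fetched at launch, never stored in the repo
            env[name] = provider(value)
        else:
            raise ValueError(f"unsupported tag {tag!r} for {name}")
    return env

def run_with_secrets(argv, text=SECRETS_YML, provider=fake_provider):
    """Launch argv with the secrets present only in that child process's environment."""
    return subprocess.run(argv, env=build_env(text, provider, os.environ), check=True)
```

Because the secret values exist only in the launched process's environment, a node compromise that exposes the repo checkout still does not expose the credentials themselves, which is the threat surface slide 60 points at.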
68. Denial - We don’t have a problem
Anger - It’s their fault!
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem
69. This is an evolution from the Conjur Puppet integration that I presented at PuppetConf in 2015.
70. Integration with Puppet is an important but emerging area. These modules and repos are works in progress.
71. Customers are very interested in additional capabilities such as rotation, versioning, and secure service lifecycle.