How Federal Agencies Can Secure Secrets in Automation Environments at Scale
IT modernization in the federal government sector is more than just plugging in new technology. It’s about changing the way government workers operate to be more efficient, effective, and transparent — all while bolstering cybersecurity to help secure critical systems and protect citizens.
“As digital technology evolves, our adversaries are releasing updated capabilities and features just as quickly as we are,” said CyberArk DevSecOps specialist Mark Hurter during his talk at the recent GovLoop virtual summit “7 Perspectives on Transforming Government.” Staying ahead of emerging threats requires a proactive — and increasingly automated — approach to security. Here, we summarize some of his key presentation messages, highlight a real-world federal success story and look at how automation plays a big role in the broader push to DevSecOps.
Unprotected Secrets in the DevOps Pipeline Put Agencies at Risk
Recent software supply chain attacks such as SolarWinds and Codecov have highlighted new levels of attacker creativity and opportunism, the growing risk to CI/CD pipelines and the potential for amplified damage and disruption. In response, the White House last month issued an executive order emphasizing the need for enhanced software security to strengthen the country’s cyber resilience.
The security of the CI/CD pipeline, the backbone of government DevOps environments, and applications themselves are vital to federal agencies’ ability to perform critical functions and achieve their missions. But speed is just as important. “Whether the end-user is a warfighter in the military or the public-at-large, federal agencies must be able to rapidly deliver new capabilities and remediate vulnerabilities in lockstep to deliver end-user advantage and reduce risk,” said Hurter.
The government’s progression from traditional waterfall development practices to agile, CI/CD methodologies is helping security, operations and development teams break down traditionally siloed functions and work in concert to get secure code out the door faster.
All of this is made possible through automation. Likewise, automation and privileged access go hand-in-hand. Take Red Hat Ansible, one of the leading automation platforms, for example. In order to execute automation functions such as standing up a virtual machine (VM), managing configurations, or copying, releasing, and re-installing code, Ansible playbooks require and hold powerful privileged credentials and secrets. Because of this, Ansible and other CI/CD pipeline tools are attractive targets for cyber criminals.
Unprotected secrets, whether in automation playbooks, scripts, code, or elsewhere, can put agencies at risk and also violate federal compliance regulations, because they could grant attackers unrestricted access to sensitive government data and infrastructure. And as the number of secrets grows, it becomes exponentially harder for agencies to store, transmit and audit those secrets securely.
Case Study: How a Federal Government Contractor Secures and Retrieves Ansible Secrets at Scale
A centralized, automated secrets management approach can help federal agencies, along with organizations providing services to the government, to reduce operational complexity, protect and accelerate digital transformation initiatives and achieve compliance with important standards like FISMA and NIST.
In his GovLoop presentation, Hurter shared a real-world example of this in action. A large defense contractor that managed more than 85,000 networking devices across a federal government environment needed a way to apply configuration changes across this massive tech stack efficiently.
“The only way you can solve that problem was with efficient and secure automation,” Hurter said.
But it had to be done right: that meant forgoing the use of one shared key or small set of unmanaged keys that could unlock access to systems across the environment.
“‘One key to rule them all’ means that not only can your administrator access all 85,000 networking devices, so can an attacker or unauthorized user,” said Hurter. “Very rarely will there be a legitimate need for someone to access all 85,000 systems. That’s why it’s important to intelligently limit access to only what users need to perform their specified functions.”
The risky practice of storing, or “hardcoding,” secrets within the agency’s automation platform of choice, Red Hat Ansible, was also out of the question. Instead, secrets were placed in a secure repository — bolstered by multi-factor authentication (MFA) — where they could be automatically managed, rotated, audited, and when needed, retrieved quickly and securely. Identities, whether human or machine, can now be managed by role-based access control, while policy-as-code allows the organization to store the current state of the service in version control.
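As an added illustration of the hardcoding risk described above (this is example code, not part of the original post or of CyberArk's or Red Hat's tooling), the following small scanner flags credential values written literally into a playbook while accepting values that are retrieved at run time. The sample playbook is constructed here; the lookup plugin name `cyberark.conjur.conjur_variable` is assumed to be the Conjur collection's lookup and is shown only to mark the secret as fetched from the vault rather than stored in the file.

```python
import re

# Constructed sample playbook (not from the page). The first play hardcodes a
# device password in the file; the second fetches it from a secrets store at
# run time through a lookup plugin (plugin name assumed).
SAMPLE_PLAYBOOK = """\
- hosts: core_routers
  vars:
    ansible_user: netadmin
    ansible_password: Sup3rS3cret!
  tasks:
    - name: push baseline config
      ios_config:
        lines: [ "ntp server 10.0.0.1" ]

- hosts: edge_routers
  vars:
    ansible_user: netadmin
    ansible_password: "{{ lookup('cyberark.conjur.conjur_variable', 'net/edge/netadmin') }}"
  tasks:
    - name: push baseline config
      ios_config:
        lines: [ "ntp server 10.0.0.1" ]
"""

# Keys whose values are worth inspecting: anything that looks like a credential.
SECRET_KEY_LINE = re.compile(
    r"^\s*(?P<key>[\w-]*(password|passwd|secret|token|api_key|private_key)[\w-]*)"
    r"\s*:\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def is_runtime_reference(value):
    """True if the value is resolved at run time (Jinja expression such as a
    vault lookup) or is Ansible Vault ciphertext, rather than a literal."""
    v = value.strip().strip('"').strip("'")
    if v.startswith("{{"):
        return True          # lookup() or variable reference, resolved later
    if v.startswith("!vault"):
        return True          # encrypted with ansible-vault, not plaintext
    return False

def find_hardcoded_secrets(text):
    """Return (line_number, key) for every credential key holding a literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY_LINE.match(line)
        if m and not is_runtime_reference(m.group("val")):
            findings.append((lineno, m.group("key")))
    return findings

if __name__ == "__main__":
    for lineno, key in find_hardcoded_secrets(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: literal value for '{key}' should come from the secrets store")
```

A Jinja reference such as `{{ some_var }}` is accepted here only because it is indirection; the variable it points to still needs the same check wherever it is defined.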
Through streamlined secrets management made possible by out-of-the-box integrations between Red Hat Ansible and CyberArk Conjur, the defense organization can now perform configuration management as code — automating updates (including important security changes) or deploying new assets across the entire network stack in less than two hours. Explore this federal case study in detail to learn more about protecting Ansible secrets and driving operational efficiency with CyberArk.
Securing Automated CI/CD Pipelines Means Security from Inception
Automation is one of several critical enablers of DevSecOps — a broader philosophy that emphasizes the need to integrate security into every phase of the software development lifecycle.
DevSecOps also means automating key security processes, such as secrets management, to keep DevOps workflows moving fast. Adopting the right tools and approaches can help your agency meet these objectives.
But of course, DevSecOps is primarily about people — it requires communication, collaboration, empathy and cultural change. It highlights the need to engage security teams from the start of DevOps initiatives while empowering developers to easily adopt security best practices without slowing down.
“Involve security early and often,” said Hurter. “They should be a partner. They should not be a roadblock.”
He continued, “By securing code at inception, federal agencies can minimize time spent refactoring code because it wasn’t done right the first time, eliminate cycles spent pushing new copies of secrets to new disparate credential stores, respond to incidents faster, and ultimately, focus on delivering more value to end-users.”
Red Hat and CyberArk: Automating and Securing DevOps Together
Watch Hurter’s full presentation, “How to Use Automation Data Securely & Safely in Government” on-demand (free registration required). And visit our team this week at the virtual Red Hat Summit to learn more about CyberArk and Red Hat’s joint efforts to automate and secure DevOps, while supporting organizations in both the public and private sectors on their path to IT modernization. Registered Red Hat Summit attendees can also explore a leading financial institution’s IT automation journey in the on-demand session “Ansible + CyberArk = More secure digital transformation: The CIBC case study.”
For additional resources, discover secrets management made simple, check out our joint solution brief or set up a personalized demo to learn how CyberArk and Red Hat can help you secure your automation workloads.