Taming Vault Sprawl with Modern Secrets Management

August 29, 2024 Eric Sun


In the cloud, DevOps and AI era, security teams grapple with the growing challenge of shadow secrets and vault sprawl. As organizations scale, secrets management fragments: Microsoft, for example, recommends one Azure Key Vault per application, per environment, per region, so a single application can easily end up with a dozen vaults. Without centralized visibility, consistent security policy and rotation control across all of them, vault sprawl raises security risk and makes compliance harder to demonstrate.

In CyberArk’s recent webinar, “How Security Teams are Solving Vault Sprawl with a Modern SaaS Solution,” John Walsh, senior product marketing manager; Joe Garcia, senior solutions engineer; Uzi Ailon, vice president of DevOps; and Damon McDougald, Accenture global digital identity lead, discussed why teams are seeking a modern SaaS approach to scalable secrets management.

This post recaps the key insights; the full webinar is available on demand.


Key Takeaways and Timestamps

  • [0:00-4:35] The Vault Sprawl Dilemma
    Discover why vault sprawl increases security risk; a unified secrets management approach is critical.
  • [4:35-16:05] CyberArk Identity Security Platform and Conjur Cloud Demo
    Live demo of Conjur Cloud in a real-world scenario focusing on AWS environments and CI/CD pipelines.
  • [16:05-23:22] Real-World Solutions with Accenture
    Damon McDougald shares the challenges legacy and open-source vaults bring to organizations: configuration complexity and scaling, integration effort, and the lack of centralized monitoring, logging and auditing of secret usage.
  • [23:22-27:45] Simple and Secure Migration
    Explore the strategies for migration from vault sprawl to Conjur, including automation techniques and the use of a proxy to ease the transition.

Top Audience Questions:

  1. How can I discover and manage secrets across different platforms, such as HashiCorp Vault and Azure Key Vault (AKV)?
    Conjur supports centralized management and visibility across cloud-native secret stores, Kubernetes and common DevOps toolchains. For seamless migration, Conjur offers API-based automation to onboard secrets from other vaults, helping consolidate your secrets management strategy.
  2. How do I convince my AD Operations team to allow CyberArk to handle Azure Key Vault secrets rotation?
    Azure Key Vault has no built-in rotation for secrets (unlike keys and certificates, which can be auto-rotated); Microsoft's documented pattern is an Event Grid-triggered Azure Function that you write and maintain per secret type. Without CyberArk, the AD Operations team would have to develop a rotator from scratch for every secret type; with Conjur, rotation is managed for you.
  3. Is support for managing unused or stale secrets in Azure Key Vault available?
    Yes. You can identify unused and stale secrets in AKV with CyberArk Secrets Hub. Combined with Privilege Cloud or self-hosted PAM, you can store and manage secrets from CyberArk Vault and pick which ones you’d like to synchronize to Azure Key Vault. For a demo of this capability, see Using Secrets from CyberArk in Azure Key Vault.
  4. What are the benefits of migrating to Conjur from other vault solutions?
    Conjur offers significant (1) security benefits with out-of-the-box audit trails and granular policy controls, (2) enterprise-scale performance and (3) seamless integration into a unified identity security platform. The migration process can be streamlined using automation tools and partner support for fast time to value.
  5. What are my deployment options for Conjur?
    Conjur can be deployed as self-hosted or SaaS to flexibly meet your security and organizational needs. With extensive integration support and transparent secrets management, Conjur is a smooth transition from legacy and open-source vaults.

Take the First Step with a Secrets Scan

Vault sprawl is a growing shadow-secrets problem for modern organizations. CyberArk Conjur offers a security-focused solution that centralizes and rotates secrets and improves compliance while keeping your developers and DevOps teams in flow. If you’d like to assess your level of machine identity risk, for a limited time, CyberArk is offering a cloud compliance check. This check will help you identify unused or stale passwords, the last rotation date across secrets, and other critical security metrics.
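As an added illustration of the stale-secret and sprawl check described in audience question 3 and in the compliance check above, here is a small inventory script. It is not CyberArk's, Secrets Hub's or Microsoft's code: it works on plain records carrying the metadata fields the Azure Key Vault SDK exposes on SecretProperties (name, updated_on, expires_on, enabled), so it runs offline. The vault URLs, secret names and dates are constructed, the 90-day rotation threshold is an assumption, and the optional `collect_from_azure` helper assumes the azure-identity and azure-keyvault-secrets packages and a role that can list secret metadata (for example Key Vault Reader under Azure RBAC).

```python
"""Stale-secret and vault-sprawl report over Azure Key Vault metadata.

Added example, not CyberArk's or Microsoft's code. Secret *values* are never
read: everything below works on listing metadata only.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; these vaults and secrets do not exist.
NOW = datetime(2024, 8, 29, tzinfo=timezone.utc)
DEV = "https://app1-dev-eastus.vault.azure.net"
PROD = "https://app1-prod-eastus.vault.azure.net"
WESTEU = "https://app2-prod-westeu.vault.azure.net"
SAMPLE_SECRETS = [
    {"name": "db-password", "vault_url": DEV, "updated_on": NOW - timedelta(days=400),
     "expires_on": None, "enabled": True},
    {"name": "db-password", "vault_url": PROD, "updated_on": NOW - timedelta(days=30),
     "expires_on": NOW + timedelta(days=60), "enabled": True},
    {"name": "api-key", "vault_url": PROD, "updated_on": NOW - timedelta(days=10),
     "expires_on": NOW - timedelta(days=1), "enabled": True},
    {"name": "legacy-token", "vault_url": WESTEU, "updated_on": NOW - timedelta(days=200),
     "expires_on": None, "enabled": False},
]


def classify(secret, now=NOW, max_age_days=90):
    """Return the list of findings for one secret record (empty list = healthy).

    max_age_days is an assumed rotation SLA; tune it to your policy.
    """
    findings = []
    if not secret["enabled"]:
        # Disabled but never deleted: typical leftover from a manual rotation.
        findings.append("disabled")
    age = now - secret["updated_on"]  # last version write, i.e. last rotation
    if age > timedelta(days=max_age_days):
        findings.append(f"not rotated in {age.days} days")
    expires_on = secret["expires_on"]
    if expires_on is None:
        findings.append("no expiry set")
    elif expires_on <= now:
        findings.append("expired")
    return findings


def report(secrets, now=NOW, max_age_days=90):
    """Aggregate findings across vaults and flag names that live in several vaults.

    A secret name present in more than one vault is the sprawl signal: it is
    either the same credential copied around (one rotation will miss the copies)
    or two different credentials with the same name (confusing and un-auditable).
    """
    vaults_by_name = defaultdict(set)
    findings = {}
    for s in secrets:
        vaults_by_name[s["name"]].add(s["vault_url"])
        f = classify(s, now, max_age_days)
        if f:
            findings[(s["vault_url"], s["name"])] = f
    duplicated = {n: sorted(v) for n, v in vaults_by_name.items() if len(v) > 1}
    return {
        "vault_count": len({s["vault_url"] for s in secrets}),
        "findings": findings,
        "duplicated_names": duplicated,
    }


def collect_from_azure(vault_urls):
    """Build the same records from live vaults (assumption: Azure SDK installed).

    Only list_properties_of_secrets is called, so the identity used needs list
    permission on metadata and never sees secret values.
    """
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    credential = DefaultAzureCredential()
    records = []
    for url in vault_urls:
        client = SecretClient(vault_url=url, credential=credential)
        for p in client.list_properties_of_secrets():
            records.append({"name": p.name, "vault_url": url, "updated_on": p.updated_on,
                            "expires_on": p.expires_on, "enabled": p.enabled})
    return records


if __name__ == "__main__":
    result = report(SAMPLE_SECRETS)
    print(f"{result['vault_count']} vaults scanned")
    for (vault, name), problems in sorted(result["findings"].items()):
        print(f"{vault} {name}: {', '.join(problems)}")
    for name, vaults in result["duplicated_names"].items():
        print(f"'{name}' exists in {len(vaults)} vaults: {', '.join(vaults)}")
```

The report only ever touches listing metadata, so it can run under a read-only role and is safe to schedule; what it cannot tell you is whether two same-named entries hold the same value, which is exactly the kind of question a central vault with a single audit trail answers and a spread of per-app, per-environment vaults does not.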

Eric Sun is responsible for competitive programs at CyberArk.
