How to Enable Applications Teams to Secure Code (part 2)

It’s more important than ever to make sure your applications are secure. What tools are available to help in this effort – and what are the pros, cons, features, and benefits of these enablement tools?

In our previous post we set the stage for this discussion by covering the challenge application developers and their security teams face in securing code efficiently. Read about the impact that securing (or not securing) application credentials can have on your organization and what you can do about it.

To continue our discussion: apps typically run in one of three network zone configurations. These are:

  • On-Prem – Apps that run in this space are your traditional applications, which usually run on physical machines or dedicated VMs. These apps have a long lifecycle.
  • Internal Cloud – Apps in this zone run on semi-elastic machines. Their lifecycle is much shorter than that of traditional servers, and they are deployed much more quickly than on-prem apps.
  • “The Cloud” – This zone exists outside the organization’s firewall. Apps in the cloud run on very short-lived infrastructure hosted by an outside vendor. These apps are deployed and destroyed automatically based on the application’s demand.

Whether you’re trying to meet DFARS, MAS, HIPAA, or NERC compliance, you have choices about where your apps run. Whichever environment meets your needs, CyberSheath has the resources to help keep your applications secure.

What you need, and how CyberSheath can help:

On-Prem

Your on-premises applications need to be just as secure as apps in the cloud. Depending on how your application functions (homegrown code, services, scheduled tasks, IIS application pools), the CyberArk Enterprise Password Vault (EPV) has a feature for you. EPV is designed for:

  • Managing secrets.
  • Rotating passwords and keys.
  • Allowing humans and applications to fetch them for authorized tasks.
If your on-prem apps are developed on a platform like Java or C++, CyberArk’s Application Identity Manager (AIM) can help. An agent, the Credential Provider, is installed on the local host. It:

  • Communicates between the application and the Vault, serving up the password each time it’s needed.
  • Is designed for high transaction volumes, and high availability.
  • Allows for seamless credential rotation with zero downtime.
  • Challenge: Agent workflow and management can be cumbersome.
If your on-prem applications rely less on compiled code and more on scripting and basic Windows functions, the built-in remote management features of the Central Policy Manager (CPM) are a good alternative.

  • Scheduled tasks, Windows services, and IIS application pools that run under a specific account can have that account’s password rotated automatically, with the password stored in the task, service, or app pool updated in the same cycle.
  • Challenge: Configuring the workflow for this is where most app teams get hung up.
Internal Cloud

Your apps running on an internal or private cloud tend to be less risk-sensitive. These apps generally require faster deployment, have shorter recovery time objective (RTO) requirements, and need to be semi-elastic. CyberArk’s Central Credential Provider (CCP) is one recommended approach.

  • It requires only simple code changes from app teams.
  • Instead of an agent installed on a semi-elastic device, a web service call is made to retrieve the credential.
  • Identity can be established from a number of machine characteristics (for example the calling OS user, the path or hash of the calling executable, or the allowed machine addresses) in addition to client certificates.
  • Challenge: It can be difficult to define a clear and repeatable process to register applications and issue certificates to them.
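The web service call described above, as an added example for this article (not CyberArk’s or CyberSheath’s code): the application presents a client certificate as its identity, trusts only the organization’s CA for the CCP endpoint, and validates the reply before using the secret. The request shape follows the CCP AIM web service REST interface; the hostname, AppID, Safe and Object names, certificate paths, and the sample replies are placeholders constructed for the example.

```python
"""Retrieve an application credential from CyberArk's Central Credential Provider (CCP)
with a web service call over mutual TLS, instead of a locally installed agent.

Added example for this article; not CyberArk's or CyberSheath's code. Assumptions:
the request shape follows the CCP AIM web service REST interface
(GET /AIMWebService/api/Accounts); the host, AppID, Safe, Object and certificate
paths are placeholders; the sample replies below are constructed, not captured.
"""
import json
import ssl
import urllib.parse
import urllib.request


def build_ccp_url(base_url, app_id, safe, object_name, folder="Root"):
    """Build the CCP query URL. urlencode() escapes each value, so a Safe or
    Object name containing spaces or '&' cannot inject extra query parameters."""
    params = {"AppID": app_id, "Safe": safe, "Folder": folder, "Object": object_name}
    return base_url.rstrip("/") + "/AIMWebService/api/Accounts?" + urllib.parse.urlencode(params)


def parse_ccp_response(body, expected_username=None):
    """Parse the JSON CCP returns. Errors arrive as ErrorCode/ErrorMsg; a good
    reply carries the secret in Content plus the account's UserName and Address.
    Checking UserName guards against a query that matched a different account."""
    data = json.loads(body)
    if "ErrorCode" in data:
        raise RuntimeError(f"CCP error {data['ErrorCode']}: {data.get('ErrorMsg', '')}")
    if "Content" not in data:
        raise RuntimeError("CCP reply contains no Content field")
    if expected_username is not None and data.get("UserName") != expected_username:
        raise RuntimeError(f"CCP returned account {data.get('UserName')!r}, expected {expected_username!r}")
    return {
        "username": data.get("UserName"),
        "password": data["Content"],
        "address": data.get("Address"),
    }


def fetch_credential(base_url, app_id, safe, object_name,
                     client_cert, client_key, ca_bundle, timeout=5):
    """Perform the live call (needs a reachable CCP, so it is not exercised offline).
    The TLS context trusts only the organization's CA bundle and presents the
    application's client certificate, which is the identity CCP authenticates."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    url = build_ccp_url(base_url, app_id, safe, object_name)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_ccp_response(resp.read().decode("utf-8"))


# Constructed sample replies for offline use (shape only; not real CCP output).
SAMPLE_OK = ('{"Content":"s3cr3t-Value","UserName":"svc_billing",'
             '"Address":"db01.corp.example","PolicyID":"MSSQL"}')
SAMPLE_ERR = ('{"ErrorCode":"APPAP004E",'
              '"ErrorMsg":"Password object matching query was not found"}')


if __name__ == "__main__":
    print(build_ccp_url("https://ccp.corp.example", "BillingApp", "BillingSafe", "db01 svc_billing"))
    print(parse_ccp_response(SAMPLE_OK, expected_username="svc_billing"))
```

The secret never touches disk on the calling host, and the only per-host material is the client certificate and key, which is why the registration and certificate-issuance process called out above matters: whoever can obtain that certificate can make the same call.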
“The Cloud”

Your applications running on cloud infrastructure (a.k.a. the public cloud) generally require extremely high availability and elastic growth on demand.

Provisioning applications’ access to secrets at such quick speeds is challenging, which is why many organizations are hesitant to put apps in the cloud.

CyberArk’s Conjur, which is a DevOps security platform designed for cloud computing, can help.

  • As a cloud-native application itself, it scales with the highly elastic nature of cloud applications.
  • It uses the concept of machine identity to establish trust that your app is who it says it is.
  • Using web calls (similar to CCP), Conjur serves up secrets to authorized applications.
  • No per-instance configuration is required for a new app instance: it’s built with its identity, inherits its authorizations, and it’s on its way.
  • Challenge: It’s not easy to create a system to import secrets or to build a methodology for developers to code in Conjur during their build process.
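The machine-identity and authorization model described above, as an added example policy for this article (not from the original post or from CyberArk’s documentation): a Conjur policy declares the secret, a layer for the application’s instances, and a permit on the layer, so a new instance only has to join the layer to be authorized. The policy id, variable name, and host name are placeholders.

```yaml
# Added example Conjur policy; ids (billing-app, db/password, web-01) are placeholders.
- !policy
  id: billing-app
  body:
    # The secret lives in Conjur as a variable. Its value is set separately
    # (CLI or API), never written into policy.
    - !variable db/password

    # A layer groups the running instances of this app. Authorization is
    # attached to the layer, not to individual hosts.
    - !layer

    # One instance enrolled explicitly here; in practice instances are usually
    # enrolled through an authenticator when they boot.
    - !host
      id: web-01

    - !grant
      role: !layer
      member: !host web-01

    # Any host in the layer may read metadata (read) and fetch the value
    # (execute) of the secret, and nothing else in this policy.
    - !permit
      role: !layer
      privileges: [ read, execute ]
      resource: !variable db/password
```

Once the policy is loaded and the variable’s value is set, an instance authenticates with its host identity, receives a short-lived token, and fetches the value through Conjur’s secrets endpoint, which is the web call the bullets above compare to CCP. The import problem noted in the challenge is real: the policy establishes who may read a secret, but populating the variable values for every application still has to be scripted as part of the build or deployment pipeline.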

Contact CyberSheath to learn how we can help your organization secure your applications.
