Microservices and containerized approaches are becoming increasingly critical elements of digital transformation strategies. Container platforms offer developers and operations teams a simplified way to build and deploy better applications faster across hybrid cloud environments, and at scale. In fact, a recent Capital One study shows 86% of technology leaders have prioritized container usage for more applications, largely to improve collaboration between developers and operations (50%) and enhance the developer experience (46%).
Red Hat® OpenShift® is one of the leading container platforms, providing enterprises with a consistent foundation and set of services for building and scaling containerized applications across hybrid environments. OpenShift leverages the underlying capabilities of the popular open source container orchestration platform, Kubernetes (K8s).
Today, several thousand enterprises use OpenShift to migrate application workloads to the cloud, as well as develop cloud-native applications using DevOps methodologies at scale. All of these applications use credentials, or secrets, to access databases and other sensitive resources – credentials that must be managed and secured the same way human access is. However, in a typical enterprise compute environment, OpenShift is likely just one of several platforms being used. This means credentials must be shared across multiple IT platforms, CI/CD tools, as well as cloud and hybrid environments. If these credentials are exposed, attackers can use them to escalate access and privilege, reach critical assets and cause significant harm – from exfiltrating or maliciously destroying sensitive data to crypto-jacking cloud resources.
Many development platforms and tools have their own native, or built-in, security components that manage credentials and access, and may even offer some form of audit support. Yet typically these security mechanisms don’t securely share secrets with other tools, instead creating isolated “islands of security” that make it difficult to consistently manage privileged credentials across the organization. To eliminate these disparate security islands and mitigate the risk of data breaches, all privileged credentials should be centrally managed, rotated, monitored and audited across the enterprise’s entire development and operations environment.
Our secrets management solution, CyberArk Application Access Manager designed to do just that. It provides a comprehensive, centralized solution for securing credentials and secrets for applications, containers and CI/CD tools across native cloud and DevOps environments. CyberArk Conjur, our open source secrets management tool, complements this enterprise offering.
Simplify Securing OpenShift Containers with Out-of-the-Box Integrations
Through several powerful integrations, CyberArk and Red Hat provide ways to simplify and strengthen security by safeguarding the credentials used by applications running in OpenShift containers.
CyberArk Application Access Manager integrations with Red Hat OpenShift offer major benefits for cross-functional teams, including:
- Development: Simplifies how developers write code to use credentials to securely access databases and other sensitive resources with flexible APIs. Code running in OpenShift containers can seamlessly access – and use – the required credentials, which are centrally managed and secured by CyberArk.
- Operations: Automatically secures and rotates secrets used by OpenShift containers based on the organization’s policies managed by the CyberArk platform. This eliminates the need for operations to manually change, populate and provide audit trails for credentials used by containers.
- Security: Separates the duties so that each container-based application only has access to the credentials or secrets needed to access the specific resources they are authorized to access. Policy-based access controls are set by the organization’s security team and managed by the CyberArk platform.
Together, CyberArk and Red Hat can help eliminate security islands and siloed credentials, enabling developers and operations teams to more easily and securely deploy applications at scale.
Secretless Broker Further Improves Security and Simplifies How Developers Write Code
CyberArk Application Access Manager provides OpenShift developers with flexible APIs including environmental variables and Rest APIs. Each supported method is designed to secure secrets to databases and other sensitive resources, helping developers stay focused developing code and moving fast.
Developers looking for an alternative to APIs can take advantage of Secretless Broker, a feature within CyberArk Application Access Manager and CyberArk Conjur. With Secretless Broker, applications can securely connect to databases, services and other protected resources – without ever accessing or even knowing the credential.
When an application needs to securely access a resource, it simply makes a local connection request to Secretless Broker. Secretless Broker then automatically authenticates the app using the native characteristics of the OpenShift container and establishes a connection to the database or other resource. This approach reduces the attack surface by preventing credentials from being exposed to applications. After all, applications cannot leak credentials that they don’t have access to. This also provides a simpler way for developers to write code to securely access databases.