The accelerated adoption of cloud-based solutions and other aspects of digital transformation have propelled an explosion of privileged credentials and secrets used by applications, automated workflows, and other non-human identities. Implementing secrets management practices is necessary to remain agile and innovative, while maintaining a strong security posture. BeyondTrust DevOps Secret Safe is a built-for-DevOps security solution that addresses these operating demands.
Read on for highlights of new features and enhancements now available with the release of BeyondTrust DevOps Secrets Safe 21.1.
Enhanced Dynamic Accounts
DevOps Secrets Safe can dynamically generate API accounts for automated processes to access various cloud environments. This workflow utilizes a "provider account" responsible for creating and deleting the requested service account on DevOps Secrets Safe's behalf. While this provider account should not have excessive permissions, it is still a source for potential stale credentials. Additionally, the responsibility of managing the lifecycle of dynamically generated accounts resides with the automated workflow. If proper deletion of accounts is not accomplished during this workflow, it could leave service accounts active for longer than necessary and lead to additional cleanup activities and increased risk of cyberattack exposure.
In this release, Dynamic Accounts have been enhanced by automating account lifecycle management and strengthening their security profile. Service accounts generated by DevOps Secrets Safe can now be configured with a "time-to-live" duration, limiting their access in alignment with just-in-time (JIT) access models. When this period is reached, these accounts will be automatically removed from the cloud infrastructure, significantly reducing their availability as a potential attack vector. Furthermore, the minimally privileged, but longer-lived, provider account can now continually self-manage its credentials by rotating the cloud API key.
Dynamic Accounts with Ansible
Ansible is often used to stand up infrastructure in the Cloud. This process requires Ansible workflows to have automated access to cloud APIs, which leverage service accounts’ API keys. This automated access makes the API keys highly privileged and, therefore, must be secured accordingly. It is recommended to apply the principle of least privilege to the specific task being performed to mitigate the opportunities for exploit. Additionally, by removing hard-coded API keys from source and configuration files, you can further limit potential account compromise.
In this release, customers can secure their Ansible playbooks when interacting with cloud APIs by leveraging a dynamic account generated by DevOps Secrets Safe. This integration secures automated workloads by using a credential created just-in-time, with just the right level of privilege and scope, while eliminating hard-coded or embedded Cloud API keys. This approach meets best practices for least privilege and JIT, significantly enhancing your security around Ansible playbooks.
New RPA Tool Integration: Blue Prism
Organizations are continually adopting new tools for automating many business processes, one of these tools is robotic process automation (RPA) applications. RPA tools automate business processes for systems that require manual steps or user interaction. These processes often require passwords or API keys for authentication and access to various systems or information. The integration between DevOps Secrets Safe and Blue Prism, a leading RPA developer, enables the secure storage and usage of this sensitive information by centrally vaulting the secrets, controlling access to them, and maintaining rich audits for all secrets operations.
About DevOps Secrets Safe
BeyondTrust DevOps Secrets Safe helps IT security personnel and DevOps engineers easily meet the scalability requirements for highly elastic DevOps environments. The BeyondTrust solution mitigates the risk of a single-point-of-failure with a high-availability micro-services-based architecture. The API-first approach makes DevOps Secrets Safe adaptable to the way developers work, removing friction and encouraging adoption.
DevOps Secrets Safe assigns unique identities to machines, applications, services, containers, VMs, etc. These non-human identities can be identified, authorized, and managed, just as a human user is managed, enabling much-needed access granularity and enhanced security. BeyondTrust DevOps Secrets Safe also provides a complete audit of all secrets operations, making it easy to meet compliance mandates.
BeyondTrust DevOps Secrets Safe’s advanced secrets management capabilities enable enterprises to accelerate their digital transformation projects. These advances were highlighted in the February 2021 KuppingerCole PAM for DevOps debut report, earning BeyondTrust the #1 spot in product leadership and highest marks for security, functionality, usability, and deployment.
To learn more about DevOps Secrets Safe and this release, check out these resources:
> What’s New Documentation- DevOps Secrets Safe 21.1
> Release Notes – DevOps Secrets Safe 21.1
> DevOps Secrets Safe Datasheet
Alex Leemon, Director, Product Marketing
Alex Leemon is Director, Product Marketing at BeyondTrust. She has over fifteen years of experience working with enterprise-level and Critical Infrastructure organizations solving safety and security challenges. Before joining BeyondTrust, Alex served in various roles related to the development of operational technology (OT) products and the Industrial Internet of Things (IIoT).
