
Technical Overview

This lesson provides a technical overview of the CyberArk Conjur Secrets Manager solution.

Lesson Objectives

Upon completion of this lesson the participant will be able to:

► Describe what Conjur is and how it fits into the CyberArk Privileged Access Manager (PAM) solution stack
► Understand the risks associated with hard-coded credentials and how Conjur can provide a solution to protect enterprise applications
► Learn a technical overview of Conjur infrastructure, architecture, and features

Copyright © 2023 CyberArk Software Ltd. All rights reserved. cyberark.com


Securing Applications: Business Challenges


No Centralized Enterprise Secrets Management

• No rotation or security governance
• No audit or logs
• No centralized control
• No visibility to security team
• Secrets stored in multiple vaults (some not secure)
• Hard-coded credentials in code or config files, for example:

    String user = "env";
    String Pass = "Rfvss%#x132";

(Diagram: secrets scattered across APPS, CI/CD and CLOUD.)


Application workload types: Homegrown Apps, CI/CD Automation, Cloud native apps, RPA / COTS, Cloud workloads


• Hard-coded credentials in code or config files
• No rotation or security governance
• No centralized control
• No visibility to security team (shadow IT)
• Developers prefer native tools and current experience
• Audit & compliance challenges


Decisions, Decisions

• Where will the secrets live? What secret store?
• Will the application be ported?
• How can I increase my application's security?
• How will I audit account usage?
• How will secrets management impact my applications?
• Will developers use the secrets management solution?


• Brand and reputation damage
• Delays in deploying new applications and services
• Operational efficiency lags
• Burdensome to get audit data, lack of a timely centralized view
Over two million corporate secrets detected on public GitHub

GitGuardian announced the results of its 2021 State of Secrets Sprawl on GitHub report. The report, which is based on GitGuardian's constant monitoring of every single commit pushed to public GitHub, indicates an alarming growth of 20% year-over-year in the number of secrets found. A growing volume of sensitive data – or secrets – such as API keys, private keys, certificates, usernames and passwords end up publicly exposed on GitHub, putting corporate security at risk as the vast majority of organizations are either ignoring the problem or poorly equipped to cope with it.

Types of secrets found:
• 27.6% Google keys
• 15.9% Development tools
• 15.4% Data storage
• 12% CRM, PCI, identity providers
• 11.1% Messaging systems
• 8.4% Cloud provider
• 6.7% Private keys
• Others

Ref: https://www.securitymagazine.com/articles/94776-over-two-million-corporate-secrets-detected-on-public-github-in-2020


Cost of a data breach 2022
A million-dollar race to detect and respond

(Figure: average cost of a data breach in the United States; global average total cost of a data breach.)

Ref: https://www.ibm.com/reports/data-breach


Fact: Attacks Can Be Simple



Consequences of data breaches are both familiar and painful: brand damage, loss of customer confidence, potentially costly litigation, and regulatory fines.

CISO View: Application Security

Goals & initiatives:
• Eliminate (significantly reduce) susceptibility to cyber attacks
• Prevent compromise of sensitive customer, employee, and business critical data

Application security:
• Protect sensitive data from leaks that could damage reputation and impact the business bottom line
• Minimize risk and security defects in software build cycles (SDLC) effectively


    Username = "app"
    Password = "y7qef$1"
    Host = "10.10.3.56"

Problems with hard-coded secrets:
• They exist everywhere (on-prem, cloud, hybrid)
• Secrets are hard-coded in clear text
• Secret values are static and aging
• Secrets are stored locally on the filesystem
• Secrets leaked to public repositories accidentally
• Lack of accountability for non-humans and humans
• Security islands caused by multiple secret stores
• Pursued by attackers (insider and external)
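Detection logic for the hard-coded credentials shown on these slides, as an added example that is not CyberArk's code and not part of this deck: a small scanner that flags assignments of literal values to credential-like names in source and config lines, while ignoring values that are references to something injected at runtime (an environment variable or template placeholder). The sample lines are constructed (the slide's own `String Pass` line is among them), and the name patterns are this example's own heuristics, so expect to tune them for your code base.

```python
import re

# Left-hand names that usually denote a credential (case-insensitive heuristic).
CREDENTIAL_NAME = re.compile(r"pass(word|wd)?|pwd|secret|api[_-]?key|token|private[_-]?key", re.I)

# "name = value" or "name: value", with an optional quoted literal on the right-hand side.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][\w.]*)\s*[=:]\s*["']?(?P<value>[^"'\s,;]+)["']?"""
)

# Constructed sample input: a mix of Java, YAML and shell lines, including the
# slide's own hard-coded password, an env-var reference and two non-credentials.
SAMPLE_LINES = [
    'String user = "env";',                  # username, not a credential
    'String Pass = "Rfvss%#x132";',          # hard-coded password (from the slide)
    'Host = "10.10.3.56"',                   # not a credential
    'db_password: "${DB_PASSWORD}"',         # placeholder resolved at runtime, fine
    'api_key = "AKIA-CONSTRUCTED-EXAMPLE"',  # hard-coded API key (constructed value)
    'export TOKEN=$VAULT_TOKEN',             # shell variable reference, fine
]


def mask(value):
    """Keep only a 2-character prefix so a findings report never re-leaks the secret."""
    return value[:2] + "***"


def is_reference(value):
    """True when the value points at an injected source rather than being a literal."""
    return value.startswith("$") or value.startswith("{{") or value.startswith("%(")


def find_hardcoded_credentials(lines):
    """Return (line_no, name, masked_value) for every literal credential assignment."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in ASSIGNMENT.finditer(line):
            name, value = match.group("name"), match.group("value")
            if not CREDENTIAL_NAME.search(name):
                continue          # assignment to something that is not a credential
            if is_reference(value):
                continue          # value is pulled from the environment or a template
            findings.append((line_no, name, mask(value)))
    return findings


def scan_sample_source():
    """Run the scanner over the constructed sample lines."""
    return find_hardcoded_credentials(SAMPLE_LINES)


if __name__ == "__main__":
    for line_no, name, masked in scan_sample_source():
        print(f"line {line_no}: {name} = {masked}  <- hard-coded credential")
```

Run it over `git diff` output or a config directory in a pre-commit hook; the masking matters because a scanner that prints the matched value in CI logs just moves the leak to another place.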


CyberArk Secrets Manager is the Key

Complete End-to-End Secrets Management

• Centralized Secrets Management
• Secures ALL Application Types, Everywhere
• Strong Authentication and Authorization
• Automated Secrets Rotation
• Full Audit & Compliance

(Diagram: APPS, CI/CD, CLOUD.)


Securely retrieve and manage credentials for applications, scripts, configuration files, and other non-human processes

ELIMINATE HARD-CODED CREDENTIALS
Make embedded passwords and credentials inaccessible to attackers and malicious users by eliminating them from scripts, application code and configuration files. Remove SSH keys from servers.

SECURELY STORE AND ROTATE APPLICATION CREDENTIALS
Store application credentials and automatically rotate based on policies without impacting application performance.

AUTHENTICATE APPLICATIONS
Use application characteristics to ensure only authorized applications can access the requested credentials – including path, hash signature, and OS user.

DELIVER ENTERPRISE SCALE AND AVAILABILITY
Deliver high performance. Offer flexible and enterprise scale deployment options, including agent and agentless.

LEVERAGE EXTENSIVE PARTNER INTEGRATIONS
Offer validated integrations with leading development platforms, and with existing security systems including AD/LDAP and SIEM.


REMOVAL OF HARD-CODED CREDENTIALS
• Limits Discovery & Reduces Attack Surface
• Enables Compliance with Audit & Best Practices
• Removes Security Island Dilemma

ESTABLISH IDENTITY TO APPLICATIONS
• Create Auditable Identity for Apps
• Access is Authorized, Logged and Auditable
• Enforce Strong Authn for Apps

CREDENTIAL ROTATION
• Regularly Perform Secrets Rotation
• No Updates to Files, Code or DBs when Secrets Rotated
• No Application Downtime Required to Rotate Secrets


Solution Description

Agent & Agentless Credential Providers: integration with CyberArk Privileged Access Manager to secure third-party software such as vulnerability scanners, RPA, automation tools, and IT management platforms by managing the credentials they need to complete their jobs.

Conjur Secrets Manager (Enterprise & Open Source): self-hosted secrets management to securely authenticate, centrally control and audit how applications, DevOps and automation tools use secrets and privileged credentials to access databases, cloud environments and other sensitive resources.

Conjur Cloud: SaaS secrets management that manages nonhuman access and machine identity across multi-cloud and hybrid environments with a uniform experience for security and developers, no matter where your secrets are.

Secrets Hub: securely integrate with AWS Secrets Manager to gain all the advantages of CyberArk's centralized secrets management without impacting developer workflows.

Solutions for All Enterprise Application Workloads!


Keep Your Secrets Safe With CyberArk Secrets Manager!
Security at the Speed of Innovation!
Enable the Digital Business! Defend Against Attacks!


Conjur Architecture


Meet Conjur

(Diagram: Conjur managing Passwords, API Keys and Tokens.)

• Application & Machine Identity Management Solution → Remove Hard-Coded Secrets
• High Security w/ Encryption At-Rest and In-Transit
• Frequent / Automatic Secrets Rotation
• Policy and Role-Based Access
• Custom Environment Specific Controls


LEADER
• Supports full read/write operations such as permission checks as well as management of policies, secrets and hosts, users and groups, host factories, public keys, token vending, and all Conjur services

STANDBY
• Standby server runs as a warm standby ready to take over operations if the leader (master) server fails
• Recommended to implement 2 standby servers (synchronous and asynchronous)

FOLLOWER
• Distributed across data centers and geographies to locally support application read requests and distribute load from the leader (master)
• Each follower can perform all read-only functions, but also supports creation of new hosts by proxying host factory requests to the leader (master)
• Can scale horizontally, and each additional follower adds read capacity
Conjur Server

• Linux Operating System
• PostgreSQL Database – Secure Secrets Storage
• HTTPS w/ REST API – Authentication, Permissions, Secrets Management, Auditing

(Diagram: Users, Admin and Auditors on the front end; AUTHN and AUTHZ services and the Conjur Audit DB on the back end of the Conjur Leader.)
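The request flow an application follows against the REST API described above, as an added example that is neither CyberArk's nor Conjur's own code: authenticate as a host identity, then read a variable from a Follower, with writes sent only to the Leader as the node-role slide requires. The endpoint paths are the ones Conjur's public REST API documents for authentication (`POST /authn/{account}/{login}/authenticate`, API key in the body) and variables (`GET`/`POST /secrets/{account}/variable/{id}`, token carried as `Authorization: Token token="<base64>"`); verify them against the documentation for your Conjur version. The account `myorg`, the host `host/billing-app`, the URLs, the API key and the in-memory `fake_transport` standing in for a Leader/Follower pair are all constructed so that the flow runs offline.

```python
import base64
import json
from urllib.parse import quote, unquote, urlsplit


class ConjurClient:
    """Authenticate as a host identity, then read/write variables over the REST API."""

    def __init__(self, account, leader_url, follower_url, transport):
        self.account = account
        self.leader_url = leader_url        # writes (secret values, policy) go to the Leader
        self.follower_url = follower_url    # read-only replica that serves retrieval locally
        self.transport = transport          # callable(method, url, headers, body) -> (status, body)
        self._token = None

    def authenticate(self, login, api_key):
        # POST /authn/{account}/{login}/authenticate with the API key as the body.
        # A host login is "host/<id>", so it must be URL-encoded into the path.
        path = f"/authn/{self.account}/{quote(login, safe='')}/authenticate"
        status, body = self.transport("POST", self.follower_url + path, {}, api_key)
        if status != 200:
            raise PermissionError(f"authentication failed for {login}: HTTP {status}")
        # The response is a short-lived JSON access token; later requests carry it base64-encoded.
        self._token = base64.b64encode(body.encode()).decode()
        return json.loads(body)

    def _headers(self):
        if self._token is None:
            raise RuntimeError("call authenticate() first")
        return {"Authorization": f'Token token="{self._token}"'}

    def get_secret(self, variable_id):
        # GET /secrets/{account}/variable/{id}; reads are served by the Follower.
        path = f"/secrets/{self.account}/variable/{quote(variable_id, safe='')}"
        status, body = self.transport("GET", self.follower_url + path, self._headers(), None)
        if status != 200:
            raise PermissionError(f"cannot read {variable_id}: HTTP {status}")
        return body

    def set_secret(self, variable_id, value):
        # POST /secrets/{account}/variable/{id} with the new value as the body; Leader only.
        path = f"/secrets/{self.account}/variable/{quote(variable_id, safe='')}"
        status, _ = self.transport("POST", self.leader_url + path, self._headers(), value)
        if status != 201:
            raise PermissionError(f"cannot write {variable_id}: HTTP {status}")


# ---- Constructed in-memory stand-in for a Leader/Follower pair so the flow runs offline ----
LEADER = "https://conjur-leader.example.invalid"
FOLLOWER = "https://conjur-follower.example.invalid"
HOST_API_KEYS = {"host/billing-app": "constructed-api-key-123"}   # host identity -> API key
VARIABLES = {"prod/db/password": "constructed-db-password"}       # variable id -> current value


def fake_transport(method, url, headers, body):
    """Answers the routes used above; writes are refused on the Follower (read-only)."""
    split = urlsplit(url)
    base = f"{split.scheme}://{split.netloc}"
    parts = [unquote(p) for p in split.path.strip("/").split("/")]
    if method == "POST" and len(parts) == 4 and parts[0] == "authn" and parts[3] == "authenticate":
        login = parts[2]
        if HOST_API_KEYS.get(login) != body:
            return 401, ""
        # Constructed token shape; a real Conjur token is a signed JSON structure.
        return 200, json.dumps({"payload": {"sub": login}, "signature": "constructed"})
    if not headers.get("Authorization", "").startswith('Token token="'):
        return 401, ""
    if len(parts) == 4 and parts[0] == "secrets" and parts[2] == "variable":
        variable_id = parts[3]
        if method == "GET":
            return (200, VARIABLES[variable_id]) if variable_id in VARIABLES else (404, "")
        if method == "POST":
            if base == FOLLOWER:
                return 405, ""           # Followers never accept writes
            VARIABLES[variable_id] = body
            return 201, ""
    return 404, ""


def retrieve_db_password():
    """Application path: no password in code, only a host identity plus its API key.

    In production the API key is injected into the workload (environment, mounted
    file or platform authenticator), never stored in source; the dict lookup here
    only keeps the constructed example self-contained.
    """
    client = ConjurClient("myorg", LEADER, FOLLOWER, fake_transport)
    client.authenticate("host/billing-app", HOST_API_KEYS["host/billing-app"])
    return client.get_secret("prod/db/password")


if __name__ == "__main__":
    print("fetched:", retrieve_db_password())
```

Because the client is bound to two base URLs, the read/write split of the cluster is enforced in code rather than by convention: rotation writes the new value once at the Leader, and every Follower serves it on the next read without any change to the application's files or code.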


• Tamperproof Audit Log for Accountability and Forensics
• Easy-to-Read Format and JSON Support
• Easy, Seamless Integration w/ SIEM Platforms and Monitoring Tools (e.g. Splunk, syslog, LogRhythm, etc.)
• Customized Records for Granular Accountability

(Diagram: External Applications retrieve secrets from a Follower; each retrieval produces an Audit Event; the Audit Logs on the Follower and Leader are replicated, feed the Web UI and Reports, and are optionally streamed to a SIEM.)
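Detection logic that a SIEM or monitoring tool can run over the JSON audit export described above, as an added example that is not CyberArk's code: it parses audit events as JSON lines and flags any role that accumulates several denied requests inside a short sliding window, the pattern a defender most wants surfaced from a secrets store because it separates a misconfigured workload from an identity probing for secrets it was never granted. The event lines are constructed and use this example's own simplified field names (`time`, `role`, `action`, `resource`, `result`), not Conjur's audit schema; map them to the real export before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events as JSON lines (field names are this example's own, not Conjur's).
SAMPLE_AUDIT_LINES = [
    '{"time": "2023-05-01T10:00:00", "role": "host/billing-app", "action": "fetch", "resource": "variable:prod/db/password", "result": "allowed"}',
    '{"time": "2023-05-01T10:01:10", "role": "host/billing-app", "action": "fetch", "resource": "variable:prod/hr/api_key", "result": "denied"}',
    '{"time": "2023-05-01T10:01:20", "role": "host/billing-app", "action": "fetch", "resource": "variable:prod/payroll/token", "result": "denied"}',
    '{"time": "2023-05-01T10:01:45", "role": "host/billing-app", "action": "fetch", "resource": "variable:prod/admin/ssh_key", "result": "denied"}',
    '{"time": "2023-05-01T10:30:00", "role": "host/ci-runner", "action": "fetch", "resource": "variable:prod/db/password", "result": "denied"}',
    '{"time": "2023-05-01T10:31:00", "role": "user/alice", "action": "update", "resource": "variable:prod/db/password", "result": "allowed"}',
]


def parse_audit_lines(lines):
    """Parse JSON lines into event dicts with a datetime 'time'; malformed lines are skipped."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
            event["time"] = datetime.fromisoformat(event["time"])
            events.append(event)
        except (ValueError, KeyError, TypeError):
            continue
    return events


def denied_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Roles with at least `threshold` denied actions inside any window of length `window`.

    Returns {role: (count, sorted distinct resources)} so an alert can show what was probed.
    """
    denied = defaultdict(list)
    for event in events:
        if event.get("result") == "denied":
            denied[event["role"]].append((event["time"], event["resource"]))
    flagged = {}
    for role, items in denied.items():
        items.sort()                      # chronological; ties broken by resource name
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(role, (0, []))[0]:
                resources = sorted({resource for _, resource in items[start:end + 1]})
                flagged[role] = (count, resources)
    return flagged


def scan_sample_audit():
    """Run the burst detector over the constructed sample events."""
    return denied_bursts(parse_audit_lines(SAMPLE_AUDIT_LINES))


if __name__ == "__main__":
    for role, (count, resources) in scan_sample_audit().items():
        print(f"ALERT {role}: {count} denied requests in 5 min across {resources}")
```

A single denial (the `host/ci-runner` line) is ordinary noise from a missing grant; three denials from one host against three unrelated variables in under a minute is what should page someone, and the resource list in the result tells the responder whether the host's policy or the host itself is the problem.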


Conjur: Supported Platforms

Environments: On-Premises, Cloud, Hybrid
Platforms: Container Platforms, Amazon AWS AMI
Operating Systems: GNU / Linux, Ubuntu


Conjur Cluster

• A Conjur Cluster comprises the Leader and at least 2 Standby nodes.
• Network load balancers are used to route HTTPS and database replication service traffic between the Leader, Standby, and Follower nodes.
• Followers are deployed into separate availability zones to service secret retrieval requests by the applications and other non-human processes.

(Diagram: a Load Balancer routes requests to the Leader; asynchronous Followers in Region 1, Region 2 and Region 3 replicate from the Leader through the LB, and each region's Followers sit behind their own Load Balancer serving read requests from Clients.)


Conjur: Interfaces By Persona

Personas: Business Owner, Ops, Security Owner, Developer, Auditor

• Ops: CLI and multiple native integrations with the "New IT Department"
• Security Owner: Dashboards for central security management tools
• Developer: "Everything as code"; Community Edition and APIs designed to be easy for developers to use
• Auditor: Dashboards for reporting full audit
(Diagram: an Enterprise Vault or Privilege Cloud connects through the Synchronizer to the Conjur Primary Cluster and DR site; the Leader, Standby and Follower nodes sit behind a Load Balancer w/ Health Check with Sync and Async replication links; Followers are deployed in Cloud, OnPrem / Hybrid, and K8s / OpenShift environments, each behind its own Load Balancer serving CI-CD Tools / Applications.)


Resources: Additional Information

• Visit www.CyberArk.com: https://www.cyberark.com/products/devsecops/
• Secrets Manager Datasheets: CyberArk Secrets Manager; Conjur Secrets Manager Enterprise; Comparison Conjur Enterprise vs. Open Source
• Developer resources & community, hands-on tutorials (Ansible, K8s, Jenkins, etc.), technical blogs, Open Source: www.conjur.org
• Privilege Cloud
Summary

In this session we discussed:

• Risks associated with hard-coded credentials and how Conjur can provide a solution to protect enterprise applications
• What Conjur is and how it fits into the CyberArk Privileged Access Manager solution
• A technical overview of Conjur infrastructure, architecture, and features

Thank You