Simple Steps to Protect Your DevOps Tools From Crypto Miners

 

What happened at Tesla?

Tesla’s Amazon cloud accounts were breached recently by hackers who put the stolen servers to work mining crypto-currency like Bitcoin. “Cryptojacking” attacks are becoming more and more common, but in the DevOps world, the real story here was in the details of the infiltration.

The attack’s entry point was an unsecured Kubernetes console which displayed Tesla’s secret Amazon Web Services credentials in plain text – a simple case of improper secrets management. And that’s a problem with a known solution, built from a handful of best practices:

  1. Keep the secrets encrypted in a secure location
  2. Make them visible to applications and people that use them only as needed
  3. Change them regularly
  4. Control and audit access to them
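An added example, not from the original post or from Conjur: a check for the failure described above, assuming the credentials sit as literal `env` values in pod specs. It reads a pod list in the shape of `kubectl get pods -o json` and reports where a literal credential appears. The sample data is constructed, using the placeholder keys from AWS documentation, and the name pattern is an assumed starting list.

```python
import json
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Credential-like env var names (assumed list; extend for your environment).
SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|TOKEN|ACCESS_KEY)", re.I)

# Constructed sample in the shape of `kubectl get pods -o json`; the key values
# are the placeholder credentials used in AWS documentation.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "uploader"},
   "spec": {"containers": [{"name": "app", "env": [
     {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
     {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
     {"name": "LOG_LEVEL", "value": "info"}]}]}},
  {"metadata": {"namespace": "default", "name": "reporter"},
   "spec": {"containers": [{"name": "app", "env": [
     {"name": "AWS_SECRET_ACCESS_KEY",
      "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "secret"}}}]}]}}
]}
""")

def find_plaintext_secrets(pod_list):
    """Return (pod, container, env name, reason) per literal secret; never the value."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        pod_id = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        spec = pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            for env in c.get("env") or []:
                value = env.get("value")
                if not value:  # valueFrom reference or empty: nothing literal in the spec
                    continue
                if ACCESS_KEY_ID.search(value):
                    reason = "value matches AWS access key ID format"
                elif SENSITIVE_NAME.search(env["name"]):
                    reason = "credential-like name with literal value"
                else:
                    continue
                findings.append((pod_id, c["name"], env["name"], reason))
    return findings

if __name__ == "__main__":
    for pod_id, container, name, reason in find_plaintext_secrets(SAMPLE):
        print(f"{pod_id} [{container}] {name}: {reason}")
```
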

If secrets management is a solved problem, why doesn’t everyone do it?

Even among experienced developers and DevOps admins, secrets management is often seen as a beast whose unleashing requires a costly, time-consuming commitment. Many organizations don’t think it’s worth the effort.

This reputation for complexity is undeserved. Simple solutions can be up and running in thirty minutes. And like much in software development, the cost of waiting far exceeds the cost of getting it right early.

What can I do right now?

Secrets management with Conjur is easy to get working in only minutes. Depending on your tools, systems, and needs, there are different options available:

  • Try Conjur using our step-by-step guide. Conjur provides audited, role-based permissions for security across your entire organization. We offer a free, powerful open-source version as well as an enterprise version with additional features.
  • Summon. A simple way to inject secrets safely into an existing app using environment variables, with almost no setup. Summon could likely have prevented the Tesla breach.
  • Secure your Jenkins server with Conjur. Is your Jenkins server secure? If not, find out why it should be.

Conjur also integrates seamlessly with Pivotal CloudFoundry, Ansible, and Puppet.

Finally, for a deeper understanding of the benefits of DevOps Security and the types of problems it solves, check out:

Getting Help

All of the Conjur engineers hang out on the CyberArk Commons, and we’d love to help you.

Conclusion

Secrets management doesn’t have to be scary. With the right tools it’s easy to do, and as a community embracing the best practices of modern DevOps security, we can avoid breaches like the recent one at Tesla.