I Am the Sword in the Darkness, I Am the Watcher on the Walls, I Am the Fire That Burns Again
If you are reading this, you probably got sucked into watching Game of Thrones when it first aired on HBO in 2011. It is amazing how much has changed during the eight seasons of the series, but, as a developer and security guy, I find the Night's Watch story the most interesting. The series debuts with the men in black – a.k.a. the Night's Watch – patrolling the Wall. Soon we learn that, contrary to popular belief, there really are supernatural threats lurking in the darkness that put all of Westeros at risk.
The Wall that the Night's Watch is guarding is the only thing standing between the land of Westeros and the deadly White Walkers. However, rather than immediately getting all the resources they need to tackle this danger, the people of the Night's Watch spend the next seven seasons convincing the rest of Westeros that these threats are real and that leaving the Wall woefully understaffed and poorly defended endangers everyone. Hmm… sound familiar?
As the dramatic series unfolds, we see lots of lip service paid to how important the work of the men in black is, but we also learn that most people really doubt the seriousness of the threats beyond the Wall. They view joining the Night's Watch as a punishment instead of an honor because the White Walkers haven't attacked in a long time.
Watching Game of Thrones, I noticed an interesting correlation between the Night's Watch and how DevOps security is perceived, and found some potential lessons there. I have worked in the cybersecurity space all of my career and no one has ever said that security isn't important, but I have found that other concerns are often prioritized over security, or that organizations try to get away with using only the minimum amount of security. Inevitably, this attitude changes once a breach occurs. I realized how similar this is to the plight of the heroes of Westeros while I listened to Sarah Allen introduce the new CNCF cybersecurity SIG and saw how sparsely populated the room was. Sarah said that, while the security-related SIG isn't as popular as others, it is still really important. That is when I started to think about the Night's Watch Oath and realized that sharing these parallels could help organizations commit more resources to protect themselves before the White Walkers are at the Wall.
For those of you who don't watch the show or don't remember, here is a recap of the oath:
The Night's Watch Oath
"Night gathers, and now my watch begins. It shall not end until my death. I shall take no wife, hold no lands, father no children. I shall wear no crowns and win no glory. I shall live and die at my post. I am the sword in the darkness. I am the watcher on the walls. I am the shield that guards the realms of men. I pledge my life and honor to the Night's Watch, for this night and all the nights to come."
The essence of the oath is honor, duty and sacrifice, but not in the name of celebrity or monetary reward. For the brave men of the Watch, protecting the realm is its own reward. If you're a developer in the cybersecurity space you can almost certainly relate to this – without all the overly dramatic sacrifice, of course. If you are a security developer, you've probably worked on several products that most people have never heard of, even though they have benefited indirectly from your labor. This work helps protect ATM transactions, bank transfers, credit cards and other sensitive information and secrets. If you are like me, you've stopped telling people exactly what product you've worked on during casual conversations and instead tell them how they benefit from the unseen sword in the darkness, the watcher on the wall of cybersecurity.
There isn't as much glory or recognition in cybersecurity work as there is in working on the newest Madden NFL game or an iPhone app, but people benefit just as much, if not more. Although, with all the ongoing stories of credit card breaches, stolen personal data, and healthcare IT and city infrastructure held hostage to ransomware, we're getting a lot more awareness.
If you drill down into the oath and take it more literally, you probably know a few cybersecurity nerds that have committed to "…take no wife, hold no lands, father no children." I assure you that this is purely coincidental. Regardless, as with the crows (another name for the men of the Night's Watch), we all benefit from their sword in the darkness. However, the oath and the Watch are a little too male-centric, so let's agree that other genders and nerds are free to have no wives or husbands. Apologies on behalf of Westeros for being even further behind than George R.R. Martin's next publication date.
Why DevOps Security Needs a New Oath
As with all things DevOps, the goal is velocity, but you still need to take into account protecting your realm (system) from risk (White Walkers). There is, at least, an unspoken understanding or oath between developers and cybersecurity teams, but it's not widely adopted. This agreement between developers and security should facilitate understanding and increase productivity while mitigating risk. Let's face it, a massive breach will set back velocity much more than working developer-focused security policies into the start of the Software Development Lifecycle (SDLC) – shifting security left. So let's update the Night's Watch oath for a modern DevOps organization.
The DevOps Security Oath
"Ransomware, phishing attacks, malware, and security breaches gather, and now my watch begins. It shall not end until the realm is free from cybersecurity threats – never. I shall work with my developer and DevOps teams to understand their needs and work to adapt them to organizational security policies. We will shift security policies to the left to work more efficiently and securely. Together, we shall win glory and beat back the threats to our realm. We are the sword in the darkness. We are the watchers on the walls. We pledge our lives and honor to the Night's Cybersecurity Watch, for this night and all the nights to come."
The White Walkers of DevOps – Threats
Now that developers and security teams have stopped warring like the inhabitants of Westeros during the War of the Five Kings, let's focus on the threats to the DevOps realm, a.k.a. our own personal White Walkers. DevOps encourages integration and automation among software developers and IT operations (DevOps teams) to improve the speed and quality of software delivery. However, software automation requires secrets, lots of secrets.
Secrets in many different forms are necessary to allow automated processes to talk to each other, access code repositories, spin up VMs and containers in cloud environments, etc. These secrets literally hold the keys to the kingdom, and they are frequently stored in GitHub, Jenkins, applications, configuration files and other insecure places. This can lead to an attacker gaining access to sensitive customer information, credit card information, proprietary information or more secrets – breaking through the Wall and spreading the breach. Take a look at the infographic below, created by the CyberArk threat research team, for more details on the attack flow; we'll walk through it more after the jump.
Looking at the infographic, you can see the DevOps realm is divided into two kingdoms – the Dev Kingdom and the Ops Kingdom – but a risk to one kingdom impacts both kingdoms.
Example One
A developer lord pushes code to Castle GIT that contains the keys (secrets) to Database (DB) Tower. This code, and the DB Tower secrets, is now accessible to anybody with access to Castle GIT, potentially exposing all of the knights' credit card information.
Example Two
Castle Supreme Jenkins is at the center of your DevOps pipeline, requiring a lot of secrets to access sensitive resources. By gaining control of Castle Supreme Jenkins, an attacker can gain access to other castles and towers within the realm, compromising everything inside both kingdoms.
Protecting Your Realm
The good news is that there are open source tools that can help you mitigate the risks to your realm and control who has access to the keys to your kingdom. As we saw in Game of Thrones, a gigantic wall isn't the best means of defense, because walls get breached. The best way to stop the lateral spread of a White Walker attack or a security breach is to control who has access to the secrets and limit the amount of privilege granted to knights and lords (or ladies) with RBAC.
An open source centralized secrets management solution like Conjur provides a holistic view of exactly who has access to what and keeps secrets out of code, configuration files and tools like Jenkins, Kubernetes, Ansible, Puppet, Terraform and so on. This makes it easier to enforce RBAC policies, provision or revoke access, audit access and authenticate requests.
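To make the RBAC point concrete, here is an added illustration (not Conjur's code or API) of a centralized secret store that authenticates, authorizes and audits every read, and a `reachable` check that measures the blast radius of a stolen identity such as the Castle Supreme Jenkins host from Example Two. All role names, variable names and values are constructed for this example.

```python
# Added illustration, not Conjur's API or code: a toy centralized secret store
# with RBAC, showing how least privilege limits how far a compromised CI host
# (Example Two above) can spread through the realm.  All names are constructed.
class SecretStore:
    def __init__(self):
        self.secrets = {}      # variable -> value
        self.api_keys = {}     # role -> API key used to authenticate requests
        self.memberships = {}  # role -> {groups it belongs to}
        self.permits = {}      # variable -> {roles allowed to read it}
        self.audit = []        # (role, variable, outcome)

    def grant(self, group, member):      # group privileges flow to members
        self.memberships.setdefault(member, set()).add(group)

    def permit(self, role, variable):    # role (host or group) may read variable
        self.permits.setdefault(variable, set()).add(role)

    def revoke(self, role, variable):
        self.permits.get(variable, set()).discard(role)

    def fetch(self, role, api_key, variable):
        """Authenticate, authorize and audit one secret read."""
        if self.api_keys.get(role) != api_key:
            self.audit.append((role, variable, "auth-failed"))
            raise PermissionError(f"bad credentials for {role}")
        effective = {role} | self.memberships.get(role, set())
        if not effective & self.permits.get(variable, set()):
            self.audit.append((role, variable, "denied"))
            raise PermissionError(f"{role} may not read {variable}")
        self.audit.append((role, variable, "ok"))
        return self.secrets[variable]

    def reachable(self, role, api_key):
        """Blast radius: every secret a stolen identity could pull."""
        out = set()
        for variable in self.secrets:
            try:
                self.fetch(role, api_key, variable)
                out.add(variable)
            except PermissionError:
                pass
        return out


def build_realm():
    """Constructed sample policy: Jenkins may read only the DB Tower secret."""
    s = SecretStore()
    s.secrets = {"db-tower/password": "example-db-pw", "payments/api-key": "example-pay-key"}
    s.api_keys = {"host/jenkins": "jenkins-key", "host/payments-app": "pay-key"}
    s.grant("group/ci", "host/jenkins")
    s.permit("group/ci", "db-tower/password")
    s.permit("host/payments-app", "payments/api-key")
    return s
```

Because the payments key was never permitted to the CI group, a stolen Jenkins identity reaches only the DB Tower secret, and a single `revoke` shrinks that to nothing while the audit trail records every denied attempt.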
Learn more
- Remove secrets from Jenkinsfiles and Jenkins with the Conjur plugin tutorial.
- Learn how to use Conjur to implement RBAC for secrets in Kubernetes clusters.
- New to using Conjur open source? Try our new quick start.
Conclusion
Throughout the Game of Thrones series, the Night's Watch is both mocked and praised in a disingenuous tone for their important work. Don't be fooled into thinking DevOps security isn't important enough to prioritize or to invest the right resources in from the start. Don't wait until the White Walkers are at the Wall.
About the Author
John Walsh has served the realm as a lord security developer, product manager and open source community manager for more than 15 years, working on cybersecurity products such as Conjur, LDAP, Firewall, Java Cryptography, SSH, and PrivX. He has a wife, two kids, and a small patch of land in the greater Boston area, which makes him ineligible to take the black and join the Night's Watch, but he's still an experienced cybersecurity professional and developer.
Source: https://www.conjur.org/blog/the-sword-in-the-darkness-the-watcher-on-the-wall/