One issue that has plagued IT since its inception is adding and removing authorized users. Most network and application security relies on somehow validating credentials to confirm that an individual is authorized to access the resources, but in a rapidly changing environment it is a serious challenge to keep authorization and authentication systems up to date. Conjur hopes to solve that problem.
What is Conjur? In a nutshell, Conjur is an API-backed virtual appliance that makes cloud infrastructure projects possible by giving DevOps teams the ability to manage permissions and authorizations in a secure, automated, and well-audited way. In other words, Conjur allows for automated authorization management.
Kevin O’Brien, part of the founding team at Conjur, shared some thoughts on Conjur, the issues the company seeks to address, and how Conjur can make life easier for DevOps teams. “As we’ve grown into the market, we’ve seen a lot of DevOps teams struggling with the same kind of authorizations problems, either slowing or killing cloud initiatives outright. For the ones that make it off the ground, they have to build a tangled web of handwritten scripts or hacked together key/certificate/user/access management inside of toolchains that are designed for other purposes (things like Puppet, Ansible, Docker, Chef, Salt, GitHub, etc.).”
Conjur provides a dedicated platform for conducting authorizations without relying on insecure alternatives. Rather than trying to force old authorization technologies and ideas, like Active Directory, into a radically new environment such as an agile DevOps infrastructure, organizations can use Conjur.
Conjur helps simplify and automate tasks like moving SSH keys out of insecure locations such as on-disk storage, Docker images, or GitHub repositories, and consolidating them on the secure, encrypted Conjur server. Conjur can manage secrets, including SSL certificates, across their entire lifecycle, from provisioning to replacement, with minimal downtime. Conjur also maintains a comprehensive audit log of its activities.
O’Brien relayed the story of one Conjur customer. This customer provides data analytics products for healthcare organizations, and solves complex computational problems with a focus on reducing health costs. The customer wanted to integrate DevOps concepts and culture into its business model, but ran into some stumbling blocks.
“They were running into an issue where they wanted to begin using an AWS-based clustered genomics product, which would have allowed them to automate a large portion of their analytics, but were being told by their insurance payers that moving client data into that environment would be an impediment to doing business, because they couldn’t provide sufficiently granular access rights (the product used passwordless SSH keys),” explained O’Brien. “The insurance companies saw that as an ePHI issue, and absent more sophisticated control and auditing, it was a no-go.”
This company used Conjur to replace the default authorization mechanism in the project with a “Conjurized” access check, which allowed it to store the relevant keys in ephemeral storage and manage permissions through Conjur rather than by embedding them in code throughout its product set. Along with the audit capabilities, this meant that it had effectively taken a show-stopping design problem and worked around it in a matter of weeks, without relying on key distribution or having to spend any time building an in-house solution.
Conjur even has a solution dedicated to “DevOps and User Enablement.” O’Brien described it, “At a macro level, we’re solving a problem that is unique to DevOps and cloud: unlike the on-premise infrastructure of 20 years ago, protected by an Active Directory/LDAP system that handled authorization, role-based access control, and so on, there’s no way to translate that to the rapidly changing infrastructure that teams deal with today.”
User enablement, in the end, is about driving innovation and speed. Conjur claims to make that possible (and more automated), without sacrificing security or auditability, or requiring a lot of custom work to use.