How Conjur uses Linkurious and graphs to solve passwords management

A few months ago, we had the opportunity to get in touch with Conjur, a Massachusetts based cloud security company. Among their cloud security offerings are IT and developer focused tools that perform infrastructure password management and key escrow.  They are using Linkurious to better understand the relationships between the people who use their tools and the infrastructure assets being protected.

We recently had the chance to talk with Kevin Gilpin and Elizabeth Lawler, the two co-founders of Conjur. Here is what they had to say about their business and Linkurious.

Conjur is a security and governance solution for cloud infrastructure and service-oriented architecture. It is a developer and IT framework that provides a web service API and tools for storing secrets, managing permissions rules, checking permissions, recording infrastructure events, and integration with other cloud / DevOps tools.

Conjur unifies application layer security controls so that all of the stakeholders can work from a common platform.  Given that “security controls” is a very broad category, for the purposes of illustration let’s focus in on describing one specific application of Conjur’s technology : securing access to service keys and credentials.

Anyone on an agile development team using cloud resources can tell you that password and secrets management is a both chore and a security vulnerability.  There are simply lots of things to keep track of, for example:

• the public and private keys (and passwords) that you use to log in to servers;
• SSL certificates that protect your web servers;
• cloud identities that you use to make cloud API calls;
• API keys and tokens that your apps use to call third-party services;
• encryption keys used for files and storage volumes.

Conjur can do all of this in an automated and audited fashion, eliminating human error.

There are lots of “make it up solutions” to manage password clutter and provide password sharing functionality for developers.

A common scenario we encounter is repurposing of consumer oriented solutions designed for end user password management and sharing.  However these systems cannot be securely integrated into applications and do not have programmatic access to the secrets under management that developers need.  So although the credentials are stored safely, they cannot be retrieved safely.

Some groups use solutions repurposed from enterprise IT vendors, but these just don’t work for cloud.  They can’t be integration to cloud native tools, such as configuration management software.

And some groups invent their own systems, such as using encrypted S3 buckets, wikis, or chat logs to share keys (a big security no, no).

Poor password management is a security and operational liability.  It can result in serious security breaches with business and sometimes legal consequences.

Small, medium, large companies starting cloud initiatives or companies operating multi-cloud SaaS products, and anyone working with regulated data.

They appreciate the fact that Conjur is a password manager and key escrow service built for developers. For us it means :

• Centralized location – so you can protect and secure your password “vault.”
• Highly available and durable – so they are always there when you need them.
• Encrypted – to avoid accidental exposure.
• Group-accessible – passwords should NOT be owned by one single user; they should be owned by a group. You don’t want critical system access to depend on one individual.
• Versioned – so that critical keys won’t accidentally be over-written.
• Searchable – to prevent loss, duplication, and general inefficiency.
• No credential sharing to enable identity tracking, revocation, and rotation.
• API-accessible – so they can be distributed into the infrastructure via scripts and programs.
• Separation of duties – so that one group can update the passwords and another group can use them.

Conjur’s passwords management system recognizes various roles, role grants, and permissions rules. Collectively, these entities have a natural graph structure.

As the complexity of the systems increases, it becomes very important to use every available tool to understand how the permissions model is going to behave, and how it is observed to behave to troubleshoot unexpected behavior.  Also, when decommissioning users from permissions grants it is important to be able to catalogue the network of accessible resources and identify any dependencies.

To be able to manage a complex secrets management problem we need to see the network of associations between the resources under management and the users (either a host identity or a developer/admin identity who can make changes to the secret).  The mapping that Linkurious creates helps bring out these relationships in the data so we create rules for tagging specific behavior that can be shared with our users.

Linkurious gives us a powerful and flexible way to explore the permissions model graphically, without having to write any code. Using Linkurious we are able to navigate through permissions models and gain hands-on experience creating useful visualizations. It helps us and our customers understand their data better.

We would like to take what we’ve learned using Linkurious and put visualization capabilities directly in the hands of our customers. We can export any permissions model to neo4j and enable our customers to directly explore their model with Linkurious and integrate more task-specific visualizations into our web UI.

Security is one of the many level that generates complex connected data. Conjur show how much graph and graph visualization can help make sense of it. If you’re struggling with security controls, we strongly encourage you to check out Conjur.