TalkingTrust with Thales and CyberArk – DevSecOps

TalkingTrust Series – Thales and CyberArk – DevSecOps

00:07 Hello everyone. My name is Blair Canavan, and I work for Thales Cloud Protection and Licensing.

00:14 With me today is Brandon Traffanstedt. Hi Brandon, it's nice to have you on today. Welcome.

00:19 Hi Blair. Hi everybody great to be here.

00:23 Well, we've been talking over the last few days and I think we've got a pretty good TalkingTrust video in the series today.

00:31 I'm pretty excited because as you and I both know we've been figuring out what's

00:35 the best way to explain how our two companies have come together. What

00:39 we're going to do today is at a very high level and very lighthearted level

00:43 we're going to explain a little bit

00:45 about how DevSecOps and encryption and tokenization can come

00:49 together. It's not something that rolls

00:51 off the tongue but it's something that

00:53 as we've obviously discussed, a lot of

00:56 organizations are wondering how do these

00:58 two companies figure it out. So what I’d

01:00 like to do is, I’d like to pull up a few slides and we're not going to slide

01:04 this thing to death today so

01:07 let's hope that we don't go too deep,

01:09 but I’ll pull up a couple slides, ask a

01:11 few questions, give you the opportunity

01:13 to explain a little bit about what CyberArk is doing and of course with Thales as

01:18 your partner maybe we'll finish up by describing

01:22 why did you decide to use Thales in your solution and why are we

01:26 working together in the market.

01:27 So let me pull up some slides just to

01:29 get things going and talk a little bit about our history working together.

01:35 Maybe a few folks that are joining us today know a little bit about CyberArk and Thales independently but we've

01:42 been actually working together now for

01:44 quite a number of years and we're two of the largest security vendors in this

01:48 space on the cyber side of things and we initially got our technologies

01:53 together with what our products are

01:55 referred to as Thales Luna HSMs

01:58 (Hardware Security Modules) with the

02:00 CyberArk privileged access management solution or PAM for short, and we got

02:05 back together in 2016 so this has been

02:07 going on just over five years, and as you can see here on the slide

02:11 we've got a few integrations already earmarked in our

02:15 joint offerings on our websites and our resource areas within those, so if you wanted to

02:21 download or grab any of these documents

02:23 post conversation today we can certainly do that

02:30 but here's what we're here to talk about

02:31 today Brandon. We're going to talk a

02:33 little bit about what's called Conjur

02:36 and so I’ll let you take the baton in just a moment and talk a

02:39 little bit about how working with the

02:42 CipherTrust product or the

02:44 CipherTrust Data Security Platform specific to

02:46 DevSecOps and also how we

02:50 work the Luna HSMs into this as a root of trust

02:53 and so I know that we've

02:55 got a few areas to cover so if you're

02:57 comfortable taking the slide to the next one,

03:02 I’ll give you this opportunity to walk through a little bit.

03:04 Awesome and thank you again, Blair.

03:06 I’ll tell you 2016, I mean, you said five

03:10 years ago but it feels like

03:12 just forever. I realize it's not

03:15 forever in the grand scheme of CyberArk

03:18 and Thales’ existence. CyberArk came

03:20 around in 1999, I think, and slap my hand if

03:23 I'm out of line, but Thales was

03:25 around the same time around 2000

03:27 something like that but, the world's

03:29 changed significantly since then but

03:31 even since 2016 there was a

03:34 presidential election, there was the

03:36 Brexit referendum, Zika was a thing,

03:38 I remember talking about Zika virus

03:40 that was a thing back in 2016.

03:43 And interestingly enough one of the

03:46 big things that happened around that

03:48 time was we'd had years to learn this beforehand

03:51 but security vendors like us we started

03:54 seeing that security in a vacuum, non-integrated

03:59 security, sort of staying in all of our

04:02 own lanes, which we'll talk about more in the session here

04:05 it didn't make good sense. Because then

04:08 our customers would have to say hey

04:10 CyberArk to integrate with Thales they

04:11 tell us to integrate with CyberArk can

04:13 you guys talk to each other please.

04:15 So in 2016 we started working together

04:18 it wasn't just us, it was security

04:21 vendors realizing that we must build

04:24 strong integration partnerships to

04:26 establish a strong security foundation

04:30 and I think that is the cornerstone,

04:36 that's the lifeblood, whatever you want

04:37 to call it of sort of how our

04:39 partnership has grown over the years

04:41 with kind of what you're seeing here you

04:43 know we'll talk about both sides I think,

04:44 Blair, the foundation but also taking

04:48 that very strong and solid foundation of trust

04:51 and then iterating it to be a little bit

04:54 closer to applications instead of humans

04:58 to put encryption in motion

05:01 versus serving as the powerful backbone

05:04 of a strong security practice. So as you

05:06 can tell I'm super excited about kind of where

05:09 the partnership began

05:11 but also how it's how it's been

05:13 growing over the years.

05:15 That's great and you know this dovetails

05:16 really nicely into the foundation of

05:18 digital trust or digital transformation

05:21 two of the elements in our go to market

05:24 strategy so when you when you use these

05:27 terms I think what we're really trying

05:29 to highlight here is that as we're

05:31 migrating away or to or from

05:34 we're all trying to work out what's the

05:36 best way to accomplish this with partners like

05:39 CyberArk, like Thales, are we in sync and

05:42 so I'm happy to see and hear what you

05:44 think about how we can make that happen.

05:48 Certainly glad to chat on it.

05:52 You mentioned digital transformation right

05:54 and I feel like that's the beginning

05:56 of every presentation you hear

05:58 these days like the world has shifted rightfully so

06:03 coming up from time to time it still is

06:05 shifting right it's a growing process

06:08 but you know even looking in and I’ll

06:10 talk specific to CyberArk for a second

06:12 for us like the thing that we do like our foundation

06:17 is the idea of managing strong access

06:21 but I’ll submit to you all who are

06:22 watching - strong access itself has

06:25 changed - from you know back in

06:29 2016 back in 2000 even

06:32 folks like domain admin, local admin, UID 0

06:35 accounts, stuff like that like, we

06:38 started to manage those things to vault

06:41 them to rotate them but that started to

06:43 shift from humans to non-humans

06:46 applications now had powerful identities

06:48 too. As your organizations continue to

06:51 grow and procure more security solutions

06:54 those also require powerful access to

06:56 run, so for us we saw that shift we saw

07:00 the sort of change of developers who

07:03 need strong access, their code that needs

07:05 strong access too, as well as this idea

07:08 of portability of security from on-prem

07:12 to hybrid to cloud. Yt's interesting

07:15 because that's also how our integration

07:18 with Thales Luna HSMs evolved from looking at things

07:21 in a very self-hosted manner to seeing

07:24 both CyberArk and Thales deployments

07:26 move to things that were hosted by CyberArk

07:29 and Thales to become more cloud aware

07:32 so you know even at the

07:34 foundational level when we started, we

07:36 had to prepare ourselves for the

07:37 evolution not only of identity and

07:40 access but also of where our customers

07:42 chose to consume and leverage our services too.

07:46 It's kind of nifty.

07:49 Before you go onto this slide in great detail

07:54 I think what I’d really like to

07:56 tease out on that point is

07:58 there an assumption or is there a

08:00 presumption that all of this is just

08:02 built in - it's automatic - it's just

08:03 happening and are you seeing that

08:06 presumption still persist in

08:08 DevSecOps today and I think you had

08:11 mentioned you know what we're trying to

08:13 achieve here is we're trying to secure

08:15 the security maybe I’ll let you speak to

08:17 that as you walk through this slide with us.

08:20 Blair that's just it. The

08:22 idea of transparent security that's one

08:26 of the big themes that has sort of been

08:28 morphing since we first started working

08:30 together. It used to be back

08:32 then you could get away on the

08:35 security side with adding in percent of

08:39 I’ll call it operational slowdown

08:42 in honor of good security right it was

08:44 it was something that we all knew it's

08:46 going happen but then

08:49 DevOps started to happen and folks began

08:51 to expect this transparent security by design.

08:56 any security that caused .1 % of operational slowdown

09:01 was a constraint and that word started

09:03 to float around so, Blair, to your point,

09:06 the idea of something being built in

09:09 something being effortless from a

09:11 security standpoint it used to be a

09:13 thing that we were just like oh that'd

09:14 be really cool to something that's

09:16 necessary and my favorite part is

09:19 we seeded this in terms of our

09:21 partnership in the very beginning. There

09:24 was no lag there was no wait and

09:27 when it came to securing the security

09:29 that's the beauty here as organizations

09:31 like those of you who are watching

09:35 started to manage all those secrets to bring them

09:37 into CyberArk to rotate them you brought

09:39 in your vulnerability scanners you

09:41 brought in your robotic process

09:42 automation all that came in

09:45 one of the questions became wait a minute

09:48 how do you secure

09:50 secret zero of CyberArk, how do you see

09:54 the encryption stack of the thing

09:56 that you're putting all the keys to your

09:58 kingdom in how do you secure the kingdom

10:01 that's holding your keys to the kingdom

10:03 and that's where Thales Luna HSMs came in.

10:05 So really the keys we've talked about

10:08 keys you hear the expression keys but in

10:11 terms of managing and storing and

10:13 generating and securing them and sharing

10:16 those keys it's our two organizations

10:18 that have figured this out.

10:20 I think what really is elemental

10:22 here is that whether you're doing

10:25 something on-prem whether you're doing

10:27 something in the cloud whether you're

10:28 doing something in a hybrid this this is

10:31 one of the biggest challenges

10:32 organizations have is the afterthought

10:34 is geez how do we manage those keys and

10:37 what are we going to do so I think this

10:39 is a great segue here so if you speak to

10:41 this slide and walk us through a little

10:43 bit and then of course the root of trust

10:47 which we all understand to some degree how does that

10:49 factor in. And that's the beauty of it kind of

10:53 the approach that I took of

10:56 whether you're consuming something like

10:58 CyberArk self-hosted or as a service or

11:02 sort of in your own clouds as an example

11:04 all those secrets that are being managed

11:08 we've got what I believe to be an

11:10 incredible encryption stack multiple

11:12 layers but there's always the one seed.

11:16 The key we call it the Server Key is our

11:19 is our name for it the key that starts

11:22 the decryption process and forms the

11:24 foundation of encryption operations at the very beginning.

11:28 Where that key should live and where it

11:30 does live is inside of Thales Luna HSMs either

11:34 Luna on-prem or Luna cloud so every

11:37 single decryption operation in the

11:40 initial chain to the intermediate to the

11:43 very end of it is leveraging Luna to

11:46 store that sort of key to the

11:48 proverbial kingdom right the one key to

11:50 rule them all I know it's a Lord of the

11:51 Rings reference but I think it's very

11:53 much applicable here and I’ll tell you

11:55 it's a no-brainer that's what

11:57 we have to do at the beginning of every

12:00 single deployment of something as

12:02 powerful as CyberArk not to mention the

12:04 other security tools you have in the mix, too.

12:06 Right, so really it's this simple

12:10 you can choose to do it like we said we

12:11 said on-prem you can move it to the

12:13 cloud you can have a combination of but

12:15 you're not you're not deciding at the

12:18 at the beginning and not able to

12:21 change it you're doing exactly

12:23 the opposite, you can transition you can

12:25 migrate and you can move portions of

12:27 your enterprise but nothing changes in

12:29 terms of the root of trust because as

12:31 it should be described the Luna HSMs

12:34 whether it's in our cloud offering it's

12:36 still a Luna and the nice thing about going to the cloud

12:39 is you don't have to have a whole lot of

12:41 cryptographic sensibility and

12:43 know-how and expertise in your

12:45 organization but I digress what we're

12:47 really seeing is as long as there's a

12:49 Luna at the back end where it's located

12:51 is almost secondary.

12:53 I think that's an incredibly

12:55 important note because we talked about transformation

12:58 there shouldn't be a question to

13:00 your organization about whether to if it

13:02 makes sense for you continue

13:04 utilizing existing data centers that you

13:07 have but if you see that value whether it's

13:12 automation value whether it's cost value

13:14 whatever it is of moving something like

13:17 our platforms to the cloud or as

13:19 infrastructure as a service

13:21 do it. You shouldn't have to choose

13:23 you shouldn't have to sacrifice and

13:25 again another piece of the beauty of

13:27 evolving together and listening to

13:30 mutual customer asks and even customer

13:32 challenges in order to make sure that

13:35 we're actually putting stuff together

13:37 that you can use not just stuff that we

13:39 think is really cool but yeah it's also pretty neat too.

13:43 You had mentioned to me as well in our

13:44 conversations prior to our discussion

13:46 today that there could be an element from the

13:50 DevOps point of view or the DevSecOps

13:52 which is a bit of a challenge is

13:55 do I or do I rely on waterfall am I

13:58 moving to agile what I'm doing from

14:00 a developmental point of view

14:02 this probably in the sense of this slide

14:04 speaks a little bit to that maybe you

14:06 can walk us through a little bit about

14:07 how the developers

14:09 who are looking to build these solutions

14:10 with our solutions how does that affect them?

14:17 So you know we talked a little bit about

14:19 I’ll call it the migration of

14:23 application development models and even

14:25 application or sort of architecture

14:27 from the more monolithic apps of

14:29 yesteryear right your J2V

14:32 application servers stuff like that to

14:35 the services that make up your pipelines

14:37 these days we've sort of changed the

14:39 way we look at obviously the operational

14:42 elements but also security too and what

14:45 I mean by that is once we've established a strong

14:49 foundation, that sort of route of trust securing all

14:54 the secrets that are part of the org

14:57 why not take it a step further both from

15:00 an application integration perspective a

15:01 developer experience perspective too but

15:05 also, making that encryption a little bit more portable.

15:09 What you're seeing here is sort of the

15:11 evolution of on the CyberArk side,

15:15 our view of application security

15:20 we used to look at app to app as a

15:24 secret zero problem. So for instance,

15:27 you take the secret that's hard-coded

15:30 in your application code maybe it's a

15:32 vulnerability scan or something like

15:33 that you place it into CyberArk of

15:36 course backed by Luna HSM

15:39 security, but then how do you authenticate your

15:42 application to CyberArk to then pull the secret that

15:47 you originally put into CyberArk right.

15:50 The challenge there was

15:52 authenticating the application and we

15:54 looked at things in a very wholistic way

15:56 let's authenticate an app based on

15:58 what it is not what it knows

16:01 stuff like where it's running from what

16:03 user it's running as actually taking a

16:06 signature or a hash of the calling stack

16:08 or individual classes and pardon my Java

16:11 ease, I realize that's a little

16:12 bit old school but that had to shift

16:15 into modern days because we have new

16:17 layers of trust as an example and new context

16:21 your apps are running in the cloud

16:23 authenticate them using cloud native

16:25 stuff roles as an example managed identity

16:28 you've got applications running in

16:30 Openshift or Kubernetes well they're

16:31 native mechanisms of trust so as

16:34 applications miniaturized and became

16:36 services based there became this whole

16:39 new realm of mechanisms of trust of

16:42 secrets delivery and what that birthed

16:44 was CyberArk Conjur our way to be sure

16:47 that no matter what sort of age the

16:50 application happened to be created in

16:52 that we had this notion of strong

16:54 authentication and of strong access and

16:58 secrets delivery for those apps too and

17:00 the best part that didn't change here

17:03 was that we had the root of trust secure

17:06 so this was an additive mechanism on top

17:09 of all the work that we've done together, Blair.

17:12 Absolutely and I think the evolution or

17:16 the “change that is inevitable”,

17:19 is the underlying premise that things

17:21 have to be able to change on the fly and

17:23 I think this is this you mentioned

17:25 hard-coded - the two dirtiest words in

17:28 in security development -

17:30 that's one of the things that we talk a

17:32 lot about with our customers is how do

17:34 we future-proof our solutions, how do we

17:37 design them so that we don't have to

17:38 make massive rip and replace changes to

17:41 our code base and how do we migrate

17:43 things back and forth because as you

17:44 said you know there's a lot of change

17:47 that's coming and not everybody's going

17:49 to be on the exact same page the same

17:51 song sheet per se from a development

17:53 point of view and from a delivery of an

17:54 application point of view so I think

17:56 this is a really good way to just say to

17:59 people it's okay you're all right we've

18:01 got this covered we're better together

18:04 we're a little bit like PB and J

18:06 you know I don't know what you feel but

18:08 that's kind of a common thing if they work as good as

18:11 peanut butter and jelly I had to explain

18:13 it out loud I guess then we're in

18:16 pretty good shape

18:17 I do want to make sure that we

18:19 have enough time to walk through a

18:21 little bit about what are we here

18:22 to talk about today and you can see in

18:24 this slide here that we talk a little

18:25 bit about the Conjur side a little bit

18:27 about the Thales or the CipherTrust

18:29 Platform let's move to the next slide

18:31 and let's walk through a little bit of the actual

18:34 solution set that we're talking about

18:36 today again rooted in trust with

18:39 Luna so I'm happy to walk you through

18:41 these points but you know being that

18:43 you're with CyberArk and I've got the mouse ready to go

18:47 here, I'm just going to click on the

18:49 button here. I can definitely step through

18:53 it so we talked about the foundation of trust

18:57 we'll get more to that later but that

18:59 idea of encryption the idea of

19:01 delivering secrets to applications

19:04 those of you who have been sort of

19:06 reading the previous you probably

19:07 thought all right well let's put this

19:09 stuff in action let's see how something

19:11 like secrets management and secure

19:14 delivery can also help us secure encryption and

19:18 tokenization that you're potentially

19:20 going to be doing with

19:22 CipherTrust so it's those same recipes

19:24 right it's the peanut butter it's

19:26 the jelly it's the bread but Blair now

19:28 we're now we're like grilling it right

19:30 now we're making it this artisan PBJ

19:33 versus the one that that you had like

19:35 when you were eight so here's how

19:37 this kind of new element of our

19:39 partnership works together and Blair I

19:41 can click you can click one of us can

19:43 click it'll all work out but it

19:45 starts with that idea of managing the

19:48 secret in this case we've just added one

19:52 more to the hundreds that we manage the

19:55 credential that's used as an example to

19:57 authenticate CipherTrust by

19:59 applications to perform encryption and

20:02 tokenization tasks so

20:05 managed within CyberArk we're actually

20:07 doing rotations so you don't have to do

20:09 that manual anymore.

20:11 If our applications are a little bit

20:14 more modern, containerized as an example,

20:16 microservices based that's cool what

20:19 they can do is they can do that same

20:21 attribute authentication I mentioned

20:23 earlier to authenticate to the CyberArk Conjur service,

20:27 grab the secret they need to do those

20:30 encryption and tokenization tasks, and

20:33 then actually authenticate to

20:35 CipherTrust to perform the work

20:38 you never have to worry about managing

20:41 that secret again you never have to

20:42 worry about manual invocation, your apps

20:45 reach up grab it down, knob it around and

20:48 use it to perform the tasks they need so

20:51 you can automate this stuff and make it

20:53 the foundation of the pipeline versus

20:55 something that might need some sort of

20:58 human intervention which as we all know

21:01 you put a human into the equation of a

21:02 pipeline, things tend to get a little a little lopsided.

21:07 Now the best part is some of the

21:10 transparent security that's going on

21:13 because just as we had started our conversation

21:17 every single piece of this where the

21:19 secret is stored, to the elements of

21:22 CipherTrust, to even sort of the what

21:25 I’ll call the central secret delivery

21:28 mechanism of Conjur,

21:30 all backed by Thales Luna HSMs.

21:33 Great, I think it's the perfect world

21:36 that we've tried to establish here.

21:39 You know, when I when I look at this

21:41 diagram and I think for the person who is

21:43 considering this approach I think what's

21:45 what's interesting here is that our the

21:47 genesis of the solution was actually our

21:50 two companies looking at each other and

21:51 figuring out how do we provide an

21:53 enterprise DevSecOps environment that

21:55 has the CyberArk elements and that has the Thales elements

21:59 but also one how do we make them work together so

22:04 to add to this the way that this

22:05 actually works is the CyberArk engine

22:08 is actually making the calls through our

22:09 rest APIs to the CipherTrust platform

22:12 for the encryption, for the

22:14 tokenization, as you described so that's

22:17 phase one we haven't really we're only

22:19 you know at the tip of the iceberg in

22:21 terms of how this is going to evolve and

22:23 so our customers that are using this and

22:25 looking at this are actually giving us

22:27 feedback in real time and explaining to

22:30 us and describing back to us how it

22:33 would be best to work together so we're

22:34 really excited about a number of large

22:37 enterprise customers who are who are

22:40 working with this as we speak

22:42 and as I said better to have their

22:44 feedback as to how it should and would

22:46 work as much as we design and hope that they

22:49 use it the way that we've designed it so

22:51 I just want to bring that to light

22:53 that this is available today and that

22:55 customers can reach out to us or

22:57 prospects I should say if you're a sales

22:59 organization you can reach out and we

23:01 can fill in some of the gaps.

23:04 Yeah, incredibly well spoken and while I

23:06 do like to think that

23:08 both our partnership as well as all

23:11 of our kind of new integrations came

23:14 about because we decided to mutually go

23:16 out for ice cream one day which we

23:18 actually should do at some point what

23:21 it really was what it was it was driven

23:23 by all of you who are watching

23:25 challenging us to be better even looking

23:26 at existing integrations and say CyberArk/Thales,

23:28 did you all think about this

23:30 or any considered that like

23:33 again we come up with our own good

23:35 ideas but they are nothing compared to

23:37 the feedback that you all give us so

23:40 whether it's pat's on the back

23:42 whether it's things that you like

23:44 or whether it's things we can do better

23:45whether you're, to Blair's point, if

23:47 you're an existing customer let us know

23:49 but even if you're not these are

23:51 things that we always look at improving because

23:55 no matter how we look at it we're

23:57 security companies and our goal

24:00 is to sell software and hardware but

24:03 it's to secure everything that we

24:05 possibly can to make the organizations

24:07 that Blair you and me patronize a

24:09 little bit more secured to because

24:11 that's our data that many of you have as

24:13 well so vested interest in in making

24:15 this stuff better and making the world a

24:17 more secure place for sure

24:19 yeah exactly Brandon so these resource

24:21 links are available at any time so I’ll

24:23 I’ll leave that to the people that

24:26 download this and want to watch it afterwards so

24:29 let's wrap up and on a high note and

24:31 if we could just kind of summarize that

24:33 the two organizations which we

24:35 represent like I said and you've said

24:37 we've been working together for a number

24:39 of years, we're continuing to

24:42 work together to solve some of these problems

24:45 never has there been a better time for a

24:47 DevSecOps enterprise to look at this problem

24:53 through our lens and we'll

24:55 work with those joint

24:57 customers to solve for those problems.

25:00 How would you want if you had to leave

25:02 one thing behind from maybe a thought

25:04 that a provocative thought is there

25:06 anything Brandon that comes to mind.

25:08 I think, Blair, you're a

25:11 hard act to follow when it comes to

25:12 parting thoughts but if I could

25:14 regardless of where you happen to be

25:17 on your security or app journey, if

25:19 it's still human stuff that

25:21 you're managing, look at

25:24 the integrations that we've built long

25:26 term as you start to evolve even if

25:28 you're at the very beginning,

25:30 you're wondering hey do we use

25:32 Kubernetes or do we pop over to Red Hat

25:35 and do something with Openshift -

25:38 let us know, let your vendors help out,

25:40 challenge us to assist, for some

25:42 this notion of DevSecOps is a whole

25:45 new language and folks like CyberArk and

25:48 Thales are here to help you out as well

25:50 so don't let the change in language

25:52 sort of stop you from building

25:55 security into the design early or

25:58 implementing it into the existing design

26:00 that's what we're here for that's what

26:01 we talk about all the time so let us

26:04 help you out if it's an area that you're

26:05 looking at. Great parting thoughts, Brandon, as

26:10 you mentioned Red Hat, a joint partner of

26:12 all of ours, we're more than happy to

26:14 discuss these things at any time so

26:16 again just want to say thank you for

26:17 attending today and participating enlightening us

26:20 and we look forward to working with you

26:23 and as those who are watching

26:26 please reach out to us the details are

26:28 there and wanted to say thank you for listening.

26:32 Thank you all, thanks Blaire.