SlideShare a Scribd company logo

Managing secrets at scale

Alex Schoof
Alex Schoof

Slides from "Managing Secrets at scale" at Velocity EU 2015 Secrets come in many shapes and sizes: database API keys, database passwords, private keys. Distributing and managing these secrets is usually an afterthought. It's hard to get right, and can be very expensive if you get it wrong. In this session, we'll look at the core operations and properties that make up a good secret management system, and how these principals can be implemented

Software
1 of 81
Download to read offline
Managing Secrets at Scale Alex Schoof, Fugue - Velocity EU 2015
Secrets are EVERYWHERE
Mishandling secrets can be very bad
We’re really bad at managing secrets
We tend to manage secrets the same way we tell people not to manage software
Secret management should be core infrastructure
Lots of new secret management systems have been released in 2015
There is no one-size-fits-all solution
You have to understand your Threat Model and Trust Boundaries
What are we going to talk about? ● Core principles of modern secret management ● How a modern secret management system works ● Some existing open source secret management systems
Core Principles
Principle Minimal Privilege The set of principals (actors) able to perform an action on a secret should be the smallest set required.
Implications ● We have authentication and authorization on usage of secrets ● We have enforceable access control policy for operations on secrets ● We have an audit trail to make sure we are doing it right
Principle Secrets Expire Secrets expire for a variety of reasons: built-in expiration in protocols, third party policy, internal policy, compromise, etc.
Implications ● Deployment of any given secret is not a one-time event ● We must be able to easily rotate secrets ● A deployment artifact should not be the authoritative source of a secret
Secrets should never be in source control
Corollary: Changing a secret should not require a full deployment
Principle It should be easier to do the right thing than the wrong thing If operations on secrets require human intervention, long waits, or complex ceremony, people will do other things, like hardcode secrets
Implications ● We need to provide easy-to-use programmatic operations on secrets ○ CRUD operations (Create, Read, Update, Delete) ○ List ○ Audit
Principle The Weakest Link The security of a secret is only as strong as the weakest access control mechanism on the storage, transmission, or use of that secret
Implications ● We need strong controls on every secret operation ● Secrets should NEVER be persisted in plain text ● Proper root secret storage is very important ○ Operator laptops are now part of your trust boundary for secrets they can access
Principle Secrets must be highly available For many applications, access to secrets is a requirement for basic functionality
Implications ● Tier-0 service ● Need good operational and deployment practices ● Be aware of circular dependencies and bootstrapping problems
Principles of Secret Management ● Minimal Privilege ● Secrets Expire ● It should be easier to do the right thing than the wrong thing ● Weakest Link ● Secrets must be highly available
So, we need a system that: ● Supports easy-to-use programmatic CRUD operations on secrets ● Provides an audit trail ● Protects secrets at every stage of their lifecycle ● Permits access control to be defined by policy ● Is highly available
Building a Secret Management System
Quick Caveat ● DON’T invent your own crypto ● DON’T implement someone else’s crypto ● Use standard libraries and battle-tested algorithms
Secret Service
Secret Service Secret Store
ID NAME VALUE 1 prod.db.password pass123$ 2 dev.db.password qC$qwf#$FQ3f44q#$ 3 prod.some-api.key foobar
ID NAME VALUE 1 prod.db.password Ek (pass123$) 2 dev.db.password Ek (qC$qwf#$FQ3f44q#$) 3 prod.some-api.key Ek (foobar)
How do we store the key?
Secure key storage
Hardware ● Hardware Security Module (HSM) ● Trusted Platform Module ● Smartcard Provide hardware key storage and usually have hardware-accelerated cryptography All use PKCS#11-style interface Can generate or import keys, can use keys, cannot export keys Generally requires a certificate or password to use
Key Management Services ● Presents an HSM-like interface, typically over the network ● available in public cloud environments (i.e. AWS KMS) ● much less expensive than dedicated HSMs Still need some credential to access the KMS
Or, we could not store the key...
Quorum Systems ● Shamir’s Secret Sharing ○ Make a k-1-degree polynomial with a y-intercept of the secret value ○ Take n points from the polynomial ○ Any k of the n points can recreate the original polynomial via interpolation ● Can keep shares on smartcards, in safes, etc. ● Introduces a collusion requirement
● Other secret servers that are up verify that the new server is trusted, and then transfer the secret to it, directly or via secret sharing ● Need secure boot/remote attestation to do safely ● Completely hands-off, but very hard to do right Peer-to-peer induction of secret servers
Secret Service Master Key Storage Secret Store
Key Wrapping ● Secure key storage is expensive ● We might want arbitrary-sized secrets ● Have one (or more) master key(s) on an HSM, or in a KMS ● For each secret in the secret-store, generate a unique data-encryption key ● encrypt the secret with the data encryption key ● encrypt the data-encryption key with the master key ● store the encrypted (wrapped) data-encryption key next to the encrypted data ● Add message authentication code (MAC) or use AES-GCM to prevent tampering and chosen-ciphertext attacks
ID NAME VALUE DATA_KEY 1 prod.db.password Ek1 (pass123$) Em (k1) 2 dev.db.password Ek2 (qC$..Q3f44q#$) Em (k2) 3 prod.some-api.key Ek3 (foobar) Em (k3)
Secret Service Master Key Storage Secret Store
Secret Servicelog Master Key Storage Secret Store
Secure logging ● Append-only ● Signed logs to detect tampering ○ Signed logs are really, REALLY hard to get right ○ Use an existing secure logging implementation
Secret Servicelog Master Key Storage Secret Store
Secret Servicelog Client Master Key Storage Secret Store
Authenticating the service
Secret Servicelog Client TLS Master Key Storage Secret Store
Authenticating the Client
Client Authentication ● Either API key to sign requests to the secret service, or SSL client certificate ● Created at provision or launch of the instance ○ Can use this token as a root of trust for giving other tokens to the client ● Should try to use some out-of-band mechanism to verify the host ● Examples: ○ IAM Roles for EC2 ○ Chef client certificates ○ Generate CSR at boot and send to CA that can list running instances for verification ○ Keys generated in hardware
Protecting the authentication token ● Agent-based systems ○ Can let you do cool things like FUSE drivers that use POSIX auth ● Control access to certificate or API keys using standard access control mechanisms ○ Filesystem permissions ○ Mandatory Access Control systems (SELinux, AppArmor, etc) ○ Kernel Key Retention Service
Secret Servicelog Client TLS ✅ ✅ Master Key Storage Secret Store
Basic Operations
CREATE(name, value) ● Access control check ● Log the request ● Wrap value and store in secret store ● Set any initial access control policy (i.e. set owner)
READ(name) ● Perform access control check for name ● Log the request ● Unwrap value for name and send it back
UPDATE(name, value) ● Access control check ● Log the request ● Wrap value, overwrite old value
UPDATE(name, value) ● Access control check ● Log the request ● Wrap value, overwrite old value ● Generate new version of value
In general, secrets should be versioned and immutable
Operations with versions ● CREATE(name, value) = UPDATE(name, value, 1) ● READ(name, version=`latest`) ● UPDATE(name, value, version)
ID NAME VERSION VALUE DATA_KEY 1 prod.db.password 1 Ek1 (pass123$) Em (k1) 2 dev.db.password 1 Ek2 (qC$..Q3f44q#$) Em (k2) 3 prod.some-api.key 1 Ek3 (foobar) Em (k3) 4 prod.db.password 2 Ek4 (b3tterPassword!) Em (k4) 5 prod.db.password 3 Ek5 (ce8hq7fq9&^Ae$) Em (k5)
DELETE(name, value, version) ● Access control check ● Log the request ● Distinguish between actual delete and logical delete ○ Will you need to decrypt old data encrypted with a deleted key? ● Revoke asynchronous public keys
LIST(name?, version?) ● Access control check ● Log the request ● Do a scan or prefix search
PUT_POLICY(name, value, policy) ● This is a privilege escalation avenue ● Need to require higher-level interface ● Makes sense to use separate channel or interface ● Policy can range from complex documents to a set of flags ○ IAM policy ○ POSIX-style ACL ○ Booleans for each user
Secret Servicelog Client TLS ✅ ✅ CREATE READ UPDATE DELETE LIST Admin Interface ✅ TLS PUT_POLICY ✅ Master Key Storage Secret Store
Considerations for Interfaces and Libraries ● Make sure you don’t leak secrets outside your trust boundary ○ Logs ○ Core dumps ○ Swap ● Easy-to-use verbs help usability ○ `get_secret(“prod-password”, version=3)`
Availability
High-Availability Secret Services ● Run in multiple Availability Zones or Data Centers ● Want secret service to be close to clients (physically and topologically) ● Data store needs to be highly available ● Need to be able to boot/induct new instances of the secret service ● Spend time hardening your secret servers!
Secret management is Tier-0 ● Operational metrics ● Canaries ● Integration tests ● Code reviews ● ACL on commits/deployment
Client-side caching ● Publish/Subscribe can be a useful semantic here ● Helps with network partition from the secret service ● Can also reduce read-load on the secret service ● Make sure the cache never writes plaintext to disk ○ Or swap, or core dump, etc. ● May need to perform access control check on the client ○ Unless security boundary ~= instance boundary
Secret Servicelog Client TLS ✅ ✅ CREATE READ UPDATE DELETE LIST Admin Interface ✅ ✅ TLS PUT_POLICY Master Key Storage cache Secret Store
Some existing tools
Vault ● Client/Server system for secret management ● Pluggable backend for secret storage (disk or Consul) ● Uses secret splitting (quorum system) to protect master key(s) ● Symmetric tokens or TLS certs for authentication ● HCL (Hashicorp Config Language -- JSON-like language) used for writing authorization policy ● Secret management operations available via CLI or HTTP API ● Nifty “dynamic secret” system https://www.vaultproject.io/
Keywhiz ● Client/Server secret management system ● Uses relational DB for secret storage ● Derivation key(s) stored in memory or an HSM, data keys derived from derivation keys using HKDF (HMAC-based key derivation -- see RFC5869) ● Client TLS certificates used to authenticate for CRUD operations ● LDAP or passwords used to authenticate for admin operations (like ACL management) ● Group-based ACLs ● CLI, API, or sweet FUSE driver https://square.github.io/keywhiz/
CredStash ● Lightweight Python utility for managing secrets on AWS ● Uses DynamoDB for secret store ● Uses KMS to hold master key(s) ● Uses IAM policies for access control ● Uses IAM Roles for EC2 for instance identity ● Secret management operations available via CLI, Python library, or Puppet/Ansible modules https://github.com/fugue/credstash
Sneaker ● Golang utility for managing secrets on AWS ● Uses S3 for secret store ● Uses KMS to hold master key(s) ● IAM and S3 ACLs for access control policy ● Operates on files, rather than values ● Secret management operations available via CLI https://github.com/codahale/sneaker
Most of this is very new
You have to understand your Threat Model and Trust Boundaries
Secret management should be core infrastructure
Q & A
Slides: http://bit.ly/1kXSTaa
Further reading ● Threat modeling: https://msdn.microsoft.com/en-us/library/ff648644.aspx ● Remote attestation: https://courses.cs.washington. edu/courses/csep590/06wi/finalprojects/bare.pdf ● KMS: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html ● Signed syslog: https://tools.ietf.org/html/rfc5848 ● Kernel Key Retention service: https://www.kernel. org/doc/Documentation/security/keys.txt ● Shamir’s Secret Sharing: https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing ● PKCS#11: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2. 40-os.html

Recommended

Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
Vault
VaultVault
VaultJean-Philippe Bélanger
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing VaultRamit Surana
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 

Recommended

Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultAWS Germany
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
Vault
VaultVault
VaultJean-Philippe Bélanger
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing VaultRamit Surana
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault pptShrey Agarwal
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp VaultMayank Patel
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...Andrey Devyatkin
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesMichał Czeraszkiewicz
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Container Security
Container SecurityContainer Security
Container SecurityAmazon Web Services
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 
Service mesh
Service meshService mesh
Service meshArnab Mitra
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service meshChandresh Pancholi
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Stenio Ferreira
 
StarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
StarlingX - A Platform for the Distributed Edge | Ildiko VancsaStarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
StarlingX - A Platform for the Distributed Edge | Ildiko VancsaVietnam Open Infrastructure User Group
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Vault
VaultVault
Vaultdawnlua
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorKangaroot
 
Vault 101
Vault 101Vault 101
Vault 101Hazzim Anaya
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securityThomas Fricke
 
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Vietnam Open Infrastructure User Group
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...DynamicInfraDays
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 

More Related Content

What's hot

2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...Andrey Devyatkin
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Stenio Ferreira
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorKangaroot
 
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Vietnam Open Infrastructure User Group
 

What's hot (20)

2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
 
Container Security
Container SecurityContainer Security
Container Security
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
 
Service mesh
Service meshService mesh
Service mesh
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service mesh
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2
 
StarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
StarlingX - A Platform for the Distributed Edge | Ildiko VancsaStarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
StarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Vault
VaultVault
Vault
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public Sector
 
Vault 101
Vault 101Vault 101
Vault 101
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
 

Viewers also liked

ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...DynamicInfraDays
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 
The 5 Stages of Secrets Management Grief, And How to Prevail
The 5 Stages of Secrets Management Grief, And How to Prevail The 5 Stages of Secrets Management Grief, And How to Prevail
The 5 Stages of Secrets Management Grief, And How to Prevail Bryan Sterling
 
Cumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloudCumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloudDavid Busby, CISSP
 
Plmce mysql-101-security-basics
Plmce mysql-101-security-basicsPlmce mysql-101-security-basics
Plmce mysql-101-security-basicsDavid Busby, CISSP
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureOpenCredo
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Stephane Jourdan
 
(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at Okta(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at OktaAmazon Web Services
 
CloudFormation vs Terraform vs Ansible
CloudFormation vs Terraform vs AnsibleCloudFormation vs Terraform vs Ansible
CloudFormation vs Terraform vs AnsibleMattias Gees
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in KubernetesJerry Jalava
 
Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Radek Simko
 
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...Amazon Web Services
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Nati Shalom
 
dome and vault
dome and vaultdome and vault
dome and vaultkaiwan1996
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Amazon Web Services
 

Viewers also liked (16)

ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-about
 
The 5 Stages of Secrets Management Grief, And How to Prevail
The 5 Stages of Secrets Management Grief, And How to Prevail The 5 Stages of Secrets Management Grief, And How to Prevail
The 5 Stages of Secrets Management Grief, And How to Prevail
 
Cumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloudCumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloud
 
Plmce mysql-101-security-basics
Plmce mysql-101-security-basicsPlmce mysql-101-security-basics
Plmce mysql-101-security-basics
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructure
 
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
Using Terraform.io (Human Talks Montpellier, Epitech, 2014/09/09)
 
(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at Okta(SEC401) Encryption Key Storage with AWS KMS at Okta
(SEC401) Encryption Key Storage with AWS KMS at Okta
 
CloudFormation vs Terraform vs Ansible
CloudFormation vs Terraform vs AnsibleCloudFormation vs Terraform vs Ansible
CloudFormation vs Terraform vs Ansible
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in Kubernetes
 
Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)
 
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
 
dome and vault
dome and vaultdome and vault
dome and vault
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM
 

Similar to Managing secrets at scale

Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Mary Racter
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
Industry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarIndustry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarTeleport
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH AccessDevOps.com
 
Mastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckMastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckRundeck
 
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementAutomation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementMary Racter
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Security Innovation
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...DynamicInfraDays
 
Securing Sensitive IBM i Data At-Rest and In-Motion
Securing Sensitive IBM i Data At-Rest and In-MotionSecuring Sensitive IBM i Data At-Rest and In-Motion
Securing Sensitive IBM i Data At-Rest and In-MotionPrecisely
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherPanther Labs
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationPrecisely
 
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...Xiaoman DONG
 
MariaDB Security Best Practices
MariaDB Security Best PracticesMariaDB Security Best Practices
MariaDB Security Best PracticesFederico Razzoli
 
Security_Practices_with_CFEngine-cfgcamp_2016
Security_Practices_with_CFEngine-cfgcamp_2016Security_Practices_with_CFEngine-cfgcamp_2016
Security_Practices_with_CFEngine-cfgcamp_2016Nick Anderson
 
Security practices with CFEngine: Config Management Camp 2016
Security practices with CFEngine: Config Management Camp 2016Security practices with CFEngine: Config Management Camp 2016
Security practices with CFEngine: Config Management Camp 2016Michael Clelland
 
MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021Suresh Rathore
 
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...AWS Chicago
 
encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)Alastair Irvine
 

Similar to Managing secrets at scale (20)

Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Industry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarIndustry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com Webinar
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH Access
 
Mastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckMastering Secrets Management in Rundeck
Mastering Secrets Management in Rundeck
 
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementAutomation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret Management
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
Securing Sensitive IBM i Data At-Rest and In-Motion
Securing Sensitive IBM i Data At-Rest and In-MotionSecuring Sensitive IBM i Data At-Rest and In-Motion
Securing Sensitive IBM i Data At-Rest and In-Motion
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with Panther
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
 
Hyderabad MuleSoft Meetup
Hyderabad MuleSoft MeetupHyderabad MuleSoft Meetup
Hyderabad MuleSoft Meetup
 
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
Kubernetes Clusters At Scale: Managing Hundreds Apache Pinot Kubernetes Clust...
 
MariaDB Security Best Practices
MariaDB Security Best PracticesMariaDB Security Best Practices
MariaDB Security Best Practices
 
Security_Practices_with_CFEngine-cfgcamp_2016
Security_Practices_with_CFEngine-cfgcamp_2016Security_Practices_with_CFEngine-cfgcamp_2016
Security_Practices_with_CFEngine-cfgcamp_2016
 
Security practices with CFEngine: Config Management Camp 2016
Security practices with CFEngine: Config Management Camp 2016Security practices with CFEngine: Config Management Camp 2016
Security practices with CFEngine: Config Management Camp 2016
 
MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021MuleSoft_Meetup_#6_Chandigarh_April_2021
MuleSoft_Meetup_#6_Chandigarh_April_2021
 
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
Mike Allen's AWS + OWASP talk "AWS secret manager for protecting and rotating...
 
encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)encryption presentation (SAGE-WA, 2010-10-05)
encryption presentation (SAGE-WA, 2010-10-05)
 

Recently uploaded

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 

Recently uploaded (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 

Managing secrets at scale

  • 1. Managing Secrets at Scale Alex Schoof, Fugue - Velocity EU 2015
  • 4. We’re really bad at managing secrets
  • 5. We tend to manage secrets the same way we tell people not to manage software
  • 6. Secret management should be core infrastructure
  • 7. Lots of new secret management systems have been released in 2015
  • 8. There is no one-size-fits-all solution
  • 9. You have to understand your Threat Model and Trust Boundaries
  • 10. What are we going to talk about? ● Core principles of modern secret management ● How a modern secret management system works ● Some existing open source secret management systems
  • 12. Principle Minimal Privilege The set of principals (actors) able to perform an action on a secret should be the smallest set required.
  • 13. Implications ● We have authentication and authorization on usage of secrets ● We have enforceable access control policy for operations on secrets ● We have an audit trail to make sure we are doing it right
  • 14. Principle Secrets Expire Secrets expire for a variety of reasons: built-in expiration in protocols, third party policy, internal policy, compromise, etc.
  • 15. Implications ● Deployment of any given secret is not a one-time event ● We must be able to easily rotate secrets ● A deployment artifact should not be the authoritative source of a secret
  • 16. Secrets should never be in source control
  • 17. Corollary: Changing a secret should not require a full deployment
  • 18. Principle It should be easier to do the right thing than the wrong thing If operations on secrets require human intervention, long waits, or complex ceremony, people will do other things, like hardcode secrets
  • 19. Implications ● We need to provide easy-to-use programmatic operations on secrets ○ CRUD operations (Create, Read, Update, Delete) ○ List ○ Audit
  • 20. Principle The Weakest Link The security of a secret is only as strong as the weakest access control mechanism on the storage, transmission, or use of that secret
  • 21. Implications ● We need strong controls on every secret operation ● Secrets should NEVER be persisted in plain text ● Proper root secret storage is very important ○ Operator laptops are now part of your trust boundary for secrets they can access
  • 22. Principle Secrets must be highly available For many applications, access to secrets is a requirement for basic functionality
  • 23. Implications ● Tier-0 service ● Need good operational and deployment practices ● Be aware of circular dependencies and bootstrapping problems
  • 24. Principles of Secret Management ● Minimal Privilege ● Secrets Expire ● It should be easier to do the right thing than the wrong thing ● Weakest Link ● Secrets must be highly available
  • 25. So, we need a system that: ● Supports easy-to-use programmatic CRUD operations on secrets ● Provides an audit trail ● Protects secrets at every stage of their lifecycle ● Permits access control to be defined by policy ● Is highly available
  • 26. Building a Secret Management System
  • 27. Quick Caveat ● DON’T invent your own crypto ● DON’T implement someone else’s crypto ● Use standard libraries and battle-tested algorithms
  • 30. ID NAME VALUE 1 prod.db.password pass123$ 2 dev.db.password qC$qwf#$FQ3f44q#$ 3 prod.some-api.key foobar
  • 31. ID NAME VALUE 1 prod.db.password Ek (pass123$) 2 dev.db.password Ek (qC$qwf#$FQ3f44q#$) 3 prod.some-api.key Ek (foobar)
  • 32. How do we store the key?
  • 34. Hardware ● Hardware Security Module (HSM) ● Trusted Platform Module ● Smartcard Provide hardware key storage and usually have hardware-accelerated cryptography All use PKCS#11-style interface Can generate or import keys, can use keys, cannot export keys Generally requires a certificate or password to use
  • 35. Key Management Services ● Presents an HSM-like interface, typically over the network ● available in public cloud environments (i.e. AWS KMS) ● much less expensive than dedicated HSMs Still need some credential to access the KMS
  • 36. Or, we could not store the key...
  • 37. Quorum Systems ● Shamir’s Secret Sharing ○ Make a k-1-degree polynomial with a y-intercept of the secret value ○ Take n points from the polynomial ○ Any k of the n points can recreate the original polynomial via interpolation ● Can keep shares on smartcards, in safes, etc. ● Introduces a collusion requirement
  • 38. ● Other secret servers that are up verify that the new server is trusted, and then transfer the secret to it, directly or via secret sharing ● Need secure boot/remote attestation to do safely ● Completely hands-off, but very hard to do right Peer-to-peer induction of secret servers
  • 40. Key Wrapping ● Secure key storage is expensive ● We might want arbitrary-sized secrets ● Have one (or more) master key(s) on an HSM, or in a KMS ● For each secret in the secret-store, generate a unique data-encryption key ● encrypt the secret with the data encryption key ● encrypt the data-encryption key with the master key ● store the encrypted (wrapped) data-encryption key next to the encrypted data ● Add message authentication code (MAC) or use AES-GCM to prevent tampering and chosen-ciphertext attacks
  • 41. ID NAME VALUE DATA_KEY 1 prod.db.password Ek1 (pass123$) Em (k1) 2 dev.db.password Ek2 (qC$..Q3f44q#$) Em (k2) 3 prod.some-api.key Ek3 (foobar) Em (k3)
  • 44. Secure logging ● Append-only ● Signed logs to detect tampering ○ Signed logs are really, REALLY hard to get right ○ Use an existing secure logging implementation
  • 50. Client Authentication ● Either API key to sign requests to the secret service, or SSL client certificate ● Created at provision or launch of the instance ○ Can use this token as a root of trust for giving other tokens to the client ● Should try to use some out-of-band mechanism to verify the host ● Examples: ○ IAM Roles for EC2 ○ Chef client certificates ○ Generate CSR at boot and send to CA that can list running instances for verification ○ Keys generated in hardware
  • 51. Protecting the authentication token ● Agent-based systems ○ Can let you do cool things like FUSE drivers that use POSIX auth ● Control access to certificate or API keys using standard access control mechanisms ○ Filesystem permissions ○ Mandatory Access Control systems (SELinux, AppArmor, etc) ○ Kernel Key Retention Service
  • 54. CREATE(name, value) ● Access control check ● Log the request ● Wrap value and store in secret store ● Set any initial access control policy (i.e. set owner)
  • 55. READ(name) ● Perform access control check for name ● Log the request ● Unwrap value for name and send it back
  • 56. UPDATE(name, value) ● Access control check ● Log the request ● Wrap value, overwrite old value
  • 57. UPDATE(name, value) ● Access control check ● Log the request ● Wrap value, overwrite old value ● Generate new version of value
  • 58. In general, secrets should be versioned and immutable
  • 59. Operations with versions ● CREATE(name, value) = UPDATE(name, value, 1) ● READ(name, version=`latest`) ● UPDATE(name, value, version)
  • 60. ID NAME VERSION VALUE DATA_KEY 1 prod.db.password 1 Ek1 (pass123$) Em (k1) 2 dev.db.password 1 Ek2 (qC$..Q3f44q#$) Em (k2) 3 prod.some-api.key 1 Ek3 (foobar) Em (k3) 4 prod.db.password 2 Ek4 (b3tterPassword!) Em (k4) 5 prod.db.password 3 Ek5 (ce8hq7fq9&^Ae$) Em (k5)
  • 61. DELETE(name, value, version) ● Access control check ● Log the request ● Distinguish between actual delete and logical delete ○ Will you need to decrypt old data encrypted with a deleted key? ● Revoke asynchronous public keys
  • 62. LIST(name?, version?) ● Access control check ● Log the request ● Do a scan or prefix search
  • 63. PUT_POLICY(name, value, policy) ● This is a privilege escalation avenue ● Need to require higher-level interface ● Makes sense to use separate channel or interface ● Policy can range from complex documents to a set of flags ○ IAM policy ○ POSIX-style ACL ○ Booleans for each user
  • 65. Considerations for Interfaces and Libraries ● Make sure you don’t leak secrets outside your trust boundary ○ Logs ○ Core dumps ○ Swap ● Easy-to-use verbs help usability ○ `get_secret(“prod-password”, version=3)`
  • 67. High-Availability Secret Services ● Run in multiple Availability Zones or Data Centers ● Want secret service to be close to clients (physically and topologically) ● Data store needs to be highly available ● Need to be able to boot/induct new instances of the secret service ● Spend time hardening your secret servers!
  • 68. Secret management is Tier-0 ● Operational metrics ● Canaries ● Integration tests ● Code reviews ● ACL on commits/deployment
  • 69. Client-side caching ● Publish/Subscribe can be a useful semantic here ● Helps with network partition from the secret service ● Can also reduce read-load on the secret service ● Make sure the cache never writes plaintext to disk ○ Or swap, or core dump, etc. ● May need to perform access control check on the client ○ Unless security boundary ~= instance boundary
  • 72. Vault ● Client/Server system for secret management ● Pluggable backend for secret storage (disk or Consul) ● Uses secret splitting (quorum system) to protect master key(s) ● Symmetric tokens or TLS certs for authentication ● HCL (Hashicorp Config Language -- JSON-like language) used for writing authorization policy ● Secret management operations available via CLI or HTTP API ● Nifty “dynamic secret” system https://www.vaultproject.io/
  • 73. Keywhiz ● Client/Server secret management system ● Uses relational DB for secret storage ● Derivation key(s) stored in memory or an HSM, data keys derived from derivation keys using HKDF (HMAC-based key derivation -- see RFC5869) ● Client TLS certificates used to authenticate for CRUD operations ● LDAP or passwords used to authenticate for admin operations (like ACL management) ● Group-based ACLs ● CLI, API, or sweet FUSE driver https://square.github.io/keywhiz/
  • 74. CredStash ● Lightweight Python utility for managing secrets on AWS ● Uses DynamoDB for secret store ● Uses KMS to hold master key(s) ● Uses IAM policies for access control ● Uses IAM Roles for EC2 for instance identity ● Secret management operations available via CLI, Python library, or Puppet/Ansible modules https://github.com/fugue/credstash
  • 75. Sneaker ● Golang utility for managing secrets on AWS ● Uses S3 for secret store ● Uses KMS to hold master key(s) ● IAM and S3 ACLs for access control policy ● Operates on files, rather than values ● Secret management operations available via CLI https://github.com/codahale/sneaker
  • 76. Most of this is very new
  • 77. You have to understand your Threat Model and Trust Boundaries
  • 78. Secret management should be core infrastructure
  • 79. Q & A
  • 81. Further reading ● Threat modeling: https://msdn.microsoft.com/en-us/library/ff648644.aspx ● Remote attestation: https://courses.cs.washington. edu/courses/csep590/06wi/finalprojects/bare.pdf ● KMS: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html ● Signed syslog: https://tools.ietf.org/html/rfc5848 ● Kernel Key Retention service: https://www.kernel. org/doc/Documentation/security/keys.txt ● Shamir’s Secret Sharing: https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing ● PKCS#11: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2. 40-os.html