SlideShare a Scribd company logo
Managing Secrets in
Container Environments
Jeff Mitchell
HashiCorp
@jefferai
About Me
● Project Lead on Vault
○ A HashiCorp tool for managing secrets
○ https://vaultproject.io
● Previously, Architect at Akamai
○ Heavy focus on containerization and managing container security
What this talk is...
● A discussion of paradigms and considerations necessary
for managing secrets in container environments
● Applied security, not crypto theory
○ Goal: “Know what you need to know” when figuring out your
organization’s security policy
...and what this talk isn’t
● One True Answer™
○ Support requirements impact available technology/workflows
○ Each organization must set their own security policy and
implement practices that satisfy it
● A discussion of container/hypervisor/OS security
○ Let’s talk Linux containerization
...and what this talk isn’t
● Not a deep dive into security rabbit holes
(3-4 turtles max)
...and what this talk isn’t
● Not a deep dive into security rabbit holes
(3-4 turtles max)
Scheduler
Secret Management Tool
Scheduler Agent
Container
Problem Space
Bear with me for four slides while I wax
philosophical…
What is “Security”?
● Security is the practice of risk management
○ Accepting some risks, guarding against violations of norms
● Anything that can elevate risk is a threat
○ Modeling threats informs security policy
● Risk increases with system complexity
○ More points of failure, confusion, and ingress = harder to secure
What is a “Secret”?
● A secret is something that will elevate your risk if exposed
to unauthorized entities
○ Undesired consequences are harm
○ Harm may come in many forms
■ Unauthorized data access
■ Identity spoofing
■ Private data egress
■ Regulatory fines
● An exposed secret is a threat
Secrets vs. Identifiers
● Not all things that can be disclosed are secrets, some are
identifiers
○ Username (identifier) vs. Password (secret)
○ TLS certificate (identifier) vs. TLS Key (secret)
○ GitHub user name (identifier) vs. API key (secret)
● Identifiers aren’t completely risk-free
○ Have chosen to ignore that risk
What is “Trust”?
● A trusted entity is one that will not divulge the secrets it
has access to
● Modeling trusted entities is companion to modeling threats
● Two concepts:
○ Circle of trust
○ Chain of trust
Circle of Trust
Entities we trust with any secret. For this talk:
RAM
root
Secret
Management
ToolEmployees?
CPU
Cloud?
Circle of Trust
Only allowed long-term storage is in circle of trust
RAM
root
Secret
Management
Tool
Persistent
Storage
Random
Users
General
apps/services
NSA
Random Wi-
Fi Hotspot
Your Mother’s
Notepad.txt Employees?
CPU
Cloud?
Chain of Trust
● The set of links (e.g. network hops) that any particular
secret travels through from entity A to entity B
○ Source/destination must be in circle of trust
● Any link is an access point/interception point
○ Accidental logging
○ Exploitation by attacker
○ Lookup by operator
○ Employee Post-It™
○ Conspiracy of One/Compromised employee
Problem Space
● We can now establish the problem space:
○ Managing secrets in an environment means establishing trust
chains in the environment
○ Links in the chains have associated risk
■ Minimize hops and minimize risk-per-link
■ Risk cannot be fully mitigated; must assume any given secret will
eventually be divulged
● Ultimate goal: zero trust
○ Don’t give the opportunity for risks to occur in the first place
Scheduler
Secret Management Tool
Scheduler Agent
Container
Goal: Securely
move secret from
originator to new
container’s RAM
Scheduler
Secret Management Tool
Scheduler Agent
Container
?
Scheduler
Secret Management Tool
Scheduler Agent
Container
?
Scheduler
Secret Management Tool
Scheduler Agent
Container
?
Secret Protection
● Establishing a train of trust requires defining the
requirements it must fulfill to keep secrets protected
● Good news: we only need to do this for one secret!
Secure Introduction
● First secret authenticates us to allow direct access to
more
● If you can protect this secret, you can protect any secret
○ (Generally)
● This concept is secure introduction (SI)
Secret Protection
● How do you protect secrets (perform SI)?
○ First establish success criteria based on acceptable risk
● For this talk:
○ Don’t let them live forever (rotate/expire)
○ Distribute them securely
○ Limit exposure if disclosed
○ Have a break-glass procedure
○ Detect unauthorized access
Rotation
● As lifetime increases, chance for exposure → ∞
○ Caches/logs
○ Cracked over time/enough packets
○ Debugging
● Secrets should be rotated “frequently”
○ User passwords vs. machine secrets
■ xkcd’s ______ ______ ______ ______ → bad policies + frequent
rotation = written down user passwords
■ Less frequently/more used = more likely overseen
■ Machines: it’s just data - plan/build for rotation and rotate often
Distribution
● The literal movement along the chain of trust
○ To/From
■ People
■ Machines
● Base level: never plaintext, always covered
○ Encryption
○ Wrapping
○ Etc.
Limit Exposure
● Principle of least privilege
○ DB credentials: only specific tables/operations
○ Login credentials: not root
○ API credentials: minimal function set
Access Detection
● Things have a way of being leaky
● Env vars: common way to pass in secrets. Also:
○ Often logged, sometimes multiple places
○ Easily discoverable by operator
■ Both Docker commands and non-Docker commands can spill the
beans
Access Detection
● Equally as important as protecting a secret is knowing if
an unintended party has intercepted it
● Audit logs are great…
○ ...but do you look at them?
● Active detection (when possible) is even better
Break-Glass
● Compromised?
○ Stop all further access to protected resources
○ Perform forensics
○ Rotate all secrets after re-establishing identities of legitimate
secret-holders
○ …
● Figure this out during the planning process -- not after!
● So...this is complicated…
● ...but there’s good news!
● Recent explosion of FOSS Secret Management (SM) tools
○ Vault
○ KeyWhiz
○ Knox
○ Conjur (Docker only)
○ Many more (apologies if I missed your favorite)...
Secret Management Tools
● If you only take away two things from this talk, make sure
they are the following:
● If you only take away two things from this talk, make sure
they are the following:
1. Write your own crypto
● If you only take away two things from this talk, make sure
they are the following:
1. Write your own crypto
2. Use it in a Secret Management tool
● If you only take away two things from this talk, make sure
they are the following:
1. Write your own crypto
2. Use it in a Secret Management tool
NO!
NO!
● If you only take away two things from this talk, make sure
they are the following:
1. Use a Secret Management tool
2. Don’t roll your own
Secret Management Tools
● Why?
○ Central, secure storage (avoid sprawl)
○ Central management
○ Codified, secure access mechanisms
○ Centralized auditing
■ Ensure knowledge of what secrets have been seen by what
users/services
○ Secret rotation/revocation/expiration
Big Caveat
● This isn’t a vendor talk, but I have a bias
● I don’t have exhaustive knowledge of non-Vault SMs
● Anything I say a SM can do can be done with Vault, and
may or may not be possible with other solutions
○ They may absolutely do things Vault can’t
SM + SI
● Explicit focus on the secure introduction problem
○ Core competency from ground up
○ Necessary tools/capabilities/primitives
● Containers can support existing SI paradigms
○ If you can securely get credentials to it, but imagine…
■ Managing 100k LDAP/AD users churning at high rate
■ Generating/dropping 100k Kerberos keytabs
○ ...and you’ve solved SI anyways
SM + SI
● Platform agnostic (with platform-based enhancements)
○ Change authentication mechanism “front-end”
■ Containers
■ EC2
■ Bare metal
■ Users
SMs <3 Schedulers
● Anyone working with containers at scale uses a scheduler
○ Nomad
○ Mesos
○ Fleet
○ Swarm
○ Kubernetes (All-In-One)
SMs <3 Schedulers
● Schedulers are sources of truth and provide hooks
● SM tools and schedulers can be a magical combination
○ May not be direct integration, glue code needed
○ OTOH avoiding tight coupling means better reuse across
environments
Scheduler
Secret Management Tool
Scheduler Agent
Container
Scheduler
Secret Management Tool
Scheduler Agent
Container
SI #1 (Traditional)
Scheduler
Secret Management Tool
Scheduler Agent
Container
SI #1 (Traditional)
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Scheduler
Secret Management Tool
Scheduler Agent
Container
SI #2 (New)
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Preconditions
● Suppose a SM authentication token has:
○ Unlimited or limited use-count
○ Limited time-to-live (TTL), possibly renewable
○ Set of authorization policies
■ e.g. use first secret (auth token) to get application secrets
○ Consistent ID in audit logs
○ Token-scoped secure storage tied to token lifetime
● Claim: These primitives allow excellent SI for containers
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Scheduler
App: db_writer
Security Policy: app_db_rw_pol
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Scheduler
App: db_writer
Security Policy: app_db_rw_pol
Secret Management Tool
Create Token:
Policy: app_db_rw_pol
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Scheduler
Secret Management Tool
Create Token:
Policy: app_db_rw_pol
Uses: 1
TTL: 30s (non-renewable)
Policy: none
Private storage:
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
App: db_writer
Security Policy: app_db_rw_pol
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
ContainerImage: db_writer
TOKEN: (outer token)
Uses: 1
TTL: 30s (non-renewable)
Policy: none
Private storage:
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Uses: 1
TTL: 30s (non-renewable)
Policy: none
Private storage:
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Unwrap
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Get DB
Creds
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
User: db_user
Password: db_pass
Expiration: 24h
Container
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Get S3
Creds
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
ACCESS_KEY: ...
SECRET_KEY: ...
Expiration: 24h
Container
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Get TLS
Cert
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Certificate: ...
Private Key: ...
Issuing CA: ...
Container
How’d we do?
● Look at previous list:
○ Don’t let them live forever (rotate/expire)
✓ Outer token expires (use limit) with only copy of inner token value
○ Distribute them securely
✓ Inner token covered the entire way
○ Limit exposure if disclosed
✓ Only specific policies granted, can only access specific secrets
○ Have a break-glass procedure
✓ Can lock down access at SM tool
✓ Audit logs ensure we know area of exposure
○ Detect unauthorized access
Scheduler
Secret Management Tool
Scheduler Agent
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Container
Uses: 1
TTL: 30s (non-renewable)
Policy: none
Private storage:
Uses: ∞
TTL: 1h (renewable)
Policy: app_db_rw_pol
Uses: ∞
TTL: 8h (renewable)
Policy: create_app_tokens
Unwrap
How’d we do?
● Can detect unauthorized access of “real” authentication token due to
time and use limit
● Application:
○ Reads inner token: success
○ Reads storage but no inner token found: log error and recover (e.
g. fail job)
○ Denied access from invalid token: raise high-priority security alert
and check audit logs:
■ Access of outer token storage in audit logs? Unauthorized use
■ No access? Probably timing issue, but investigate carefully
How’d we do?
● Mechanism not container-specific
○ CM tool drops wrapping/outer token on EC2 instance
○ File injected into chroot
○ Etc.
Other Paradigms
● Remember, security is risk management
● Depending on your tech stack:
○ Different primitives might be available
○ May be constrained
● Never forget your success criteria
Wrap-Up
● Plan your risk tolerance/security policy/success criteria in
advance
○ Do it now!
● Use a secret management tool
○ You’re smart, but it’s hard
● Schedulers provide perfect integration points
Questions
Thanks!

More Related Content

What's hot

Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
Taswar Bhatti
 
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs SecretsUsing Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019
Taswar Bhatti
 
Vault 101
Vault 101Vault 101
Vault 101
Hazzim Anaya
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
Nicolas Corrarello
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
OlinData
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetHow to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
Amanda MacLeod
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
David Timothy Strauss
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013
Cloudflare
 
Owasp crypto tools and projects
Owasp crypto tools and projectsOwasp crypto tools and projects
Owasp crypto tools and projects
OwaspCzech
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without Parachute
Cloudflare
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
Nicolas Corrarello
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014
Cloudflare
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014
Cloudflare
 

What's hot (20)

Nodejsvault austin2019
Nodejsvault austin2019Nodejsvault austin2019
Nodejsvault austin2019
 
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs SecretsUsing Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019Cloud patterns forwardjs April Ottawa 2019
Cloud patterns forwardjs April Ottawa 2019
 
Vault 101
Vault 101Vault 101
Vault 101
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
HashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin InfrastructureHashiCorp Vault Plugin Infrastructure
HashiCorp Vault Plugin Infrastructure
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With PuppetHow to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
How to Use HashiCorp Vault with Hiera 5 for Secret Management With Puppet
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013
 
Owasp crypto tools and projects
Owasp crypto tools and projectsOwasp crypto tools and projects
Owasp crypto tools and projects
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without Parachute
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014
 

Viewers also liked

Hashicorp Tooling: Value, efficiency & security
Hashicorp Tooling: Value, efficiency & securityHashicorp Tooling: Value, efficiency & security
Hashicorp Tooling: Value, efficiency & security
continohq
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructure
OpenCredo
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consul
Sean Chittenden
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester:  Security, Microservces and Vault by Nicki WattMicroservices Manchester:  Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
OpenCredo
 
Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...
Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...
Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...
Chris Fregly
 
dome and vault
dome and vaultdome and vault
dome and vault
kaiwan1996
 

Viewers also liked (6)

Hashicorp Tooling: Value, efficiency & security
Hashicorp Tooling: Value, efficiency & securityHashicorp Tooling: Value, efficiency & security
Hashicorp Tooling: Value, efficiency & security
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructure
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consul
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester:  Security, Microservces and Vault by Nicki WattMicroservices Manchester:  Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
 
Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...
Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...
Spark on Kubernetes - Advanced Spark and Tensorflow Meetup - Jan 19 2017 - An...
 
dome and vault
dome and vaultdome and vault
dome and vault
 

Similar to ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Container Environment" (Jeff Mitchell)

Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
CloudOps2005
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
CTruncer
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
CTruncer
 
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementAutomation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret Management
Mary Racter
 
Pentester++
Pentester++Pentester++
Pentester++
CTruncer
 
Incident Response Automation @ Netflix Q12019
Incident Response Automation @ Netflix Q12019Incident Response Automation @ Netflix Q12019
Incident Response Automation @ Netflix Q12019
MarcVilanova1
 
The Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdfThe Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdf
Hacken
 
Windows Domains Part 2
Windows Domains Part 2Windows Domains Part 2
Windows Domains Part 2
UTD Computer Security Group
 
Rust Primer
Rust PrimerRust Primer
Rust Primer
Knoldus Inc.
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application Security
Guille -bisho-
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application Security
Tuenti
 
Dev Ops & Secops & Bears, oh my!
Dev Ops & Secops & Bears, oh my!Dev Ops & Secops & Bears, oh my!
Dev Ops & Secops & Bears, oh my!
Dwolla
 
Bsdtw17: theo de raadt: mitigations and other real security features
Bsdtw17: theo de raadt: mitigations and other real security featuresBsdtw17: theo de raadt: mitigations and other real security features
Bsdtw17: theo de raadt: mitigations and other real security features
Scott Tsai
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing App
Andreas Schranzhofer
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15
Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15
Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15
MLconf
 
10 more lessons learned from building Machine Learning systems
10 more lessons learned from building Machine Learning systems10 more lessons learned from building Machine Learning systems
10 more lessons learned from building Machine Learning systems
Xavier Amatriain
 
10 more lessons learned from building Machine Learning systems - MLConf
10 more lessons learned from building Machine Learning systems - MLConf10 more lessons learned from building Machine Learning systems - MLConf
10 more lessons learned from building Machine Learning systems - MLConf
Xavier Amatriain
 
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
Omid Vahdaty
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
Michael Man
 

Similar to ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Container Environment" (Jeff Mitchell) (20)

Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret ManagementAutomation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret Management
 
Pentester++
Pentester++Pentester++
Pentester++
 
Incident Response Automation @ Netflix Q12019
Incident Response Automation @ Netflix Q12019Incident Response Automation @ Netflix Q12019
Incident Response Automation @ Netflix Q12019
 
The Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdfThe Risks of YOLOing-2.pdf
The Risks of YOLOing-2.pdf
 
Windows Domains Part 2
Windows Domains Part 2Windows Domains Part 2
Windows Domains Part 2
 
Rust Primer
Rust PrimerRust Primer
Rust Primer
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application Security
 
Tuenti: Web Application Security
Tuenti: Web Application SecurityTuenti: Web Application Security
Tuenti: Web Application Security
 
Dev Ops & Secops & Bears, oh my!
Dev Ops & Secops & Bears, oh my!Dev Ops & Secops & Bears, oh my!
Dev Ops & Secops & Bears, oh my!
 
Bsdtw17: theo de raadt: mitigations and other real security features
Bsdtw17: theo de raadt: mitigations and other real security featuresBsdtw17: theo de raadt: mitigations and other real security features
Bsdtw17: theo de raadt: mitigations and other real security features
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing App
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15
Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15
Xavier Amatriain, VP of Engineering, Quora at MLconf SF - 11/13/15
 
10 more lessons learned from building Machine Learning systems
10 more lessons learned from building Machine Learning systems10 more lessons learned from building Machine Learning systems
10 more lessons learned from building Machine Learning systems
 
10 more lessons learned from building Machine Learning systems - MLConf
10 more lessons learned from building Machine Learning systems - MLConf10 more lessons learned from building Machine Learning systems - MLConf
10 more lessons learned from building Machine Learning systems - MLConf
 
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
 

More from DynamicInfraDays

ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...
ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...
ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...
DynamicInfraDays
 
ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...
ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...
ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...
DynamicInfraDays
 
ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...
ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...
ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...
DynamicInfraDays
 
ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...
ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...
ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...
DynamicInfraDays
 
ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...
ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...
ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...
DynamicInfraDays
 
ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...
ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...
ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...
DynamicInfraDays
 
ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...
ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...
ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...
DynamicInfraDays
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
DynamicInfraDays
 
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...
DynamicInfraDays
 
ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...
ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...
ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...
DynamicInfraDays
 
ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...
ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...
ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...
DynamicInfraDays
 
ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...
ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...
ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...
DynamicInfraDays
 
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
DynamicInfraDays
 
ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...
ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...
ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...
DynamicInfraDays
 
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
DynamicInfraDays
 
ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...
ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...
ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...
DynamicInfraDays
 

More from DynamicInfraDays (16)

ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...
ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...
ContainerDays NYC 2016: "From Hello World to Real World: Building a Productio...
 
ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...
ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...
ContainerDays NYC 2016: "Securing Your Docker Image Registry for Production" ...
 
ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...
ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...
ContainerDays NYC 2016: "OpenWhisk: A Serverless Computing Platform" (Rodric ...
 
ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...
ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...
ContainerDays NYC 2016: "State of the Persistence Art: Present Best Practices...
 
ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...
ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...
ContainerDays NYC 2016: "Observability and Manageability in a Container Envir...
 
ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...
ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...
ContainerDays NYC 2016: "Containers in Azure: Understanding the Microsoft Con...
 
ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...
ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...
ContainerDays NYC 2016: "Introduction to Application Automation with Habitat"...
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
 
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...
 
ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...
ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...
ContainerDays NYC 2015: "Container Orchestration Compared: Kubernetes and Doc...
 
ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...
ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...
ContainerDays NYC 2015: "What It Really Takes to Build a Container Platform" ...
 
ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...
ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...
ContainerDays NYC 2015: "How Yodle Cleaned Up the Mess Using Containers and M...
 
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
 
ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...
ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...
ContainerDays Boston 2015: "CoreOS: Building the Layers of the Scalable Clust...
 
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
ContainerDays Boston 2015: "Continuous Delivery with Containers" (Nick Gauthier)
 
ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...
ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...
ContainerDays Boston 2015: "A Brief History of Containers" (Jeff Victor & Kir...
 

Recently uploaded

Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
Priyanka Aash
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 

Recently uploaded (20)

Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 

ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Container Environment" (Jeff Mitchell)

  • 1. Managing Secrets in Container Environments Jeff Mitchell HashiCorp @jefferai
  • 2. About Me ● Project Lead on Vault ○ A HashiCorp tool for managing secrets ○ https://vaultproject.io ● Previously, Architect at Akamai ○ Heavy focus on containerization and managing container security
  • 3. What this talk is... ● A discussion of paradigms and considerations necessary for managing secrets in container environments ● Applied security, not crypto theory ○ Goal: “Know what you need to know” when figuring out your organization’s security policy
  • 4. ...and what this talk isn’t ● One True Answer™ ○ Support requirements impact available technology/workflows ○ Each organization must set their own security policy and implement practices that satisfy it ● A discussion of container/hypervisor/OS security ○ Let’s talk Linux containerization
  • 5. ...and what this talk isn’t ● Not a deep dive into security rabbit holes (3-4 turtles max)
  • 6. ...and what this talk isn’t ● Not a deep dive into security rabbit holes (3-4 turtles max)
  • 7. Scheduler Secret Management Tool Scheduler Agent Container Problem Space
  • 8. Bear with me for four slides while I wax philosophical…
  • 9. What is “Security”? ● Security is the practice of risk management ○ Accepting some risks, guarding against violations of norms ● Anything that can elevate risk is a threat ○ Modeling threats informs security policy ● Risk increases with system complexity ○ More points of failure, confusion, and ingress = harder to secure
  • 10. What is a “Secret”? ● A secret is something that will elevate your risk if exposed to unauthorized entities ○ Undesired consequences are harm ○ Harm may come in many forms ■ Unauthorized data access ■ Identity spoofing ■ Private data egress ■ Regulatory fines ● An exposed secret is a threat
  • 11. Secrets vs. Identifiers ● Not all things that can be disclosed are secrets, some are identifiers ○ Username (identifier) vs. Password (secret) ○ TLS certificate (identifier) vs. TLS Key (secret) ○ GitHub user name (identifier) vs. API key (secret) ● Identifiers aren’t completely risk-free ○ Have chosen to ignore that risk
  • 12. What is “Trust”? ● A trusted entity is one that will not divulge the secrets it has access to ● Modeling trusted entities is companion to modeling threats ● Two concepts: ○ Circle of trust ○ Chain of trust
  • 13. Circle of Trust Entities we trust with any secret. For this talk: RAM root Secret Management ToolEmployees? CPU Cloud?
  • 14. Circle of Trust Only allowed long-term storage is in circle of trust RAM root Secret Management Tool Persistent Storage Random Users General apps/services NSA Random Wi- Fi Hotspot Your Mother’s Notepad.txt Employees? CPU Cloud?
  • 15. Chain of Trust ● The set of links (e.g. network hops) that any particular secret travels through from entity A to entity B ○ Source/destination must be in circle of trust ● Any link is an access point/interception point ○ Accidental logging ○ Exploitation by attacker ○ Lookup by operator ○ Employee Post-It™ ○ Conspiracy of One/Compromised employee
  • 16. Problem Space ● We can now establish the problem space: ○ Managing secrets in an environment means establishing trust chains in the environment ○ Links in the chains have associated risk ■ Minimize hops and minimize risk-per-link ■ Risk cannot be fully mitigated; must assume any given secret will eventually be divulged ● Ultimate goal: zero trust ○ Don’t give the opportunity for risks to occur in the first place
  • 17. Scheduler Secret Management Tool Scheduler Agent Container Goal: Securely move secret from originator to new container’s RAM
  • 21. Secret Protection ● Establishing a train of trust requires defining the requirements it must fulfill to keep secrets protected ● Good news: we only need to do this for one secret!
  • 22. Secure Introduction ● First secret authenticates us to allow direct access to more ● If you can protect this secret, you can protect any secret ○ (Generally) ● This concept is secure introduction (SI)
  • 23. Secret Protection ● How do you protect secrets (perform SI)? ○ First establish success criteria based on acceptable risk ● For this talk: ○ Don’t let them live forever (rotate/expire) ○ Distribute them securely ○ Limit exposure if disclosed ○ Have a break-glass procedure ○ Detect unauthorized access
  • 24. Rotation ● As lifetime increases, chance for exposure → ∞ ○ Caches/logs ○ Cracked over time/enough packets ○ Debugging ● Secrets should be rotated “frequently” ○ User passwords vs. machine secrets ■ xkcd’s ______ ______ ______ ______ → bad policies + frequent rotation = written down user passwords ■ Less frequently/more used = more likely overseen ■ Machines: it’s just data - plan/build for rotation and rotate often
  • 25. Distribution ● The literal movement along the chain of trust ○ To/From ■ People ■ Machines ● Base level: never plaintext, always covered ○ Encryption ○ Wrapping ○ Etc.
  • 26. Limit Exposure ● Principle of least privilege ○ DB credentials: only specific tables/operations ○ Login credentials: not root ○ API credentials: minimal function set
  • 27. Access Detection ● Things have a way of being leaky ● Env vars: common way to pass in secrets. Also: ○ Often logged, sometimes multiple places ○ Easily discoverable by operator ■ Both Docker commands and non-Docker commands can spill the beans
  • 28. Access Detection ● Equally as important as protecting a secret is knowing if an unintended party has intercepted it ● Audit logs are great… ○ ...but do you look at them? ● Active detection (when possible) is even better
  • 29. Break-Glass ● Compromised? ○ Stop all further access to protected resources ○ Perform forensics ○ Rotate all secrets after re-establishing identities of legitimate secret-holders ○ … ● Figure this out during the planning process -- not after!
  • 30. ● So...this is complicated… ● ...but there’s good news!
  • 31. ● Recent explosion of FOSS Secret Management (SM) tools ○ Vault ○ KeyWhiz ○ Knox ○ Conjur (Docker only) ○ Many more (apologies if I missed your favorite)... Secret Management Tools
  • 32. ● If you only take away two things from this talk, make sure they are the following:
  • 33. ● If you only take away two things from this talk, make sure they are the following: 1. Write your own crypto
  • 34. ● If you only take away two things from this talk, make sure they are the following: 1. Write your own crypto 2. Use it in a Secret Management tool
  • 35. ● If you only take away two things from this talk, make sure they are the following: 1. Write your own crypto 2. Use it in a Secret Management tool NO! NO!
  • 36. ● If you only take away two things from this talk, make sure they are the following: 1. Use a Secret Management tool 2. Don’t roll your own
  • 37. Secret Management Tools ● Why? ○ Central, secure storage (avoid sprawl) ○ Central management ○ Codified, secure access mechanisms ○ Centralized auditing ■ Ensure knowledge of what secrets have been seen by what users/services ○ Secret rotation/revocation/expiration
  • 38. Big Caveat ● This isn’t a vendor talk, but I have a bias ● I don’t have exhaustive knowledge of non-Vault SMs ● Anything I say a SM can do can be done with Vault, and may or may not be possible with other solutions ○ They may absolutely do things Vault can’t
  • 39. SM + SI ● Explicit focus on the secure introduction problem ○ Core competency from ground up ○ Necessary tools/capabilities/primitives ● Containers can support existing SI paradigms ○ If you can securely get credentials to it, but imagine… ■ Managing 100k LDAP/AD users churning at high rate ■ Generating/dropping 100k Kerberos keytabs ○ ...and you’ve solved SI anyways
  • 40. SM + SI ● Platform agnostic (with platform-based enhancements) ○ Change authentication mechanism “front-end” ■ Containers ■ EC2 ■ Bare metal ■ Users
  • 41. SMs <3 Schedulers ● Anyone working with containers at scale uses a scheduler ○ Nomad ○ Mesos ○ Fleet ○ Swarm ○ Kubernetes (All-In-One)
  • 42. SMs <3 Schedulers ● Schedulers are sources of truth and provide hooks ● SM tools and schedulers can be a magical combination ○ May not be direct integration, glue code needed ○ OTOH avoiding tight coupling means better reuse across environments
  • 44. Scheduler Secret Management Tool Scheduler Agent Container SI #1 (Traditional)
  • 45. Scheduler Secret Management Tool Scheduler Agent Container SI #1 (Traditional) Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens
  • 46. Scheduler Secret Management Tool Scheduler Agent Container SI #2 (New) Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens
  • 47. Preconditions ● Suppose a SM authentication token has: ○ Unlimited or limited use-count ○ Limited time-to-live (TTL), possibly renewable ○ Set of authorization policies ■ e.g. use first secret (auth token) to get application secrets ○ Consistent ID in audit logs ○ Token-scoped secure storage tied to token lifetime ● Claim: These primitives allow excellent SI for containers
  • 48. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container
  • 49. Scheduler App: db_writer Security Policy: app_db_rw_pol Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container
  • 50. Scheduler App: db_writer Security Policy: app_db_rw_pol Secret Management Tool Create Token: Policy: app_db_rw_pol Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container
  • 51. Scheduler Secret Management Tool Create Token: Policy: app_db_rw_pol Uses: 1 TTL: 30s (non-renewable) Policy: none Private storage: Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens App: db_writer Security Policy: app_db_rw_pol Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container
  • 52. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens ContainerImage: db_writer TOKEN: (outer token) Uses: 1 TTL: 30s (non-renewable) Policy: none Private storage: Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens
  • 53. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container Uses: 1 TTL: 30s (non-renewable) Policy: none Private storage: Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Unwrap
  • 54. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol
  • 55. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Get DB Creds
  • 56. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens User: db_user Password: db_pass Expiration: 24h Container
  • 57. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Get S3 Creds
  • 58. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens ACCESS_KEY: ... SECRET_KEY: ... Expiration: 24h Container
  • 59. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Get TLS Cert
  • 60. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Certificate: ... Private Key: ... Issuing CA: ... Container
  • 61. How’d we do? ● Look at previous list: ○ Don’t let them live forever (rotate/expire) ✓ Outer token expires (use limit) with only copy of inner token value ○ Distribute them securely ✓ Inner token covered the entire way ○ Limit exposure if disclosed ✓ Only specific policies granted, can only access specific secrets ○ Have a break-glass procedure ✓ Can lock down access at SM tool ✓ Audit logs ensure we know area of exposure ○ Detect unauthorized access
  • 62. Scheduler Secret Management Tool Scheduler Agent Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Container Uses: 1 TTL: 30s (non-renewable) Policy: none Private storage: Uses: ∞ TTL: 1h (renewable) Policy: app_db_rw_pol Uses: ∞ TTL: 8h (renewable) Policy: create_app_tokens Unwrap
  • 63. How’d we do? ● Can detect unauthorized access of “real” authentication token due to time and use limit ● Application: ○ Reads inner token: success ○ Reads storage but no inner token found: log error and recover (e. g. fail job) ○ Denied access from invalid token: raise high-priority security alert and check audit logs: ■ Access of outer token storage in audit logs? Unauthorized use ■ No access? Probably timing issue, but investigate carefully
  • 64. How’d we do? ● Mechanism not container-specific ○ CM tool drops wrapping/outer token on EC2 instance ○ File injected into chroot ○ Etc.
  • 65. Other Paradigms ● Remember, security is risk management ● Depending on your tech stack: ○ Different primitives might be available ○ May be constrained ● Never forget your success criteria
  • 66. Wrap-Up ● Plan your risk tolerance/security policy/success criteria in advance ○ Do it now! ● Use a secret management tool ○ You’re smart, but it’s hard ● Schedulers provide perfect integration points