London HUG 14/3

Amir Jerbi - AquaSec CTO

  1. Who's Keeping your Secrets? Amir Jerbi, CTO and co-founder, Aqua Security (Copyright 2016 Aqua Security Software Ltd. All Rights Reserved.)
  2. DO YOU HAVE SECRETS?
     - Encryption keys
     - Database passwords
     - SSH keys
     - Cloud service tokens
  3. SECRETS ARE HEAVILY USED IN CONTAINERS
  4. AND SOMETIMES CAN BE USED INSECURELY...
  5. PASSING SECRETS TO CONTAINERS – WRONG WAY
     - Cleartext environment variables
     - Mounted volumes
     - Unauthenticated services (e.g. S3)
     - Saving secrets into images (please don't)
  6. CAN EXPOSE SECRETS TO THE HOST
     - "docker inspect ..." (Config.Env merges the image's ENV with the -e flags, so a secret baked into the image shows up here too)
     - /proc/<pid>/environ (container processes are visible in the host's PID namespace, so a sufficiently privileged host user can read them)
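The two exposures on slides 5 and 6, shown end to end as an added example (not code from the talk or from Aqua's product): environ_of reads another process's environment from /proc/<pid>/environ, demo_environ_leak starts a child process carrying a constructed DB_PASSWORD and recovers it that way, and scan_inspect runs over constructed `docker inspect` JSON to flag cleartext credential env vars and bind mounts of host credential directories. The SECRET_NAME pattern, the sample containers and the secret values are assumptions made for the example.

```python
import json
import os
import re
import subprocess
import sys

# Heuristic for env var names that usually carry credentials (assumption for the example).
SECRET_NAME = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|KEY)$", re.I)

# Constructed `docker inspect` output, trimmed to the fields the scanner reads.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"Env": ["PATH=/usr/bin", "APP_ENV=prod",
                           "DB_PASSWORD=hunter2", "AWS_SECRET_ACCESS_KEY=EXAMPLEKEY"]},
        "Mounts": [{"Type": "bind", "Source": "/home/ops/.aws", "Destination": "/root/.aws"}],
    },
    {
        "Name": "/api",
        "Config": {"Env": ["PATH=/usr/bin", "APP_ENV=prod"]},
        # tmpfs is RAM-backed and never lands on the host's disk
        "Mounts": [{"Type": "tmpfs", "Source": "", "Destination": "/run/secrets"}],
    },
])


def environ_of(pid):
    """Return the environment of process `pid` from /proc/<pid>/environ.

    Returns None when /proc is unavailable (non-Linux) or the file cannot be read.
    Entries are NUL-separated KEY=VALUE pairs fixed at exec() time, so whoever
    can read this file sees every cleartext env var the process was started with.
    """
    try:
        with open(f"/proc/{pid}/environ", "rb") as f:
            raw = f.read()
    except OSError:
        return None
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def demo_environ_leak():
    """Start a child with a constructed secret in its environment and read it back via /proc.

    Popen returns only after the child has exec()ed, so its environ is already in place.
    Returns the recovered value, or None where /proc/<pid>/environ is not readable.
    """
    child_env = dict(os.environ, DB_PASSWORD="hunter2")  # constructed secret
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"], env=child_env)
    try:
        env = environ_of(child.pid)
    finally:
        child.kill()
        child.wait()
    return None if env is None else env.get("DB_PASSWORD")


def scan_inspect(inspect_json):
    """Flag secret-like settings in `docker inspect` output (a JSON list of containers).

    Returns (container_name, finding) tuples for cleartext credential env vars and
    for bind mounts whose host path looks like credential material.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for entry in container.get("Config", {}).get("Env") or []:
            key = entry.split("=", 1)[0]
            if SECRET_NAME.search(key):
                findings.append((name, f"cleartext env var {key}"))
        for mount in container.get("Mounts") or []:
            source = mount.get("Source", "")
            if mount.get("Type") == "bind" and re.search(r"(secret|\.ssh|\.aws|key)", source, re.I):
                findings.append((name, f"host path {source} bind-mounted at {mount.get('Destination')}"))
    return findings


if __name__ == "__main__":
    print("recovered from /proc:", demo_environ_leak())
    for container, finding in scan_inspect(SAMPLE_INSPECT):
        print(f"{container}: {finding}")
```

Run it on a Linux host and the child's DB_PASSWORD comes straight back out of /proc; the same read against a real container's PID from the host needs only the privilege to open that file. The scanner is a heuristic on names, so it is a triage aid, not proof that a container is clean.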
  7. PASSING SECRETS IS NOT THE ONLY CHALLENGE...
     - Controlling who can access a secret
     - Monitoring secret usage
     - Rotating secret values
     - De-provisioning a secret
  8. AVAILABLE SOLUTIONS
     - Kubernetes Secrets: https://kubernetes.io/docs/user-guide/secrets/
     - Docker Swarm Secrets: https://blog.docker.com/2017/02/docker-secrets-management/
     - DC/OS Secrets: https://docs.mesosphere.com/1.8/administration/secrets/
     - Keywhiz: https://github.com/square/keywhiz
     - HashiCorp Vault: https://www.vaultproject.io/
     See also: https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d#.86vfvlk1t
  9. WHY HASHICORP VAULT?
     - Purpose built for secrets
     - Key rolling
     - Comprehensive access control
     - Expiration policies
     - Extendable
     - Easy to integrate
  10. CASE STUDY: AQUA SECURITY INTEGRATION WITH HASHICORP VAULT
     Solution highlights:
     - Central management
     - Secrets are never persisted to disk outside of Vault
     - Secured communications
     (Diagram: Host 1 and Host 2, each talking to the Command Center, which talks to HashiCorp Vault)
  11. SECRETS ARE INJECTED INTO CONTAINERS
     - Through environment variables
     - Or through a tmpfs-mounted volume
  12. SECRET ACCESS CONTROL
     - Control user and group access to secrets
  13. USAGE TRACKING
     - Track which containers are using secrets
  14. SECRET ROTATION & REVOCATION
     - Container secrets can be updated at runtime
     - No need to restart the container
     - Deleting a secret removes it from all running containers
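The behaviour described on slides 11 to 14 (file-based injection, user/group access control, usage tracking, runtime rotation and revocation), as an added example that models it in one small class. This is not Aqua's implementation: the secret source is a dict standing in for Vault, each container's tmpfs mount is stood in for by a directory under a temporary directory on ordinary disk, and principals are hypothetical "user:..." / "group:..." strings. The secret names and values are constructed for the example.

```python
import os
import tempfile


class SecretInjector:
    """Model of a host agent that fetches secrets and places them in containers.

    Assumptions for the example: `vault` stands in for Vault's KV store, each
    container's tmpfs mount is the directory <mount_root>/<container_id>, and a
    request is allowed when any of its principals appears in the secret's ACL.
    """

    def __init__(self, mount_root):
        self.mount_root = mount_root
        self.vault = {}   # name -> current value (stand-in for Vault)
        self.acl = {}     # name -> set of principals allowed to use the secret
        self.usage = {}   # name -> set of container ids that received it

    def store(self, name, value, allowed):
        self.vault[name] = value
        self.acl[name] = set(allowed)
        self.usage.setdefault(name, set())

    def _path(self, container_id, name):
        return os.path.join(self.mount_root, container_id, name)

    def _write(self, container_id, name, value):
        """Write via temp file + rename so the app never reads a half-written secret."""
        path = self._path(container_id, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            f.write(value)
        os.chmod(tmp, 0o600)  # owner-only; a real agent would chown to the container's uid
        os.replace(tmp, path)

    def inject(self, name, container_id, principals):
        """Place a secret in a container if one of the requesting principals is allowed."""
        if name not in self.vault:
            raise KeyError(name)
        if not self.acl[name] & set(principals):
            raise PermissionError(f"{sorted(principals)} may not use {name}")
        self._write(container_id, name, self.vault[name])
        self.usage[name].add(container_id)  # usage tracking

    def rotate(self, name, new_value):
        """Update the value in every running container that holds it; no restart."""
        self.vault[name] = new_value
        for cid in self.usage[name]:
            self._write(cid, name, new_value)

    def revoke(self, name):
        """Delete the secret: remove it from every container, then from the source."""
        for cid in self.usage.pop(name, set()):
            try:
                os.remove(self._path(cid, name))
            except FileNotFoundError:
                pass
        self.vault.pop(name, None)
        self.acl.pop(name, None)

    def consumers(self, name):
        return sorted(self.usage.get(name, ()))

    def read_in_container(self, container_id, name):
        """What the application inside the container sees (None once revoked)."""
        try:
            with open(self._path(container_id, name)) as f:
                return f.read()
        except FileNotFoundError:
            return None


def run_demo():
    """Walk through inject, deny, rotate and revoke; returns what each step observed."""
    inj = SecretInjector(tempfile.mkdtemp(prefix="secrets-demo-"))
    inj.store("db_password", "hunter2", allowed={"group:backend"})  # constructed secret
    inj.inject("db_password", "web-1", {"user:alice", "group:backend"})
    inj.inject("db_password", "web-2", {"group:backend"})
    try:
        inj.inject("db_password", "batch-1", {"user:mallory"})
        denied = False
    except PermissionError:
        denied = True
    initial = inj.read_in_container("web-1", "db_password")
    inj.rotate("db_password", "s3cr3t-v2")
    after_rotate = tuple(inj.read_in_container(c, "db_password") for c in ("web-1", "web-2"))
    consumers = inj.consumers("db_password")
    inj.revoke("db_password")
    after_revoke = tuple(inj.read_in_container(c, "db_password") for c in ("web-1", "web-2"))
    return {"initial": initial, "denied": denied, "after_rotate": after_rotate,
            "consumers": consumers, "after_revoke": after_revoke,
            "consumers_after_revoke": inj.consumers("db_password")}


if __name__ == "__main__":
    print(run_demo())
```

The rename-based write is what lets rotation happen under a running process without a restart: the application re-reads the file and sees either the old value or the new one, never a truncated file. What the model leaves out, and a real agent must handle, is entering the container's mount namespace to write to its tmpfs, and the fact that an application which cached the old value in memory will keep using it until it re-reads.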
  15. Q&A
