
Secret Management Journey - Here Be Dragons aka Secret Dragons

Secret Management Journey - In the beginning there was a file, and it contained all the passwords in plain text, but then someone stole all the passwords, so we don't do that anymore. In this talk I will explore how secret management has evolved over the years, what the common path to maturity is, what good looks like, and why "just use HashiCorp Vault" is a good heuristic. Explore with me the perils of storing secrets in Jenkins, how ansible-vault leads to disasters, and where CyberArk Conjur sits in all of this.



  1. Secret Dragons (title slide)
  2. whoami
     Marcus Maxwell, Technical Consultant
     ● AWS Certified Solutions Architect - Professional
     ● Certified Kubernetes Administrator
     https://twitter.com/mindful_monk
     marcus.maxwell@contino.io
  3. (image only)
  4. Agenda
     ● History of secrets (plain-text files, encrypted spreadsheets, pwman, KeePass, pass/password-store)
     ● Keeping secrets with ansible-vault
     ● Keeping secrets with Jenkins
     ● Trying to use enterprise secret stores (CyberArk)
     ● DevOps secret stores 2.0 (HashiCorp Vault, Conjur, Keywhiz)
  5. Who uses HashiCorp Vault?
  6. History of Secrets
  7. (image only)
  8. Physical secrets
     ● Post-it notes
     ● Notebook
     ● A single password in your head
  9. (image only)
  10. Plain-text files
     ● Still in use
     ● Sometimes base64 encoded (an encoding, not encryption: anyone who can read the file can decode it)
     ● Sometimes hashed
     ● Sometimes on NFS
     ● Post-it note on the Windows desktop
     ● OneNote
  11. Confluence/SharePoint
     ● Locked-down access
     ● Sometimes with a fancy plugin: https://www.servicerocket.com/add-on/security-and-encryption
  12. Spreadsheets
     ● Usually on an NFS share
     ● Hopefully password protected
     ● Hopelessly outdated
     ● Pretty much the default for everyone outside the IT department
  13. Old apps still in use
     ● Password Safe (pwsafe.org): probably the most common solution inside teams; originally written by Bruce Schneier
     ● KeePass
  14. The various git methods
     ● git-crypt
     ● BlackBox: https://github.com/StackExchange/blackbox
     ● pass: one GPG-encrypted file per secret
  15. CM tools
     ● Puppet: Hiera eyaml
     ● Chef: encrypted data bags
     ● Ansible Vault
  16. Enterprise solutions
     ● CyberArk
     ● Thycotic Secret Server
     ● Pleasant Password Server
  17. Browser-based password managers
     ● LastPass
     ● Dashlane
     ● 1Password
  18. Jenkins
  19. Cloud based
     ● CredStash: https://github.com/fugue/credstash
     ● AWS Systems Manager Parameter Store
     ● Azure Key Vault
     ● Confidant (secrets in DynamoDB)
     ● Sneaker (secrets in S3 buckets)
  20. Container native
     ● Kubernetes Secrets
     ● Docker Secrets
     ● Rancher Secrets
     ● Aqua Security secrets
  21. The new wave
     ● HashiCorp Vault
     ● Keywhiz
     ● Conjur
  22. Problems with secret management
     ● If the store is compromised, how do I rotate all my secrets? Most tools have no support for that
     ● Lack of granular permissions
     ● Chicken-and-egg problem: where do you keep the password that decrypts the passwords? (secure introduction)
     ● They break down completely once you try to use them in a more dynamic environment
     ● Usually no Active Directory integration
     ● Enterprise solutions cost an arm and a leg
  23. A note on SSL certificates
     ● Usually out of scope
     ● Usually managed by some team nobody really knows about
     ● Rarely an API to get one
     ● Usually takes 1-2 weeks and requires filling out a 10-page .doc
     ● People just don't bother and have invalid-certificate errors all the time
     ● ... so everyone reaches for curl -k, which turns off certificate verification and with it the protection TLS was there to give
     ● Many better options are available: HashiCorp Vault (PKI secrets engine), Lemur, Cloudflare SSL
  24. Some tips
     ● APIs or GTFO
     ● Dynamic > static
     ● Optimize for rotating secrets across the whole estate
     ● Ensure self-service
     ● Validate the container use case early: most solutions won't fit and can be discarded
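The "Problems with secret management" slide (estate-wide rotation, granular permissions, secure introduction, dynamic environments) and the tips above (APIs, dynamic over static, rotate everything) describe properties rather than mechanics. The following is an added example written for this page, not code from the talk or from HashiCorp Vault: an in-memory model of a store that has those properties. The names SecretStore, wrap_secret_id, unwrap, login, read_dynamic_creds and revoke_prefix are assumptions loosely modelled on Vault's AppRole, response-wrapping and lease concepts, not Vault's real API, and the role "web" and the database/creds/... paths are constructed for the demo.

```python
# Added example, not code from the talk or from HashiCorp Vault: an in-memory
# model of a secret store with the properties the slides ask for. The names
# (SecretStore, wrap_secret_id, login, read_dynamic_creds, revoke_prefix) are
# assumptions loosely modelled on Vault's AppRole, response-wrapping and lease
# concepts, not Vault's real API; roles and paths below are constructed.
import secrets
import time


class SecretStore:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so expiry can be simulated offline
        self.policies = {}     # role_id -> {path: {capabilities}}  (per-path ACL)
        self.pending_ids = {}  # role_id -> unused secret_ids
        self.wrapped = {}      # wrap_token -> (secret_id, expires_at)
        self.tokens = {}       # client token -> role_id
        self.leases = {}       # lease_id -> credential dict with expires_at
        self.audit = []        # (event, detail)

    def create_role(self, role_id, policy):
        self.policies[role_id] = policy
        self.pending_ids[role_id] = set()

    def wrap_secret_id(self, role_id, ttl=60):
        # Secure introduction: the orchestrator hands the new workload a
        # single-use, short-lived wrapper; the secret_id never lands in a file.
        secret_id = secrets.token_hex(16)
        self.pending_ids[role_id].add(secret_id)
        wrap = "wrap-" + secrets.token_hex(8)
        self.wrapped[wrap] = (secret_id, self.clock() + ttl)
        return wrap

    def unwrap(self, wrap):
        entry = self.wrapped.pop(wrap, None)   # pop: a replay finds nothing
        if entry is None:
            self.audit.append(("unwrap_replay_or_unknown", wrap))
            raise PermissionError("wrapping token already used or unknown")
        secret_id, expires_at = entry
        if self.clock() > expires_at:
            raise PermissionError("wrapping token expired")
        return secret_id

    def login(self, role_id, secret_id):
        if secret_id not in self.pending_ids.get(role_id, ()):
            raise PermissionError("bad role_id/secret_id")
        self.pending_ids[role_id].discard(secret_id)   # secret_id is single use too
        token = "tok-" + secrets.token_hex(8)
        self.tokens[token] = role_id
        return token

    def read_dynamic_creds(self, token, path, ttl=300):
        # Dynamic > static: a fresh per-caller credential under a lease,
        # authorised per path, instead of one shared password for everyone.
        role_id = self.tokens.get(token)
        if "read" not in self.policies.get(role_id, {}).get(path, set()):
            self.audit.append(("denied", (role_id, path)))
            raise PermissionError(f"{role_id!r} may not read {path}")
        lease_id = "lease-" + secrets.token_hex(4)
        self.leases[lease_id] = {"path": path,
                                 "username": f"v-{role_id}-{secrets.token_hex(3)}",
                                 "password": secrets.token_urlsafe(24),
                                 "expires_at": self.clock() + ttl}
        return lease_id, self.leases[lease_id]

    def is_valid(self, lease_id):
        lease = self.leases.get(lease_id)
        return lease is not None and self.clock() <= lease["expires_at"]

    def revoke_prefix(self, prefix):
        # Rotate the whole estate at once: every lease under the prefix dies
        # and consumers must come back through the API for new credentials.
        doomed = [i for i, l in self.leases.items() if l["path"].startswith(prefix)]
        for i in doomed:
            del self.leases[i]
        return len(doomed)


def raises_permission_error(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    # One workload: introduction, replayed wrapper, lease use, expiry, rotation.
    now = [1_000_000.0]
    store = SecretStore(clock=lambda: now[0])
    store.create_role("web", {"database/creds/app-ro": {"read"}})
    wrap = store.wrap_secret_id("web", ttl=60)       # CI passes this to the pod
    token = store.login("web", store.unwrap(wrap))   # pod introduces itself
    replay_blocked = raises_permission_error(store.unwrap, wrap)  # sniffed wrapper
    lease_id, creds = store.read_dynamic_creds(token, "database/creds/app-ro")
    admin_denied = raises_permission_error(store.read_dynamic_creds, token,
                                           "database/creds/admin")
    valid_before = store.is_valid(lease_id)
    now[0] += 301                                    # lease TTL elapses
    expired = not store.is_valid(lease_id)
    lease2_id, creds2 = store.read_dynamic_creds(token, "database/creds/app-ro")
    revoked = store.revoke_prefix("database/")       # "rotate everything"
    return {"replay_blocked": replay_blocked, "admin_denied": admin_denied,
            "valid_before": valid_before, "expired": expired,
            "distinct_creds": creds["password"] != creds2["password"],
            "revoked": revoked, "valid_after": store.is_valid(lease2_id),
            "audit": [event for event, _ in store.audit]}
```

Two design points carry over to any real store. The wrapper is popped on first use, so a token that leaks through a pipeline log or a copied environment is useless once the legitimate workload has consumed it, and a later attempt shows up in the audit trail as a replay rather than silently succeeding. Credentials are minted per caller with a lease, so "rotate the estate" is one revocation over a path prefix rather than a hunt through every config file for a shared password.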
  25. Summary
     ● Talk to the developers
     ● Find out how secrets are currently being stored in your organization
     ● Come up with a transition plan
     ● Start on-boarding teams to the new secret store
     ● and most importantly, don't end up like this (image)
  26. Learn more
     ● Modern Secret Management with Vault: https://www.youtube.com/watch?v=iqigxGccezI
     ● Vault vs other products: https://www.vaultproject.io/intro/vs/index.html
     ● [Webinar] Securing Ansible Deployments With HashiCorp Vault: https://www.youtube.com/watch?v=wCTgi6fKXcM
  27. Questions?
     Contino: contino.io, info@contino.io, @ContinoHQ
     London: 1 Fore Street, Moorgate, London, EC2Y 9DT, UK (london@contino.io)
     New York: 404 5th Avenue, New York NY 10018, United States (newyork@contino.io)
     Melbourne: Level 2, Hub Southern Cross, 696 Bourke St, Melbourne VIC 3000, Australia (melbourne@contino.io)
     Sydney: 5 Martin Place, Sydney NSW 2000, Australia (sydney@contino.io)
     Boston: 745 Atlantic Ave, Boston MA 02111, United States (hello@contino.io)
     Atlanta: 3340 Peachtree Rd NE STE 1010, Atlanta GA 30326, United States (hello@contino.io)
