Secret Management Journey - Here Be Dragons aka Secret Dragons

1. Secret Dragons Secret Dragons

2. Secret Dragons whoami Marcus Maxwell Technical Consultant ● AWS Certified Solutions Architect - Professional ● Certified Kubernetes Administrator https://twitter.com/mindful_monk marcus.maxwell@contino.io

3. Secret Dragons

4. Secret Dragons Agenda ● History of Secrets ( plain text files, encrypted spreadsheet, pwman, keypass, passwordstore) ● Keeping secrets with ansible-vault ● Keeping secrets with Jenkins ● Trying to use Enterprise Secret Stores(CyberArk) ● DevOps Secret Stores 2.0 (HashiCorp Vault, Conjur, Keywhiz)

5. Secret Dragons Who uses HashiCorp Vault?

6. Secret Dragons History of Secrets

7. Secret Dragons

8. Secret Dragons Physical Secrets ● Post-it notes ● Notebook ● Single password in your head

9. Secret Dragons

10. Secret Dragons Plaintext files ● Still in use ● Sometimes base64 encoded ● Sometimes hashed ● Sometimes on NFS ● Post-it note on the windows desktop ● OneNote

11. Secret Dragons Confluence/Sharepoint ● Locked down access ● Sometimes with a fancy plugin https://www.servicerocket.com/add-on/security-and-encryption

12. Secret Dragons Spreadsheets ● Usually on an NFS ● Hopefully password protected ● Outdated like hell ● Pretty much used by everyone not in the IT department

13. Secret Dragons Old apps still in use ● Password Safe pwsafe.org probably most common solution inside of teams, made by Bruce Shneier ● Keepass

14. Secret Dragons The various git methods ● git-crypt ● BlackBox https://github.com/StackExchange/blackbox ● pass - gpg file

15. Secret Dragons CM Tools ● Puppet - Hiera eyaml ● Chef - encrypted databags ● Ansible Vault

16. Secret Dragons Enterprise Solution ● CyberArk ● Thycotic Secret Server ● Pleasant Password Server

17. Secret Dragons Browser based password managers ● Lastpass ● Dashlane ● 1Password

18. Secret Dragons Jenkins

19. Secret Dragons Cloud Based ● CredStash https://github.com/fugue/credstash ● AWS Secret Store(Parameter Store) ● Azure Key Vault ● Confidant (secrets in dynamodb) ● Sneaker (secrets in s3 buckets)

20. Secret Dragons Container Native ● Kubernetes Secrets ● Docker Secrets ● Rancher Secrets ● Aquasec Secrets

21. Secret Dragons The New Wave ● HashiCorp Vault ● Keywhiz ● Conjur

22. Secret Dragons Problems with Secret Management ● If it gets compromised, how do I rotate all my secrets? Most don’t have support for that ● Lack of granular permissions ● Chicken and egg problem, where do you keep the password to decrypt the passwords? (Secure Introduction) ● Start to completely break down once you try to use them in a more dynamic atmosphere ● Usually no AD integration ● Enterprise solutions cost an arm and a leg

23. Secret Dragons A note on SSL Certificates ● Usually out of scope ● Usually managed by some team nobody really knows about ● Rarely an API to get one ● Usually takes 1-2 weeks and requires filling out a 10 page .doc ● People just don’t bother and have invalid cert errors all the time ● curl -k yo ● Many better options available: HashiCorp Vault, Lemur, cloudflare ssl

24. Secret Dragons Some tips ● APIs or GTFO ● Dynamic > Static ● Optimize for rotating secrets in the whole estate ● Ensure self-service ● Validate container use-case as most solutions won’t fit and can be discarded

25. Secret Dragons Summary ● Talk to the developers ● Find out how secrets are currently being stored in your organization ● Come up with a transition plan ● Start on-boarding teams to the new secret store ● and most importantly don’t end up like this

26. Secret Dragons Learn more ● Modern Secret Managements with Vault https://www.youtube.com/watch?v=iqigxGccezI ● Vault vs other products https://www.vaultproject.io/intro/vs/index.html ● [Webinar] Securing Ansible Deployments With HashiCorp Vault https://www.youtube.com/watch?v=wCTgi6fKXcM

27. Secret Dragonscontino.io info@contino.io @ContinoHQ @ContinoHQ Contino QUESTIONS ? London 1 Fore Street, Moorgate, London, EC2Y 9DT, UK New York 404 5th Avenue, New York NY 10018 United States Melbourne Level 2, Hub Southern Cross, 696 Bourke St, Melbourne VIC 3000, Australia — — — london@contino.io newyork@contino.io melbourne@contino.io Sydney 5 Martin Place Sydney NSW 2000, Australia sydney@contino.io — Boston 745 Atlantic Ave Boston MA 02111 United States hello@contino.io Atlanta 3340 Peachtree Rd NE STE 1010 Atlanta GA 30326 United States hello@contino.io

Secret Management Journey - Here Be Dragons aka Secret Dragons

Michael Man

Secret Management Journey - Here Be Dragons aka Secret Dragons