Vault and Security as a Service

Slides for Vault talk at The Lead Dev conference in Austin 2018. Given as a 10-minute lightning talk on what Vault is, security-through-observability, and how to get started with secret management.

  1. Vault + Security as a Service. Pat Shields, Bronto Software. twitter.com/patrickmshields, linkedin.com/in/ihavenoideawhatimdoinggif
  2. A Developer's Perspective
  3. A Developer's Perspective: Database Password Storage; Data Encryption; Production Access Control
  4. Outline: I. The Pickle We're In; II. Secret Management; III. Audit Trails; IV. Where To Go From Here
  5. Monolithic Web Architecture (diagram): Load Balancer -> monolith-prod-001, monolith-prod-002, monolith-prod-003 -> DB
  6. Monolithic Web Architecture (the same diagram, repeated as a build step)
  7. Current Web Architecture (diagram): a Container Cluster of seven containers, a Managed Env, two DBs, Kafka, NoSQL, two Random VMs, and an Analytics Cluster running a Spark Job and an MR Job
  8. https://arstechnica.com/information-technology/2013/01/psa-dont-upload-your-important-passwords-to-github/
  9. https://arstechnica.com/information-technology/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/
  10. DevOps Security as a Service
  11. Secret Management
  12. Secret Management: "If I can't put the password in the config file then where does it go?" or
  13. Prototypical Secret Management (diagram): service-prod-001, vault, DB
  14. Prototypical Secret Management (diagram, build step): arrows between service-prod-001 and vault labelled "authenticate" and "token"; write /secrets/my_app {db-pass: temp123}
  15. Prototypical Secret Management (diagram, build step): adds read /secrets/my_app
  16. Prototypical Secret Management (diagram, build step): adds service-prod-001 -> DB: auth?pass=temp123
  17. Dynamically Generated Secrets: Oracle, MongoDB, Consul, Cassandra, MSSQL, MySQL, SSH, PKI
  18. Prototypical Secret Management (diagram, as slide 16): authenticate / token; write /secrets/my_app {db-pass: temp123}; read /secrets/my_app; auth?pass=temp123
  19. Authentication. Humans: LDAP, GitHub, AWS, Google Cloud, Okta. Machines: AppRole, TLS, Kubernetes, AWS EC2, Google Cloud
  20. Detection enables less restriction
  21. Vault Audit Trail: a record of every operation against Vault
  22. Audit Trails
  23. Sample audit entry:
      {
        "time": "2017-10-24T15:49:36Z",
        "type": "response",
        "auth": {
          "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d",
          "accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1",
          "display_name": "ldap-bill.gates",
          "policies": ["windoze-95"],
          "metadata": {"username": "bill.gates"}
        },
        "request": {
          "id": "69d4258a-fc3e-d247-d471-769a27bcd755",
          "operation": "list",
          "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d",
          "client_token_accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1",
          "path": "secret/redmond/windoze/",
          "data": null,
          "remote_address": "192.168.1.1",
          "wrap_ttl": 0,
          "headers": {}
        },
        "response": {
          "data": {
            "keys": ["hmac-sha256:3c90f99095c7f16cfeaaa7471922912cb7d1280161eddb9a94c4dfe16a7f998e"]
          }
        },
        "error": ""
      }
  24. Response Wrapping Example (diagram): deployer-prod-001, vault, service-prod-001, audit-log.json
  25. Response Wrapping Example (build step): deployer-prod-001 -> vault: read /secrets/passwd
  26. Response Wrapping Example (build step): vault -> deployer-prod-001: vault/links/123; audit-log.json records "deployer-prod-001 requested /secrets/passwd wrapped, TTL 15 seconds, only one use!"
  27. Response Wrapping Example (build step): deployer-prod-001 -> service-prod-001: vault/links/123
  28. Response Wrapping Example (build step): service-prod-001 -> vault: read vault/links/123
  29. Response Wrapping Example (build step): vault -> service-prod-001: password!; audit-log.json records "service-prod-001 read links/123"
  30. Start Today
  31. Start Today: use Vault as a team or organizational password manager
  32. Start Today: use a "seed" secrets system or a cloud provider auth backend
  33. Start Today: expose your applications to Vault
  34. Key Management + Encryption as a Service: RSA, AES, HMAC-SHA, secure random bytes!
  35. I. What Problems Does Vault Solve?
  36. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password
  37. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault
  38. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault IV. Audit Trails and Response Wrapping
  39. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault IV. Audit Trails and Response Wrapping V. How To Get Started
  40. Thanks to David Helms for helping me deploy Vault at Bronto, to Lead Dev for inviting me and helping me with this talk, and to you for listening. https://www.vaultproject.io/
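The audit entry on slide 23 shows what "detection enables less restriction" (slide 20) rests on: every token, accessor and secret value is replaced by an HMAC-SHA256, while identity (display_name, username), operation, path and remote address stay readable, so the log tells you who touched what without ever containing a secret. The example below is added here and is not part of the deck or of Vault's own code. It constructs a few audit entries in the shape of the slide's sample, reproduces the hashing scheme Vault's audit devices use (HMAC-SHA256 keyed with the device's salt, hex-encoded, prefixed with `hmac-sha256:`) so that a token you hold can be traced through the log, and runs two detection rules over the entries. The salt, the tokens, the users and the paths are all constructed; with a real Vault you never hold the salt, you ask Vault for the hash of a value through `sys/audit-hash/<device>` instead.

```python
import hashlib
import hmac
import json

# CONSTRUCTED stand-in for one audit device's salt. Vault keeps the real salt in
# its storage backend and never writes it to the log; to learn how a value you
# already hold appears in the log, ask Vault for it:
#   vault write sys/audit-hash/<device> input=<value>
SALT = b"constructed-audit-device-salt"

# CONSTRUCTED plaintext tokens. Only their HMACs ever appear in the log.
BILL_TOKEN = "s.constructedTokenForBill"
STEVE_TOKEN = "s.constructedTokenForSteve"


def audit_hash(value: str, salt: bytes = SALT) -> str:
    """Hash a value the way a Vault audit device does: HMAC-SHA256 keyed with the
    device salt, hex-encoded and prefixed with the algorithm name."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def _entry(kind, rid, user, policy, token, op, path, ts, error=""):
    """One CONSTRUCTED audit entry in the shape of the slide's sample."""
    return json.dumps({
        "time": ts,
        "type": kind,
        "auth": {"client_token": audit_hash(token), "display_name": f"ldap-{user}",
                 "policies": [policy], "metadata": {"username": user}},
        "request": {"id": rid, "operation": op, "client_token": audit_hash(token),
                    "path": path, "remote_address": "192.168.1.1"},
        "error": error,
    })


# Every operation yields a "request" entry and a "response" entry sharing one
# request id; the outcome (including "permission denied") sits on the response.
AUDIT_LOG = "\n".join([
    _entry("request",  "r-1", "bill.gates", "windoze-95", BILL_TOKEN,  "list",   "secret/redmond/windoze/",    "2017-10-24T15:49:36Z"),
    _entry("response", "r-1", "bill.gates", "windoze-95", BILL_TOKEN,  "list",   "secret/redmond/windoze/",    "2017-10-24T15:49:36Z"),
    _entry("request",  "r-2", "bill.gates", "windoze-95", BILL_TOKEN,  "read",   "secret/prod/payments/db",    "2017-10-24T15:50:02Z"),
    _entry("response", "r-2", "bill.gates", "windoze-95", BILL_TOKEN,  "read",   "secret/prod/payments/db",    "2017-10-24T15:50:02Z"),
    _entry("request",  "r-3", "steve.b",    "default",    STEVE_TOKEN, "read",   "secret/prod/payments/db",    "2017-10-24T15:51:10Z"),
    _entry("response", "r-3", "steve.b",    "default",    STEVE_TOKEN, "read",   "secret/prod/payments/db",    "2017-10-24T15:51:10Z", error="permission denied"),
    _entry("request",  "r-4", "bill.gates", "windoze-95", BILL_TOKEN,  "update", "secret/redmond/windoze/key", "2017-10-24T15:52:30Z"),
    _entry("response", "r-4", "bill.gates", "windoze-95", BILL_TOKEN,  "update", "secret/redmond/windoze/key", "2017-10-24T15:52:30Z"),
])


def parse_audit_log(text: str) -> list:
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def operations_by_token(entries, token: str, salt: bytes = SALT) -> list:
    """Trace one token through the log: hash it as the audit device would, match
    request.client_token, and collapse request/response pairs on request.id.
    Returns (time, operation, path) tuples in log order."""
    wanted = audit_hash(token, salt)
    seen, ops = set(), []
    for e in entries:
        req = e.get("request", {})
        if req.get("client_token") != wanted or req.get("id") in seen:
            continue
        seen.add(req["id"])
        ops.append((e["time"], req["operation"], req["path"]))
    return ops


def successful_access(entries, prefixes, operations=("read", "list")) -> list:
    """Detection rule: successful reads/lists under sensitive path prefixes, taken
    from response entries only (where the outcome is recorded), one hit per request
    id, denied attempts excluded (they get their own rule below)."""
    hits, seen = [], set()
    for e in entries:
        req = e.get("request", {})
        if e.get("type") != "response" or e.get("error") or req.get("id") in seen:
            continue
        if req.get("operation") in operations and req.get("path", "").startswith(tuple(prefixes)):
            seen.add(req["id"])
            hits.append((e["time"], e["auth"]["metadata"]["username"], req["operation"], req["path"]))
    return hits


def denied_attempts(entries) -> list:
    """Response entries carrying an error: a failed read is the earliest signal of a
    misused or over-scoped token."""
    return [(e["time"], e["auth"]["display_name"], e["request"]["path"])
            for e in entries if e.get("type") == "response" and e.get("error")]


if __name__ == "__main__":
    entries = parse_audit_log(AUDIT_LOG)
    for op in operations_by_token(entries, BILL_TOKEN):
        print("bill's token:", op)
    for hit in successful_access(entries, ["secret/prod/"]):
        print("sensitive read:", hit)
    for d in denied_attempts(entries):
        print("denied:", d)
```

Two details worth keeping in mind when you write rules like these against a real audit device: request and response entries are separate lines, so anything you count has to be keyed on request.id or you double everything, and because values in the response are hashed too, the log can prove that bill.gates read secret/prod/payments/db but never reveals what he read.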
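The response wrapping exchange on slides 24 to 29 (deployer-prod-001 asks for /secrets/passwd wrapped, receives vault/links/123 with a 15-second TTL and a single use, hands that link to service-prod-001, which reads it once; both steps land in audit-log.json) relies on three properties of the wrapping token and on one check the consumer must make. The example below is added here and is not part of the deck or of Vault's own code: an in-memory stand-in that reproduces single use, expiry and the recorded creation path, plus the consumer-side routine a practitioner would actually want: look the token up before spending it so a token created by reading some other path is rejected, and treat a failed unwrap as a sign that someone else got the secret first. FakeVault, ManualClock, consume_wrapped_secret, try_consume, the secret/passwd path and the temp123 value are all constructed. With a real Vault the corresponding calls are `vault read -wrap-ttl=15s secret/passwd` on the deployer, and `sys/wrapping/lookup` followed by `sys/wrapping/unwrap` (`vault unwrap`) on the service.

```python
import secrets
import time


class WrapError(Exception):
    """Anything that should stop the consumer from trusting the token."""


class ManualClock:
    """CONSTRUCTED clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeVault:
    """CONSTRUCTED in-memory stand-in, not Vault. It keeps the three properties
    response wrapping relies on: the secret stays inside the server under a
    throw-away token, that token works exactly once, and it dies after its TTL."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.kv = {"secret/passwd": {"password": "temp123"},   # constructed secrets
                   "secret/other": {"password": "not-for-you"}}
        self.wraps = {}   # wrapping token -> (creation_path, expiry, payload)
        self.audit = []   # (caller, operation, path, outcome): audit-log.json's analogue

    def read_wrapped(self, caller, path, wrap_ttl):
        """Deployer side: read `path` but receive only a wrapping token."""
        payload = dict(self.kv[path])          # KeyError for an unknown path
        token = "hvs.wrap-" + secrets.token_hex(8)
        self.wraps[token] = (path, self.clock() + wrap_ttl, payload)
        self.audit.append((caller, "read", path, "wrapped"))
        return token

    def wrapping_lookup(self, token):
        """Metadata only: lets the consumer see where the token came from
        without spending its single use."""
        path, expiry, _ = self._live(token)
        return {"creation_path": path, "ttl": max(0.0, expiry - self.clock())}

    def unwrap(self, caller, token):
        """Consumer side: exchange the token for the secret, exactly once."""
        path, _, payload = self._live(token)
        del self.wraps[token]                  # a second unwrap now fails
        self.audit.append((caller, "unwrap", path, "ok"))
        return payload

    def _live(self, token):
        entry = self.wraps.get(token)
        if entry is None:
            raise WrapError("wrapping token unknown or already used")
        if self.clock() > entry[1]:
            del self.wraps[token]
            raise WrapError("wrapping token expired")
        return entry


def consume_wrapped_secret(vault, caller, token, expected_path):
    """What service-prod-001 should do with the token it was handed."""
    try:
        meta = vault.wrapping_lookup(token)
    except WrapError as exc:
        # If the TTL had not run out, someone else unwrapped it: the secret is burned.
        raise WrapError(f"{exc}; unless it merely expired, someone else unwrapped it, "
                        "so rotate the secret") from exc
    if meta["creation_path"] != expected_path:
        raise WrapError(f"token was created by reading {meta['creation_path']}, "
                        f"not {expected_path}; refusing to unwrap")
    return vault.unwrap(caller, token)


def try_consume(vault, caller, token, expected_path):
    """Same as above, returned as a (secret, error) pair for logging callers."""
    try:
        return consume_wrapped_secret(vault, caller, token, expected_path), None
    except WrapError as exc:
        return None, str(exc)


if __name__ == "__main__":
    vault = FakeVault()
    link = vault.read_wrapped("deployer-prod-001", "secret/passwd", wrap_ttl=15)
    print("service got:", try_consume(vault, "service-prod-001", link, "secret/passwd"))
    print("replay:", try_consume(vault, "service-prod-001", link, "secret/passwd"))
    for line in vault.audit:
        print("audit:", line)
```

The lookup step is the part people skip: without it a caller that accepts any wrapping token can be fed one minted by reading a path the attacker controls, and the single-use property then works against you, since the one legitimate unwrap is spent on the wrong secret.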
