
Vault and Security as a Service


Slides for Vault talk at The Lead Dev conference in Austin 2018. Given as a 10-minute lightning talk on what Vault is, security-through-observability, and how to get started with secret management.


Vault and Security as a Service

  1. Vault + Security as a Service. Pat Shields, Bronto Software. twitter.com/patrickmshields, linkedin.com/in/ihavenoideawhatimdoinggif
  2. A Developer’s Perspective
  3. A Developer’s Perspective • Database Password Storage • Data Encryption • Production Access Control
  4. I. The Pickle We’re In II. Secret Management III. Audit Trails IV. Where To Go From Here
  5. Monolithic Web Architecture: Load Balancer, monolith-prod-001, monolith-prod-002, monolith-prod-003, DB
  6. Monolithic Web Architecture: Load Balancer, monolith-prod-001, monolith-prod-002, monolith-prod-003, DB
  7. Current Web Architecture: Container Cluster (Container x7), Managed Env, DB, DB, Kafka, No SQL, Random VM, Random VM, Analytics Cluster (Spark Job, MR Job)
  8. https://arstechnica.com/information-technology/2013/01/psa-dont-upload-your-important-passwords-to-github/
  9. https://arstechnica.com/information-technology/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/
  10. DevOps Security as a Service
  11. Secret Management
  12. Secret Management: “If I can’t put the password in the config file then where does it go?”
  13. Prototypical Secret Management: service-prod-001, vault, DB
  14. Prototypical Secret Management: service-prod-001, vault, DB. authenticate → token; write /secrets/my_app {db-pass: temp123}
  15. Prototypical Secret Management: service-prod-001, vault, DB. read /secrets/my_app; authenticate → token; write /secrets/my_app {db-pass: temp123}
  16. Prototypical Secret Management: service-prod-001, vault, DB. read /secrets/my_app; authenticate → token; write /secrets/my_app {db-pass: temp123}; auth?pass=temp123
  17. Dynamically Generated Secrets: Oracle, MongoDB, Consul, Cassandra, MSSQL, MySQL, SSH, PKI
  18. Prototypical Secret Management: service-prod-001, vault, DB. read /secrets/my_app; authenticate → token; write /secrets/my_app {db-pass: temp123}; auth?pass=temp123
  19. Authentication. Humans: LDAP, Github, AWS, Google Cloud, Okta. Machines: AppRole, TLS, Kubernetes, AWS EC2, Google Cloud
  20. Detection enables less restriction
  21. Vault Audit Trail: A record of every operation against Vault
  22. Audit Trails
  23. {
        "time": "2017-10-24T15:49:36Z",
        "type": "response",
        "auth": {
          "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d",
          "accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1",
          "display_name": "ldap-bill.gates",
          "policies": ["windoze-95"],
          "metadata": { "username": "bill.gates" }
        },
        "request": {
          "id": "69d4258a-fc3e-d247-d471-769a27bcd755",
          "operation": "list",
          "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d",
          "client_token_accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1",
          "path": "secret/redmond/windoze/",
          "data": null,
          "remote_address": "192.168.1.1",
          "wrap_ttl": 0,
          "headers": {}
        },
        "response": {
          "data": {
            "keys": ["hmac-sha256:3c90f99095c7f16cfeaaa7471922912cb7d1280161eddb9a94c4dfe16a7f998e"]
          }
        },
        "error": ""
      }
  24. Response Wrapping Example: deployer-prod-001, vault, service-prod-001, audit-log.json
  25. Response Wrapping Example: deployer-prod-001, vault, service-prod-001, audit-log.json. read /secrets/passwd
  26. Response Wrapping Example: deployer-prod-001, vault, service-prod-001, audit-log.json. read /secrets/password → vault/links/123; audit: deployer-prod-001 requested /secrets/passwd wrapped, TTL 15 seconds, only one use!
  27. Response Wrapping Example: deployer-prod-001, vault, service-prod-001, audit-log.json. vault/links/123
  28. Response Wrapping Example: deployer-prod-001, vault, service-prod-001, audit-log.json. read vault/links/123
  29. Response Wrapping Example: deployer-prod-001, vault, service-prod-001, audit-log.json. read vault/links/123 → password!; audit: service-prod-001 read links/123
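As an added example (not from the talk and not HashiCorp's code) of what the audit trail on slide 23 buys you in the response-wrapping flow of slides 24 to 29: every wrapped secret should be unwrapped exactly once, by the service it was handed to, and the log lets you check that without ever seeing the plaintext token because the same token always HMACs to the same value. The entries are constructed, and the wrap_info field and the sys/wrapping/unwrap path are assumptions about the log format.

```python
import json
from collections import defaultdict

# Constructed audit-log lines in the shape of slide 23 (one JSON object per line).
# wrap_info in the response and the sys/wrapping/unwrap path are assumptions about
# the audit format; tokens are already HMAC'd, so one token == one hmac-sha256 value.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2018-04-03T10:00:00Z", "type": "response",
     "auth": {"display_name": "approle-deployer-prod-001"},
     "request": {"operation": "read", "path": "secret/my_app/passwd",
                 "remote_address": "10.0.0.5", "wrap_ttl": 15},
     "response": {"wrap_info": {"token": "hmac-sha256:aaa1", "ttl": 15}}, "error": ""},
    {"time": "2018-04-03T10:00:04Z", "type": "response",
     "auth": {"display_name": "approle-service-prod-001"},
     "request": {"operation": "update", "path": "sys/wrapping/unwrap",
                 "client_token": "hmac-sha256:aaa1", "remote_address": "10.0.0.9"},
     "response": {}, "error": ""},
    {"time": "2018-04-03T10:00:09Z", "type": "response",
     "auth": {"display_name": "ldap-bill.gates"},
     "request": {"operation": "update", "path": "sys/wrapping/unwrap",
                 "client_token": "hmac-sha256:aaa1", "remote_address": "192.168.1.1"},
     "response": {}, "error": "wrapping token is not valid or does not exist"},
])

def parse_entries(text):
    """One audit entry per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def wrap_findings(entries, expected_unwrapper):
    """Correlate each wrapped response with the unwrap attempts that presented the
    same token HMAC; return (finding, token_hmac, detail) tuples a defender acts on."""
    attempts = defaultdict(list)
    for e in entries:
        if e["request"].get("path") == "sys/wrapping/unwrap":
            attempts[e["request"]["client_token"]].append(e)
    findings = []
    for e in entries:
        token = e.get("response", {}).get("wrap_info", {}).get("token")
        if not token:
            continue  # not a wrapped response
        used = attempts.get(token, [])
        for a in used:
            if a["auth"]["display_name"] != expected_unwrapper:
                findings.append(("unexpected_unwrapper", token, a["auth"]["display_name"]))
        if len(used) > 1:  # single-use token: a second attempt means a second holder
            findings.append(("reused_wrap_token", token, len(used)))
        if not used:       # wrapped secret never consumed inside its TTL: ask why
            findings.append(("never_unwrapped", token, e["request"]["path"]))
    return findings
```

Vault itself rejects the second unwrap (the third entry's error), so the log, not the secret, is what tells you someone else held that link.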
  30. Start Today
  31. Start Today: Use as a team or organizational password manager
  32. Start Today: Use a “seed” secrets system or cloud provider auth backend
  33. Start Today: Expose your applications to Vault
  34. Key Management + Encryption as a Service: RSA, AES, HMAC-SHA, Secure Random Bytes!
  35. I. What Problems Does Vault Solve?
  36. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password
  37. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault
  38. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault IV. Audit Trails and Response Wrapping
  39. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault IV. Audit Trails and Response Wrapping V. How To Get Started
  40. David Helms, for helping me deploy Vault at Bronto; Lead Dev, for inviting me and helping me with this talk; You, for listening. https://www.vaultproject.io/
