Mary Racter
ScaleConf Cape Town
March 2018
About
● mary@praekelt.org
● medium.com/@racter
● Security Engineer at Praekelt.org
http://www.supermegacomics.com
Contents
● Secrets and Secret Management
● Secret Management at Scale
● Automating Secret Management in Continuous Deployment
Secrets and Secret Management
A secret is some knowledge, or piece of data, to which access should be restricted.
Knowledge of a secret is commonly used to validate the holder’s identity (i.e. authentication).
Secrets grant access to resources, and are often
generated by the resources they grant access to.
Substrate: Short-hand for “resource that a secret
grants access to”.
Examples of secrets in computing:
● Passwords
● RSA Private Keys
● Encryption Keys
● API Tokens
A policy is applied after authentication with a secret.
If a secret maps to an identity on a resource, then a policy maps to the privileges that identity has on that resource (i.e. authorisation).
Examples of policies in computing:
● File Permissions
● Access Control Lists (ACLs)
● Role-Based Access Control
(RBAC) Policies
Attack Surface Map
1. Spatial Attack Surface
2. Temporal Attack Surface
3. Algorithmic Attack Surface
Secret Management Goals
● Prevent unauthorised discovery of secrets
● Prevent misuse of discovered secrets / elevation of
privilege
Secret Management Tasks
● Creation
○ Randomly-generated keys of sufficient length
● Storage
○ Encrypted at rest
● Distribution
○ Encrypted transmission
○ Secrets are only held by their rightful consumer(s)
● Revocation / Renewal
○ Secrets can be revoked and renewed
General Principles in Secret Management
● DON’T roll your own crypto or
secret generation algorithms
● DON’T reinvent the wheel if
you don’t have to
General Principles in Secret Management
● DO have a central source of
truth for your secrets and who
has what kind of access to
them
● DO have an audit trail for
secrets requests
Secret Management Services
● e.g. HashiCorp’s Vault, Square’s KeyWhiz
● Benefits
○ Modular, dedicated secret storage and creation mechanisms
○ Support for centralised ledger of secrets and audit logging of secret requests
○ Useful primitives and abstractions for secret management at scale (see later)
○ Unified, standard API for accessing and managing all secrets
○ Optimised for cloud-based architectures
● Trade-offs
○ Single point of leakage for a large number of credentials
○ Critical internal target for Denial of Service (DoS)
This talk assumes usage of a Secret Management Service.
A Secret Management Service maps an identity to the resources it should have access to, and the level of access the identity has on each resource.
It also brokers secrets on the resource’s behalf.
Secret Management Tasks
● Creation
○ Randomly-generated keys of sufficient length ✓
● Storage
○ Encrypted at rest ✓
● Distribution
○ Encrypted transmission ✓
○ Secrets are only held by their rightful consumer(s)
● Revocation / Renewal
○ Secrets can be revoked and renewed ✓
+1 Secret Management Service
Secret Management Workflows at Scale
Assumptions
● You’re containerising your applications
● You’re using a container orchestration platform
● You’re using a secret management service
Secret Management Tasks
● Creation
○ Randomly-generated keys of sufficient length ✓
● Storage
○ Encrypted at rest ✓
● Distribution
○ Encrypted Transmission ✓
○ Secrets are only held by their rightful consumer(s)
● Revocation / Renewal
○ Secrets can be revoked and renewed ✓
Distributing Secrets
• If we can securely get the initial secret granting the
container access to the Secret Management service, then
the container can securely fetch all subsequent secrets
from the service.
• But how do we fetch this first secret?
A Secure Introduction Service is coupled with the
cluster scheduler, and maintains a mapping of
container properties to access policies on the
Secret Management service.
Jeff Mitchell, Secure Introduction At Scale: Think Like A Vault Developer,
ContainerDays NYC 2016 Talk: https://www.youtube.com/watch?v=R-jJXm3QGLQ
Secret Management Tasks
● Creation
○ Randomly-generated keys of sufficient length ✓
● Storage
○ Encrypted at rest ✓
● Distribution
○ Encrypted Transmission ✓
○ Secrets are only held by their rightful consumer(s) ✓
● Revocation / Renewal
○ Secrets can be revoked and renewed ✓
Secrets Scaling Poorly
Secrets Scaling Poorly 1
Secret re-use for different applications using the same resource
○ n-fold increase in spatial attack surface for n applications on which the secret is re-used
○ Increases temporal attack surface to the combined lifetime of all apps
○ Potentially violates Principle of Least Privilege
Secrets Scaling Poorly 2
Secret re-use for different resource instances
○ n-fold increase in spatial attack surface for n resource instances on which the secret is re-used
Secrets Scaling Poorly 3
Secret re-use for all instances of an application
○ Increases temporal attack surface to the combined lifetime of all app
instances
Secret Management Issues Happen At Scale
Because Manual Secret Management is Tedious
• Manually creating secrets at scale ⇒ Tedious
• Manually distributing secrets at scale ⇒ Tedious
• Manually revoking/renewing secrets at scale ⇒ Tedious
Ideal Scenario
● Unique secrets for each application on a resource
○ And each application instance on a resource
● Upholding the Principle of Least Privilege for every
application instance
○ On the resource
○ On the Secret Management service
Tools for Managing Secrets at Scale
● Secure Introduction
● Dynamic Secrets
● Leases
Secure Introduction
● Manual distribution of secrets assumes the developer is trusted to use those secrets for their app
● Secure Introduction creates a pipeline for that trust to percolate to
the application itself
● SI authorises an application to fetch its own secrets from the Secret
Management Service
Dynamic Secrets
• Supported by HashiCorp Vault
• Dynamic secrets are lazily generated on-demand from one “master”
secret
• Supports automated renewal and rotation of secrets
• Scales well for unique passwords in 1:∞ resource:client scenarios
• Requires instructions to the Secret Management Service on how to generate and revoke new credentials (e.g. CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT ALL ON db1 TO '{{name}}'@'%';)
Leases
• Supported by HashiCorp Vault
• Metadata on dynamic secrets that gives them a validity period
● The consumer must renew the lease by checking
in with Secret Management service
● Dynamic secrets that are no longer used are
revoked automatically with the lease expiry
mechanism
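The Dynamic Secrets and Leases slides above describe a mechanism rather than showing one, so here is a toy model of it in plain Python (an added example, not Vault's code and not from the talk): a secret-management service mints one unique, short-lived database user per consumer by rendering the creation template quoted on the slide, attaches a lease, renews it on check-in, and revokes the user once the lease expires. The FakeDatabase, the integer clock and the DROP USER revocation template are this example's own assumptions.

```python
"""Dynamic secrets with leases, modelled in plain Python (added example; not
Vault's code and not from the talk). A toy secret-management service mints a
unique, short-lived database user per consumer by rendering the creation
template quoted on the slide, attaches a lease, renews it when the consumer
checks in, and revokes it once the TTL elapses. FakeDatabase stands in for
the real substrate; the clock is an integer advanced by tick()."""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass

# Creation statements in the {{name}}/{{password}} form shown on the slide.
CREATION_SQL = ("CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; "
                "GRANT ALL ON db1 TO '{{name}}'@'%';")
# Revocation template: this example's assumption (the slide names no SQL).
REVOCATION_SQL = "DROP USER '{{name}}'@'%';"
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 32  # "randomly-generated keys of sufficient length"


def render(template: str, **values: str) -> str:
    """Fill {{placeholder}} slots. Values come only from our own generator,
    never from the consumer, so the template is not an injection surface."""
    for key, value in values.items():
        template = template.replace("{{" + key + "}}", value)
    return template


class FakeDatabase:
    """Stand-in substrate: records executed statements and existing users."""

    def __init__(self) -> None:
        self.executed: list[str] = []
        self.users: set[str] = set()

    def execute(self, sql: str, user: str) -> None:
        self.executed.append(sql)
        if sql.startswith("CREATE USER"):
            self.users.add(user)
        elif sql.startswith("DROP USER"):
            self.users.discard(user)


@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    ttl: int         # validity granted by each issue or renewal, in seconds
    expires_at: int  # absolute time on the service clock


class SecretService:
    """Issues, renews and revokes leased credentials; audits every request."""

    def __init__(self, db: FakeDatabase, default_ttl: int = 3600) -> None:
        self.db, self.default_ttl, self.now = db, default_ttl, 0
        self.leases: dict[str, Lease] = {}
        self.audit: list[tuple[int, str, str]] = []  # (time, action, lease_id)

    def issue(self, consumer: str) -> Lease:
        """One unique user per consumer instance, so a leak stays confined."""
        username = f"v-{consumer}-{secrets.token_hex(4)}"
        password = "".join(secrets.choice(PASSWORD_ALPHABET)
                           for _ in range(PASSWORD_LENGTH))
        self.db.execute(render(CREATION_SQL, name=username, password=password),
                        username)
        lease = Lease(secrets.token_hex(8), username, password,
                      self.default_ttl, self.now + self.default_ttl)
        self.leases[lease.lease_id] = lease
        self.audit.append((self.now, "issue", lease.lease_id))
        return lease

    def renew(self, lease_id: str) -> bool:
        """Consumer check-in; an unknown or expired lease cannot be renewed."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.expires_at <= self.now:
            return False
        lease.expires_at = self.now + lease.ttl
        self.audit.append((self.now, "renew", lease_id))
        return True

    def revoke(self, lease_id: str) -> bool:
        """Drop the database user behind a lease (explicitly or on expiry)."""
        lease = self.leases.pop(lease_id, None)
        if lease is None:
            return False
        self.db.execute(render(REVOCATION_SQL, name=lease.username),
                        lease.username)
        self.audit.append((self.now, "revoke", lease_id))
        return True

    def tick(self, seconds: int) -> list[str]:
        """Advance the clock; revoke every lease whose validity has elapsed."""
        self.now += seconds
        expired = [i for i, l in self.leases.items() if l.expires_at <= self.now]
        for lease_id in expired:
            self.revoke(lease_id)
        return expired
```

A consumer that stops checking in loses its credential on the next tick past expiry, while one that renews keeps a credential nobody else ever held.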
Secure Introduction + Dynamic Secrets + Leases = Better Secret Management Practices At Scale
Integrating Secret Management at Scale with Continuous Deployment
Continuous Deployment Platforms
Infrastructure platform that ensures software can be reliably deployed at any
time.
Configure once ⇒ Deploy infinite times
Automation, instrumentation, set-up/tear-down, and QA phases are incorporated
into continuous development pipelines.
Reducing lead time on deployment of new code by automating the steps leading
up to deployment.
Unfortunately, secret management best practices
often don’t integrate seamlessly with Continuous
Deployment setups.
Configure once ⇒ Static secret for
all app instances?
Configure once ⇒ One extremely
permissive policy for the static
secret?
Existing Secret Management Patterns in CD
Pattern 1: Assume the resource exists and the secret is in the target deployment environment.
Pattern 2: Bake secrets into application images and/or binaries.
Pattern 3: Developer configures secret store with existing secret, CD pipeline injects during deployment.
Pattern 4: Existing secret is packaged and injected during deployment.
In all 4...
● Resources are manually created outside of the
pipeline
● Secrets are manually created outside of the
pipeline
● Low manual action in assigning secrets, but the other secret management actions (creation, distribution, revocation/renewal) are manual
● Baking secrets into deployment images increases
attack surface of secrets to image and any
repositories the image may reside in
Reminder: Manual administration of
secret management does not scale
well proportionally to the number of
consumers, nor does it scale well to
the number of secrets.
In-band vs. Out-of-band Configuration
● In-band configuration
○ Happens in sequence within deployment pipeline
● Out-of-band configuration
○ Happens outside of sequence of deployment pipeline
● Out-of-band configuration is most commonly done manually
○ If it’s automated, there is more overhead in making it compatible with
the CD workflow
Reducing manual action == Reducing out-of-band
configurations
Ideal Scenario
● Dynamic Secrets and Secure Introduction are incorporated into the app deployment workflow and abstracted away from the developer
● (Almost) all configuration is carried out in Continuous Deployment pipeline
Manual Configuration
● Deployment Target
● Deployment Parameters
● Network
● Container Settings
● Environment Variables
● Required Resources and
Access Modes
Resource Creation
● Resource creation requires additional action to integrate newly-created
resource
● Ownership of Secret Management service registration and resource lifecycle
management should reside with the resource management module
Configuring Application Access to SM service
● The Secure Introduction service is the module that maps an application to its permissions on the
Secret Management service
● Application access is configured by updating the SI service with the mappings the application needs in order to fetch its required credentials. These are derived from the deployment parameters
● Ownership with CD platform or resource manager
Remaining Out-of-Band Configuration Per
Deploy
● Storing the master secrets for resource creation on the
Secret Management service and configuring the resource
management module to read from the Secret
Management service
○ Once per resource host/fleet
Possible Challenges
● Updating app mappings on Secure Introduction Service
before knowing what the app name will be
○ Generate app name with a known prefix and use a wildcard mapping on the SI service
● Mapping access modes on the resource to its
corresponding policy on the Secret Management Service
○ Use clearly-established naming conventions for Secret Management service policies
● Managing secret life cycles
○ Wrap the application in a supervising process that can fetch, renew, and revoke secrets
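The Secure Introduction service described earlier (a mapping of container properties to Secret Management policies) and the first two challenges above (registering a mapping before the app name is known, and mapping access modes to policy names by convention) can be modelled together. This is an added example in plain Python, not the talk's code and not any SI product's; the "<project>-<env>-<random>" app-name convention, the "<resource>-<mode>" policy-name convention and the minimum literal-prefix length are this example's own assumptions.

```python
"""Secure Introduction with wildcard app mappings (added example; not the
talk's code and not any SI product's). The CD pipeline registers a mapping
using a known prefix plus a wildcard before the final app name exists, and
each required resource's access mode is turned into a policy name on the
secret management service by a fixed naming convention. Conventions assumed
here: app names "<project>-<env>-<random>", policy names "<resource>-<mode>".
"""
from __future__ import annotations

import fnmatch
import secrets
from dataclasses import dataclass
from typing import Optional

VALID_MODES = {"read", "readwrite", "admin"}
MIN_LITERAL_PREFIX = 8  # reject wildcard mappings whose literal part is short


def generate_app_name(project: str, env: str) -> str:
    """Deployment-time name: predictable prefix, random suffix."""
    return f"{project}-{env}-{secrets.token_hex(3)}"


def policy_for(resource: str, mode: str) -> str:
    """Naming convention tying an access mode to one SM-service policy."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown access mode {mode!r}")
    return f"{resource}-{mode}"


@dataclass(frozen=True)
class ContainerIdentity:
    """Properties the scheduler attests about a container it just started."""
    app_name: str
    namespace: str


class SecureIntroductionService:
    def __init__(self) -> None:
        # (namespace, app-name pattern, policies granted)
        self._mappings: list[tuple[str, str, frozenset[str]]] = []
        self._tokens: dict[str, frozenset[str]] = {}

    def register(self, namespace: str, app_pattern: str,
                 required: dict[str, str]) -> frozenset[str]:
        """Pipeline step: map an app pattern to the policies it needs. The
        literal prefix must be long enough that the wildcard cannot swallow
        unrelated apps scheduled in the same namespace."""
        literal = app_pattern.split("*", 1)[0]
        if len(literal) < MIN_LITERAL_PREFIX:
            raise ValueError(f"pattern {app_pattern!r} is too broad")
        policies = frozenset(policy_for(r, m) for r, m in required.items())
        self._mappings.append((namespace, app_pattern, policies))
        return policies

    def introduce(self, identity: ContainerIdentity) -> Optional[str]:
        """Scheduler hook at container start: hand out a single-use token
        scoped to the matching mapping, or nothing for unknown containers."""
        for namespace, pattern, policies in self._mappings:
            if (namespace == identity.namespace
                    and fnmatch.fnmatchcase(identity.app_name, pattern)):
                token = secrets.token_urlsafe(24)
                self._tokens[token] = policies
                return token
        return None

    def redeem(self, token: str) -> Optional[frozenset[str]]:
        """SM-service side: exchange the token exactly once for its policies."""
        return self._tokens.pop(token, None)
```

The namespace check matters: the wildcard only narrows the app name, so whoever can schedule containers under the prefix in that namespace inherits the mapping, which is why the scheduler, not the container, must supply the identity.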
Conclusion
● Newer Secret Management services are built to be used at scale -
use them
● Secret Management is most useful when integrated into Continuous
Deployment
○ Automate fully by reducing out-of-band configurations for secret
management
○ Unify Resource and Secret Management APIs with a broker architecture
● Automating Secret Management frees up your team to do great
things
Thank You
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 

Automation Patterns for Scalable Secret Management

  • 14. Secret Management Services
    ● eg. HashiCorp’s Vault, Square’s KeyWhiz
    ● Benefits
      ○ Modular, dedicated secret storage and creation mechanisms
      ○ Support for centralised ledger of secrets and audit logging of secret requests
      ○ Useful primitives and abstractions for secret management at scale (see later)
      ○ Unified, standard API for accessing and managing all secrets
      ○ Optimised for cloud-based architectures
    ● Trade-offs
      ○ Single point of leakage for a large number of credentials
      ○ Critical internal target for Denial of Service (DoS)
    This talk assumes usage of a Secret Management Service.
  • 15. A Secret Management Service maps an identity to the resources it should have access to, and the level of access the identity has on that resource. It also brokers secrets on the resource’s behalf.
  • 16. Secret Management Tasks
    ● Creation
      ○ Randomly-generated keys of sufficient length ✓
    ● Storage
      ○ Encrypted at rest ✓
    ● Distribution
      ○ Encrypted transmission ✓
      ○ Secrets are only held by their rightful consumer(s)
    ● Revocation / Renewal
      ○ Secrets can be revoked and renewed ✓
    +1 Secret Management Service
  • 18. Assumptions
    ● You’re containerising your applications
    ● You’re using a container orchestration platform
    ● You’re using a secret management service
  • 19. Secret Management Tasks
    ● Creation
      ○ Randomly-generated keys of sufficient length ✓
    ● Storage
      ○ Encrypted at rest ✓
    ● Distribution
      ○ Encrypted transmission ✓
      ○ Secrets are only held by their rightful consumer(s)
    ● Revocation / Renewal
      ○ Secrets can be revoked and renewed ✓
  • 21. Distributing Secrets
    ● If we can securely get the initial secret granting the container access to the Secret Management service, then the container can securely fetch all subsequent secrets from the service.
    ● But how do we fetch this first secret?
  • 22. A Secure Introduction Service is coupled with the cluster scheduler, and maintains a mapping of container properties to access policies on the Secret Management service.
    Jeff Mitchell, Secure Introduction At Scale: Think Like A Vault Developer, ContainerDays NYC 2016. Talk: https://www.youtube.com/watch?v=R-jJXm3QGLQ
  • 30. Secret Management Tasks
    ● Creation
      ○ Randomly-generated keys of sufficient length ✓
    ● Storage
      ○ Encrypted at rest ✓
    ● Distribution
      ○ Encrypted transmission ✓
      ○ Secrets are only held by their rightful consumer(s) ✓
    ● Revocation / Renewal
      ○ Secrets can be revoked and renewed ✓
  • 33. Secrets Scaling Poorly 1
    ● Secret re-use for different applications using the same resource
      ○ n-fold increase in spatial attack surface for n applications on which the secret is re-used
      ○ Increases temporal attack surface to the combined lifetime of all apps
      ○ Potentially violates the Principle of Least Privilege
  • 35. Secrets Scaling Poorly 2
    ● Secret re-use for different resource instances
      ○ n-fold increase in spatial attack surface for n resource instances on which the secret is re-used
  • 37. Secrets Scaling Poorly 3
    ● Secret re-use for all instances of an application
      ○ Increases temporal attack surface to the combined lifetime of all app instances
  • 38. Secret Management Issues Happen At Scale Because Manual Secret Management is Tedious
    ● Manually creating secrets at scale ⇒ Tedious
    ● Manually distributing secrets at scale ⇒ Tedious
    ● Manually revoking/renewing secrets at scale ⇒ Tedious
  • 39. Ideal Scenario
    ● Unique secrets for each application on a resource
      ○ And each application instance on a resource
    ● Upholding the Principle of Least Privilege for every application instance
      ○ On the resource
      ○ On the Secret Management service
  • 41. Tools for Managing Secrets at Scale
    ● Secure Introduction
    ● Dynamic Secrets
    ● Leases
  • 42. Secure Introduction
    ● Manual distribution of secrets assumes the developer is trusted to use those secrets for their app
    ● Secure Introduction creates a pipeline for that trust to percolate to the application itself
    ● SI authorises an application to fetch its own secrets from the Secret Management Service
  • 43. Dynamic Secrets
    ● Supported by HashiCorp Vault
    ● Dynamic secrets are lazily generated on-demand from one “master” secret
    ● Supports automated renewal and rotation of secrets
    ● Scales well for unique passwords in 1:∞ resource:client scenarios
    ● Requires instructions to the Secret Management Service on how to generate and revoke new credentials, eg.
      CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT ALL ON db1 TO '{{name}}'@'%';
  • 44. Leases
    ● Supported by HashiCorp Vault
    ● Metadata on dynamic secrets that gives them a validity period
    ● The consumer must renew the lease by checking in with the Secret Management service
    ● Dynamic secrets that are no longer used are revoked automatically by the lease expiry mechanism
  • 45. Secure Introduction + Dynamic Secrets + Leases = Better Secret Management Practices At Scale
  • 46. Integrating Secret Management at Scale with Continuous Deployment
  • 47. Continuous Deployment Platforms
    Infrastructure platform that ensures software can be reliably deployed at any time.
    Configure once ⇒ Deploy infinite times
    Automation, instrumentation, set-up/tear-down, and QA phases are incorporated into continuous development pipelines, reducing lead time on deployment of new code by automating the steps leading up to deployment.
  • 48. Unfortunately, secret management best practices often don’t integrate seamlessly with Continuous Deployment setups.
    Configure once ⇒ Static secret for all app instances?
    Configure once ⇒ One extremely permissive policy for the static secret?
  • 49. Existing Secret Management Patterns in CD
    Pattern 1: Assume the resource exists and the secret is in the target deployment environment.
  • 50. Existing Secret Management Patterns in CD
    Pattern 2: Bake secrets into application images and/or binaries.
  • 51. Existing Secret Management Patterns in CD
    Pattern 3: Developer configures secret store with existing secret; CD pipeline injects it during deployment.
  • 52. Existing Secret Management Patterns in CD
    Pattern 4: Existing secret is packaged and injected during deployment.
  • 53. In all 4...
    ● Resources are manually created outside of the pipeline
    ● Secrets are manually created outside of the pipeline
    ● Low manual action in assigning secrets, but the other secret management actions (creation, distribution, revocation/renewal) are manual
    ● Baking secrets into deployment images widens the attack surface of the secrets to the image and any repositories the image may reside in
  • 54. Reminder: Manual administration of secret management does not scale well in proportion to the number of consumers, nor does it scale well with the number of secrets.
  • 55. In-band vs. Out-of-band Configuration
    ● In-band configuration
      ○ Happens in sequence within the deployment pipeline
    ● Out-of-band configuration
      ○ Happens outside the sequence of the deployment pipeline
    ● Out-of-band configuration is most commonly done manually
      ○ If it’s automated, there is more overhead in making it compatible with the CD workflow
    Reducing manual action == Reducing out-of-band configurations
  • 56. Ideal Scenario
    ● Dynamic Secrets and Secure Introduction are incorporated into the app deployment workflow and abstracted away from the developer
    ● (Almost) all configuration is carried out in the Continuous Deployment pipeline
  • 57. Manual Configuration
    ● Deployment Target
    ● Deployment Parameters
    ● Network
    ● Container Settings
    ● Environment Variables
    ● Required Resources and Access Modes
  • 58. Resource Creation
    ● Resource creation requires additional action to integrate the newly-created resource
    ● Ownership of Secret Management service registration and resource lifecycle management should reside with the resource management module
  • 59. Configuring Application Access to the SM service
    ● The Secure Introduction service is the module that maps an application to its permissions on the Secret Management service
    ● Application access is configured by updating the SI service with the required mappings for the application to fetch its required credentials. These are derived from the deployment parameters
    ● Ownership with the CD platform or resource manager
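How the SI mapping on slide 59 can be derived from deployment parameters, as an added example that is not the talk's or HashiCorp's code: policy names follow an assumed <resource>-<access_mode> convention, and app names are matched by a known prefix plus a wildcard so the mapping can be registered before the instance's generated name is known (the approach slide 61 suggests). The mapping table, resource names and app-name pattern are constructed.

```python
import fnmatch
import re

# Constructed SI mapping table: app-name pattern -> policies on the Secret
# Management service. Registering "<prefix>-*" lets the CD pipeline grant
# access before the instance's generated suffix is known. The prefix must be
# assigned by the pipeline only; a container that could pick its own name
# would otherwise inherit another app's policies.
SI_MAPPINGS = {
    "web-frontend-*": {"db1-readonly"},
    "worker-*": {"db1-readwrite", "queue-consumer"},
    "*": set(),  # default deny: unknown apps get no policies
}

APP_NAME_RE = re.compile(r"^[a-z0-9-]+$")  # constructed name rule


def policy_name(resource, access_mode):
    """Assumed naming convention: <resource>-<access_mode>."""
    return f"{resource}-{access_mode}"


def register_app(mappings, app_prefix, required_access):
    """Derive the SI mapping from deployment parameters.
    required_access is {resource: access_mode} for the app being deployed."""
    policies = {policy_name(r, m) for r, m in required_access.items()}
    mappings[f"{app_prefix}-*"] = policies
    return policies


def resolve_policies(mappings, app_name):
    """Policies an instance may use: the most specific matching pattern wins
    (longest literal prefix), so "web-frontend-*" beats "web-*" and "*"."""
    if not APP_NAME_RE.match(app_name):
        raise ValueError(f"rejected app name: {app_name!r}")
    best = None
    for pattern, policies in mappings.items():
        if fnmatch.fnmatchcase(app_name, pattern):
            specificity = len(pattern.rstrip("*"))
            if best is None or specificity > best[0]:
                best = (specificity, policies)
    return set(best[1]) if best else set()


def authorise(mappings, app_name, resource, access_mode):
    """The SI decision: may this instance fetch this resource credential?"""
    return policy_name(resource, access_mode) in resolve_policies(mappings, app_name)
```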
  • 60. Remaining Out-of-Band Configuration Per Deploy
    ● Storing the master secrets for resource creation on the Secret Management service and configuring the resource management module to read from the Secret Management service
      ○ Once per resource host/fleet
  • 61. Possible Challenges
    ● Updating app mappings on the Secure Introduction Service before knowing what the app name will be
      ○ Generate the app name with a known prefix and use a wildcard mapping on the SI service
    ● Mapping access modes on the resource to the corresponding policy on the Secret Management Service
      ○ Use clearly-established naming conventions for Secret Management service policies
    ● Managing secret life cycles
      ○ Wrap the application in a supervising process that can fetch, renew, and revoke secrets
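The lease mechanism of slide 44 and the supervising process of slide 61 together, as an added example that is neither the talk's code nor Vault's API: a constructed in-memory stand-in for the Secret Management service issues a dynamic credential under a lease, and a supervisor wrapped around the app renews at half the TTL, revokes at shutdown, and replaces a credential whose lease the service has already reaped. The service, manual clock, role name and TTL are all assumptions.

```python
import secrets

class ManualClock:  # constructed: lets the lease timeline be driven by hand
    t = 0.0
    def __call__(self):
        return self.t

class DynamicSecretService:
    """Constructed Vault-style stand-in (not Vault's API): creds issued under a lease."""
    def __init__(self, clock):
        self.clock, self.leases, self.revoked = clock, {}, []  # lease_id -> expiry

    def issue(self, role, ttl):
        lease_id = f"creds/{role}/{secrets.token_hex(8)}"
        self.leases[lease_id] = self.clock() + ttl
        return {"lease_id": lease_id, "password": secrets.token_urlsafe(24)}  # unique per consumer

    def renew(self, lease_id, ttl):
        if self.leases.get(lease_id, -1.0) <= self.clock():
            raise PermissionError("lease unknown or expired")  # renewal refused
        self.leases[lease_id] = self.clock() + ttl
        return ttl

    def revoke(self, lease_id):
        if self.leases.pop(lease_id, None) is not None:
            self.revoked.append(lease_id)

    def expire(self):
        """Reaper: a lease nobody renewed is revoked automatically."""
        for lease_id, expiry in list(self.leases.items()):
            if expiry <= self.clock():
                self.revoke(lease_id)

class Supervisor:
    """Wraps the app: fetch at start, renew at half TTL, revoke at shutdown."""
    def __init__(self, service, clock, role, ttl=60):
        self.svc, self.clock, self.role, self.ttl = service, clock, role, ttl
        self.cred, self.expires_at = None, 0.0

    def start(self):
        self.cred = self.svc.issue(self.role, self.ttl)
        self.expires_at = self.clock() + self.ttl
        return self.cred

    def tick(self):
        """Periodic check; a refused renewal means the lease is gone, so re-fetch."""
        if self.clock() >= self.expires_at - self.ttl / 2:
            try:
                self.expires_at = self.clock() + self.svc.renew(self.cred["lease_id"], self.ttl)
            except PermissionError:
                self.start()
        return self.expires_at

    def stop(self):
        self.svc.revoke(self.cred["lease_id"])
```

An instance that dies without calling stop() still loses its credential once the reaper runs, which is the automatic revocation slide 44 describes.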
  • 62. Conclusion
    ● Newer Secret Management services are built to be used at scale - use them
    ● Secret Management is most useful when integrated into Continuous Deployment
      ○ Automate fully by reducing out-of-band configurations for secret management
      ○ Unify Resource and Secret Management APIs with a broker architecture
    ● Automating Secret Management frees up your team to do great things