SlideShare a Scribd company logo

Container secrets talk from DevSecCon

Download as PPTX, PDF
Liz Rice
Liz Rice

Your container secret's safe with me - a review of secret management from some popular orchestrators (and a glimpse into Aqua Security's capabilities for secrets)

Software
1 of 29
Join the conversation #DevSecCon Your (container) secret’s safe with me Liz Rice, Aqua Security @lizrice
2 Secrets @LizRice | @AquaSecTeam
3 Secrets @LizRice | @AquaSecTeam Secret store Cluster
Desirable attributes for secrets management
5 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
6 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
7 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
Passing secrets to containers
9 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
10 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
11 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Environment variables @LizRice | @AquaSecTeam
12 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
13 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Mounted volume @LizRice | @AquaSecTeam
Orchestrator support for secrets
15 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Encrypted transmission with mutual authentication ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition
16 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ Audit log with events ■ Rotation requires container restart & secret dance Encrypted ✓ Access control ✓ Life-cycle ?
17 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Namespaced ■ RBAC can be turned on --authorization-mode=RBAC ■ Files and env vars ■ Files support updating secret values ■ Need to restart pod to get new env var value
18 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server Encrypted ? Access control ✓ Life-cycle ✓
19 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
20 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
21 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Mesos/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value Encrypted ✓ Access control ✓ Life-cycle ?
22 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Use production mode ■ Encryption & security primitives
23 Nomad @LizRice | @AquaSecTeam ■ Secrets passed as files ■ Nomad takes care of interactions with Vault ■ Tasks get tokens so they can retrieve values ■ Poll for changed values ■ Access control ■ Audit logging Encrypted ✓ Access control ✓ Life-cycle ✓
24 Aqua secrets & external store @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
25 Aqua secrets & external store @LizRice | @AquaSecTeam ■ File system & env var support ■ Update secrets without container restart ■ No env var leak through inspect or /proc ■ Auditing of secret usage ■ User & container access control Encrypted ✓ Access control ✓ Life-cycle ✓
Summary
27 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Access secrets at runtime ■ Not built in ■ Rotate secrets ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
Join the conversation #DevSecCon The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam
29 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io

Recommended

Your (container) secret's safe with me
Your (container) secret's safe with me Your (container) secret's safe with me
Your (container) secret's safe with me Liz Rice
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meLiz Rice
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
London Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon HashiCorp User Group
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 

Recommended

Your (container) secret's safe with me
Your (container) secret's safe with me Your (container) secret's safe with me
Your (container) secret's safe with me Liz Rice
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meLiz Rice
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
London Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon HashiCorp User Group
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Securityinovex GmbH
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon HashiCorp User Group
 
Zombies in Kubernetes
Zombies in KubernetesZombies in Kubernetes
Zombies in KubernetesThomas Fricke
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Outlyer
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor KhoroshchenkoKuberton
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginxSidhartha Mani
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleSidhartha Mani
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OSJosef Adersberger
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
BRISK_Network_Pentest_
BRISK_Network_Pentest_BRISK_Network_Pentest_
BRISK_Network_Pentest_BriskInfosec Solutions
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersAll Things Open
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 
Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meAqua Security
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeContainers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeAppDynamics
 

More Related Content

What's hot

London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon HashiCorp User Group
 
Zombies in Kubernetes
Zombies in KubernetesZombies in Kubernetes
Zombies in KubernetesThomas Fricke
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Outlyer
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor KhoroshchenkoKuberton
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginxSidhartha Mani
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleSidhartha Mani
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...Aqua Security
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift Origin
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersAll Things Open
 
Container Security
Container SecurityContainer Security
Container SecurityJie Liau
 

What's hot (20)

London Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using ConsulLondon Hug 20/6 - Clustering RabbitMQ using Consul
London Hug 20/6 - Clustering RabbitMQ using Consul
 
Zombies in Kubernetes
Zombies in KubernetesZombies in Kubernetes
Zombies in Kubernetes
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
 
Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution Alex Dias: how to build a docker monitoring solution
Alex Dias: how to build a docker monitoring solution
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko Security threats with Kubernetes - Igor Khoroshchenko
Security threats with Kubernetes - Igor Khoroshchenko
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
Mastering kubernetes ingress nginx
Mastering kubernetes ingress nginxMastering kubernetes ingress nginx
Mastering kubernetes ingress nginx
 
Lessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at ScaleLessons learned and challenges faced while running Kubernetes at Scale
Lessons learned and challenges faced while running Kubernetes at Scale
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OS
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdan
 
BRISK_Network_Pentest_
BRISK_Network_Pentest_BRISK_Network_Pentest_
BRISK_Network_Pentest_
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for Containers
 
Container Security
Container SecurityContainer Security
Container Security
 

Similar to Container secrets talk from DevSecCon

Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with meAqua Security
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeContainers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeAppDynamics
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSBA Research
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...Lacework
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with SysdigSreenivas Makam
 
Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3Louis Jacomet
 
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on AzureDocker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on AzurePatrick Chanezon
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmWei-Ting Kuo
 
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure Patrick Chanezon
 
Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis Maturin BADO
 
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scaleMonitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scaleAlessandro Gallotta
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework
 
(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep Dive(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep DiveAmazon Web Services
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesAn Nguyen
 
The Concierge Paradigm
The Concierge ParadigmThe Concierge Paradigm
The Concierge ParadigmGareth Brown
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzureDevoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzurePatrick Chanezon
 
Commit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyCommit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyAlfredo García Lavilla
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 

Similar to Container secrets talk from DevSecCon (20)

Your secret's safe with me
Your secret's safe with meYour secret's safe with me
Your secret's safe with me
 
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit EuropeContainers: Give Me The Facts, Not The Hype - AppD Summit Europe
Containers: Give Me The Facts, Not The Hype - AppD Summit Europe
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3Caching reboot: javax.cache & Ehcache 3
Caching reboot: javax.cache & Ehcache 3
 
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on AzureDocker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
 
Dockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarmDockertaipei 20150528-dockerswarm
Dockertaipei 20150528-dockerswarm
 
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
 
Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis Discover some "Big Data" architectural concepts with Redis
Discover some "Big Data" architectural concepts with Redis
 
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scaleMonitoring microservices: Docker, Mesos and Kubernetes visibility at scale
Monitoring microservices: Docker, Mesos and Kubernetes visibility at scale
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
 
(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep Dive(DAT407) Amazon ElastiCache: Deep Dive
(DAT407) Amazon ElastiCache: Deep Dive
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on KubernetesSecret Management with Hashicorp Vault and Consul on Kubernetes
Secret Management with Hashicorp Vault and Consul on Kubernetes
 
The Concierge Paradigm
The Concierge ParadigmThe Concierge Paradigm
The Concierge Paradigm
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzureDevoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
 
Commit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made EasyCommit 2024 Secrets Management Made Easy
Commit 2024 Secrets Management Made Easy
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 

More from Liz Rice

The maths behind microscaling
The maths behind microscalingThe maths behind microscaling
The maths behind microscalingLiz Rice
 
Game of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and MicroscalingGame of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and MicroscalingLiz Rice
 
How to build a personalized interface for VOD
How to build a personalized interface for VODHow to build a personalized interface for VOD
How to build a personalized interface for VODLiz Rice
 
Tank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing dataTank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing dataLiz Rice
 
Killing the TV time grid
Killing the TV time gridKilling the TV time grid
Killing the TV time gridLiz Rice
 

More from Liz Rice (7)

The maths behind microscaling
The maths behind microscalingThe maths behind microscaling
The maths behind microscaling
 
Game of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and MicroscalingGame of Hosts - Containers, VMs and Microscaling
Game of Hosts - Containers, VMs and Microscaling
 
How to build a personalized interface for VOD
How to build a personalized interface for VODHow to build a personalized interface for VOD
How to build a personalized interface for VOD
 
Tank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing dataTank Top TV - Netflix viewing data
Tank Top TV - Netflix viewing data
 
Killing the TV time grid
Killing the TV time gridKilling the TV time grid
Killing the TV time grid
 
Cadbury
CadburyCadbury
Cadbury
 
Beatz
BeatzBeatz
Beatz
 

Recently uploaded

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 

Recently uploaded (20)

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 

Container secrets talk from DevSecCon

  • 1. Join the conversation #DevSecCon Your (container) secret’s safe with me Liz Rice, Aqua Security @lizrice
  • 4. Desirable attributes for secrets management
  • 5. 5 Secrets @LizRice | @AquaSecTeam Secrets photo: Katie Tegtmeyer ■ Encrypted ■ At rest and in transit ■ Only decrypted in memory
  • 6. 6 Secrets @LizRice | @AquaSecTeam Secrets photo: James Case ■ Access control ■ Only accessible by containers that need them ■ And users ■ Write-only access
  • 7. 7 Secrets @LizRice | @AquaSecTeam Secrets photo: Irena Jackson ■ Life-cycle ■ Risk of leak increases over time ■ Rotation, revocation, audit logging
  • 8. Passing secrets to containers
  • 9. 9 Bad places for secrets @LizRice | @AquaSecTeam ■ Source code ■ Dockerfiles / images
  • 10. 10 docker run -e VARNAME=secret ... Environment variables @LizRice | @AquaSecTeam
  • 11. 11 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Environment variables @LizRice | @AquaSecTeam
  • 12. 12 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice | @AquaSecTeam
  • 13. 13 ■ docker inspect ■ docker exec ■ /proc directory ■ Leaky logs Mounted volume @LizRice | @AquaSecTeam
  • 15. 15 Docker @LizRice | @AquaSecTeam ■ Secrets support built in for Docker Swarm services ■ Not standalone containers ■ Encrypted transmission with mutual authentication ■ Secret accessible when exposed to service ■ Mounted to a temporary fs (not env vars) ■ RBAC in Enterprise Edition
  • 16. 16 Docker @LizRice | @AquaSecTeam ■ Encrypted in Raft log ■ Lock your Swarm!! ■ Shared to Swarm managers ■ Audit log with events ■ Rotation requires container restart & secret dance Encrypted ✓ Access control ✓ Life-cycle ?
  • 17. 17 Kubernetes secrets @LizRice | @AquaSecTeam ■ Secret configured in pod YAML ■ Namespaced ■ RBAC can be turned on --authorization-mode=RBAC ■ Files and env vars ■ Files support updating secret values ■ Need to restart pod to get new env var value
  • 18. 18 Kubernetes secrets @LizRice | @AquaSecTeam ■ Stored in etcd ■ Make sure secrets are encrypted! ■ --experimental-encryption-provider-config on API Server Encrypted ? Access control ✓ Life-cycle ✓
  • 19. 19 Kubernetes secrets @LizRice | @AquaSecTeam kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: bXlWZXJ5U2VjcmV0RW5jcnlwdGlvbktleQo= - identity: {}
  • 20. 20 Secrets all the way down @LizRice | @AquaSecTeam ■ EncryptionConfig holds a secret key... xkcd.com/1416
  • 21. 21 DC/OS @LizRice | @AquaSecTeam ■ Enterprise DC/OS ■ Plug-ins for Mesos/Marathon ■ Encrypted in ZooKeeper ■ Env vars ■ Access control by service path ■ Restart service to update value Encrypted ✓ Access control ✓ Life-cycle ?
  • 22. 22 Nomad @LizRice | @AquaSecTeam ■ Integrated with Vault ■ Use production mode ■ Encryption & security primitives
  • 23. 23 Nomad @LizRice | @AquaSecTeam ■ Secrets passed as files ■ Nomad takes care of interactions with Vault ■ Tasks get tokens so they can retrieve values ■ Poll for changed values ■ Access control ■ Audit logging Encrypted ✓ Access control ✓ Life-cycle ✓
  • 24. 24 Aqua secrets & external store @LizRice | @AquaSecTeam ■ Any orchestrator ■ Secret storage in 3rd party backend ■ Hashicorp Vault, Amazon KMS, Azure Key Vault, CyberArk Vault...
  • 25. 25 Aqua secrets & external store @LizRice | @AquaSecTeam ■ File system & env var support ■ Update secrets without container restart ■ No env var leak through inspect or /proc ■ Auditing of secret usage ■ User & container access control Encrypted ✓ Access control ✓ Life-cycle ✓
  • 27. 27 Secrets @LizRice | @AquaSecTeam Secrets photo: Iain Merchant ■ Access secrets at runtime ■ Not built in ■ Rotate secrets ■ Your best option depends on ■ Orchestrator ■ Acceptable level of risk
  • 28. Join the conversation #DevSecCon The Ultimate Guide to Secrets Management in Containers tiny.cc/secrets @LizRice | @AquaSecTeam
  • 29. 29 Kubernetes secrets access @LizRice | @AquaSecTeam ■ RBAC can be turned on --authorization-mode=RBAC # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io