The document discusses the 5 stages of secrets management grief: denial, anger, bargaining, depression, and acceptance. It then provides examples of approaches organizations can take to securely manage secrets when using configuration management tools like Puppet, including storing secrets in source control versus alternative approaches. It emphasizes the importance of involving information security teams and considering both "masterful" and "masterless" options. The document recommends resources for further learning on tools that can help, like Conjur and Summon, and calls readers to evaluate their own organization's secrets management approach.

1. The 5 Stages of Secrets Management Grief
(And How to Prevail)
Josh Bregman
Conjur

2. Josh has 20 years experience successfully architecting, evangelizing, and delivering
innovative identity management and security products to customers. Prior to joining
Conjur , Josh spent a decade as a solutions and pre-sales leader in the Oracle ecosystem. A
developer at heart, early in his career Josh worked as a software engineer at IBM, GTE
Labs, and Netegrity. He has 3 U.S. patents and received a B.A. in Math from the University
of Rochester in 1995.

3. Thanks
Dave!

4. Denial - We don’t have a problem
Anger - Why is this my problem?
Bargaining - A series of trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem

5. Denial - We don’t have a problem
Anger - Why is this my problem?
Bargaining - A series of trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem

6. You’re at Puppet Camp, so your
infrastructure is coded, and
your code is in source control.

7. class { 'wordpress':
db_user => 'wordpress',
db_password => 'hvyH(S%t("0"16',
db_host => 'db.example.com',
create_db => false,
create_db_user => false,
}

8. If you put your secrets in
source control, then anyone
who has access to the repo can
access all the secrets.

9. 3/10/16

10. “Searching GitHub for AWS and
Azure credentials reveals that many
people are making the same
mistake as Ashley Madison, Uber
and D-Link.”

11. “Ashley Madison’s leaked code
included hard-coded AWS tokens,
database credentials, certificate
private keys and other credentials.

12. “Uber had a database containing
personal information about drivers
compromised in 2014, after storing
the key in a publicly available
repo”

13. “...and D-Link recently published its
private code signing keys in the
open source code for a firmware
update.”

14. “Your cloud credentials are likely to
end up subsidizing Bitcoin miners, who
scan GitHub for keys and use them to
run up hundreds or thousands of
dollars of bills.”

15. (Sound of everyone
making sure that repo
is private)

16. Should everyone at your
company who has read access
to the repo have access to the
database?

18. If you put your secrets in
source control, then anyone
who has access to the repo can
access all the secrets.

19. Denial - We don’t have a problem
Anger - Why is it my problem?
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem

20. Typical conversation BEFORE
something bad happens…
20

21. Question to Information Security:
I’m concerned that storing secrets in
source control isn’t safe. Is there a
recommended approach that I should
be following?
21

22. Answer from Information Security:
We’re super busy right now
protecting the company from APT,
passing our ISO 27001 audit, and
assessing our compliance NIST CSF…
22

23. Question to Information Security:
Well, this initiative is super important
to the business. Is there anything that
you can recommend?
23

24. Answer from Information Security:
We’ll we have an existing system that
we use to manage privileged
accounts. You just open a
ServiceNow ticket and…
24

25. That’s OK….we’ll just figure it out
25

26. Typical conversation AFTER
something bad happens…
26

27. “I’m going to automate those *@!
out of a job.” – Anonymous DevOps
“Those *@! are running with
scissors” – Anonymous InfoSec
27

28. Few organizations practice blame
free post-mortems, if they are on the
front page of the Wall Street Journal.
This is a huge cultural change for
Information Security.
28

29. SecDevOps or DevSecOps or
RuggedDevOps are all terms for the
inclusion of information security in
the DevOps workflow
29

30. Automated testing that includes
security tests like code scanning,
application security testing,
automated patching of vulnerabilities
are all pretty easy…
30

31. …because they can be added without
the direct cooperation of information
security teams.
31

32. Question: How many people here
have information security
professionals as part of their DevOps
teams?
32

33. Question: How many people here
ACTIVELY seek out the information
security professionals in their
organization?
33

34. NIST CyberSecurity Framework - The
Framework Implementation Tiers
(“Tiers”) provide context on how an
organization views
cybersecurity risk and the processes
34

35. NIST CSF Tiers:
Tier 1 -> Partial
Tier 2 -> Risk Informed
Tier 3 -> Repeatable
Tier 4 -> Adaptive
35

36. Go Find your Security Engineering
Team. This is the team that owns
and operates security solutions. Tell
them you can help them with
automation.
36

37. Denial - We don’t have a problem
Anger - It’s their fault!
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem

38. Two main camps on secrets
management with Puppet: Masterful
and Masterless

39. Masterful: I’m OK if all of my secrets
are on the master; my master is a
hardened command bunker.
Masterless: Secrets are ‘need to
know’ and my master doesn’t.

40. The “Masterful” approaches can be
accomplished with little commitment
from information security.

41. If you don’t engage them, and
something goes wrong, it’s all on you.

42. Masterful - E-Yaml

43. If you use E-YAML, secrets are
encrypted in source control, and in
the catalog.

44. If you use E-YAML, you have to figure
out how to secure the keys, and
rotate the keys, and work with
encrypted files...

45. Another “Masterful” approach that
some customers use is to deploy
separate Production and Non-
Production Puppet Masters

46. This keeps production information
limited to only those that need
access to production. By design, this
pattern makes Continuous Delivery
hard.

47. If you use DSL extensions or Hiera
backend, then secrets are in the
catalog, but not in source control.

48. Retrieves a Secret from Conjur
programmatically
https://github.com/dgrstl/puppet_conjurdemo/blob/master/lib/
puppet/functions/conjur_secret.rb

49. See it in action
https://github.com/dgrstl/puppet_conjurdemo/
blob/master/tests/notify.pp

50. Masterless approach - a.k.a - Node
Side Secrets - secrets aren’t in source
control and they are not on the
master

51. Scenario 1 - Write a configuration file
on the node that has a list of secrets

52. Puppet::conjur_demo {‘/opt/foo.conf’:
secrets =>
[‘/production/db/user’,
’/production/db/password’],
}

53. Scenario 2 - Control the value of an
attribute via Conjur

54. Puppet::conjurdemo_secert_value { ‘foo’:
secret_key_name => ‘bar’,
resource => Wordpress[‘server1’],
field => ‘db_password’,
}

55. datacat_collector { "$title Conjur secret":
template_body =>
template('puppet_conjurdemo/conjur_simple_secret.erb'),
target_resource => $resource,
target_field => $field,
notify => $resource,
}

56. <%% require 'conjur/cli'
require 'yaml'
Conjur::Config.load
Conjur::Config.apply
api = Conjur::Authn.connect
-%>
<% @secrets.each do |secret_key| %>
<%% secret = api.variable "<%=secret_key%>" %><%=secret_key%> =
<%%=secret.value-%>
<%end%>

57. Want to learn more?
Request a Conjur Demo

58. Denial - We don’t have a problem
Anger - It’s their fault!
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem

59. In both the masterful and masterless
models, the secrets wind up on the
nodes.

60. This represents a whole new threat
surface - a way that your secret
information can be compromised

61. Applications and services, not just
infrastructure also need access to
credentials. And applications are
stored in source control.

62. Summon is an open-source project
that allows for the retrieval of secrets
safely without checking the secrets
into source control

63. Summon works well with 12 factor
apps - those that expect to get their
configuration from the environment -
e.g. Java Application

64. secrets.yaml
MYSECRET: !var secret/path
MYSECRET2: !var secret/path2

65. USAGE:
summon [global options] command
[command options] [arguments...]
Ex: summon -f /opt/secrets.yaml
printenv

66. Supports simple provider interface
variable = sys.argv[1]
value = keyring.get_password(
os.environ.get('SUMMON_KEYRING_SERVICE', 'summon'),
variable
)

67. https://github.com/jbregman/puppet-
summon/tree/master/jbregman-summon/tests
Test 1 - Simple secrets.yaml
Test 1a - Parameterized secrets.yaml
Test 2a - Creating Config
Test 3 - facter

68. Denial - We don’t have a problem
Anger - It’s their fault!
Bargaining - A Series of Trade-offs?
Depression - This isn’t fixed?
Acceptance - We have a problem

69. This is an evolution from the Conjur Puppet
integration that I presented at Puppet Conf in
2015

70. Integration with Puppet is an
important but emerging area. These
modules and repos are works in
progress.

71. Customers are very interested in
additional capabilities such as
rotation, versioning, secure service
lifecycle

72. Resources:
https://github.com/dgrstl/puppet_conjurdemo
https://puppetlabs.com/blog/using-node-side-
secrets-with-puppet
https://conjurinc.github.io/summon/

73. Call to action:
• Have a discussion “Are we a
masterless or masterful shop?”
• Make friends with information
security

74. QUESTIONS?

75. Want to learn more?
Request a Conjur Demo

76. THANK
YOU