Hi and welcome to the HashiCorp User Group meetup. We'd like to thank both Flux7 and Q2 for hosting us. In tonight's presentation we'll show you how to use HashiCorp Vault to manage dynamic database credentials.
My name is Sean Carolan and I'm a recovering sysadmin. Now I'm a solutions engineer, which means I spend a lot of time visiting folks who do the job I used to do, and helping them learn how to use Vault and our other open source tools.
Just a quick background, since some of you are probably more familiar with our company than others. We were founded a little over 4 years ago. What Mitchell and Armon observed as Ops practitioners was that as the world was shifting to cloud infrastructure, there was a real gap in the tools available to Ops professionals to help them provision, secure and run this infrastructure. Each of the cloud providers had their own tooling, but that had 2 obvious challenges:
* using them would lock your applications into that particular environment (cue Oracle all over again), and
* it left the natural gap of heterogeneity: how to manage the reality that this just introduced one more technology platform to manage — rather than a replacement it was an ‘and’.
To them, the tasks required of the Ops practitioner to provision, secure and run this infrastructure were pretty clear — in principle the same as those performed for traditional infrastructure, but with tools more attuned to the challenges of cloud and distributed topologies. That was the genesis for HashiCorp: building a product suite for the practitioner to help them provision, secure and run hybrid cloud application infrastructure without tying themselves to a particular platform or technology.
The company is really much better known by its products — and in fact most people are unaware that these are all provided by a single company (it is a branding challenge that we are hard at work on addressing). The most popular of those is Vagrant which was the first product built and has more than 30,000 unique downloads each week. But Terraform, Vault, Consul and Nomad have grown incredibly in usage as well, to the point that between them they now generate more than 35,000 unique downloads per week themselves — a stat which has doubled in the past 6 months.
I’d be shocked if one or more of these tools isn’t in use at your company already.
Remember this scene from Star Wars? How was a simple maintenance droid able to log onto this fully armed and operational battle station and take control of the trash compactor? We did some research and here's what the post mortem showed (Zoom in on screen behind R2D2).
As it turns out the Death Star had some serious security flaws. Why would a security-minded organization like the Empire have all these unrestricted maintenance ports all over the place? Why was the exhaust port of the ship connected to the main reactor? The Death Star was probably a nightmare to secure. You have rebels disguised as stormtroopers, contractors crawling all over the ship, and an unrealistic deadline to get it built that caused some serious security flaws and shortcuts to happen.
This is the Empire's equivalent of leaving a sticky note on your monitor with your password on it.
Recently a casino lost its high roller database because of an internet-connected fish tank thermometer.
https://thehackernews.com/2018/04/iot-hacking-thermometer.html
There are refrigerators on the internet. Barbie dolls. Some of your infrastructure is in the cloud, some is on prem, and some is hosted platform or SaaS. There is no longer a 'network perimeter' in the traditional sense of the term. You have to assume that *everywhere* is hostile.
The internet is a hostile place. My wife's WordPress site gets attacked hundreds of times a day by bots crawling around looking for insecure WordPress sites. They even harvest keywords from the site and try to use them as your password.
Security is hard.
Humans suck at managing passwords.
Sticky Note Slide
Ever see this? Why does this happen? A survey about a decade ago revealed that 70% of people would give up their computer password for a chocolate bar. Humans just aren't that great at remembering complex passwords. In fact, complexity requirements might actually make things worse. We end up with passwords that look like this:
P455w0rd!
Let's be real. You're not fooling any computer by replacing the letter O with a zero. Anyone know how long it takes a modern CPU to crack a password like this one? Yes, milliseconds. So we've made it harder for humans to remember their passwords, but easy for computers to guess them. Some users just give up and write the password down on a sticky note. Or copy it into a file. Or save it in their source code... the list goes on.
Let's not get all smug about this. Almost every one of us in this room has seen passwords being stored places they shouldn't be. Let's look at some of the other forms of password abuse.
What are some of the ways orgs try to limit access and make things more secure?
* Double moat! More layers of security around the database.
* Bastion hosts
* Put passwords into an "Ark", require them to be checked out
* Strong permissions on the file
* Etc (all the other stuff SANS recommends)
How do most applications store their passwords? That's right, in a file! On the application server. Even as recently as 2014 the SANS Institute created guidelines, most of which were about protecting this file, placing it in a safe directory, etc. But as soon as that machine is compromised, or the password is copied somewhere, or written to a log file... you've lost. Any attacker with legitimate credentials is going to look just like any other application or user. And you often have no way to tell that you've been compromised! Some of these things go on for months.
There's got to be a better way.
What if I told you that you could change your database passwords automatically, every 24 hours, without causing any downtime or disruption to your applications?
HashiCorp Vault is a modern, API-driven, cloud friendly secrets broker and management system. Vault can store existing credentials or even dynamically manage credentials for you.
Salespeople please plug your ears. Where are my sales bros. Everything I'm about to show you in this demo, you can do with open source Vault. Ok you guys can unplug your ears now.
Storage Backend - A storage backend is responsible for durable storage of encrypted data. Backends are not trusted by Vault and are only expected to provide durability. The storage backend is configured when starting the Vault server.
Barrier - The barrier is cryptographic steel and concrete around the Vault. All data that flows between Vault and the storage backend passes through the barrier. The barrier ensures that only encrypted data is written out, and that data is verified and decrypted on the way in. Much like a bank vault, the barrier must be "unsealed" before anything inside can be accessed.
Secrets Engine - A secrets engine is responsible for managing secrets. Simple secrets engines like the "kv" secrets engine simply return the same secret when queried. Some secrets engines support using policies to dynamically generate a secret each time they are queried. This allows for unique secrets to be used which allows Vault to do fine-grained revocation and policy updates. As an example, a MySQL secrets engine could be configured with a "web" policy. When the "web" secret is read, a new MySQL user/password pair will be generated with a limited set of privileges for the web server.
Audit Device - An audit device is responsible for managing audit logs. Every request to Vault and response from Vault goes through the configured audit devices. This provides a simple way to integrate Vault with multiple audit logging destinations of different types.
Auth Method - An auth method is used to authenticate users or applications which are connecting to Vault. Once authenticated, the auth method returns the list of applicable policies which should be applied. Vault takes an authenticated user and returns a client token that can be used for future requests. As an example, the userpass auth method uses a username and password to authenticate the user. Alternatively, the github auth method allows users to authenticate via GitHub.
Client Token - A client token (aka "Vault Token") is conceptually similar to a session cookie on a web site. Once a user authenticates, Vault returns a client token which is used for future requests. The token is used by Vault to verify the identity of the client and to enforce the applicable ACL policies. This token is passed via HTTP headers.
Secret - A secret is the term for anything returned by Vault which contains confidential or cryptographic material. Not everything returned by Vault is a secret, for example system configuration, status information, or policies are not considered secrets. Secrets always have an associated lease. This means clients cannot assume that the secret contents can be used indefinitely. Vault will revoke a secret at the end of the lease, and an operator may intervene to revoke the secret before the lease is over. This contract between Vault and its clients is critical, as it allows for changes in keys and policies without manual intervention.
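To make the secrets engine and lease contract above concrete (the MySQL "web" role that mints a unique user/password per read, and the lease that lets Vault revoke each one individually or sweep them at expiry), here is a constructed in-memory model of that lifecycle. It is an added example written for these notes, not Vault's implementation; the class and method names (`DynamicDbEngine`, `read_creds`, `renew`, `revoke_prefix`, `expire`) and the `database/creds/<role>/<id>` lease-id shape are assumptions, and the `db_users` set stands in for the CREATE USER / DROP USER statements Vault would run against the real database.

```python
import secrets
from dataclasses import dataclass
@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    expires_at: float      # current lease end (caller supplies the clock, in seconds)
    max_expires_at: float  # hard ceiling that renewals can never push past
class DynamicDbEngine:
    """Hands out a fresh, unique user/password on every read, each bound to its own lease."""
    def __init__(self, ttl: float, max_ttl: float):
        self.ttl, self.max_ttl = ttl, max_ttl
        self.leases = {}          # lease_id -> Lease
        self.db_users = set()     # stand-in for CREATE USER / DROP USER in MySQL (assumption)

    def read_creds(self, role: str, now: float) -> Lease:
        lease_id = f"database/creds/{role}/{secrets.token_hex(8)}"   # assumed id shape
        user = f"v-{role}-{secrets.token_hex(4)}"
        lease = Lease(lease_id, user, secrets.token_urlsafe(16), now + self.ttl, now + self.max_ttl)
        self.db_users.add(user)
        self.leases[lease_id] = lease
        return lease

    def renew(self, lease_id: str, now: float) -> bool:
        lease = self.leases.get(lease_id)
        if lease is None or now >= lease.expires_at:
            return False  # revoked or expired: the client has to read fresh creds
        lease.expires_at = min(now + self.ttl, lease.max_expires_at)
        return True

    def revoke(self, lease_id: str) -> None:
        lease = self.leases.pop(lease_id, None)
        if lease:
            self.db_users.discard(lease.username)  # only this one credential dies

    def _revoke_where(self, doomed_if) -> int:
        doomed = [lid for lid, l in self.leases.items() if doomed_if(lid, l)]
        for lid in doomed:
            self.revoke(lid)
        return len(doomed)

    def revoke_prefix(self, prefix: str) -> int:  # operator: kill every lease under a path
        return self._revoke_where(lambda lid, _: lid.startswith(prefix))

    def expire(self, now: float) -> int:  # Vault's end-of-lease revocation sweep
        return self._revoke_where(lambda _, l: now >= l.expires_at)

    def is_valid(self, username: str) -> bool:
        return username in self.db_users
```

Because every read yields a different user, dropping one lease affects only the one consumer that read it, and the max TTL is what forces every consumer to rotate onto fresh credentials on schedule.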
Server - Vault depends on a long-running instance which operates as a server. The Vault server provides an API which clients interact with and manages the interaction between all the secrets engines, ACL enforcement, and secret lease revocation. Having a server based architecture decouples clients from the security keys and policies, enables centralized audit logging and simplifies administration for operators.
The number of shares and the minimum threshold required can both be specified. Shamir's technique can be disabled, and the master key used directly for unsealing. Once Vault retrieves the encryption key, it is able to decrypt the data in the storage backend, and enters the unsealed state. Once unsealed, Vault loads all of the configured audit devices, auth methods, and secrets engines.
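The share/threshold unseal described above is Shamir's secret sharing over GF(2^8), one byte of the master key at a time. The following is an added worked implementation for these notes, not Vault's own code: `split` produces `shares` key shares of which any `threshold` reconstruct the secret, and `combine` recovers it by Lagrange interpolation at x = 0. The sample master key in the test is constructed; the function names are assumptions.

```python
import secrets
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) using the AES reducing polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse by search (256 multiplications; fine for a demo)."""
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def split(secret: bytes, shares: int, threshold: int) -> list:
    """Split `secret` into `shares` key shares; any `threshold` of them rebuild it."""
    assert 1 < threshold <= shares < 256
    # One random polynomial of degree threshold-1 per byte; its constant term is the byte.
    polys = [bytes([b]) + secrets.token_bytes(threshold - 1) for b in secret]
    out = []
    for x in range(1, shares + 1):  # x = 0 is never a share: f(0) is the secret itself
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                acc = gf_mul(acc, x) ^ c
            y.append(acc)
        out.append((x, bytes(y)))
    return out

def combine(shares: list) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 to recover the secret."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs), "duplicate share"
    basis = []  # L_j(0) = prod_{m != j} x_m / (x_m - x_j); subtraction is XOR in GF(2^8)
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num, den = gf_mul(num, xm), gf_mul(den, xm ^ xj)
        basis.append(gf_mul(num, gf_inv(den)))
    secret = bytearray(len(shares[0][1]))
    for (_, y), b in zip(shares, basis):
        for i, yi in enumerate(y):
            secret[i] ^= gf_mul(yi, b)
    return bytes(secret)
```

Fewer than `threshold` shares still interpolate to some value, just not the right one, which is why a key holder cannot tell from a single share whether it is genuine.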
We seem to be missing a #1! I would say #1 is authentication.