Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle

A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle

Secrets are ubiquitous. From API Keys to encryption keys, the number of secrets an average app requires for its ops, especially in the cloud, is increasing Unfortunately, developers and practitioners are unaware of secrets management, resulting in some very serious vulnerabilities.

In this talk, we discuss how to handle secrets the right way. Concretely, we look at vault-based secrets management for Kubernetes, AWS and Azure environments. Not only do we cover best practices, we also investigate gotchas and implementation nuances across platforms.

Abhay Bhargav

April 30, 2020

More Decks by Abhay Bhargav

Other Decks in Programming


  1. A Hitchhikers Guide to Managing Secrets in the Cloud Abhay

  2. abhaybhargav we45 Yours Truly • Founder @ we45 • Chief

    Architect - Orchestron • Avid Pythonista and AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  3. abhaybhargav we45 Remote Trainings : May - June 2020 •

    Goto: we45.com/remote-training and select training of choice • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams • Get Live Training + Access to Labs + Access to Videos + Certification = • Discount code: DSO200 for DevSecOps Courses • Discount code: WEBINSUB20 for any other course
  4. abhaybhargav we45 Community Initiatives Youtube Channel: youtube.com/we45-appsec Blog: we45.com/blog Talks/Workshops

    at several OWASP Events
  5. abhaybhargav we45 Pray to the Demo Gods

  6. abhaybhargav we45 Agenda • Secrets and challenges with Secrets •

    Secrets in the cloud • Cryptographic Services in the cloud
  7. abhaybhargav we45 When Secrets aren’t ….Secret!

  8. abhaybhargav we45 On the other hand • Secrets are exponential

    in distributed apps • API Tokens, Passwords, Keys, HMAC Passwords, etc • More Secrets == More Secret Sprawl
  9. abhaybhargav we45 Common Patterns - Secrets Storage • Environment Variables

    • Keyrings and Keychain • GPG
  10. abhaybhargav we45 Demo

  11. abhaybhargav we45 Common Patterns - Secrets Storage • Environment Variables

    • Keyrings and Keychain • GPG Complete compromise if there’s RCE/SSRF/Injection Better. But is difficult to secure, esp because of Containers, etc Let’s face it. You’d rather use anything else but this…
  12. abhaybhargav we45 Other issues… • Access Control is not descriptive

    or effective • Accountability is hard (near impossible) to track • Doesn’t provide for Rotation, Re- keying, etc
  13. abhaybhargav we45 Secret Sprawl, A Map

  14. abhaybhargav we45 Recent Awesome Developments in Secrets Management • Hashicorp

    Vault and its evolution • Secrets Management from Cloud Providers: • Integrated • Democratized otherwise-expensive hardware/software
  15. abhaybhargav we45 Secrets Management and Cryptographic Services - Cloud •

    AWS KMS • AWS Parameter Store and Secrets Manager • Azure KeyVault • Google KMS
  16. abhaybhargav we45 Secrets and Crypto - Kubernetes • Kubernetes: •

    Encryption Services • Hashicorp Vault • Sealed Secrets (KubeSeal) • Kamus
  17. Secrets vs Sensitive Information • Secrets: • Passwords • API

    Tokens • Keys • TFA - Tokens • Database Connection Strings • Sensitive Information • Data that is protected with Secrets • PII • Payment Card Information • Social Security Numbers
  18. abhaybhargav we45 Principles - Good Secrets Management • Version Management

    • Access Control • Audit Trails • Key Rotation => Underlying Key • Secure Deletes and Version Deletes
  19. abhaybhargav we45 Handling Security Exceptions • Enable Cloudtrail/Azure Monitor Log

    Analytics/Audit to Socket • Capture Anomalies with IP addresses or Tag-Based Request Params • Consider Pushing anomalies to Slack/etc for investigation
  20. abhaybhargav we45 Cryptographic Services • Key Generation • Key Rotation

    • Access Control • Audit Trails • Envelope Encryption
  21. abhaybhargav we45 AWS vs Azure vs Vault Param AWS Azure

    Vault Key Generation Symmetric and Asymmetric CMKs Asymmetric CMK Symmetric and Asymmetric Key Length AES-256 GCM, Several Asymmetric Algos RSA 2048-4096 AES, Salsa20, RSA, ECDSA Logging Cloudtrail Azure Monitor File/Socket/Syslog
  22. abhaybhargav we45 Envelope Encryption

  23. abhaybhargav we45 Demo

  24. abhaybhargav we45 Conclusions • With the cloud and its tools

    - secrets and cryptography for your apps is a much more solvable challenge • Backed by strong algos and constantly improving and consistent APIs • Still some ways to shoot yourself in the foot - Read IAM and Grants