A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle

Secrets are ubiquitous. From API keys to encryption keys, the number of secrets an average app requires for its operations, especially in the cloud, is increasing. Unfortunately, developers and practitioners are often unaware of secrets management, resulting in some very serious vulnerabilities.

In this talk, we discuss how to handle secrets the right way. Concretely, we look at vault-based secrets management for Kubernetes, AWS and Azure environments. Not only do we cover best practices, we also investigate gotchas and implementation nuances across platforms.

Abhay Bhargav

April 30, 2020

Transcript

  1. abhaybhargav we45 Yours Truly • Founder @ we45 • Chief Architect - Orchestron • Avid Pythonista and AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  2. Remote Trainings : May - June 2020 • Go to: we45.com/remote-training and select training of choice • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams • Get Live Training + Access to Labs + Access to Videos + Certification = • Discount code: DSO200 for DevSecOps Courses • Discount code: WEBINSUB20 for any other course
  3. Agenda • Secrets and challenges with Secrets • Secrets in the cloud • Cryptographic Services in the cloud
  4. On the other hand • Secrets are exponential in distributed apps • API Tokens, Passwords, Keys, HMAC Passwords, etc • More Secrets == More Secret Sprawl
  5. Common Patterns - Secrets Storage • Environment Variables: Complete compromise if there’s RCE/SSRF/Injection • Keyrings and Keychain: Better. But is difficult to secure, esp because of Containers, etc • GPG: Let’s face it. You’d rather use anything else but this…
  6. Other issues… • Access Control is not descriptive or effective • Accountability is hard (near impossible) to track • Doesn’t provide for Rotation, Re-keying, etc
  7. Recent Awesome Developments in Secrets Management • Hashicorp Vault and its evolution • Secrets Management from Cloud Providers: • Integrated • Democratized otherwise-expensive hardware/software
  8. Secrets Management and Cryptographic Services - Cloud • AWS KMS • AWS Parameter Store and Secrets Manager • Azure KeyVault • Google KMS
  9. Secrets and Crypto - Kubernetes • Kubernetes: • Encryption Services • Hashicorp Vault • Sealed Secrets (KubeSeal) • Kamus
  10. Secrets vs Sensitive Information • Secrets: • Passwords • API Tokens • Keys • TFA - Tokens • Database Connection Strings • Sensitive Information • Data that is protected with Secrets • PII • Payment Card Information • Social Security Numbers
  11. Principles - Good Secrets Management • Version Management • Access Control • Audit Trails • Key Rotation => Underlying Key • Secure Deletes and Version Deletes
  12. Handling Security Exceptions • Enable Cloudtrail/Azure Monitor Log Analytics/Audit to Socket • Capture Anomalies with IP addresses or Tag-Based Request Params • Consider Pushing anomalies to Slack/etc for investigation
  13. Cryptographic Services • Key Generation • Key Rotation • Access Control • Audit Trails • Envelope Encryption
  14. AWS vs Azure vs Vault

      | Param | AWS | Azure | Vault |
      | --- | --- | --- | --- |
      | Key Generation | Symmetric and Asymmetric CMKs | Asymmetric CMK | Symmetric and Asymmetric |
      | Key Length | AES-256 GCM, Several Asymmetric Algos | RSA 2048-4096 | AES, Salsa20, RSA, ECDSA |
      | Logging | Cloudtrail | Azure Monitor | File/Socket/Syslog |

  15. Conclusions • With the cloud and its tools - secrets and cryptography for your apps is a much more solvable challenge • Backed by strong algos and constantly improving and consistent APIs • Still some ways to shoot yourself in the foot - Read IAM and Grants
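
Slide 12 recommends capturing anomalies by IP address from the audit trail and pushing them to chat for investigation. The following is an added example, not code from the deck: it scans CloudTrail-style records for secret reads and key use from unexpected sources. The network ranges, account ID, ARNs and log records are constructed, and treating AWS service hostnames as expected is an assumption.

```python
import ipaddress
import json

# Assumption: CIDR ranges the workloads normally call from (constructed values).
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
# CloudTrail (eventSource, eventName) pairs that read a secret or use a key.
WATCHED = {("secretsmanager.amazonaws.com", "GetSecretValue"),
           ("kms.amazonaws.com", "Decrypt")}

# Constructed sample records using CloudTrail field names, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2020-04-30T10:00:01Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"10.20.3.7","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app/i-0abc"}}
{"eventTime":"2020-04-30T10:02:11Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventTime":"2020-04-30T10:03:40Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"198.51.100.9","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventTime":"2020-04-30T10:04:02Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventTime":"2020-04-30T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"secretsmanager.amazonaws.com","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app/i-0abc"}}
not-json {{{
"""

def find_anomalies(lines):
    """Return watched events whose caller is outside EXPECTED_NETWORKS."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip damaged or empty records instead of aborting the scan
        if not isinstance(ev, dict) or (ev.get("eventSource"), ev.get("eventName")) not in WATCHED:
            continue
        src = ev.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(src)
            expected = any(addr in net for net in EXPECTED_NETWORKS)
        except ValueError:
            # CloudTrail records a service DNS name here when an AWS service
            # makes the call; this example assumes those calls are expected.
            expected = src.endswith(".amazonaws.com")
        if not expected:
            findings.append({"time": ev.get("eventTime"), "action": ev.get("eventName"),
                             "who": ev.get("userIdentity", {}).get("arn"),
                             "source": src, "error": ev.get("errorCode")})
    return findings

def format_alert(f):
    """One-line message suitable for posting to a chat channel."""
    outcome = f["error"] or "succeeded"
    return f'{f["time"]} {f["action"]} by {f["who"]} from {f["source"]} ({outcome})'
```
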