A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle

Secrets are ubiquitous. From API keys to encryption keys, the number of secrets an average app requires for its operations, especially in the cloud, is increasing. Unfortunately, developers and practitioners are unaware of secrets management, resulting in some very serious vulnerabilities.

In this talk, we discuss how to handle secrets the right way. Concretely, we look at vault-based secrets management for Kubernetes, AWS and Azure environments. Not only do we cover best practices, we also investigate gotchas and implementation nuances across platforms.

Abhay Bhargav

April 30, 2020

Transcript

  1. A Hitchhikers Guide
    to Managing Secrets
    in the Cloud
    Abhay Bhargav

  2. abhaybhargav we45
    Yours Truly
    • Founder @ we45
    • Chief Architect - Orchestron
    • Avid Pythonista and AppSec Automation Junkie
    • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
    • Lead Trainer - we45 Training and Workshops
    • Co-author of Secure Java For Web Application Development
    • Author of PCI Compliance: A Definitive Guide

  3. Remote Trainings: May - June 2020
    • Goto: we45.com/remote-training and select training of choice
    • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams
    • Get Live Training + Access to Labs + Access to Videos + Certification =

    • Discount code: DSO200 for DevSecOps Courses
    • Discount code: WEBINSUB20 for any other course

  4. Community Initiatives
    Youtube Channel: youtube.com/we45-appsec
    Blog: we45.com/blog
    Talks/Workshops at several OWASP Events

  5. Pray to the Demo Gods

  6. Agenda
    • Secrets and challenges with Secrets
    • Secrets in the cloud
    • Cryptographic Services in the cloud

  7. When Secrets aren’t… Secret!

  8. On the other hand
    • The number of secrets grows exponentially in distributed apps
    • API Tokens, Passwords, Keys, HMAC Passwords, etc
    • More Secrets == More Secret Sprawl

  9. Common Patterns - Secrets Storage
    • Environment Variables
    • Keyrings and Keychain
    • GPG

  10. Demo

  11. Common Patterns - Secrets Storage
    • Environment Variables: Complete compromise if there’s RCE/SSRF/Injection
    • Keyrings and Keychain: Better. But difficult to secure, esp. because of Containers, etc
    • GPG: Let’s face it. You’d rather use anything else but this…

  12. Other issues…
    • Access Control is not descriptive or effective
    • Accountability is hard (near impossible) to track
    • Doesn’t provide for Rotation, Re-keying, etc

  13. Secret Sprawl, A Map

  14. Recent Awesome Developments in Secrets Management
    • Hashicorp Vault and its evolution
    • Secrets Management from Cloud Providers:
    • Integrated
    • Democratized otherwise-expensive hardware/software

  15. Secrets Management and Cryptographic Services - Cloud
    • AWS KMS
    • AWS Parameter Store and Secrets Manager
    • Azure KeyVault
    • Google KMS

  16. Secrets and Crypto - Kubernetes
    • Kubernetes:
    • Encryption Services
    • Hashicorp Vault
    • Sealed Secrets (KubeSeal)
    • Kamus

  17. Secrets vs Sensitive Information
    • Secrets:
    • Passwords
    • API Tokens
    • Keys
    • TFA - Tokens
    • Database Connection Strings
    • Sensitive Information
    • Data that is protected with Secrets
    • PII
    • Payment Card Information
    • Social Security Numbers

  18. Principles - Good Secrets Management
    • Version Management
    • Access Control
    • Audit Trails
    • Key Rotation => Underlying Key
    • Secure Deletes and Version Deletes

  19. Handling Security Exceptions
    • Enable CloudTrail/Azure Monitor Log Analytics/Audit to Socket
    • Capture Anomalies with IP addresses or Tag-Based Request Params
    • Consider Pushing anomalies to Slack/etc for investigation
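As an added illustration of the anomaly-capture step above (not code from the talk): a small Go detector run over a constructed CloudTrail excerpt. It flags secret-bearing calls (KMS Decrypt, Secrets Manager GetSecretValue) that either came from outside the expected IP ranges or were denied; the account id, ARNs, IPs and allowlist are constructed placeholders, and the returned list is what you would push to Slack or a ticket queue.

```go
package main

import (
	"encoding/json"
	"net/netip"
	"strings"
)

type Event struct {
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	SourceIPAddress string `json:"sourceIPAddress"`
	ErrorCode       string `json:"errorCode"`
	UserIdentity    struct{ ARN string `json:"arn"` } `json:"userIdentity"`
}

// secretReads are the calls that hand a secret, or the key protecting one, to the caller.
var secretReads = map[string]bool{
	"kms.amazonaws.com:Decrypt":                   true,
	"secretsmanager.amazonaws.com:GetSecretValue": true,
}

// sampleTrail is a constructed CloudTrail excerpt (placeholder account, ARNs and IPs).
const sampleTrail = `{"eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"10.0.12.7","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app"}}
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"}}
{"eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"10.0.12.7","errorCode":"AccessDeniedException","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci"}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"}}`

// Anomalies scans newline-delimited CloudTrail records; allowedCIDRs are the ranges secret reads are expected from.
func Anomalies(ndjson string, allowedCIDRs []string) (findings []string) {
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Event
		if json.Unmarshal([]byte(line), &e) != nil || !secretReads[e.EventSource+":"+e.EventName] {
			continue // malformed, or not a secret-bearing call
		}
		who := e.UserIdentity.ARN + " " + e.EventName + " from " + e.SourceIPAddress
		ip, _ := netip.ParseAddr(e.SourceIPAddress) // an invalid IP parses to the zero Addr, which no prefix contains
		onNet := false
		for _, c := range allowedCIDRs {
			p, _ := netip.ParsePrefix(c) // an invalid CIDR likewise never matches
			onNet = onNet || p.Contains(ip)
		}
		if strings.HasPrefix(e.ErrorCode, "AccessDenied") {
			findings = append(findings, "denied: "+who) // a refused secret read is worth a look
		} else if !onNet {
			findings = append(findings, "offnet: "+who) // read from outside the expected ranges
		}
	}
	return findings
}
```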

  20. Cryptographic Services
    • Key Generation
    • Key Rotation
    • Access Control
    • Audit Trails
    • Envelope Encryption

  21. AWS vs Azure vs Vault
    Param           AWS                                    Azure            Vault
    Key Generation  Symmetric and Asymmetric CMKs          Asymmetric CMK   Symmetric and Asymmetric
    Key Length      AES-256 GCM, Several Asymmetric Algos  RSA 2048-4096    AES, Salsa20, RSA, ECDSA
    Logging         CloudTrail                             Azure Monitor    File/Socket/Syslog

  22. Envelope Encryption
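Envelope encryption worked through in Go, as an added example (not the talk's demo code): a data encryption key (DEK) protects each object and is itself wrapped by a key encryption key (KEK), so only the wrapped DEK travels with the ciphertext. The KEK here is a caller-supplied 32-byte AES-256 key standing in for the KMS / Key Vault master key; in a real deployment the two KEK operations below are the service's GenerateDataKey and Decrypt calls and the KEK never leaves the service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on error; used only for cipher construction, where the sole failure is a mis-sized key (a bug).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts under a 32-byte key with AES-256-GCM; the fresh random nonce is prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (guaranteed since Go 1.24)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or any tampering fails the GCM tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt: fresh DEK per object, data under the DEK, DEK wrapped under the KEK. Only (wrappedDEK, ciphertext)
// is stored; the KEK never is. In the cloud, KMS GenerateDataKey performs this wrap so the KEK never leaves KMS.
func Encrypt(kek, plaintext []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek, []byte("dek-v1")), seal(dek, plaintext, nil) // the AAD labels the wrap
}

// Decrypt unwraps the DEK with the KEK (a KMS Decrypt call in the cloud), then opens the data locally.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte("dek-v1"))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, nil)
}
```

Rotating the KEK means re-wrapping each stored DEK, not re-encrypting the data, which is why the slide's "Key Rotation => Underlying Key" stays cheap at scale.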

  23. Demo

  24. Conclusions
    • With the cloud and its tools, secrets and cryptography for your apps are a much more solvable challenge
    • Backed by strong algos and constantly improving and consistent APIs
    • Still some ways to shoot yourself in the foot - Read IAM and Grants