
Enabling a Secure Platform



Chris Hoffman

November 15, 2016


Transcript

  1. Chatham Financial
     • Chatham is the largest independent risk advisor in the world
     • Clients from mom & pop shops to Fortune 10 companies
     • Customers trust us with non-public transaction information
     • We integrate with many 3rd party trading systems
     • Advise on some of the most complex deals in the debt and derivatives market

  2. Chatham Direct
     • Multi-tenant SaaS application
     • Client-facing API
     • 250+ services
     • 110+ servers
     • 2 global datacenters
     • Cloud providers

  3. This talk is about...
     Looking at the challenges facing organizations around application security.
     How we think about the problem, and a look at the solutions that worked for us.

  4. Security Reality
     • Secret sprawl
       ◦ Secrets stored in files, buckets, databases, configuration management, compiled binaries, etc.
     • Hard to track access
     • Rotation is a circus
       ◦ ...if you do it at all

  5. Stakeholders
     • Business
       ◦ Trust
     • Developers
       ◦ Easy to use
       ◦ Doesn’t slow down development
       ◦ Don’t have to think about it
     • Operators
       ◦ Easy to maintain
     • Security and Compliance
       ◦ Stringent requirements for certifications, such as SOC II
       ◦ Fine-grained access controls
       ◦ Auditable

  6. Datacenter Challenges
     • Increasingly polyglot
     • Transient servers and services
     • Hybrid cloud
     • Utilizing more 3rd party services

  7. “No tool on its own can fix a broken culture”
     Jennifer Davis & Katherine Daniels, Effective DevOps
  8. Hashicorp Vault - vaultproject.io
     Secret Storage: Stores your existing secrets or generates dynamic secrets
     Encryption-As-A-Service: Encrypt data from applications while still storing that encrypted data in some primary data store
     Key Rolling: Secrets you store can be updated at any time or rolled with lease expiration
     Auditing: All actions are audited and can be sent to multiple backends

  9. Developer Experience
     • HTTP API and CLI
     • Local Development
     • Secret Storage
     • Encryption-As-A-Service
  10. $ vault init
      Key 1: 427cd2c310be3b84fe69372e683a790e01
      Key 2: 0e2b8f3555b42a232f7ace6fe0e68eaf02
      Key 3: 37837e5559b322d0585a6e411614695403
      Key 4: 8dd72fd7d1af254de5f82d1270fd87ab04
      Key 5: b47fdeb7dda82dbe92d88d3c860f605005
      Initial Root Token: eaf5cc32-b48f-7785-5c94-90b5ce300e9b
      Vault initialized with 5 keys and a key threshold of 3!

  11. $ vault unseal
      Key (will be hidden):
      Sealed: true
      Key Shares: 5
      Key Threshold: 3
      Unseal Progress: 1

  12. $ vault unseal
      Key (will be hidden):
      Sealed: true
      Key Shares: 5
      Key Threshold: 3
      Unseal Progress: 1
      …
      $ vault unseal
      Key (will be hidden):
      Sealed: false
      Key Shares: 5
      Key Threshold: 3
      Unseal Progress: 0
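The init and unseal steps above work because `vault init` splits the master key with Shamir secret sharing into 5 shares with a threshold of 3. The Python below is an added example (not Vault's own code) that implements that split and recovery over a prime field, assuming a 32-byte master key, and checks that any 3 shares recover it while any 2 yield nothing usable.

```python
from itertools import combinations
import secrets

# Mersenne prime 2^521 - 1: a 32-byte master key fits as a single field element.
PRIME = 2**521 - 1


def split_secret(secret: bytes, shares: int = 5, threshold: int = 3):
    """Return `shares` (x, y) points on a random polynomial of degree threshold-1
    whose constant term is the secret. This is what `vault init` hands out as
    Key 1..Key 5 (hex-encoded); any `threshold` of them reconstruct the secret."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def evaluate(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, evaluate(x)) for x in range(1, shares + 1)]


def recover_int(points) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` points this
    yields an unrelated value, not an error: below the threshold the shares
    carry no information about the secret, which is exactly the guarantee."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(points, length: int) -> bytes:
    return recover_int(points).to_bytes(length, "big")


def unseal_demo(shares: int = 5, threshold: int = 3) -> dict:
    """Check every threshold-size subset recovers the key and every smaller one does not."""
    master_key = secrets.token_bytes(32)  # constructed stand-in for Vault's master key
    points = split_secret(master_key, shares, threshold)
    enough = all(recover_secret(list(c), 32) == master_key
                 for c in combinations(points, threshold))
    too_few = all(recover_int(list(c)) != int.from_bytes(master_key, "big")
                  for c in combinations(points, threshold - 1))
    return {"threshold_subsets_recover": enough, "smaller_subsets_fail": too_few}
```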
  13. $ vault write secret/foo zip=zap ttl=1h
      Success! Data written to: secret/foo
      $ vault read secret/foo
      Key               Value
      ---               -----
      refresh_interval  3600
      ttl               1h
      zip               zap

  14. $ vault write -f transit/keys/foo
      Success! Data written to: transit/keys/foo
      $ vault read transit/keys/foo
      Key                     Value
      type                    aes256-gcm96
      deletion_allowed        false
      derived                 false
      keys                    map[1:1.459861712e+09]
      latest_version          1
      min_decryption_version  1
      name                    foo

  15. $ echo -n "Delaware Innovation Week 2016" | base64 | vault write transit/encrypt/foo plaintext=-
      Key         Value
      ciphertext  vault:v1:czEwyKqGZY/limnuzDC...

  16. $ echo -n "Delaware Innovation Week 2016" | base64 | vault write transit/encrypt/foo plaintext=-
      Key         Value
      ciphertext  vault:v1:czEwyKqGZY/limnuzDC...
      $ vault write transit/decrypt/foo ciphertext=vault:v1:czEwyKqGZY/limnuzDC...
      Key        Value
      plaintext  RGVsYXdhcmUgSW5ub3ZhdGlvbiBXZWVrIDIwMTYK

  17. $ echo -n "Delaware Innovation Week 2016" | base64 | vault write transit/encrypt/foo plaintext=-
      Key         Value
      ciphertext  vault:v1:czEwyKqGZY/limnuzDC...
      $ vault write transit/decrypt/foo ciphertext=vault:v1:czEwyKqGZY/limnuzDC...
      Key        Value
      plaintext  RGVsYXdhcmUgSW5ub3ZhdGlvbiBXZWVrIDIwMTYK
      $ echo "RGVsYXdhcmUgSW5ub3ZhdGlvbiBXZWVrIDIwMTYK" | base64 -d
      Delaware Innovation Week 2016
  18. Still lots to do!
     • Dynamic secrets
       ◦ SQL Databases
       ◦ Service Discovery
       ◦ Cloud accounts
     • Fully automated PKI infrastructure

  19. Security Reality
     • Secret sprawl
       ◦ Secrets stored in files, buckets, databases, configuration management, compiled binaries, etc.
     • Hard to track access
     • Rotation is a circus
       ◦ ...if you do it at all