Your secret's safe with me

Transcript

1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

   Your secret’s safe with me Liz Rice @LizRice | @AquaSecTeam

2. 2 Secrets @LizRice | @AquaSecTeam

3. 3 Desirable security features for container secrets ▪ Encrypted ▪

   At rest and in transit ▪ Only decrypted in memory ▪ Access control ▪ Only accessible by containers that need them ▪ Life-cycle ▪ Rotation, revocation, audit logging @LizRice | @AquaSecTeam

4. 4 Secret life-cycle ▪ Risk of leak increases over time

   ▪ Exploit ▪ Bad actor ▪ Accidental logging ▪ Change secret values (“rotation”) ▪ Token lifetime & use limit @LizRice | @AquaSecTeam

5. 5 Tokens all the way down @LizRice | @AquaSecTeam ▪

   If your secret is in a secret store, how do you get access? ▪ How do you keep the access token secret? xkcd.com/1416

6. Passing secrets to containers

7. 7 Bad places for secrets @LizRice | @AquaSecTeam ▪ Source

   code ▪ Dockerfiles / images

8. 8 docker run -v VARNAME=secret ... Environment variables @LizRice |

   @AquaSecTeam

9. 9 docker run -v /hostsecrets:/secrets ... Mounted volume @LizRice |

   @AquaSecTeam

10. Orchestrator support for secrets

11. 11 Docker Swarm @LizRice | @AquaSecTeam ▪ Secrets support built

    in ▪ Mounted to a temporary fs ▪ Encrypted transmission with mutual authentication

12. 12 Docker Swarm @LizRice | @AquaSecTeam ▪ Secrets support built

    in ▪ Mounted to a temporary fs ▪ Encrypted transmission with mutual authentication ▪ Files, not env vars ▪ Restart service to change secret value ▪ RBAC in Enterprise Edition

13. 13 Kubernetes @LizRice | @AquaSecTeam ▪ Stored unencrypted in etcd

    ▪ HTTP in transit by default ▪ Files and env vars ▪ Files support updating secret values ▪ Need to restart pod to get new env var value ▪ Files mounted into the host ▪ RBAC can be turned on --authorization-mode=RBAC

14. 14 OpenShift @LizRice | @AquaSecTeam ▪ As Kubernetes, but with

    namespaced projects & RBAC

15. 15 DC/OS @LizRice | @AquaSecTeam ▪ Encrypted in ZooKeeper ▪

    Access control by service path ▪ Env vars ▪ Restart service to update value

16. 16 Rancher @LizRice | @AquaSecTeam ▪ Experimental secrets support

17. 17 Nomad @LizRice | @AquaSecTeam ▪ Integrated with Vault ▪

    Tasks get tokens so they can retrieve values from Vault ▪ Poll for changed values ▪ Access control

18. 18 Aqua secrets @LizRice | @AquaSecTeam ▪ Any orchestrator ▪

    Secrets encrypted in Vault, Amazon KMS or Aqua DB ▪ Env vars injected into container process memory ▪ Secret can be injected to a tempfs filesystem ▪ Supports updating secrets without restart of container ▪ Supports monitoring of secret usage ▪ Limit access to designated containers

19. Summary

20. 20 Secrets decisions @LizRice | @AquaSecTeam Your best option depends

    on ▪ choice of orchestrator ▪ acceptable level of risk Aqua White Paper on secrets management coming very soon

21. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Questions? Liz Rice @LizRice | @AquaSecTeam