Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale (Deutsch)

C5f6e8dffbb19acf405198c8fb917337?s=47 Mark Paluch
September 08, 2016

Managing Secrets at Scale (Deutsch)

Skalieren von Microservices und der Betrieb von Docker-Container liegen gerade im Trend. Aber wie steht es um Sicherheitsaspekte? Wo legst du Passwörter ab und wie werden diese Verschlüsselt? Dieser Vortrag erklärt, wie sich hohe Sicherheitsmaßstäbe effizient mit dem Betrieb dynamischer Service-Instanzen vereinen lassen. In dieser Session lernst du Vault kennen, wie sicherheitsrelevante Daten (Zugangsdaten, Passwörter und Zertifikate) verwaltet und mit Spring Boot zugegriffen werden können.

C5f6e8dffbb19acf405198c8fb917337?s=128

Mark Paluch

September 08, 2016
Tweet

More Decks by Mark Paluch

Other Decks in Technology

Transcript

  1. Managing Secrets at Scale Unless otherwise indicated, these slides are

    © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch, Pivotal Software Inc., @mp911de
  2. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch @mp911de github.com/mp911de paluch.biz
  3. None
  4. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TomEE 4 <Resource id="MySQL Database" type="DataSource"> UserName test Password xMH5uM1V9vQzVUv5LG7YLA== PasswordCipher Static3DES </Resource>
  5. https://www.flickr.com/photos/dahlstroms/4188244058

  6. None
  7. https://www.flickr.com/photos/nateone/5456129071

  8. None
  9. None
  10. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault § Verschlüsselung § Abriegelung § Div. Authentifizierungsmechanismen § Diverse Secret Backends § ACL/Policies § HA § HTTP API 10
  11. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault: Editionen § Gesicherte Ablage § Tokens und ACLs § Dynamische vertrauliche Daten durch TTL und Schlüsselrotation § Audit Logs 11 § HSM § 24x7x365 Support Community Enterprise
  12. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vertrauliche Daten wahren § Verteilung beschränken § Zugriffskontrolle § Verschlüsselung § Schlüsselrotation § Zugriff sperren 12 ✅ ✅ ✅
  13. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start und Initialisierung Demo
  14. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vertrauliche Daten ablegen und abrufen Demo
  15. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends § AWS § Cassandra § Consul § MySQL/MSSSQL/PostgreSQL § PKI § RabbitMQ § (MongoDB ~ Vault 0.6.1) 15
  16. https://www.flickr.com/photos/kristencavanaugh/10710047746

  17. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentifizierungsmethoden § Token § Benutzername/Password § LDAP § GitHub Token
 § MFA § TLS Zertifikate § App ID § AppRole 17
  18. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 18
  19. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 19 1 Administrator konfiguriert AppId 2 AppId in App Konfiguration ablegen 3 Deployment: Mapping zwischen AppId to UserId 4 App start: Vault mit AppId und UserId AppId
  20. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 20 1 Identity-Dokument abrufen (PKCS#7) 2 Vault Login 3 Vault: Prüfung auf gültige EC2 Instanz AWS-EC2
  21. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Sicherheitsfeatures für Produktiveinsatz § Auditing § Policies § Token: Lease/Expiry 21
  22. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vertrauliche Daten wahren § Verteilung beschränken § Zugriffskontrolle § Verschlüsselung § Schlüsselrotation § Zugriff sperren 22 ✅ ✅ ✅ ✅ ✅
  23. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Betriebshinweise § SSL verwenden § Schlüsselteile (Unseal-Keys) sicher aufbewahren § High-Availability-Betrieb 23
  24. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault Config Demo
  25. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Fazit § Vault ist ein gesicherter Service für vertrauliche Daten § Aufbewahrung und Generierung von vertraulichen Daten § Diverse Authentifizierungsmechanismen § HTTP API § Spring Cloud Vault Integration in Arbeit 25
  26. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Ressourcen § Vault: vaultproject.io § Code: github.com/spring-cloud-incubator/spring-cloud-vault-config § Samples: github.com/mp911de/spring-cloud-vault-config-samples § Folien: mp911.de/msasde 26
  27. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz