Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets at Scale (English)

Mark Paluch
July 28, 2016
Technology
0
41

Managing Secrets at Scale (English)

Running multiple instances of microservices, deploying Docker images to Kubernetes is the current trend. But what about security? Are you encrypting passwords? Where do you store the key? How often do you rotate secrets? A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication and often much more. Traditional, manual patterns cannot keep the security bar high with dynamic deployment scenarios. Secrets should stay secret and not get distributed amongst the landscape. Come to this session to learn how to keep the security bar high while running services that require secrets. You'll see how to securely share and manage secrets (certificates, passwords, keys) for your services using Vault and how to use it with Spring Boot.

Links:

* Vault: https://vaultproject.io
* Code: https://github.com/spring-cloud/spring-cloud-vault
* Samples: https://github.com/mp911de/spring-cloud-vault-config-samples

Mark Paluch

July 28, 2016
Tweet

More Decks by Mark Paluch

See All by Mark Paluch
Project Loom: Broadening Concurrency
mp911de
0
140
Full Steam Ahead, R2DBC!
mp911de
2
520
Reactive Relational Database Connectivity 2020
mp911de
3
170
Reactive Relational Database Connectivity
mp911de
3
750
Building Event-Driven Java Applications using Redis Streams
mp911de
1
410
What's New in CDI 2.0 at JUG HH
mp911de
0
210
Reactive Spring Workshop
mp911de
1
970
Under the Hood of Reactive Data Access
mp911de
3
1.6k
Under the Hood of Reactive Data Access
mp911de
1
380

Other Decks in Technology

See All in Technology
「ふりかえりのふりかえり」をふりかえり、実のあるふりかえりにする
naitosatoshi
0
210
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
13
35k
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
310
The CloudCompare project by Dr. Daniel Girardeau-Montaut
kentaitakura
0
490
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
720
自動生成を活用した、運用保守コストを抑える Error/Alert/Runbook の一元集約管理 / Centralized management of Error/Alert/Runbook to minimize operational costs using automated code generation
biwashi
9
2k
OpenTelemetry を使ったトレースエグザンプラーの活用 / otel-trace-exemplar
k6s4i53rx
2
630
Databricks におけるデータエンジニアリング
databricksjapan
0
370
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
2
230
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
オーナーシップを持つ領域を明確にする
konifar
6
360
疲弊しない!AWSセキュリティ統制の考え方 #devio_osakaday1
masahirokawahara
6
5.8k

Featured

See All Featured
Scaling GitHub
holman
457
140k
The Illustrated Children's Guide to Kubernetes
chrisshort
28
46k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
272
13k
What the flash - Photography Introduction
edds
64
11k
Optimising Largest Contentful Paint
csswizardry
7
2.3k
Imperfection Machines: The Place of Print at Facebook
scottboms
258
12k
Embracing the Ebb and Flow
colly
78
4.1k
How to train your dragon (web standard)
notwaldorf
71
5.1k
Web Components: a chance to create the future
zenorocha
304
41k
Designing for Performance
lara
601
67k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990

Transcript

  1. Managing Secrets at Scale Unless otherwise indicated, these slides are

    © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch, Pivotal Software Inc., @mp911de

  2. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch @mp911de github.com/mp911de paluch.biz
  3. None

  4. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ TomEE 4 <Resource id="MySQL Database" type="DataSource"> UserName test Password xMH5uM1V9vQzVUv5LG7YLA== PasswordCipher Static3DES </Resource>

  5. https://www.flickr.com/photos/dahlstroms/4188244058

  6. None

  7. https://www.flickr.com/photos/nateone/5456129071

  8. None
  9. None

  10. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project ! Secure storages ! Sealing/Unsealing ! Multiple authentication mechanisms ! Multiple secret backends ! ACL/policies ! HA ! HTTP API 10

  11. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project: Editions ! Secret storage ! Tokens and access control policies ! Dynamic secrets with leasing and revocation ! Key rolling ! Audit logs 11 ! HSM ! 24x7x365 Phone and Email Support Community Enterprise

  12. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start and initialize Vault Demo

  13. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Storing/Loading generic secrets Demo

  14. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends ! AWS ! Cassandra ! Consul ! MySQL/MSSSQL/PostgreSQL ! MongoDB ! PKI ! RabbitMQ 14

  15. https://www.flickr.com/photos/kristencavanaugh/10710047746

  16. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication methods ! Token ! Username/password ! LDAP ! GitHub Token ! MFA (Duo)
 ! TLS Certificates ! App ID ! AppRole ! AWS EC2 & IAM ! Kubernetes 16

  17. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 17

  18. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 18 1 Retrieve PKCS#7 identity document 2 Vault Login (PKCS#7 + nonce) 3 Vault: EC2 Instance check (EC2 API) AWS-EC2

  19. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 19 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App Start: Retrieve permanent token from Cubbyhole Cubbyhole

  20. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Operation hints ! Use SSL ! Use SSL ! Keep unseal keys secret ! Operate in High-Availability setup 20

  21. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret Backends ! AWS ! Cassandra ! Consul ! MySQL/MSSSQL/PostgreSQL/Oracle ! MongoDB ! PKI ! RabbitMQ 21

  22. Unless otherwise indicated, these slides are 
 © 2013-2016 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault Config Demo

  23. +

  24. Feedback welcome

  25. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resources ! Vault: vaultproject.io ! Code: github.com/spring-cloud/spring-cloud-vault ! Samples: github.com/mp911de/spring-cloud-vault-config-samples ! Slides: mp911.de/msas 25

  26. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz