
Securely Managing Secrets with Vault

Mark Paluch
February 23, 2017

Slides of the talk I gave at Devnexus 2017

Transcript

  1. Securely Managing Secrets with Vault
    Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Mark Paluch, Pivotal Software Inc., @mp911de

  2. What is Security?
    ! Security is the practice of risk management
    • Deciding which risks can be accepted
    • Guarding against violation
    ! Risk increases with system complexity

  5. Threat
    ! Anything that elevates risk
    ! Threat modeling leads to a security policy

  6. Secret
    ! Anything that elevates risk if exposed

  7. Exposure
    ! An exposed secret is a threat
    ! May cause harm
    ! Probability increases over time

  8. Identifiers
    ! Identifiers can be disclosed
    • Username, TLS certificate
    ! Not completely risk-free

  9. Trust
    ! Trusted entity will not divulge secrets
    [Diagram: Producer → Hop → Hop → Consumer, with the parties You, Me and 3rd Party; labelled Circle of Trust and Chain of Trust]

  10. Goals
    ! Minimize risk at any given trust link
    • Minimize risk of exposure
    ! Get a secret securely from producer to consumer
    • Still, assume secrets may eventually be divulged

  12. Vault Project
    ! Secure storage
    ! Encryption
    ! High availability (HA)
    ! HTTP API

  13. Demo: Start and initialize Vault
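What the init demo does with the master key, as an added illustration (this is not code from the talk or from Vault itself): Vault splits the master key with Shamir's Secret Sharing into key shares (by default 5 shares with a threshold of 3), and an operator later submits shares one at a time until the threshold is reached and the server unseals. The example below implements the split, the recombination and the one-share-at-a-time unseal flow in Python over a prime field; Vault's own implementation works byte-wise over GF(2^8), and the names `split_secret`, `combine_shares` and `Seal` are this example's, not Vault's.

```python
import secrets

# Field for the polynomial arithmetic; a Mersenne prime keeps the code short.
# (Vault's own implementation works byte-wise over GF(2^8); same construction.)
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares, threshold):
    """Split `secret` into `shares` points on a random polynomial of degree threshold-1.
    Any `threshold` of the points recover the secret; fewer reveal nothing about it."""
    if not 1 <= threshold <= shares < PRIME:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be smaller than PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^(PRIME-2) is the modular inverse (Fermat), so this is yi * l_i(0)
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


class Seal:
    """Models the unseal step: shares are submitted one at a time (possibly by
    different key holders) and the master key exists in memory only once
    `threshold` distinct shares are in. Collected shares are dropped afterwards."""

    def __init__(self, threshold):
        self.threshold = threshold
        self._pending = {}
        self.master_key = None

    def submit(self, share):
        x, y = share
        self._pending[x] = y  # resubmitting the same share adds no progress
        if len(self._pending) >= self.threshold:
            self.master_key = combine_shares(list(self._pending.items()))
            self._pending.clear()
        return {"sealed": self.master_key is None, "progress": len(self._pending)}

    def seal(self):
        """Seal again: forget the master key; a fresh threshold of shares is needed."""
        self.master_key = None
        self._pending.clear()
```

Two properties worth noticing, because operators rely on them when the key holders are different people: two shares of a threshold-3 split interpolate to a value unrelated to the secret, and submitting the same share twice does not count toward the threshold.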

  14. Secret sprawl
    ! Secrets are spread across a distributed system
    ! Limit access
    ! Audit when a secret was accessed and by whom
    ! Discover breaches

  15. Demo: Storing/Loading generic secrets

  16. Lease and Expiry
    ! Probability of secret exposure increases over time
    ! Ephemeral secrets
    ! Rotation
    ! Expiration
    ! Revocation
    ! Built-in "Break Glass" procedure

  17. Dynamic Secret Backends
    ! AWS
    ! Cassandra
    ! Consul
    ! MySQL/MSSQL/PostgreSQL
    ! MongoDB
    ! PKI
    ! RabbitMQ

  18. Secure Introduction
    Image: https://www.flickr.com/photos/kristencavanaugh/10710047746

  19. Authentication methods
    ! Token
    ! Username/password
    ! LDAP
    ! GitHub Token
    ! MFA (Duo)
    ! TLS Certificates
    ! App ID
    ! AppRole
    ! AWS EC2
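The lease handling of slide 16, the dynamic database credentials of slide 17 and the AppRole login of slide 19 in one worked example, added here; it is not code from the talk, from Vault or from Spring Vault. It is written against Vault's HTTP API (the `X-Vault-Token` header, `auth/approle/login`, `sys/renew` and `sys/revoke`, with `lease_id` in the body). The `VaultClient`, `Lease` and `fake_vault` names, the `database/creds/readonly` role, the `secret/app` path, the half-TTL renewal point and all credential values are this example's own constructed assumptions; `fake_vault` is an in-memory stand-in for the server so the code runs without one.

```python
import json
import urllib.request


class VaultClient:
    """Minimal client for Vault's HTTP API. `transport` is (method, url, headers,
    body) -> dict; the default does real HTTP, tests swap in fake_vault() below."""
    def __init__(self, addr, token=None, transport=None):
        self.addr, self.token = addr.rstrip("/"), token
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def request(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:  # the token rides in a header, never in the URL or body
            headers["X-Vault-Token"] = self.token
        return self.transport(method, f"{self.addr}/v1/{path}", headers, body)

    def login_approle(self, role_id, secret_id):
        # Secure introduction: role_id is baked into the app, secret_id is handed
        # over separately by a trusted hop; only together do they yield a token.
        auth = self.request("POST", "auth/approle/login",
                            {"role_id": role_id, "secret_id": secret_id})["auth"]
        self.token = auth["client_token"]
        return auth


class Lease:
    """One leased secret: renewed via sys/renew at half its TTL, or re-read for a
    fresh value when the lease is not renewable (as with generic secrets)."""
    def __init__(self, client, path, clock):
        self.client, self.path, self.clock = client, path, clock
        self.data = self.lease_id = self.renew_at = None
        self.renewable = False
        self._apply(client.request("GET", path))

    def _apply(self, resp):
        ttl = int(resp.get("lease_duration", 0))
        self.lease_id = resp.get("lease_id") or self.lease_id
        self.renewable = bool(resp.get("renewable"))
        if "data" in resp:  # reads carry data, renewals do not
            self.data = resp["data"]
        self.renew_at = self.clock() + ttl // 2 if ttl else None

    def maintain(self):
        """Call periodically; returns "ok", "renewed" or "rotated"."""
        if self.renew_at is None or self.clock() < self.renew_at:
            return "ok"
        if self.renewable and self.lease_id:
            self._apply(self.client.request("PUT", "sys/renew", {"lease_id": self.lease_id}))
            return "renewed"
        self._apply(self.client.request("GET", self.path))
        return "rotated"

    def release(self):
        # Shutdown or break glass: revoke now rather than waiting for expiry.
        if self.lease_id:
            self.client.request("PUT", "sys/revoke", {"lease_id": self.lease_id})
        self.data = self.lease_id = None


def fake_vault(state):
    """Constructed in-memory stand-in for a Vault server (not Vault's code): AppRole
    login with a single-use secret_id, a dynamic database credential on a renewable
    1h lease, and a generic secret on a non-renewable lease."""
    def send(method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if path == "auth/approle/login":
            if body != state["creds"] or state["secret_id_uses"] == 0:
                raise PermissionError("invalid role or secret ID")
            state["secret_id_uses"] -= 1
            return {"auth": {"client_token": state["token"], "lease_duration": 1200}}
        if headers.get("X-Vault-Token") != state["token"]:
            raise PermissionError("permission denied")
        if method == "GET":
            state["reads"] += 1
        if method == "GET" and path == "database/creds/readonly":
            lease_id = f"database/creds/readonly/{state['reads']}"
            state["leases"].add(lease_id)
            return {"lease_id": lease_id, "lease_duration": 3600, "renewable": True,
                    "data": {"username": f"v-readonly-{state['reads']}", "password": "sample"}}
        if method == "GET" and path == "secret/app":
            return {"lease_id": "", "lease_duration": 2592000, "renewable": False,
                    "data": {"api.key": f"sample-key-{state['reads']}"}}
        if method == "PUT" and path == "sys/renew" and body["lease_id"] in state["leases"]:
            return {"lease_id": body["lease_id"], "lease_duration": 3600, "renewable": True}
        if method == "PUT" and path == "sys/revoke":
            state["leases"].discard(body["lease_id"])
            return {}
        raise RuntimeError(f"unexpected {method} {path}")
    return send
```

Against a real server, drop the `transport` argument and point `addr` at Vault over TLS. The stand-in enforces two behaviours worth checking against the real thing: a secret_id configured for a single use is refused on replay, and a non-renewable lease (a generic secret) is handled by re-reading the path rather than by calling `sys/renew`.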

  21. Application requirements
    ! Access databases and services
    ! Rotate credentials
    ! Deal with encryption

  22. Demo: Using Spring Vault

  23. Spring Vault
    ! Spring 4, Java 1.6
    ! Machine authentication
    ! Property sources
    ! Encryption

  24. Demo: Using Spring Cloud Vault

  25. Spring Cloud Vault
    ! Spring Boot Integration
    ! Using Spring Vault
    ! Property sources
    ! Lease renewal
    ! Database & service integrations

  26. Feedback welcome

  27. Resources
    ! Vault: vaultproject.io
    ! Samples: github.com/mp911de/spring-cloud-vault-config-samples
    ! Code: Github spring-projects/spring-vault and spring-cloud/spring-cloud-vault-config
    ! Slides: mp911.de/sdnx17

  28. Learn More. Stay Connected.
    Twitter: @mp911de
    Github: github.com/mp911de
    Website: paluch.biz