Securely Managing Secrets with Vault

Transcript

1. Securely Managing Secrets with Vault Unless otherwise indicated, these slides

   are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch, Pivotal Software Inc., @mp911de

2. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

   Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ What is Security? ! Security is the practice of risk management • Deciding which risks can be accepted • Guarding against violation ! Risk increases with system complexity 2
3. None
4. None

5. Threat ! Anything that elevates risk ! Threat modeling leads

   to a security policy

6. Secret ! Anything that elevates risk if exposed

7. Exposure ! An exposed secret is a threat ! May

   cause harm ! Probability increases over time

8. Identifiers ! Identifiers can be disclosed • Username, TLS certificate

   ! Not completely risk-free

9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

   Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Trust ! Trusted entity will not divulge secrets 9 You Me 3rd Party Producer Hop Hop Consumer Circle of Trust Chain of Trust

10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Goals ! Minimize risk at any given trust link • Minimize risk of exposure ! Get a secret securely from producer to consumer • Still, assume secrets may get eventually divulged 10
11. None

12. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Vault Project ! Secure storage ! Encryption ! HA ! HTTP API 12

13. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Start and initialize Vault Demo

14. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Secret sprawl ! Secrets are distributed in a distributed system ! Limit access ! Audit when a secret was accessed by who ! Discover breach 14

15. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Storing/Loading generic secrets Demo

16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Lease and Expiry ! Probability of secret exposure increases over time ! Ephemeral secrets ! Rotation ! Expiration ! Revocation ! Built-in „Break Glass“ procedure 16

17. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Dynamic Secret Backends ! AWS ! Cassandra ! Consul ! MySQL/MSSSQL/PostgreSQL ! MongoDB ! PKI ! RabbitMQ 17

18. https://www.flickr.com/photos/kristencavanaugh/10710047746 Secure Introduction

19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Authentication methods ! Token ! Username/password ! LDAP ! GitHub Token
 ! MFA (Duo) ! TLS Certificates ! App ID ! AppRole ! AWS EC2 19

20. +

21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Application requirements ! Access databases and services ! Rotate credentials ! Deal with encryption 21

22. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Using Spring Vault Demo

23. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Vault ! Spring 4, Java 1.6 ! Machine authentication ! Property sources ! Encryption 23

24. Unless otherwise indicated, these slides are 
 © 2013-2017 Pivotal

    Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Using Spring Cloud Vault Demo

25. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Spring Cloud Vault ! Spring Boot Integration ! Using Spring Vault ! Property sources ! Lease renewal ! Database & service integrations 25

26. Feedback welcome

27. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software,

    Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Resources ! Vault: vaultproject.io ! Samples: github.com/mp911de/spring-cloud-vault-config-samples ! Code: Github spring-projects/spring-vault and 
 spring-cloud/spring-cloud-vault-config ! Slides: mp911.de/sdnx17 27

28. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz