$30 off During Our Annual Pro Sale. View Details »

Securely Managing Secrets with Vault

Mark Paluch
February 23, 2017
Technology
1
930

Securely Managing Secrets with Vault

Slides of the talk I gave at Devnexus 2017

Mark Paluch

February 23, 2017
Tweet

More Decks by Mark Paluch

See All by Mark Paluch
Project Loom: Broadening Concurrency
mp911de
0
120
Full Steam Ahead, R2DBC!
mp911de
2
500
Reactive Relational Database Connectivity 2020
mp911de
3
160
Reactive Relational Database Connectivity
mp911de
3
710
Building Event-Driven Java Applications using Redis Streams
mp911de
1
400
What's New in CDI 2.0 at JUG HH
mp911de
0
170
Reactive Spring Workshop
mp911de
1
850
Under the Hood of Reactive Data Access
mp911de
3
1.6k
Under the Hood of Reactive Data Access
mp911de
1
380

Other Decks in Technology

See All in Technology
ARR100億超SaaSをさらに成長させるPdM組織の立ち上げと今後について
rakus_dev
0
150
生成AIでシステム開発はどう変わるか
etaroid
19
7.9k
CSSパフォーマンスに関する計測結果
poteboy
3
1.4k
Bedrock & Amazon Q のアプデ、結局これって○○でいう××のこと?? 生成AIトレンドを俯瞰しながら解説!
minorun365
PRO
0
310
GPTsによるアシスタント業務の改善
neonankiti
3
380
2023-12-01 吉祥寺.pm ベストプラクティスと組織とIaC
masasuzu
1
400
DevFest Tokyo 2023: Google Cloudでチームで安全にデプロイをする
sakajunquality
7
660
ECサイト向け決済機能の開発で学んだ外部決済サービスの活用ポイント
k1style
1
220
Microsoft Fabric と データメッシュ
ryomaru0825
2
180
AI-OCR機能のバクラクな体験を支えるソフトウェアエンジニアリング
tomoaki25
0
110
reInvent2023のセキュリティまとめしてGuardDutyQとコストの話します
cmusudakeisuke
0
310
pmconf 2023 プロダクトと事業を無限にスケールするための最強のロードマップの作り方 / The Greatest Roadmap for Unlimited Scaling your Business and Products
yamamuteki
17
10k

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
17
1.4k
Learning to Love Humans: Emotional Interface Design
aarron
266
39k
WebSockets: Embracing the real-time Web
robhawkes
58
6.6k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Docker and Python
trallard
32
2.4k
Thoughts on Productivity
jonyablonski
55
3.5k
How to name files
jennybc
59
87k
Clear Off the Table
cherdarchuk
81
300k
Agile that works and the tools we love
rasmusluckow
323
20k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
12
1.1k

Transcript

  1. Securely Managing Secrets
    with Vault
    Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Mark Paluch, Pivotal Software Inc., @mp911de

    View Slide

  2. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    What is Security?
    ! Security is the practice of risk management
    • Deciding which risks can be accepted
    • Guarding against violation
    ! Risk increases with system complexity
    2

    View Slide

  3. View Slide

  4. View Slide

  5. Threat
    ! Anything that elevates risk
    ! Threat modeling leads to a security policy

    View Slide

  6. Secret
    ! Anything that elevates risk if exposed

    View Slide

  7. Exposure
    ! An exposed secret is a threat
    ! May cause harm
    ! Probability increases over time

    View Slide

  8. Identifiers
    ! Identifiers can be disclosed
    • Username, TLS certificate
    ! Not completely risk-free

    View Slide

  9. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Trust
    ! Trusted entity will not divulge secrets
    9
    You
    Me
    3rd Party
    Producer Hop Hop Consumer
    Circle of Trust
    Chain of Trust

    View Slide

  10. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Goals
    ! Minimize risk at any given trust link
    • Minimize risk of exposure
    ! Get a secret securely from producer to consumer
    • Still, assume secrets may get eventually divulged
    10

    View Slide

  11. View Slide

  12. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Vault Project
    ! Secure storage
    ! Encryption
    ! HA
    ! HTTP API
    12

    View Slide

  13. Unless otherwise indicated, these slides are 

    © 2013-2017 Pivotal Software, Inc. and licensed under a
    Creative Commons Attribution-NonCommercial
    license: http://creativecommons.org/licenses/by-nc/3.0/
    Start and initialize
    Vault
    Demo

    View Slide

  14. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Secret sprawl
    ! Secrets are distributed in a distributed system
    ! Limit access
    ! Audit when a secret was accessed by who
    ! Discover breach
    14

    View Slide

  15. Unless otherwise indicated, these slides are 

    © 2013-2017 Pivotal Software, Inc. and licensed under a
    Creative Commons Attribution-NonCommercial
    license: http://creativecommons.org/licenses/by-nc/3.0/
    Storing/Loading
    generic secrets
    Demo

    View Slide

  16. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Lease and Expiry
    ! Probability of secret exposure increases over time
    ! Ephemeral secrets
    ! Rotation
    ! Expiration
    ! Revocation
    ! Built-in „Break Glass“ procedure
    16

    View Slide

  17. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Dynamic Secret Backends
    ! AWS
    ! Cassandra
    ! Consul
    ! MySQL/MSSSQL/PostgreSQL
    ! MongoDB
    ! PKI
    ! RabbitMQ
    17

    View Slide

  18. https://www.flickr.com/photos/kristencavanaugh/10710047746
    Secure Introduction

    View Slide

  19. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Authentication methods
    ! Token
    ! Username/password
    ! LDAP
    ! GitHub Token

    ! MFA (Duo)
    ! TLS Certificates
    ! App ID
    ! AppRole
    ! AWS EC2
    19

    View Slide

  20. +

    View Slide

  21. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Application requirements
    ! Access databases and services
    ! Rotate credentials
    ! Deal with encryption
    21

    View Slide

  22. Unless otherwise indicated, these slides are 

    © 2013-2017 Pivotal Software, Inc. and licensed under a
    Creative Commons Attribution-NonCommercial
    license: http://creativecommons.org/licenses/by-nc/3.0/
    Using Spring
    Vault
    Demo

    View Slide

  23. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Spring Vault
    ! Spring 4, Java 1.6
    ! Machine authentication
    ! Property sources
    ! Encryption
    23

    View Slide

  24. Unless otherwise indicated, these slides are 

    © 2013-2017 Pivotal Software, Inc. and licensed under a
    Creative Commons Attribution-NonCommercial
    license: http://creativecommons.org/licenses/by-nc/3.0/
    Using Spring
    Cloud Vault
    Demo

    View Slide

  25. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Spring Cloud Vault
    ! Spring Boot Integration
    ! Using Spring Vault
    ! Property sources
    ! Lease renewal
    ! Database & service integrations
    25

    View Slide

  26. Feedback
    welcome

    View Slide

  27. Unless otherwise indicated, these slides are © 2013-2017 Pivotal Software, Inc. and licensed under a

    Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Resources
    ! Vault: vaultproject.io
    ! Samples: github.com/mp911de/spring-cloud-vault-config-samples
    ! Code: Github spring-projects/spring-vault and 

    spring-cloud/spring-cloud-vault-config
    ! Slides: mp911.de/sdnx17
    27

    View Slide

  28. Learn More. Stay Connected.
    Twitter: @mp911de
    Github: github.com/mp911de
    Website: paluch.biz

    View Slide