Securely Managing Secrets with Vault

Mark Paluch
February 23, 2017


Slides of the talk I gave at Devnexus 2017



Transcript

  1. Securely Managing Secrets with Vault
     Mark Paluch, Pivotal Software Inc., @mp911de
     Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
  2. What is Security?
     • Security is the practice of risk management
       ◦ Deciding which risks can be accepted
       ◦ Guarding against violation
     • Risk increases with system complexity
  3. None
  4. None
  5. Threat
     • Anything that elevates risk
     • Threat modeling leads to a security policy
  6. Secret
     • Anything that elevates risk if exposed
  7. Exposure
     • An exposed secret is a threat
     • May cause harm
     • Probability increases over time
  8. Identifiers
     • Identifiers can be disclosed
       ◦ Username, TLS certificate
     • Not completely risk-free
  9. Trust
     • Trusted entity will not divulge secrets
     (diagram labels: You, Me, 3rd Party; Producer, Hop, Hop, Consumer; Circle of Trust; Chain of Trust)
  10. Goals
     • Minimize risk at any given trust link
       ◦ Minimize risk of exposure
     • Get a secret securely from producer to consumer
       ◦ Still, assume secrets may eventually get divulged
  11. None
  12. Vault Project
     • Secure storage
     • Encryption
     • HA
     • HTTP API
  13. Demo: Start and initialize Vault
  14. Secret sprawl
     • Secrets are distributed in a distributed system
     • Limit access
     • Audit when a secret was accessed and by whom
     • Discover breach
  15. Demo: Storing/Loading generic secrets
  16. Lease and Expiry
     • Probability of secret exposure increases over time
     • Ephemeral secrets
     • Rotation
     • Expiration
     • Revocation
     • Built-in "Break Glass" procedure
  17. Dynamic Secret Backends
     • AWS
     • Cassandra
     • Consul
     • MySQL/MSSQL/PostgreSQL
     • MongoDB
     • PKI
     • RabbitMQ
  18. Secure Introduction (photo: https://www.flickr.com/photos/kristencavanaugh/10710047746)
  19. Authentication methods
     • Token
     • Username/password
     • LDAP
     • GitHub Token
     • MFA (Duo)
     • TLS Certificates
     • App ID
     • AppRole
     • AWS EC2
  20. +

  21. Application requirements
     • Access databases and services
     • Rotate credentials
     • Deal with encryption
  22. Demo: Using Spring Vault
  23. Spring Vault
     • Spring 4, Java 1.6
     • Machine authentication
     • Property sources
     • Encryption
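An added example, not code from the talk or from the Spring Vault project, showing the three things the Spring Vault slide lists through `VaultTemplate`: authenticate, store and load a generic secret, and encrypt with the transit backend. It assumes a local dev Vault on localhost:8200 with the transit backend mounted and a token in the `VAULT_TOKEN` environment variable; the path `secret/demo-app`, the key name `demo-key` and the stored value are made up for the example.

```java
// Added example (not from the talk): Spring Vault's VaultTemplate used to
// authenticate, store/load a generic secret and encrypt via transit.
// Assumes a dev Vault on localhost:8200, transit mounted, VAULT_TOKEN set.
import java.util.HashMap;
import java.util.Map;

import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.VaultTransitOperations;
import org.springframework.vault.support.VaultResponse;

public class VaultSecretsExample {

    public static void main(String[] args) {
        // The token comes from the environment so it never lands in source control.
        String token = System.getenv("VAULT_TOKEN");
        if (token == null || token.isEmpty()) {
            throw new IllegalStateException("VAULT_TOKEN is not set");
        }

        // Token authentication keeps the example short; for machine
        // authentication the slides mention AppRole (AppRoleAuthentication).
        VaultTemplate vault = new VaultTemplate(
                VaultEndpoint.create("localhost", 8200),
                new TokenAuthentication(token));

        // Generic secret backend: write a key/value pair and read it back.
        Map<String, String> data = new HashMap<String, String>();
        data.put("db.password", "example-only-not-a-real-secret"); // constructed value
        vault.write("secret/demo-app", data);

        VaultResponse response = vault.read("secret/demo-app");
        Map<String, Object> loaded = response.getData();
        // Never log the secret itself; log only which keys are present.
        System.out.println("loaded keys: " + loaded.keySet());

        // Transit backend: Vault keeps the key, the application only sees ciphertext.
        VaultTransitOperations transit = vault.opsForTransit();
        transit.createKey("demo-key");
        String ciphertext = transit.encrypt("demo-key", "hello");
        String plaintext = transit.decrypt("demo-key", ciphertext);
        System.out.println("round trip ok: " + "hello".equals(plaintext));

        // Remove the demo secret so it does not linger (minimise exposure).
        vault.delete("secret/demo-app");
    }
}
```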
  24. Demo: Using Spring Cloud Vault
  25. Spring Cloud Vault
     • Spring Boot integration
     • Uses Spring Vault
     • Property sources
     • Lease renewal
     • Database & service integrations
  26. Feedback welcome
  27. Resources
     • Vault: vaultproject.io
     • Samples: github.com/mp911de/spring-cloud-vault-config-samples
     • Code: GitHub spring-projects/spring-vault and spring-cloud/spring-cloud-vault-config
     • Slides: mp911.de/sdnx17
  28. Learn More. Stay Connected.
     • Twitter: @mp911de
     • GitHub: github.com/mp911de
     • Website: paluch.biz