Slide 1: Using Vault for secure cloud deployments
Nicki Watt (@techiewatt), 28/01/2016

Slide 2: Agenda
• Setting the scene
• Where does Vault fit in?
• How is it being used?
• Conclusion


Slide 3: Setting the scene

Slide 4: Act 1: "Take advantage of cloud computing"

Slide 5: Act 2: "Efficiently (and securely) take advantage of cloud-like computing"


Slide 8: Enable creation of fast, repeatable, secure environments capable of running in different clouds!

Slide 9: Where does Vault fit in?

Slide 10: https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

Slide 11: Principles - ASAP
(https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud)
• Automate everything
• Separate config from code
• API driven clouds & tools
• Prefer modular, open source tools

Slide 12: How is it being used?

Slide 13: Part 1: Securing the automated IaaS process
(https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud)

Slide 14: https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

Slides 15-21 (diagram, built up one step per slide): The cloud-env mgmt App and Vault
The steps appear in this order as the build-up progresses:
• Init
• Unseal
• Request new env
• Create env specific mount, policy & add secrets
• Spin up new env
• Get IaaS creds, generate OTP & real token

Slide 22: Benefits
• Centralised secure storage: cloud & other infrastructure provider credentials
• Option to leverage simplified lifecycle management: dynamic secret backend
• Audit-ability

Slide 23: Considerations
• No native terraform integration (yet): Terraform #2221, #4169
• Vault API: allows for custom integrations where required
• Make use of existing AWS policies: awaiting next release (Vault PR #895)

Slide 24: Part 2: Securing the automated Config management process
(https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud)

Slide 25: https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud


Slide 27: recap of the Part 1 diagram (The cloud-env mgmt App: Init, Unseal, Request new env, Create env specific mount, policy & add secrets, Spin up new env, Get IaaS creds, generate OTP & real token)

Slides 28-37 (diagram, built up one step per slide): bootstrapping a new VM with a one-time token
• The cloud-env mgmt App: Request new env; Create env specific mount, policy & add secrets; Spin up new env; Get IaaS creds, generate OTP & real token
• Vault holds a TOKEN with USES: 1 whose /cubbyhole contains the REAL TOKEN, plus an /env mount with gitcred1 = x and gitcred2 = z
• Cloud provider: management subnet, dev subnet, orch-vm
• Slide 31: once the REAL TOKEN is collected from /cubbyhole the token shows USES: 0
• Slides 32-36: the one-time token and its /cubbyhole are gone; only the /env secrets remain, alongside the cloud provider (management subnet, dev subnet, orch-vm)
• Slide 37: the same picture with the /env contents generalised to secret1 = x, secret2 = z

Slide 38: Benefits
• Secure bootstrap process: OTP, real token not exposed
• Eased changing config management tool: Ansible -> Puppet
• No secrets explicitly stored on disk for puppet usage: https://github.com/jsok/hiera-vault

Slide 39: Considerations
• Mount per env: currently the easiest way to delete all secrets until the next release (0.5.0), which includes PR #617
• Puppet Hiera plugin has potential for generating a lot of traffic with Vault: considering ConsulTemplate

Slide 40: Conclusion

Slide 41
• Vault fits in well with the broader principles & aims of the overall solution
• Vault is a single focused tool - this is good!
• Vault is new: we are still experimenting, but happy thus far!


Slide 42: Thanks. Questions?