Slide 1

Your secret’s safe with me
Liz Rice
@LizRice | @AquaSecTeam
Copyright © 2017 Aqua Security Software Ltd. All Rights Reserved.

Slide 2

Secrets

Slide 3

Desirable security features for container secrets
■ Encrypted
  ■ At rest and in transit
  ■ Only decrypted in memory
■ Access control
  ■ Only accessible by containers that need them
■ Life-cycle
  ■ Rotation, revocation, audit logging

Slide 4

Secret life-cycle
■ Risk of leak increases over time
  ■ Exploit
  ■ Bad actor
  ■ Accidental logging
■ Change secret values (“rotation”)
■ Token lifetime & use limit

Slide 5

Tokens all the way down
■ If your secret is in a secret store, how do you get access?
■ How do you keep the access token secret?
xkcd.com/1416

Slide 6

Passing secrets to containers

Slide 7

Bad places for secrets
■ Source code
■ Dockerfiles / images

Slide 8

Environment variables

docker run -e VARNAME=secret ...

Slide 9

Mounted volume

docker run -v /hostsecrets:/secrets ...

Slide 10

Orchestrator support for secrets

Slide 11

Docker Swarm
■ Secrets support built in
■ Mounted to a temporary fs
■ Encrypted transmission with mutual authentication

Slide 12

Docker Swarm
■ Secrets support built in
■ Mounted to a temporary fs
■ Encrypted transmission with mutual authentication
■ Files, not env vars
■ Restart service to change secret value
■ RBAC in Enterprise Edition

Slide 13

Kubernetes
■ Stored unencrypted in etcd
■ HTTP in transit by default
■ Files and env vars
  ■ Files support updating secret values
  ■ Need to restart pod to get new env var value
■ Files mounted into the host
■ RBAC can be turned on: --authorization-mode=RBAC
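The following is an added example, not part of the deck, that contrasts the two injection methods shown on the docker slides (an environment variable versus a file on a mounted volume) on the three properties the slides keep returning to: inheritance by child processes, accidental logging, and whether a rotated value is picked up without a restart. It runs in plain POSIX sh with no docker installed; the value `hunter2`, the temporary directory and the function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: env-var secret versus file-based secret.
# Plain POSIX sh, no docker required. 'hunter2' and $SECRET_DIR are constructed.

SECRET_DIR=$(mktemp -d)              # stands in for the tmpfs an orchestrator mounts
SECRET_FILE="$SECRET_DIR/db_password"
trap 'rm -rf "$SECRET_DIR"' EXIT

# 1. An env-var secret is inherited by every child the container process spawns
#    (and is also listed by `docker inspect`), so any subprocess can read it.
child_reads_env_secret() {
    DB_PASSWORD='hunter2' sh -c 'printf "%s" "$DB_PASSWORD"'
}

# 2. Env vars leak through the common "dump the environment on error" habit
#    (slide 4, accidental logging). Returns how many times the secret value
#    appears in the simulated crash log.
env_secret_in_debug_log() {
    log="$SECRET_DIR/debug.log"
    DB_PASSWORD='hunter2' sh -c 'echo "fatal: connection refused; environment:"; env' > "$log"
    grep -c 'hunter2' "$log"
}

# 3. A file-based secret is written with owner-only permissions and swapped in
#    atomically with rename, the way Kubernetes updates a mounted secret via a
#    symlink swap, so a reader never sees a half-written file.
write_file_secret() {
    tmp="$SECRET_DIR/.db_password.tmp"
    printf '%s' "$1" > "$tmp"
    chmod 0400 "$tmp"
    mv -f "$tmp" "$SECRET_FILE"
}

# Read at point of use rather than cached at process start: this is what lets a
# file-mounted secret take a new value without restarting the pod, which an env
# var (fixed at exec time) cannot do.
read_file_secret() {
    cat "$SECRET_FILE"
}

# Permission string of the secret file, e.g. "-r--------".
file_secret_mode() {
    ls -ld "$SECRET_FILE" | cut -c1-10
}

# Rotation walk-through: write, read, rotate, read again.
rotate_demo() {
    write_file_secret 'hunter2'
    first=$(read_file_secret)
    write_file_secret 'correct-horse-battery-staple'   # operator rotates the value
    second=$(read_file_secret)
    printf '%s -> %s' "$first" "$second"
}

echo "child sees env secret:      $(child_reads_env_secret)"
echo "secret hits in debug log:   $(env_secret_in_debug_log)"
echo "rotation seen by reader:    $(rotate_demo)"
echo "secret file permissions:    $(file_secret_mode)"
```

The design point is the last pair of functions: a process that reads the file every time it needs the credential gets rotation for free, while a process that copies the value into memory at startup behaves exactly like one that received it as an env var and must be restarted.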

Slide 14

OpenShift
■ As Kubernetes, but with namespaced projects & RBAC

Slide 15

DC/OS
■ Encrypted in ZooKeeper
■ Access control by service path
■ Env vars
■ Restart service to update value

Slide 16

Rancher
■ Experimental secrets support

Slide 17

Nomad
■ Integrated with Vault
■ Tasks get tokens so they can retrieve values from Vault
■ Poll for changed values
■ Access control

Slide 18

Aqua secrets
■ Any orchestrator
■ Secrets encrypted in Vault, Amazon KMS or Aqua DB
■ Env vars injected into container process memory
■ Secret can be injected to a tempfs filesystem
■ Supports updating secrets without restart of container
■ Supports monitoring of secret usage
■ Limit access to designated containers

Slide 19

Summary

Slide 20

Secrets decisions
Your best option depends on
■ choice of orchestrator
■ acceptable level of risk
Aqua White Paper on secrets management coming very soon

Slide 21

Questions?
Liz Rice
@LizRice | @AquaSecTeam