The Rise of Secrets Management
•
0 j'aime•748 vues
In this talk, Oded Hareven, Co-Founder & CEO of Akeyless.io, discusses the history of the movement toward best practices in password, token, key, and credential management, including HSMs, KMSs, PAMs, and PKI management. He explores how secrets management is now a MUST for DevOps and security teams of all enterprises and why the right tool needs to be cloud-agnostic, cloud-native, integrable with any DevOps pipelines, and infinitely scalable.
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à The Rise of Secrets Management
Similaire à The Rise of Secrets Management (20)
Dernier
Dernier (20)
The Rise of Secrets Management
- 1. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Oded Hareven, CEO & Co-founder @ Akeyless Oded@akeyless.io {Ret. Captain, Israel Defence Forces, CyberSecurity Identity Management, PAM, Information Security Infrastructure Dev, Product, Ops} The Rise of Secrets Management
- 2. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Unique Zero- Knowledge KMS Technology Akeyless DFC™ Secrets Management SaaS Platform Akeyless Vault Platform Secrets Management as-a-service Serving market leaders enterprises Pharma, Insurance, Adtech, Online, E- commerce, Gaming
- 3. 3 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Data encryption Step #1: Protecting Data • Access Control • Control who can access the data? • How to validate his identity? • Data Encryption • Control who can access the key? • How to validate her identity? Data Access Control
- 4. 4 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Step #2: Identity Validation • Requires Authentication • Human • Machine • Using something that only the human/machine has • Secret = {password, credentials, api-key, certificate, ssh-key} • If you can’t keep a Secret - you can’t protect your Data... Password DB password DB User Application
- 5. 5 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Step #3: Privileged Access • Beyond application access • Who’s controlling my workloads? • Internal/external personnel • Can they impersonate? • Admin can do everything... • PAM • Control human admin access - session recording • Regulation and compliance • Secrets Repository • Default admin passwords rotation Password DB password DB User Application Admin OS Admin OS Admin Password Password
- 6. 6 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Step #4: Root-of-Trust • Using an Encryption key to encrypt secrets & data +Using signing key to sign TLS/SSH Certificates = identities • Where to place the key? • Configuration - bad practice • Local store - not secured enough • KMS - good start • HSM - considered to be most secure • Secret-zero: accessing the key requires a secret? The chicken and the egg... Hardware Security Module
- 7. 7 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Step #5: Interconnectivity & overlapping HSM Root of trust KMS PAM SSH Mng. Certificate Mng.
- 8. 8 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Trends that encourage the massive use of secrets 1. Containerization 2. Hybrid & multi-cloud 3. DevOps, CI/CD, Automation 4. Zero-Trust Passwords Certificate API-Keys SQL Credentials AES Encryption RSA Signing Key SSH Key And then came the cloud. Proprietary and Confidential
- 9. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Secrets Sprawl: Clear-text, unprotected Source Code DevOps Scripts Configuration Files x myScript { // App.Config DB password = “T0pSecr3t” API_Key_AWS = “Cl3aRt3xt$!” } x //myconfig < // App.Config Access_Token = “T0pSecr3t” API_Key_GCP = “Cl3aRt3xt$!” /> x Void myCode( ) { // App.Config Encryption_Key = “aKey43!t” API_Key_Azure = “Cl3a3xt$!” } Secrets are used also within workload management platforms
- 10. 10 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 IAM have never been easier • Ephemeral resources + Automation + IaC • Perimeter-less world = data is everywhere • Root-of-trust in a non-trusted distributed architecture • Privileged Access (Remote, WFH, COVID-19)
- 11. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 11 Report:"Managing Machine Identities, Secrets, Keys and Certificates" Published: 24 August 2020 Analyst: Erik Wahlstrom Source: Akeyless is mentioned in this Gartner’s report, p16. under “secrets management solutions”
- 12. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Secrets Management Fetch Secrets from any platform, script or application ***** ***** ***** API / SDK / CLI / Plugins Customer Application Customer Database 3rd-party Service API Password = “Pass12#” Applications Encrypted Secrets Store Human DevOps, IT, Developers Secrets Management
- 13. 13 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 First: Integrate with everything Authentication via LDAP SAML OpenID Direct channels Platforms Plugins (examples) Machine authentication Human authentication
- 14. 14 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 World-wide availability • Scalability • Multi-region / multi cloud • Disaster Recovery: Replication, Backup • Highly Available Consider: Self-deployment vs. SaaS
- 15. 15 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Existing solutions varies HSM Root of trust KMS PAM SSH Mng. Certificate Mng. SM
- 16. 16 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Existing solutions varies HSM Root of trust KMS PAM SSH Mng. Certificate Mng. SM
- 17. 17 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Existing solutions varies HSM Root of trust KMS PAM SSH Mng. Certificate Mng. SM
- 18. 18 Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Existing solutions varies HSM Root of trust KMS PAM SSH Mng. Certificate Mng. Unified Secrets Management Platform
- 19. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021 Thank you. Further questions & thoughts you’d like to share? Mostly invited to drop an email to Oded@akeyless.io