Keeping Secrets with Hashicorp Vault

As large enterprises move toward organization-wide adoption of DevOps, one challenge they face is the handling of secrets, typically used for authentication. Automation precludes using a human being as the source of trust, and security requires that credentials are never stored in a form from which they could leak, e.g. never in source code.

In this talk, Ali Hussain from Flux7 will discuss how they are using HashiCorp Vault at one of the largest payments and credit card providers. I'll share core principles of modern secret management and how we used Vault and Consul for a fail-safe, automated, dynamic secrets management solution as part of a sustainable and scalable DevSecOps approach that helps proactively meet security, risk and compliance objectives. I'll cover the journey toward DevSecOps and the best practices and toolkit used in this use case, starting with a basic, secure installation of Vault with a Consul back-end configured for a few users and expanding to a highly available, federated installation that lets administrators, end users, and applications experience zero downtime from Vault unavailability.

Bio

Ali Hussain is CTO and co-founder at Flux7, an award-winning Austin based IT consulting company recognized by AWS for its proficiency in DevOps. As a HashiCorp Premier Systems Integration partner, Flux7 helps organizations establish a framework for repeatable deployments of Vault and Consul on top of their existing infrastructure or as part of a new infrastructure solution.


  1. Keeping secrets with Hashicorp Vault. June 12, 2017. Presenter: Ali Hussain
  2. About Flux7. Ali Hussain, Co-Founder & CTO, Flux7. Flux7: founded in 2013; team of 40+; headquartered in Austin, TX. Achievements: AWS DevOps, Migration, Healthcare, and Life Sciences Competencies; WAF service delivery partner; TechTarget's "Impact Best AWS Consulting Partner" three years in a row (2015, 2016 & 2017); Partner Recognition Award by AWS at re:Invent '15; customers featured on stage at AWS re:Invent four years in a row, and at two AWS Summits in 2016; Docker Foundation and authorized consulting partner; 150+ happy customers through word of mouth. Partnerships: Amazon Web Services, HashiCorp, Ansible, Docker, Jenkins, Chef.
  5. Technology SmartStarts introduce an enterprise to: infrastructure as code; config management; CI & CD of code; automated security; Docker containers; secret management; service catalog; web application firewalls; microservices. Audit services: security review; app architecture review; DevOps audit; cost efficiency audit. Engagement model: design & implement the foundation, adopt a pilot, engage the CoE.
  6. HashiCorp tools at Flux7. SmartStarts introduce an enterprise to: infrastructure as code: Terraform Enterprise; config management: Packer; CI & CD of code: Packer; automated security: Vault Enterprise; Docker containers: Nomad; secret management: Vault Enterprise; service catalog; web application firewalls; microservices: Consul. Audit services: security review; app architecture review; DevOps audit; cost efficiency audit. Design & implement the foundation, adopt a pilot, engage the CoE.
  7. The Problem
  8. Our ambitions: automate everything; everything needs to be defined in code. Sounds good until ...
  9. What about the passwords? Everyone remembers the advice "do not write passwords on a sticky note". But we can't depend on a human being to configure a password, so we need a secure mechanism to store and distribute passwords and other secrets.
  10. So what do we need? Day to day: the ability to provide correct access controls. If things go wrong: make it easy to remediate the issue. And make it easy to set up.
  11. So where can I put the secrets? Remember them; code; config management tools; custom configuration options; Hashicorp Vault.
  12. Remember them: no go, because it fails ease of use, and it is not as good as you think at access control.
  13. Code
  14. Code: automation is free; access control is very hard; SCMs never forget (a secret committed once stays in the repository history even after it is removed from the current revision).
  15. Config management tools: solve the problem fairly well; different platforms have their own pros and cons.
  16. Custom configuration options. Example: S3 encrypted with KMS. "Custom" always has its own problems.
  17. Hashicorp Vault
  18. Hashicorp Vault: takes secret management to the next level; automation friendly; secure.
  19. Automation friendly: complete API access; automatic rotation for several tools and platforms; integrations with Terraform and Consul Template.
  20. Automation friendly - app workflow (diagram with four participants: Vault, DB, SCM and App). 1. Generate the secret and save it to Vault. 2. Deploy the app from the SCM, with no secrets in it. 3. The app gets the secret from Vault. 4. Vault logs the access. 5. The app authenticates to the DB with the secret.
  21. Secure (diagram: Vault admins, storage backend, infrastructure, Vault users, applications). Authentication: ACLs; allow mutual SSL; integrations with existing auth systems. Storage backend: all data is encrypted. Vault admins: multiple Vault admins are needed to start Vault; a quorum of Vault admins would be needed to take malicious action. Applications: application auth; IP-based restrictions; secret rotation.
  22. Secure: access control; external threat protection; internal threat protection; integrations.
  23. Secure - Access Control: everything is a path; ACL rules apply on a given path; define the operation types available on a path.
  24. Secure - Access Control Example
      1. Create an HCL file called my-policy.hcl that grants read and write on the path "secret/foo". (The original slide had two stanzas for the same path using the legacy policy = "write" / policy = "read" form; when a path is repeated only the last stanza takes effect, so a single stanza listing the capabilities is the correct form.)

         path "secret/foo" {
           capabilities = ["create", "read", "update"]
         }

      2. Write the policy via the CLI: $ vault policy-write my-policy my-policy.hcl
      3. Assign the policy to a token: $ vault token-create -policy="my-policy"
      4. Access the path (after authenticating with the new token)
         Read: $ vault read secret/foo
         Write: $ vault write secret/foo value=bar
      Note: the hyphenated commands are the Vault 0.7-era CLI shown in the talk; from Vault 0.9.2 onward they are "vault policy write my-policy my-policy.hcl" and "vault token create -policy=my-policy".
  25. Secure - Internal threat protection: a quorum of Vault admins is needed to take high-risk actions. Storage is encrypted at rest; a Vault server cannot function unless unsealed; using Shamir's Secret Sharing algorithm, Vault is considered sealed until a quorum of admins enter their unseal keys. The keys are generated at init time, and each designated admin maintains one key.
  26. Secure - Internal threat protection
  27. Integrations. Authentication platforms: Okta, LDAP, RADIUS, GitHub, AWS. Target backends: SSH, PKI, AWS, databases. Includes credential authentication, authorization, and rotation.
  28. Challenges
  29. Secret Zero? How does an application server with no secret authenticate with Vault? How big a problem is it to overcome, and how big a problem is it to security?
  30. Secret Zero can be addressed by using a complete platform (Nomad; AWS with Parameter Store; Docker Enterprise) or by a custom solution: create a security broker that uses a secondary mechanism for authentication.
  31. Secret Zero - Security Broker (sequence diagram; participants: Developer, Admin, Broker, Prod server, Vault). Developer requests an AppRole for servicename. Admin creates the app-role and assigns the role permissions. Prod server requests Vault creds from the Broker. Broker validates the request using the AWS API and derives the role path as /auth/service/<servicename>. Broker reads the role to obtain the role-id, writes with -f to generate a secret-id, and returns role-id & secret-id to the Prod server. Prod server logs in with role-id and secret-id, reads the requested secret, and acks.
  32. Library Availability: dynamic secrets are an extremely powerful feature but need application changes (change application configurations dynamically; support for a reload operation). This creates a need for a restart in many applications.
  33. Library Availability: create custom code for updating the config; use Consul Template for updating config files; restart servers if there is no reload option; use Consul to implement a distributed lock to ensure one-at-a-time restarts.
  34. Best Practices
  35. Follow security best practices: use short lifecycles for secrets and tokens; observe the principle of least privilege.
  36. Delete the root token after initial setup: the root token can perform any action; delete it after setting up the initial admin accounts; it can be recreated using the key shares (which takes a quorum of unseal keys, so no single admin can do it alone).
  37. Always enable audit logging: it tracks every API request, its source, and the response; confidential information such as tokens and secret values is logged only as an HMAC, never in plaintext; create alerts on suspicious log entries.
  38. Be iterative in rollout: using advanced features may require app improvements; roll out something simple; make iterative improvements.
  39. Pay attention to organization: understand the access requirements in your org (team/service/app/business unit); create path prefixes accordingly; implement corresponding ACL roles.
  40. Summary
  41. Summary: Vault provides a secure solution for sharing and distributing secrets. Some challenges require customization for your needs. The stakes are extremely high, and you need to prepare accordingly.
  42. Thank You. Ali Hussain, CTO, Flux7.com, Austin, Texas. www.flux7.com @flux7Labs @Ali_A_Hussain
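
The quorum unseal in slide 25 rests on Shamir's Secret Sharing. The following is an added example written for this page, not Vault's own shamir package: it splits a key byte by byte into n shares over GF(2^8) (the AES reduction polynomial 0x11b is this example's choice; Vault's exact field and share encoding are not taken from the talk) and recombines any threshold-many shares by Lagrange interpolation at x=0. It also shows the property behind the sealed state: fewer shares than the threshold reconstruct garbage, and combine cannot tell an incomplete quorum from a complete one, which is why Vault verifies the result against the stored key before declaring itself unsealed.

```python
import secrets

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
# Assumption of this example: Vault also works byte-wise in GF(2^8), but the
# polynomial and share layout used here are not taken from Vault's source.
AES_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255) by shift-and-add with reduction."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^(2^8 - 2) = a^254 (Fermat in GF(2^8))."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_secret(secret: bytes, shares: int, threshold: int) -> list:
    """Split `secret` into `shares` parts; any `threshold` of them reconstruct it.

    Each byte gets its own random polynomial of degree threshold-1 whose constant
    term is that byte; share i holds the polynomial evaluated at x = i.
    """
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    xs = list(range(1, shares + 1))  # x = 0 would hand out the secret itself
    parts = [bytearray() for _ in xs]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for part, x in zip(parts, xs):
            part.append(_eval_poly(coeffs, x))
    return [(x, bytes(p)) for x, p in zip(xs, parts)]


def combine_shares(shares: list) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 from the given shares.

    With fewer shares than the threshold this still returns bytes, just not the
    secret: the algorithm itself gives no signal that the quorum was incomplete.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    out = bytearray()
    for idx in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            # Basis polynomial at 0: prod_{j != i} x_j / (x_j - x_i).
            # In characteristic 2 subtraction is xor and the signs vanish.
            num = den = 1
            for j, (xj, _) in enumerate(shares):
                if j != i:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xj ^ xi)
            acc ^= gf_mul(yi[idx], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # stands in for the key Vault protects
    parts = split_secret(master, shares=5, threshold=3)
    print("3 of 5 recovers key:", combine_shares(parts[:3]) == master)
    print("2 of 5 recovers key:", combine_shares(parts[:2]) == master)
```

Any three of the five shares suffice, and which three does not matter, so losing an admin (or two) does not lock the cluster; below the threshold the shares are information-theoretically independent of the key, which is what makes the per-admin key shares safe to hold individually.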
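
The app workflow of slide 20 and the AppRole hand-off of slide 31 meet in the application itself: it is deployed with no secret, receives a role-id and a secret-id, logs in, reads a dynamic credential and tracks the lease. The following is an added example written for this page, not Flux7's broker or Vault's own client library. It talks to the Vault HTTP API with only the standard library and assumes a Vault at VAULT_ADDR, the AppRole auth method mounted at auth/approle, a database secrets engine role at database/creds/app, and the role-id and secret-id injected as VAULT_ROLE_ID and VAULT_SECRET_ID; all of these names are assumptions, not taken from the talk. The parsing and lease bookkeeping are pure functions, so they can be exercised offline against constructed responses.

```python
import json
import os
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Assumptions (not from the slides): Vault at VAULT_ADDR, AppRole mounted at
# auth/approle, and a database secrets engine role at database/creds/app.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
DB_CREDS_PATH = "database/creds/app"


def _call(method: str, path: str, token: Optional[str] = None, body: Optional[dict] = None) -> dict:
    """Minimal Vault HTTP API client: X-Vault-Token header, JSON in and out."""
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    data = json.dumps(body).encode() if body is not None else None
    try:
        with urllib.request.urlopen(req, data=data, timeout=10) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as e:  # Vault returns JSON {"errors": [...]} on 4xx/5xx
        raw = e.read()
    return json.loads(raw) if raw else {}


def parse_login(resp: dict) -> tuple:
    """Extract (client_token, ttl seconds, policies) from an auth login response."""
    auth = resp.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise RuntimeError(f"login failed: {resp.get('errors')}")
    return token, int(auth.get("lease_duration", 0)), list(auth.get("policies", []))


@dataclass
class Lease:
    lease_id: str
    ttl: int
    renewable: bool
    issued_at: float
    data: dict

    def should_renew(self, now: float, fraction: float = 0.66) -> bool:
        """Renew once `fraction` of the TTL has elapsed; never on a non-renewable lease."""
        return self.renewable and (now - self.issued_at) >= self.ttl * fraction


def parse_lease(resp: dict, issued_at: float) -> Lease:
    """Turn a secrets-engine read response into a Lease the app can track."""
    if resp.get("data") is None:
        raise RuntimeError(f"no secret data: {resp.get('errors')}")
    return Lease(resp.get("lease_id", ""), int(resp.get("lease_duration", 0)),
                 bool(resp.get("renewable", False)), issued_at, resp["data"])


def approle_login(role_id: str, secret_id: str) -> tuple:
    """Exchange role_id + secret_id (from the broker) for a client token."""
    return parse_login(_call("POST", "auth/approle/login",
                             body={"role_id": role_id, "secret_id": secret_id}))


def fetch_db_credentials(token: str) -> Lease:
    """Step 3 of slide 20: read a dynamic DB credential; Vault audits the access (step 4)."""
    return parse_lease(_call("GET", DB_CREDS_PATH, token=token), issued_at=time.time())


def renew_lease(token: str, lease: Lease, increment: int) -> Lease:
    """Extend the lease via sys/leases/renew while keeping the same credentials."""
    resp = _call("PUT", "sys/leases/renew", token=token,
                 body={"lease_id": lease.lease_id, "increment": increment})
    return Lease(resp.get("lease_id", lease.lease_id), int(resp.get("lease_duration", 0)),
                 bool(resp.get("renewable", False)), time.time(), lease.data)


if __name__ == "__main__":
    # The app ships with no secret: role_id comes from config, secret_id is
    # injected at deploy time (the broker's job in slide 31).
    token, ttl, policies = approle_login(os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"])
    lease = fetch_db_credentials(token)
    print(f"token ttl={ttl}s policies={policies}; "
          f"db user={lease.data['username']} lease={lease.ttl}s renewable={lease.renewable}")
```

Two points the slide's boxes hide: the login response carries the token's own TTL, which is separate from the TTL of any lease obtained with it, and a credential that is not renewable must be re-read (new username and password) rather than renewed, which is exactly the configuration reload problem slides 32 and 33 describe.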
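
Slide 37 says to alert on suspicious audit log entries without saying what "suspicious" looks like in the log. The following is an added example written for this page, not Flux7's tooling: it scans constructed lines in the shape of Vault's file audit device output (one JSON object per line, "request" entries when a call arrives and "response" entries when it completes, token and secret values replaced by hmac-sha256 digests) and raises alerts for the cases the best-practice slides care about: a root token still in use after setup (slide 36), permission-denied responses, privileged changes under sys/, and requests from outside the expected networks. The sample lines, the allowed network and the privileged prefixes are this example's assumptions.

```python
import ipaddress
import json

# Assumptions for this example: app clients live in 10.0.0.0/8, and writes to
# these sys/ prefixes are privileged enough to always page on.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED_PREFIXES = ("sys/policies/", "sys/policy/", "sys/auth/", "sys/audit/",
                       "sys/mounts/", "sys/rotate", "sys/seal")
WRITE_OPS = {"create", "update", "delete"}

# Constructed audit lines (not captured from a real cluster) in the shape Vault's
# file audit device writes; secret values appear only as HMACs.
SAMPLE_LOG = r"""
{"time":"2017-06-12T15:00:01Z","type":"request","auth":{"client_token":"hmac-sha256:aa11","display_name":"approle","policies":["default","app"]},"request":{"id":"r1","operation":"read","path":"secret/app/db","remote_address":"10.0.1.5"},"error":""}
{"time":"2017-06-12T15:00:01Z","type":"response","auth":{"client_token":"hmac-sha256:aa11","display_name":"approle","policies":["default","app"]},"request":{"id":"r1","operation":"read","path":"secret/app/db","remote_address":"10.0.1.5"},"response":{"data":{"password":"hmac-sha256:bb22"}},"error":""}
{"time":"2017-06-12T15:02:10Z","type":"request","auth":{"client_token":"hmac-sha256:aa11","display_name":"approle","policies":["default","app"]},"request":{"id":"r2","operation":"read","path":"secret/admin/keys","remote_address":"10.0.1.5"},"error":""}
{"time":"2017-06-12T15:02:10Z","type":"response","auth":{"client_token":"hmac-sha256:aa11","display_name":"approle","policies":["default","app"]},"request":{"id":"r2","operation":"read","path":"secret/admin/keys","remote_address":"10.0.1.5"},"error":"permission denied"}
{"time":"2017-06-12T15:05:00Z","type":"request","auth":{"client_token":"hmac-sha256:cc33","display_name":"root","policies":["root"]},"request":{"id":"r3","operation":"update","path":"sys/policies/acl/admin","remote_address":"10.0.9.9"},"error":""}
{"time":"2017-06-12T15:07:42Z","type":"request","auth":{"client_token":"hmac-sha256:aa11","display_name":"approle","policies":["default","app"]},"request":{"id":"r4","operation":"read","path":"secret/app/db","remote_address":"203.0.113.7"},"error":""}
"""


def parse_audit_log(text: str) -> list:
    """One JSON object per non-empty line, as the file audit device writes them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alerts_for(entry: dict) -> list:
    """Return human-readable alerts for a single audit entry (empty if benign)."""
    alerts = []
    auth = entry.get("auth") or {}
    req = entry.get("request") or {}
    who = auth.get("display_name", "?")
    path = req.get("path", "")
    addr = req.get("remote_address", "")
    policies = auth.get("policies") or []
    kind = entry.get("type")
    if kind == "request":
        # Checks on who is asking and from where go on the request entry so
        # each call is reported once, not again on its response.
        if "root" in policies:
            alerts.append(f"root token used by {who} on {path} from {addr}")
        if path.startswith(PRIVILEGED_PREFIXES) and req.get("operation") in WRITE_OPS:
            alerts.append(f"privileged change to {path} by {who}")
        if addr and not any(ipaddress.ip_address(addr) in net for net in ALLOWED_NETWORKS):
            alerts.append(f"request from unexpected address {addr} by {who} on {path}")
    elif kind == "response" and "permission denied" in (entry.get("error") or ""):
        # The outcome is only known on the response entry.
        alerts.append(f"permission denied for {who} from {addr} on {path}")
    return alerts


def scan(text: str) -> list:
    """Scan a whole log and collect every alert in order."""
    return [alert for entry in parse_audit_log(text) for alert in alerts_for(entry)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

Because the audit device stores HMACs rather than values, searching the log for a specific token or secret means first asking Vault for that value's digest through the sys/audit-hash/<device> endpoint and then grepping for the hmac-sha256 string, which is the intended way to trace a leaked credential without the log itself becoming a second copy of the secret.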
