Ryan Lane - Jun 13, 2016
Identity, Access and Secret Management
InfoQ.com: News & Community Site
• 750,000 unique visitors/month
• Published in 4 languages (English, Chinese, Japanese an...
Presented at QCon New York
www.qconnewyork.com
Purpose of QCon
- to empower software development by facilitating the sprea...
Example service
Example service
Example service
Example service Multiple environments
Identity
SaaS/Web Services
SSO with API
SSO without API
No SSO with API
No SSO, without API
EC2 user identity
SSO:
SAML
SSO: SAML
• Google
• Onelogin
• Okta
• Ping Identity
• …
Providers:
SSO: OpenID
Dead end.
SSO: OpenID Connect (OAuth2 + OpenID)
• Google
• Facebook
• Okta
• Ping Identity
• …
Providers:
No SSO…
No SSO with API
SSO with API
No SSO, No API
Secrets Files
No SSO, No API
Password
Management.
What
about
LDAP?
Die In a Fire, LDAP
nsscache
Die In a Fire, LDAP
Access controls
Ensuring
least
privilege
Access Control
Access Control
Access Control
Docker
Access Control
Docker
SSH management
SSH management
SSH management
Secrets
Limiting
footprint,
scope, and
access.
Hardcoded
Secrets
Secret Management
GPG
Sneaker
Vault
Confidant
KMS Auth Token
token = kms_client.encrypt(
KeyId=‘alias/authnz’,
Plaintext=(
’{“not_before”:“20160613T100000Z”,’
‘”not_aft...
IAM policy
‘confidant-authnz-encrypt’:
Version: ‘2012-10-17’
Statement:
- Action:
- ‘kms:Encrypt’
Effect: ‘Allow’
Resource: ...
IAM policy
‘confidant-authnz-decrypt’:
Version: ‘2012-10-17’
Statement:
- Action:
- ‘kms:Decrypt’
Effect: ‘Allow’
Resource: ...
Service to service auth
User to service auth
Bandit
Bandit
Thank
You.
@squiddlane
rlane@lyft.com
Watch the video with slide synchronization on
InfoQ.com!
https://www.infoq.com/presentations/lyft-
security-cloud
Access and Secret Management in Cloud Services
Access and Secret Management in Cloud Services
Prochain SlideShare
Chargement dans…5
×

Access and Secret Management in Cloud Services

222 vues

Publié le

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2bO7jt1.

Ryan Lane talks about the methods for handling various types of security problems in cloud services as well as the tools they use at Lyft including Google SAML/OAuth2, Octa for identity management/SSO, Confidant, Vault, Sneaker, Credstash and Keywhiz for secret management, Confidant and KMS for secure bootstrapping, and metadataproxy and ec2metaproxy for limiting access to Docker containers. Filmed at qconnewyork.com.

Ryan Lane is a Security Engineer at Lyft. He's the maintainer of a number of Lyft's Open Source security products, like Confidant, metadataproxy and bandit-high-entropy-string. Ryan also wrote and maintains the AWS orchestration code in SaltStack and is a major contributor to Wikimedia and OpenStack projects.

Publié dans : Technologie
0 commentaire
0 j’aime
Statistiques
Remarques
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

Aucun téléchargement
Vues
Nombre de vues
222
Sur SlideShare
0
Issues des intégrations
0
Intégrations
1
Actions
Partages
0
Téléchargements
0
Commentaires
0
J’aime
0
Intégrations 0
Aucune incorporation

Aucune remarque pour cette diapositive

Access and Secret Management in Cloud Services

  1. 1. Ryan Lane - Jun 13, 2016 Identity, Access and Secret Management
  2. 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ lyft-security-cloud
  3. 3. Presented at QCon New York www.qconnewyork.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
  4. 4. Example service
  5. 5. Example service
  6. 6. Example service
  7. 7. Example service Multiple environments
  8. 8. Identity SaaS/Web Services SSO with API SSO without API No SSO with API No SSO, without API EC2 user identity
  9. 9. SSO: SAML
  10. 10. SSO: SAML • Google • Onelogin • Okta • Ping Identity • … Providers:
  11. 11. SSO: OpenID Dead end.
  12. 12. SSO: OpenID Connect (OAuth2 + OpenID) • Google • Facebook • Okta • Ping Identity • … Providers:
  13. 13. No SSO…
  14. 14. No SSO with API
  15. 15. SSO with API
  16. 16. No SSO, No API
  17. 17. Secrets Files
  18. 18. No SSO, No API Password Management.
  19. 19. What about LDAP?
  20. 20. Die In a Fire, LDAP nsscache
  21. 21. Die In a Fire, LDAP
  22. 22. Access controls Ensuring least privilege
  23. 23. Access Control
  24. 24. Access Control
  25. 25. Access Control Docker
  26. 26. Access Control Docker
  27. 27. SSH management
  28. 28. SSH management
  29. 29. SSH management
  30. 30. Secrets Limiting footprint, scope, and access.
  31. 31. Hardcoded Secrets
  32. 32. Secret Management
  33. 33. GPG
  34. 34. Sneaker
  35. 35. Vault
  36. 36. Confidant
  37. 37. KMS Auth Token token = kms_client.encrypt( KeyId=‘alias/authnz’, Plaintext=( ’{“not_before”:“20160613T100000Z”,’ ‘”not_after”:“20160613T110000Z”}’ ), EncryptionContext={ ‘from’: ‘service-a’, ‘to’: ‘service-b’, ‘user_type’: ‘service’ } )[‘CiphertextBlob’]
  38. 38. IAM policy ‘confidant-authnz-encrypt’: Version: ‘2012-10-17’ Statement: - Action: - ‘kms:Encrypt’ Effect: ‘Allow’ Resource: ‘arn:aws:kms:us-east-1:1234:key/…’ Condition: StringEquals: ‘kms:EncryptionContext:from’: ‘service-a‘ ‘kms:EncryptionContext:user_type’: ‘service’ StringLike: ‘kms:EncryptionContext:to’: ‘*’
  39. 39. IAM policy ‘confidant-authnz-decrypt’: Version: ‘2012-10-17’ Statement: - Action: - ‘kms:Decrypt’ Effect: ‘Allow’ Resource: ‘arn:aws:kms:us-east-1:1234:key/…’ Condition: StringEquals: ‘kms:EncryptionContext:to’: ‘confidant-production’ ‘kms:EncryptionContext:user_type’: ‘*’ StringLike: ‘kms:EncryptionContext:from’: ‘*’
  40. 40. Service to service auth
  41. 41. User to service auth
  42. 42. Bandit
  43. 43. Bandit
  44. 44. Thank You.
  45. 45. @squiddlane rlane@lyft.com
  46. 46. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/lyft- security-cloud

×