
London HUG 14/3

625 views

Published on

Amir Jerbi - AquaSec CTO

Published in: Technology


  1. Copyright © 2016 Aqua Security Software Ltd. All Rights Reserved. Who's Keeping your Secrets? Amir Jerbi, CTO and co-founder, Aqua Security
  2. DO YOU HAVE SECRETS?
     • Encryption keys
     • Database passwords
     • SSH keys
     • Cloud service tokens
  3. SECRETS ARE HEAVILY USED IN CONTAINERS
  4. AND SOMETIMES CAN BE USED INSECURELY…
  5. PASSING SECRETS TO CONTAINERS – WRONG WAY
     • Cleartext environment variables
     • Mounted volumes
     • Unauthenticated services (e.g. S3)
     • Saving secrets into images (please don't)
  6. CAN EXPOSE SECRETS TO THE HOST
     • "docker inspect …"
     • /proc/<pid>/environ
  7. PASSING SECRETS IS NOT THE ONLY CHALLENGE…
     • Controlling who can access a secret
     • Monitoring secret usage
     • Rotating secret values
     • De-provisioning a secret
  8. AVAILABLE SOLUTIONS
     • Kubernetes Secrets: https://kubernetes.io/docs/user-guide/secrets/
     • Docker Swarm Secrets: https://blog.docker.com/2017/02/docker-secrets-management/
     • DC/OS Secrets: https://docs.mesosphere.com/1.8/administration/secrets/
     • Keywhiz: https://github.com/square/keywhiz
     • HashiCorp Vault: https://www.vaultproject.io/
     • Comparison: https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d#.86vfvlk1t
  9. WHY HASHICORP VAULT?
     • Purpose built for secrets
     • Key rolling
     • Comprehensive access control
     • Expiration policies
     • Extendable
     • Easy to integrate
  10. CASE STUDY: AQUA SECURITY INTEGRATION WITH HASHICORP VAULT
     Solution highlights:
     • Central management
     • Secrets are never persisted to disk outside of Vault
     • Secured communications
     (Architecture diagram: Host 1, Host 2, Command Center, HashiCorp Vault)
  11. SECRETS ARE INJECTED INTO CONTAINERS
     • Through environment variables
     • Or a tmpfs-mounted volume
  12. SECRET ACCESS CONTROL
     • Control user and group access to secrets
  13. USAGE TRACKING
     • Track which containers are using secrets
  14. SECRET ROTATION & REVOCATION
     • Container secrets can be updated at runtime
     • No need to restart the container
     • Deleting a secret removes it from all running containers
  15. Q&A
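Slides 5 and 6 say that a secret passed as a cleartext environment variable is readable from the host through `docker inspect` or `/proc/<pid>/environ`. The following is an added example, not code from the talk or from Aqua, that shows exactly what a host-side reader gets in each case. It assumes Linux (it reads `/proc/<pid>/environ`), uses `sleep` and a second Python interpreter as stand-in workers, and uses a private temporary directory in place of the tmpfs mount a real container would get; the variable names `DB_PASSWORD` and `DB_PASSWORD_FILE` are illustrative.

```python
# Added example (not from the talk or from Aqua): what a host-side reader sees
# when a secret is passed to a process as an environment variable, versus when
# it is handed over as a file on a private directory that stands in for a
# tmpfs mount. Linux only: it relies on /proc/<pid>/environ.
import hashlib
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def environ_of(pid: int) -> dict:
    """Read a process's initial environment the way `docker inspect` (for the
    container config) or anyone with access to /proc on the host would.
    The file is NUL-separated KEY=VALUE pairs, readable by the same uid and by root."""
    proc_file = Path(f"/proc/{pid}/environ")
    if not proc_file.exists():
        raise RuntimeError("this demonstration needs Linux /proc")
    env = {}
    for entry in proc_file.read_bytes().split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def exposed_values(env: dict, secret: str) -> dict:
    """Variables whose value contains the secret: what the host-side reader gets for free."""
    return {k: v for k, v in env.items() if secret in v}


def _minimal_env(**extra: str) -> dict:
    # Only PATH (needed for the executable lookup) plus whatever the caller adds.
    return {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), **extra}


def leak_via_environment(secret: str) -> dict:
    """Wrong way: the secret rides in the worker's environment (assumed name DB_PASSWORD)."""
    child = subprocess.Popen(["sleep", "30"], env=_minimal_env(DB_PASSWORD=secret))
    try:
        # Popen returns after exec(), so /proc/<pid>/environ is already the worker's.
        return exposed_values(environ_of(child.pid), secret)
    finally:
        child.kill()
        child.wait()


# Worker that consumes a file-delivered secret; prints a digest so the parent
# can confirm delivery without the secret itself ever leaving the worker.
WORKER = (
    "import hashlib, os, time\n"
    "path = os.environ['DB_PASSWORD_FILE']\n"
    "with open(path) as f:\n"
    "    secret = f.read()\n"
    "os.unlink(path)  # consume once; nothing is left behind on the volume\n"
    "print(hashlib.sha256(secret.encode()).hexdigest(), flush=True)\n"
    "time.sleep(30)\n"
)


def handoff_via_file(secret: str) -> tuple:
    """Better: the secret sits in a mode-0600 file on a private directory (a
    tmpfs mount in a real container); the environment carries only the path.
    Returns (values visible via /proc, whether the worker received the secret)."""
    with tempfile.TemporaryDirectory() as workdir:   # stands in for the tmpfs mount
        path = Path(workdir) / "db_password"
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(secret)
        child = subprocess.Popen(
            [sys.executable, "-c", WORKER],
            env=_minimal_env(DB_PASSWORD_FILE=str(path)),
            stdout=subprocess.PIPE,
            text=True,
        )
        try:
            digest = child.stdout.readline().strip()   # worker has read and unlinked the file
            received = digest == hashlib.sha256(secret.encode()).hexdigest()
            return exposed_values(environ_of(child.pid), secret), received
        finally:
            child.kill()
            child.wait()
            child.stdout.close()
```

`docker inspect` shows the same thing for a container started with `-e DB_PASSWORD=...`: the value sits in the container's `Config.Env` for anyone with access to the Docker socket. A process cannot repair this after the fact: `/proc/<pid>/environ` is the memory region that held the initial environment, so `unsetenv()` does not scrub it. With the file handoff the environment holds only a path, and the file is gone once the worker has read it.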
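Slide 9's "key rolling" and "expiration policies", and the rotation and revocation on slide 14, rest on Vault's lease model: a dynamic secret comes with a lease that must be renewed before it expires and can be revoked centrally. The following is an added example, not code from the talk, from Aqua or from HashiCorp, written against Vault's HTTP API (`GET /v1/<path>`, `PUT /v1/sys/leases/renew`, `PUT /v1/sys/leases/revoke`, token in `X-Vault-Token`) with a pluggable transport so the flow can be exercised offline. The Vault address, the token value, the `database/` secrets engine with a role named `app`, and every value returned by `FakeVault` are constructed for the example, not facts from the slides.

```python
# Added example (not from the talk, Aqua or HashiCorp): the lease lifecycle
# behind "expiration policies" and "key rolling" in Vault. Assumed setup: a
# database secrets engine mounted at database/ with a role "app", and a token
# whose policy allows reading database/creds/app and managing its leases.
import json
import time
import urllib.request


def http_transport(method: str, url: str, token: str, body=None) -> dict:
    """One Vault HTTP call: token in X-Vault-Token, JSON in and out. A token
    whose policy does not cover the path gets a 403 (urllib.error.HTTPError)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class LeasedSecret:
    """A dynamic secret and its lease: fetched once, renewed before it
    expires, revoked when the consumer goes away."""

    def __init__(self, addr, token, transport=http_transport, clock=time.monotonic):
        self.addr, self.token = addr.rstrip("/"), token
        self.transport, self.clock = transport, clock
        self.data, self.lease_id, self.renewable = None, None, False
        self.lease_duration, self.expires_at = 0.0, 0.0

    def _call(self, method, path, body=None):
        return self.transport(method, f"{self.addr}/v1/{path}", self.token, body)

    def _track(self, resp):
        # Vault reports the TTL it actually granted; never trust a local guess.
        self.lease_id = resp.get("lease_id") or self.lease_id
        self.renewable = bool(resp.get("renewable"))
        self.lease_duration = float(resp.get("lease_duration", 0))
        self.expires_at = self.clock() + self.lease_duration

    def fetch(self, path):
        """GET /v1/<path>, e.g. database/creds/app, which mints a fresh
        database user with its own lease."""
        resp = self._call("GET", path)
        self.data = resp["data"]
        self._track(resp)
        return self.data

    def needs_renewal(self, margin=0.25):
        """True once less than `margin` of the granted lease remains."""
        return (self.expires_at - self.clock()) < margin * self.lease_duration

    def renew(self, increment=None):
        """PUT /v1/sys/leases/renew; Vault may grant less than `increment`."""
        if not self.renewable:
            raise RuntimeError("lease is not renewable; fetch a new secret instead")
        body = {"lease_id": self.lease_id}
        if increment is not None:
            body["increment"] = increment
        self._track(self._call("PUT", "sys/leases/renew", body))
        return self.lease_duration

    def revoke(self):
        """PUT /v1/sys/leases/revoke: Vault deletes the database user, so the
        credential stops working everywhere at once, not only in this process."""
        self._call("PUT", "sys/leases/revoke", {"lease_id": self.lease_id})
        self.data, self.lease_id, self.expires_at = None, None, 0.0


class FakeVault:
    """Constructed stand-in for a Vault server so the flow runs offline.
    Response shapes follow Vault's HTTP API; every value is made up."""

    def __init__(self):
        self.revoked = []

    def __call__(self, method, url, token, body=None):
        path = url.split("/v1/", 1)[1]
        if token != "s.example-token":        # stands in for Vault's policy check
            raise PermissionError("403 permission denied")
        if (method, path) == ("GET", "database/creds/app"):
            return {"lease_id": "database/creds/app/abc123", "lease_duration": 3600,
                    "renewable": True,
                    "data": {"username": "v-token-app-xyz", "password": "A1b2C3d4"}}
        if (method, path) == ("PUT", "sys/leases/renew"):
            return {"lease_id": body["lease_id"], "renewable": True,
                    "lease_duration": body.get("increment", 3600)}
        if (method, path) == ("PUT", "sys/leases/revoke"):
            self.revoked.append(body["lease_id"])
            return {}
        raise KeyError(f"{method} {path}")


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_lifecycle():
    """Fetch, let most of the hour pass, renew, then revoke on shutdown."""
    vault, clock = FakeVault(), FakeClock()
    secret = LeasedSecret("http://127.0.0.1:8200", "s.example-token", vault, clock)
    creds = secret.fetch("database/creds/app")
    events = [("fetched", creds["username"], secret.needs_renewal())]
    clock.now += 3000                          # 50 min in: under 25 % of the lease left
    events.append(("late", secret.needs_renewal()))
    secret.renew(increment=3600)
    events.append(("renewed", secret.needs_renewal()))
    secret.revoke()
    events.append(("revoked", vault.revoked))
    return events
```

Against a real server, pass `http_transport` (the default) and `time.monotonic` instead of the fakes. The design point is that rotation and revocation are driven by Vault, not by the consumer: the consumer only tracks the TTL Vault granted, renews while the lease is still valid, and revokes on exit so a credential that leaked from a dead container is already useless.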
