Secret Management Journey - In the beginning there was a file and it contained all the passwords in plain text, but then someone stole all the passwords, so we don't do that anymore. In this talk I will explore how secret management has evolved over the years, what the common path to maturity is, what good looks like and why "Just use HashiCorp Vault" is a good heuristic. Explore with me the perils of storing secrets in Jenkins, how ansible-vault leads to disasters and where CyberArk Conjur sits in all of this.
10. Secret Dragons
Plaintext files
● Still in use
● Sometimes base64 encoded
● Sometimes hashed
● Sometimes on NFS
● Post-it note on the windows desktop
● OneNote
14. Secret Dragons
Spreadsheets
● Usually on an NFS
● Hopefully password protected
● Outdated like hell
● Pretty much used by everyone not in the IT department
16. Secret Dragons
Old apps still in use
● Password Safe (pwsafe.org), probably the most common solution inside teams, made by Bruce Schneier
● KeePass
18. Secret Dragons
The various git methods
● git-crypt
● BlackBox https://github.com/StackExchange/blackbox
● pass - gpg file
33. Secret Dragons
Problems with Secret Management
● If it gets compromised, how do I rotate all my secrets? Most don’t have support for that
● Lack of granular permissions
● Chicken and egg problem: where do you keep the password to decrypt the passwords? (Secure Introduction)
● Start to completely break down once you try to use them in a more dynamic atmosphere
● Usually no AD integration
● Enterprise solutions cost an arm and a leg
35. Secret Dragons
A note on SSL Certificates
● Usually out of scope
● Usually managed by some team nobody really knows about
● Rarely an API to get one
● Usually takes 1-2 weeks and requires filling out a 10 page .doc
● People just don’t bother and have invalid cert errors all the time
● curl -k yo
● Many better options available: HashiCorp Vault, Lemur, cloudflare ssl
36. Secret Dragons
Some tips
● APIs or GTFO
● Dynamic > Static
● Optimize for rotating secrets in the whole estate
● Ensure self-service
● Validate container use-case as most solutions won’t fit and can be discarded
38. Secret Dragons
Summary
● Talk to the developers
● Find out how secrets are currently being stored in your organization
● Come up with a transition plan
● Start on-boarding teams to the new secret store
● and most importantly don’t end up like this
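The first step in the summary above (find out how secrets are currently stored) and the earlier "plaintext files, sometimes base64 encoded" slide both come down to an inventory scan. The following Python is an added example, not code from the talk or from Contino, and its sample config is constructed: it flags credential-bearing lines and decodes base64 values on the way, which shows that encoding adds no protection.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample config of the "plaintext files" kind: one raw credential
# and one that was base64-encoded so it "looks" protected (decodes to Sup3rS3cr3t).
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
password = hunter2-prod
[api]
token = U3VwM3JTM2NyM3Q=
"""

# Keys that usually carry a credential; the value is whatever follows = or :
SECRET_KEY = re.compile(r"^\s*(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*(.+?)\s*$", re.I)
# Shape of a base64 token (heuristic: alphabet, minimum length, optional padding)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

@dataclass
class Finding:
    line_no: int
    key: str
    kind: str      # "plaintext" or "base64"
    revealed: str  # the credential as anyone who can read the file gets it

def decode_if_base64(value: str):
    """Return the decoded text if value is base64 of printable text, else None."""
    if not B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad padding/alphabet, or binary
        return None
    return text if text.isprintable() else None

def scan(config_text: str) -> list:
    """Inventory credential-bearing lines; base64 values are decoded on the way,
    which is the whole point: encoding is not encryption."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = SECRET_KEY.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip("\"'")
        decoded = decode_if_base64(value)
        if decoded is None:
            findings.append(Finding(line_no, key, "plaintext", value))
        else:
            findings.append(Finding(line_no, key, "base64", decoded))
    return findings
```

Run `scan(SAMPLE_CONFIG)` to get both credentials back as readable text; point the same function at real config files to build the inventory the transition plan needs.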
40. Secret Dragons
Learn more
● Modern Secret Managements with Vault https://www.youtube.com/watch?v=iqigxGccezI
● Vault vs other products https://www.vaultproject.io/intro/vs/index.html
● [Webinar] Securing Ansible Deployments With HashiCorp Vault https://www.youtube.com/watch?v=wCTgi6fKXcM
41. Secret Dragons
QUESTIONS ?
Contino - contino.io - info@contino.io - @ContinoHQ
● London: 1 Fore Street, Moorgate, London, EC2Y 9DT, UK - london@contino.io
● New York: 404 5th Avenue, New York, NY 10018, United States - newyork@contino.io
● Melbourne: Level 2, Hub Southern Cross, 696 Bourke St, Melbourne VIC 3000, Australia - melbourne@contino.io
● Sydney: 5 Martin Place, Sydney NSW 2000, Australia - sydney@contino.io
● Boston: 745 Atlantic Ave, Boston, MA 02111, United States - hello@contino.io
● Atlanta: 3340 Peachtree Rd NE, STE 1010, Atlanta, GA 30326, United States - hello@contino.io