Secret Management Journey - Here Be Dragons aka Secret Dragons
whoami
Marcus Maxwell
Technical Consultant
● AWS Certified Solutions Architect - Professional
● Certified Kubernetes Administrator
https://twitter.com/mindful_monk
marcus.maxwell@contino.io
Agenda
● History of Secrets (plain text files, encrypted spreadsheets, pwman, KeePass, passwordstore)
● Keeping secrets with ansible-vault
● Keeping secrets with Jenkins
● Trying to use Enterprise Secret Stores (CyberArk)
● DevOps Secret Stores 2.0 (HashiCorp Vault, Conjur, Keywhiz)
Who uses HashiCorp Vault?
History of Secrets
Physical Secrets
● Post-it notes
● Notebook
● Single password in your head
Plaintext files
● Still in use
● Sometimes base64 encoded
● Sometimes hashed
● Sometimes on NFS
● Post-it note on the Windows desktop
● OneNote
Confluence/SharePoint
● Locked down access
● Sometimes with a fancy plugin
https://www.servicerocket.com/add-on/security-and-encryption
Spreadsheets
● Usually on an NFS share
● Hopefully password protected
● Outdated like hell
● Pretty much used by everyone outside the IT department
Old apps still in use
● Password Safe (pwsafe.org), made by Bruce Schneier, probably the most common solution inside teams
● KeePass
The various git methods
● git-crypt
● BlackBox https://github.com/StackExchange/blackbox
● pass (GPG-encrypted files)
CM Tools
● Puppet - Hiera eyaml
● Chef - encrypted data bags
● Ansible Vault
Enterprise Solutions
● CyberArk
● Thycotic Secret Server
● Pleasant Password Server
Browser-based password managers
● LastPass
● Dashlane
● 1Password
Jenkins
Cloud Based
● CredStash https://github.com/fugue/credstash
● AWS Secret Store (Parameter Store)
● Azure Key Vault
● Confidant (secrets in DynamoDB)
● Sneaker (secrets in S3 buckets)
Container Native
● Kubernetes Secrets
● Docker Secrets
● Rancher Secrets
● Aquasec Secrets
The New Wave
● HashiCorp Vault
● Keywhiz
● Conjur
Problems with Secret Management
● If the store gets compromised, how do I rotate all my secrets? Most tools have no support for that
● Lack of granular permissions
● Chicken-and-egg problem: where do you keep the password that decrypts the passwords? (Secure Introduction)
● They completely break down once you try to use them in a more dynamic environment
● Usually no AD integration
● Enterprise solutions cost an arm and a leg
A note on SSL Certificates
● Usually out of scope
● Usually managed by some team nobody really knows about
● Rarely an API to get one
● Usually takes 1-2 weeks and requires filling out a 10-page .doc
● People just don’t bother and have invalid cert errors all the time
● curl -k yo
● Many better options available: HashiCorp Vault, Lemur, Cloudflare SSL
Some tips
● APIs or GTFO
● Dynamic > Static
● Optimize for rotating secrets in the whole estate
● Ensure self-service
● Validate the container use case first, as most solutions won’t fit it and can be discarded
Summary
● Talk to the developers
● Find out how secrets are currently being stored in your organization
● Come up with a transition plan
● Start on-boarding teams to the new secret store
● And most importantly, don’t end up like this
Learn more
● Modern Secret Management with Vault: https://www.youtube.com/watch?v=iqigxGccezI
● Vault vs other products: https://www.vaultproject.io/intro/vs/index.html
● [Webinar] Securing Ansible Deployments With HashiCorp Vault: https://www.youtube.com/watch?v=wCTgi6fKXcM
Questions?
Contino | contino.io | info@contino.io | @ContinoHQ