Vault and Security as a Service

•

0 j'aime•259 vues

Slides for Vault talk at The Lead Dev conference in Austin 2018. Given as a 10-minute lightning talk on what Vault is, security-through-observability, and how to get started with secret management.

Technologie

Vault + Security as a Service
Pat Shields
Bronto Software
twitter.com/patrickmshields
linkedin.com/in/ihavenoideawhatimdoinggif

A Developer’s Perspective
• Database Password Storage
• Data Encryption
• Production Access Control

I. The Pickle We’re In
II. Secret Management
III. Audit Trails
IV. Where To Go From Here

Monolithic Web Architecture
Load
Balancer
monolith-prod-001
monolith-prod-002
monolith-prod-003
DB

Current Web Architecture
Container
Container
Container
Container
Container
Container
Container
Cluster Managed Env
DB
DB
Kafka
No
SQL
Random
VM
Random
VM
Analytics Cluster
Spark Job
MR Job

https://arstechnica.com/information-technology/2013/01/psa-dont-upload-your-important-passwords-to-github/

https://arstechnica.com/information-technology/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/

Secret Management
“If I can’t put the password
in the conﬁg ﬁle then where
does it go?”
or

$Prototypical Secret Management service-prod-001 vault DB authenticate token write /secrets/my_app {db-pass: temp123}$

$Prototypical Secret Management service-prod-001 vault DB read /secrets/my_app authenticate token write /secrets/my_app {db-pass: temp123}$

$service-prod-001 vault DB Prototypical Secret Management read /secrets/my_app authenticate token write /secrets/my_app {db-pass: temp123} auth?pass=temp123$

Dynamically Generated
Secrets
Oracle
MongoDB
Consul
Cassandra
MSSQL
MySQL
SSH PKI

$Prototypical Secret Management service-prod-001 vault DB read /secrets/my_app authenticate token write /secrets/my_app {db-pass: temp123} auth?pass=temp123$

Authentication
Humans Machines
LDAP
Github
AWS
Google Cloud
Okta
AppRole
TLS
Kubernetes
AWS EC2
Google Cloud

Vault Audit Trail
A record of every operation against Vault

${ "time": "2017-10-24T15:49:36Z", "type": "response", "auth": { "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d", "accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1", "display_name": "ldap-bill.gates", "policies": ["windoze-95"], "metadata": { "username": "bill.gates" } }, "request": { "id": "69d4258a-fc3e-d247-d471-769a27bcd755", "operation": "list", "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d", "client_token_accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1", "path": “secret/redmond/windoze/", "data": null, "remote_address": "192.168.1.1", "wrap_ttl": 0, "headers": {} }, "response": { "data": { "keys": ["hmac-sha256:3c90f99095c7f16cfeaaa7471922912cb7d1280161eddb9a94c4dfe16a7f998e"] } }, "error": "" }$

Response Wrapping Example
deployer-prod-001vault
service-prod-001audit-log.json

Response Wrapping Example
deployer-prod-001vault
service-prod-001
read /secrets/passwd
audit-log.json

Response Wrapping Example
deployer-prod-001vault
service-prod-001
read /secrets/password
audit-log.json
vault/links/123
deployer-prod-001
requested /secrets/passwd
wrapped
TTL 15 seconds
Only one use!

Response Wrapping Example
deployer-prod-001vault
service-prod-001audit-log.json
vault/links/123

Response Wrapping Example
deployer-prod-001vault
service-prod-001audit-log.json
read vault/links/123

Response Wrapping Example
deployer-prod-001vault
service-prod-001audit-log.json
read vault/links/123
password!
service-prod-001
read links/123

Start Today
Use as a team or organizational
password manager

Start Today
Use a “seed” secrets system or
cloud provider auth backend

Start Today
Expose your applications to Vault

Key Management
+
Encryption as a Service
RSA AES HMACSHA
Secure Random Bytes!

I. What Problems Does Vault Solve?
II. Using Vault To Access DB Password

I. What Problems Does Vault Solve?
II. Using Vault To Access DB Password
III. Authenticating With Vault

I. What Problems Does Vault Solve?
II. Using Vault To Access DB Password
III. Authenticating With Vault
IV. Audit Trails and Response Wrapping

I. What Problems Does Vault Solve?
II. Using Vault To Access DB Password
III. Authenticating With Vault
IV. Audit Trails and Response Wrapping
V. How To Get Started

David Helms for helping me deploy Vault at Bronto
Lead Dev for inviting me and helping me with this talk
You for listening
https://www.vaultproject.io/

Contenu connexe

Tendances

Day by day, technology introduces new changes affecting several aspects of everyone's life, from private individuals to industry. In such ever changing world, cutting edge research on application security is one of the topics that requires attention in order to keep up with this. Minded Security, since the beginning of its mission, has been focusing on application security research in order to professionally support analysis and mitigation of old and new threats for our customers. This talk will go through some of the research performed by Minded Security improving the quality of security and privacy of our customers.

Ieee S&P 2020 - Software Security: from Research to Industry.

Minded Security

You just cannot imagine the Web without audio and video services. Up until now, if you want to include streaming media content in your websites or applications, you need to rely on third party services or massive computing capacity for media transcoding, and streaming to a range of client devices. With the release of Windows Azure Media Services and the Media Services SDK, these capabilities are becoming easily available for you to incorporate in your websites and applications. In this session we'll give an overview of Windows Azure Media Services, and you'll learn from a series of demos how you can take advantage of the platform to add media content to your development. We'll also see what the competition has in store and what's missing.

Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...

Mike Martin

Veil Evasion and Client Side Attacks

n|u - The Open Security Community

Mod Security

Abhishek Singh

Introduction to vault

Henrik Høegh

As developers, we build great things. The next step is to protect this work and our precious data, sometimes the crown jewels of the company. This extensive presentation is an introduction into information security, with many tips and thoughts for developers. It focuses on the benefits of applying information security, and how to use it in your work. Michael Boelen has a background in Linux security. He is the developer of several open source tools. This presentation includes some tips specifically for Linux, although most principles are applicable on all platforms.

Linux Security for Developers

Michael Boelen

Appsec DC - wXf -2010

Chris Gates

In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated: -AWS Hardening -AWS Monitoring -AWS Disaster Recovery -GitHub Monitoring -OPINT -Software Development Practices/Processes -Secure use of Jenkins/Hudson -Developer laptop hardening (OS X)

DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016

Chris Gates

After my offensive presentation "Testing iOS Apps without Jailbreak in 2018" it is time to focus also on building not just breaking. This talk will cover the most important milestones in reaching secure iOS/macOS apps. I'm going to show you how to develop modern & secure iOS/macOS apps using new security features presented at the latest Apple's Worldwide Developers Conference. Hackers will be satisfied as well, since I'm going to cover also pen tester's perspective. What's more - I will share with you details of multiple vulnerabilities (*including not disclosed previously*) that I found during security assessments and my research of Apple's applications.

Building & Hacking Modern iOS Apps

SecuRing

Spring Security 5.5 From Taxi to Takeoff

VMware Tanzu

Node JS reverse shell

Madhu Akula

[OWASP Poland Day] Saving private token

OWASP

[OWASP Poland Day] A study of Electron security

OWASP

Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures. 1. Be Secure by Design 2. Scan Dependencies 3. Use HTTPS Everywhere 4. Use Access and Identity Tokens 5. Encrypt and Protect Secrets 6. Verify Security with Delivery Pipelines 7. Slow Down Attackers 8. Use Docker Rootless Mode 9. Use Time-Based Security 10. Scan Docker and Kubernetes Configuration for Vulnerabilities 11. Know Your Cloud and Cluster Security Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Security Patterns for Microservice Architectures - SpringOne 2020

Matt Raible

HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)

Igalia

Csp and http headers

ColdFusionConference

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

Nick Maludy

In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is.

The Anatomy of Java Vulnerabilities

Steve Poole

[Wroclaw #5] OWASP Projects: beyond Top 10

OWASP

The presentation focuses on the whole process of security testing and present it by analogies to the web applications which are quite well-known. It covers the whole SDLC and show the similarities and differences in the arsenal of vulnerabilities, security tools and standards between the smart contracts and web applications on each step. Even though there exist a lot of great security projects for smart contracts, we do not have single, widely accepted security standard (such as ASVS in web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), a open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

SecuRing

Tendances (20)

Ieee S&P 2020 - Software Security: from Research to Industry.

Lights, Camera, Action - Windows Azure Media Services on the Loose - the Azug...

Veil Evasion and Client Side Attacks

Mod Security

Introduction to vault

Linux Security for Developers

Appsec DC - wXf -2010

DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016

Building & Hacking Modern iOS Apps

Spring Security 5.5 From Taxi to Takeoff

Node JS reverse shell

[OWASP Poland Day] Saving private token

[OWASP Poland Day] A study of Electron security

Security Patterns for Microservice Architectures - SpringOne 2020

HTTPS: Achievements, Challenges, and Epiphany (Web Engines Hackfest 2015)

Csp and http headers

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

The Anatomy of Java Vulnerabilities

[Wroclaw #5] OWASP Projects: beyond Top 10

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

Similaire à Vault and Security as a Service

[Wroclaw #9] The purge - dealing with secrets in Opera Software

OWASP

With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.

AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers

Lewis Ardern

All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler. This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence. From DeliveryConf 2020

Pragmatic Pipeline Security

James Wickett

Building an Automated Security Fabric in AWS

Amazon Web Services

Javacro 2014 Spring Security 3 Speech

Fernando Redondo Ramírez

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

WhiteSource

Containers are shaping the way organizations are developing and managing applications nowadays. However, many are not always fully aware of the measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security aspects. The mindset of securing our applications needs to be shifted – to continuous security. In this session, Shiri Ivstan, Product Manager at WhiteSource, will discuss: 1) the main security challenges organizations face when using containers; 2) the most common layers in a typical container deployment; and 3) 4 simple steps to build security into each layer.

From Zero to Hero: Continuous Container Security in 4 Simple Steps

DevOps.com

Essential security measures in ASP.NET MVC

Rafał Hryniewski

Working on DevSecOps culture - a team centric view

Patrick Debois

Stay safe, grab a drink and join us virtually for our upcoming "The Hacking Game - A Road to Post Exploitation" meetup to learn how hackers can compromise the software supply chain, advanced data protection methods on WebLogic Server and how to use AI in order to protect your software. Agenda: 17:00 - 17:10 - 'Opening words' - by Gidi Farkash (CISO at Pipl Security) 17:10 - 17:40 - 'Tracking Attackers in Open Source Supply Chain - Lessons Learned' - by Jossef Harush Kadouri (Head of Software Supply Chain Security at Checkmarx) 17:40 - 18:20 - 'WebLogic - The Road to Post Exploitation' - by Amit German (Cyber Security Researcher at Pentera) 18:20 - 19:00 - 'AI In The Hands of Application Security' - by Brit Glazer (Head of Information Security at Unit)

The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx

lior mazor

Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services. Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India

Continuous Delivery, Continuous Integration

Amazon Web Services

Using Security to Build with Confidence in AWS - Trend Micro

Amazon Web Services

Finding Security a Home in a DevOps World

Shannon Lietz

Managing secrets in a distributed cloud world requires a new approach to security. Applications and systems are now frequently created and destroyed. The network between distributed clouds, applications, and systems is low-trust, furthering the complexities of secrets sprawl. So, what is the solution? HashiCorp Vault seeks to solve the problem of secret sprawl by centralizing secrets management in a scalable, repeatable workflow to be able to create, manage, and revoke secrets as needed. Watch this webinar to learn: - How Vault addresses today’s security threats - How security teams can use Vault to store and manage all their secrets across their private and public infrastructure, globally. - How Adobe reduced secret sprawl, increased operational performance of a key security process, and processes 100 trillion transactions with Vault For full webinar recording: https://hashicorp.com/resources/eliminating-secret-sprawl-in-the-cloud

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018

HashiCorp

Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Attack Chaining: Advanced Maneuvers for Hack Fu

Rob Ragan

Secure coding presentation Oct 3 2020

Moataz Kamel

Cloudefigo - From zero to secure in 1 minute

Israel AWS User Group

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

fangjiafu

Cyber Kill Chain: Web Application Exploitation

Prathan Phongthiproek

In a world with increasingly sophisticated adversaries employing both targeted and automated attacks, what can we do to keep our users and our web apps safe? While Rails provides pretty decent security options straight out of the box, we can go further and make attacks more difficult to accomplish. For example, why and how to implement a Content Security Policy. Should you use HTTP Public Key Pinning? How do you know if you've configured HTTPS correctly?

Rails security: above and beyond the defaults

Matias Korhonen

Similaire à Vault and Security as a Service (20)

[Wroclaw #9] The purge - dealing with secrets in Opera Software

AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers

Pragmatic Pipeline Security

Building an Automated Security Fabric in AWS

Javacro 2014 Spring Security 3 Speech

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

From Zero to Hero: Continuous Container Security in 4 Simple Steps

Essential security measures in ASP.NET MVC

Working on DevSecOps culture - a team centric view

The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx

Continuous Delivery, Continuous Integration

Using Security to Build with Confidence in AWS - Trend Micro

Finding Security a Home in a DevOps World

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018

Attack Chaining: Advanced Maneuvers for Hack Fu

Secure coding presentation Oct 3 2020

Cloudefigo - From zero to secure in 1 minute

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

Cyber Kill Chain: Web Application Exploitation

Rails security: above and beyond the defaults

Dernier

Manulife - Insurer Innovation Award 2024

The Digital Insurer

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Dernier (20)

Manulife - Insurer Innovation Award 2024

MINDCTI Revenue Release Quarter One 2024

Partners Life - Insurer Innovation Award 2024

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

🐬 The future of MySQL is Postgres 🐘

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Artificial Intelligence Chap.5 : Uncertainty

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Axa Assurance Maroc - Insurer Innovation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Boost PC performance: How more available memory can improve productivity

AWS Community Day CPH - Three problems of Terraform

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Strategies for Landing an Oracle DBA Job as a Fresher

Top 10 Most Downloaded Games on Play Store in 2024

Vault and Security as a Service

1. Vault + Security as a Service Pat Shields Bronto Software twitter.com/patrickmshields linkedin.com/in/ihavenoideawhatimdoinggif

2. A Developer’s Perspective

3. A Developer’s Perspective • Database Password Storage • Data Encryption • Production Access Control

4. I. The Pickle We’re In II. Secret Management III. Audit Trails IV. Where To Go From Here

5. Monolithic Web Architecture Load Balancer monolith-prod-001 monolith-prod-002 monolith-prod-003 DB

6. Monolithic Web Architecture Load Balancer monolith-prod-001 monolith-prod-002 monolith-prod-003 DB

7. Current Web Architecture Container Container Container Container Container Container Container Cluster Managed Env DB DB Kafka No SQL Random VM Random VM Analytics Cluster Spark Job MR Job

8. https://arstechnica.com/information-technology/2013/01/psa-dont-upload-your-important-passwords-to-github/

9. https://arstechnica.com/information-technology/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/

10. DevOps Security as a Service

11.

12. Secret Management

13. Secret Management “If I can’t put the password in the conﬁg ﬁle then where does it go?” or

14. Prototypical Secret Management service-prod-001 vault DB

15. Prototypical Secret Management service-prod-001 vault DB authenticate token write /secrets/my_app {db-pass: temp123}

16. Prototypical Secret Management service-prod-001 vault DB read /secrets/my_app authenticate token write /secrets/my_app {db-pass: temp123}

17. service-prod-001 vault DB Prototypical Secret Management read /secrets/my_app authenticate token write /secrets/my_app {db-pass: temp123} auth?pass=temp123

18. Dynamically Generated Secrets Oracle MongoDB Consul Cassandra MSSQL MySQL SSH PKI

19. Prototypical Secret Management service-prod-001 vault DB read /secrets/my_app authenticate token write /secrets/my_app {db-pass: temp123} auth?pass=temp123

20. Authentication Humans Machines LDAP Github AWS Google Cloud Okta AppRole TLS Kubernetes AWS EC2 Google Cloud

21. Detection enables less restriction

22. Vault Audit Trail A record of every operation against Vault

23. Audit Trails

24. { "time": "2017-10-24T15:49:36Z", "type": "response", "auth": { "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d", "accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1", "display_name": "ldap-bill.gates", "policies": ["windoze-95"], "metadata": { "username": "bill.gates" } }, "request": { "id": "69d4258a-fc3e-d247-d471-769a27bcd755", "operation": "list", "client_token": "hmac-sha256:5dfb2a759a5c62863a03969af7cef1b5a56e14a2114de8633350147af4c8330d", "client_token_accessor": "hmac-sha256:c0bab9a00791244e965a8cd4147af6b55d6d4b059d8686bf01217075003579d1", "path": “secret/redmond/windoze/", "data": null, "remote_address": "192.168.1.1", "wrap_ttl": 0, "headers": {} }, "response": { "data": { "keys": ["hmac-sha256:3c90f99095c7f16cfeaaa7471922912cb7d1280161eddb9a94c4dfe16a7f998e"] } }, "error": "" }

25. Response Wrapping Example deployer-prod-001vault service-prod-001audit-log.json

26. Response Wrapping Example deployer-prod-001vault service-prod-001 read /secrets/passwd audit-log.json

27. Response Wrapping Example deployer-prod-001vault service-prod-001 read /secrets/password audit-log.json vault/links/123 deployer-prod-001 requested /secrets/passwd wrapped TTL 15 seconds Only one use!

28. Response Wrapping Example deployer-prod-001vault service-prod-001audit-log.json vault/links/123

29. Response Wrapping Example deployer-prod-001vault service-prod-001audit-log.json read vault/links/123

30. Response Wrapping Example deployer-prod-001vault service-prod-001audit-log.json read vault/links/123 password! service-prod-001 read links/123

31. Start Today

32. Start Today Use as a team or organizational password manager

33. Start Today Use a “seed” secrets system or cloud provider auth backend

34. Start Today Expose your applications to Vault

35. Key Management + Encryption as a Service RSA AES HMACSHA Secure Random Bytes!

36. I. What Problems Does Vault Solve?

37. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password

38. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault

39. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault IV. Audit Trails and Response Wrapping

40. I. What Problems Does Vault Solve? II. Using Vault To Access DB Password III. Authenticating With Vault IV. Audit Trails and Response Wrapping V. How To Get Started

41. David Helms for helping me deploy Vault at Bronto Lead Dev for inviting me and helping me with this talk You for listening https://www.vaultproject.io/

Vault and Security as a Service

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Vault and Security as a Service

Similaire à Vault and Security as a Service (20)

Dernier

Dernier (20)

Vault and Security as a Service