Secret Management Journey - Here Be Dragons aka Secret Dragons
whoami
Marcus Maxwell
Technical Consultant
● AWS Certified Solutions Architect - Professional
● Certified Kubernetes Administrator
https://twitter.com/mindful_monk
marcus.maxwell@contino.io
Agenda
● History of secrets (plain text files, encrypted spreadsheets, pwman, KeePass, passwordstore)
● Keeping secrets with ansible-vault
● Keeping secrets with Jenkins
● Trying to use enterprise secret stores (CyberArk)
● DevOps Secret Stores 2.0 (HashiCorp Vault, Conjur, Keywhiz)
Who uses HashiCorp Vault?
History of Secrets
Physical Secrets
● Post-it notes
● Notebook
● Single password in your head
Plaintext files
● Still in use
● Sometimes base64 encoded
● Sometimes hashed
● Sometimes on NFS
● Post-it note on the Windows desktop
● OneNote
Confluence/Sharepoint
● Locked down access
● Sometimes with a fancy plugin
https://www.servicerocket.com/add-on/security-and-encryption
Spreadsheets
● Usually on an NFS share
● Hopefully password protected
● Outdated like hell
● Pretty much used by everyone not in the IT department
Old apps still in use
● Password Safe (pwsafe.org), made by Bruce Schneier; probably the most common solution inside teams
● Keepass
The various git methods
● git-crypt
● BlackBox https://github.com/StackExchange/blackbox
● pass (GPG-encrypted files in a git repository)
CM Tools
● Puppet - Hiera eyaml
● Chef - encrypted databags
● Ansible Vault
Enterprise Solution
● CyberArk
● Thycotic Secret Server
● Pleasant Password Server
Browser based password managers
● Lastpass
● Dashlane
● 1Password
Jenkins
Cloud Based
● CredStash https://github.com/fugue/credstash
● AWS Secret Store (Parameter Store)
● Azure Key Vault
● Confidant (secrets in DynamoDB)
● Sneaker (secrets in S3 buckets)
Container Native
● Kubernetes Secrets
● Docker Secrets
● Rancher Secrets
● Aquasec Secrets
The New Wave
● HashiCorp Vault
● Keywhiz
● Conjur
Problems with Secret Management
● If it gets compromised, how do I rotate all my secrets? Most tools don’t support that
● Lack of granular permissions
● Chicken-and-egg problem: where do you keep the password that decrypts the passwords? (secure introduction)
● They start to break down completely once you try to use them in a more dynamic environment
● Usually no AD integration
● Enterprise solutions cost an arm and a leg
A note on SSL Certificates
● Usually out of scope
● Usually managed by some team nobody really knows about
● Rarely an API to get one
● Usually takes 1-2 weeks and requires filling out a 10 page .doc
● People just don’t bother and have invalid cert errors all the time
● curl -k yo
● Many better options available: HashiCorp Vault, Lemur, Cloudflare SSL
Some tips
● APIs or GTFO
● Dynamic > Static
● Optimize for rotating secrets in the whole estate
● Ensure self-service
● Validate container use-case as most solutions won’t fit and can be discarded
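The problems slide (rotating everything after a compromise, granular permissions, secure introduction) and the tips above (APIs, dynamic over static, estate-wide rotation) describe what a modern secret store has to offer. The following is an added example, not code from the talk or from any product it names: a toy in-memory secret broker that shows those properties in working form. Every name in it (SecretBroker, Lease, the "db/app" path, the generation counter) is an assumption made up for this illustration, and the wrapping token mimics the general idea of response wrapping rather than any specific tool's API.

```python
"""Toy lease-based secret broker (constructed example, not a real product's API).

It demonstrates four properties the slides ask for:
  - per-token, per-path permissions (granular ACL)
  - dynamic credentials with a TTL instead of one long-lived static secret
  - one call that revokes every outstanding lease (estate-wide rotation)
  - a one-shot wrapping token to hand the first credential to a workload
    (the "secure introduction" / chicken-and-egg problem)
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    path: str
    secret: str
    expires_at: float
    revoked: bool = False


class SecretBroker:
    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable so tests can advance time
        self.policies: dict[str, set[str]] = {}   # token -> set of readable paths
        self.leases: dict[str, Lease] = {}
        self.wrappers: dict[str, tuple[str, float]] = {}  # wrap id -> (token, expiry)
        self.generation = 0                   # bumped on each full rotation

    # Granular permissions: a token only ever sees the paths it was issued for.
    def issue_token(self, allowed_paths) -> str:
        token = secrets.token_urlsafe(16)
        self.policies[token] = set(allowed_paths)
        return token

    # Dynamic secret: every read mints a fresh credential bound to a TTL.
    def get_secret(self, token: str, path: str, ttl: int = 300) -> Lease:
        if path not in self.policies.get(token, set()):
            raise PermissionError(f"token may not read {path}")
        lease = Lease(
            lease_id=secrets.token_hex(8),
            path=path,
            secret=f"gen{self.generation}-{secrets.token_urlsafe(24)}",
            expires_at=self.clock() + ttl,
        )
        self.leases[lease.lease_id] = lease
        return lease

    def is_valid(self, lease_id: str) -> bool:
        lease = self.leases.get(lease_id)
        return lease is not None and not lease.revoked and lease.expires_at > self.clock()

    # Compromise response: revoke everything at once; new reads get a new generation.
    def rotate_all(self) -> int:
        for lease in self.leases.values():
            lease.revoked = True
        self.generation += 1
        return len(self.leases)

    # Secure introduction: a short-lived, single-use wrapper that carries a real
    # token, so the bootstrap channel never needs a long-lived static credential.
    def wrap_token(self, token: str, ttl: int = 60) -> str:
        wrap_id = secrets.token_urlsafe(16)
        self.wrappers[wrap_id] = (token, self.clock() + ttl)
        return wrap_id

    def unwrap(self, wrap_id: str):
        entry = self.wrappers.pop(wrap_id, None)   # pop: a second unwrap fails
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]


def demo(clock=time.time) -> dict:
    """Run the typical lifecycle and return the observations for inspection."""
    broker = SecretBroker(clock)
    app_token = broker.issue_token(["db/app"])
    lease = broker.get_secret(app_token, "db/app", ttl=300)
    try:
        broker.get_secret(app_token, "db/billing")
        denied = False
    except PermissionError:
        denied = True
    valid_before = broker.is_valid(lease.lease_id)
    revoked = broker.rotate_all()
    valid_after = broker.is_valid(lease.lease_id)
    fresh = broker.get_secret(app_token, "db/app")
    return {
        "denied_other_path": denied,
        "valid_before_rotation": valid_before,
        "revoked_count": revoked,
        "valid_after_rotation": valid_after,
        "fresh_generation": fresh.secret.split("-", 1)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The injectable clock is what makes the TTL behaviour testable without sleeping; in a real deployment the equivalent of `rotate_all` is the operation you want to rehearse before an incident, not discover during one.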
Summary
● Talk to the developers
● Find out how secrets are currently being stored in your organization
● Come up with a transition plan
● Start on-boarding teams to the new secret store
● and most importantly don’t end up like this
Learn more
● Modern Secret Management with Vault
https://www.youtube.com/watch?v=iqigxGccezI
● Vault vs other products https://www.vaultproject.io/intro/vs/index.html
● [Webinar] Securing Ansible Deployments With HashiCorp Vault
https://www.youtube.com/watch?v=wCTgi6fKXcM
contino.io info@contino.io
@ContinoHQ
Contino
Questions?
London
1 Fore Street,
Moorgate,
London,
EC2Y 9DT,
UK
New York
404 5th Avenue,
New York
NY 10018
United States
Melbourne
Level 2,
Hub Southern Cross,
696 Bourke St,
Melbourne VIC 3000,
Australia
london@contino.io newyork@contino.io melbourne@contino.io
Sydney
5 Martin Place
Sydney NSW 2000,
Australia
sydney@contino.io
Boston
745 Atlantic Ave
Boston
MA 02111
United States
hello@contino.io
Atlanta
3340 Peachtree Rd NE
STE 1010
Atlanta
GA 30326
United States
hello@contino.io