Turtles All the Way Down - schedschd.ws/hosted_files/appsecusa2015/a5/turtles.pdf
TRANSCRIPT
TURTLES ALL THE WAY DOWN
Storing Secrets in the Cloud and in the Data Center
TURTLES COMPANION SITE
http://danielsomerfield.github.io/turtles
WHAT'S THE PROBLEM?
We all have secrets
We want to know they're safe
And…
WHAT'S THE PROBLEM?
We need reliable, reproducible deployments
SETTING GOALS
WHAT GOOD LOOKS LIKE
Security Goals • Secrets are secrets • Auditing • No reliance on heroes • Standard practices
WHAT DOES GOOD LOOK LIKE
Operational Goals • Automated • Scales operationally
It haz 2B EZ 2 uze!!!!
WHAT DOES GOOD LOOK LIKE
SEARCHING FOR THE ELUSIVE LAST TURTLE
THE FIRST TURTLE
Does this sound familiar? • Secrets in SCM • Admins, admins everywhere • Credential reuse • Secrets are not really secrets
THE FIRST TURTLE
Goals • Encrypted secrets • Controlled distribution • Secrets are automated
[Diagram: orchestrator decryption - the orchestration server reads the encrypted secret from the encrypted store, decrypts it, and delivers the plaintext secret to the target application over a secure channel]
[Diagram: application decryption - the orchestration server passes the encrypted secret through to the target application, which decrypts it to plaintext itself]
STRATEGIES
[Diagram: three strategies - secret deployment, application deployment, operational compartmentalization - drawn over the encrypted store, orchestration server, artifact repo, plaintext secret and target application]
ORCHESTRATOR DECRYPTION
[Diagram: orchestration server reads the encrypted secret from the encrypted store, decrypts it, and sends the plaintext secret to the target application over a secure channel]
ORCHESTRATOR DECRYPTION
Advantages – Key management – Integration
Disadvantages – Exploit severity – Secrets at rest – One more turtle…
APPLICATION DECRYPTION
[Diagram: orchestration server forwards the encrypted secret from the encrypted store to the target application, which decrypts it to plaintext]
APPLICATION DECRYPTION
Advantages – Compartmentalization – Integration
Disadvantages – Key management – Secrets at rest – One more turtle…
OPERATIONAL COMPARTMENTALIZATION
[Diagram: the encrypted store and the artifact repo each have their own orchestration server; only the target application holds the plaintext secret]
ORGANIZATIONAL COMPARTMENTALIZATION
Advantages – Clear responsibilities – Integration
Disadvantages – Organizational silos – Lack of transparency
TOOLS
SCM encryption
Orchestration tools
Secret service
SCM ENCRYPTION
Encryption of an entire SCM repo, or of individual items within it.
SCM ENCRYPTION
Strengths • Integration • SCM-based audit
SCM ENCRYPTION
Weaknesses • Secret rotation support • Data at rest • Auditing of usage • More turtles…
SCM ENCRYPTION TOOLS
Blackbox
GitCrypt
Transcrypt
ORCHESTRATOR ENCRYPTION
ORCHESTRATOR ENCRYPTION
Strengths • Automation • Familiar workflow
ORCHESTRATION ENCRYPTION
Weaknesses • Similar to SCM encryption, plus: • Vendor lock-in • Another turtle…
ORCHESTRATION ENCRYPTION TOOLS
Chef Vault
Ansible Vault
Blackbox
Chef
hiera-eyaml
TOOLS
SCM encryption
Orchestration tools
Secret service
THE SECOND TURTLE
Goals • Key rotation • Limit secrets at rest
PULLING
[Diagram: application pull - the target application fetches the encrypted secret from the secret server (backed by the encrypted store) over a secure channel and decrypts it to plaintext locally]
SECRET SERVICES
A separate endpoint providing secrets on demand over a secure channel.
SECRETS SERVICES
Strengths • Minimizes at rest • Facilitates rotation • Compartmentalization • Ephemeral credentials • Access policies • Auditing
SECRETS AS A SERVICE
Weaknesses • Adoption • Single point of failure • Few options • One more turtle…
SECRETS AS A SERVICE
HashiCorp Vault
Square KeyWhiz
TOOLS
SCM encryption
Orchestration tools
Secret service
THE THIRD TURTLE
Goals • Ephemeral credentials • Instances without remote access • Immutable infrastructure • Credential-less architecture
???
TOOLS
Orchestration tools
Secret service
FINAL THOUGHTS
THE BIG PICTURE
[Diagram: build server, artifact repo, orchestration server with its orchestration package, secret store holding a public-key encrypted secret, and the application holding the private key; the steps below are animated onto it one at a time, and after step 7 the secret no longer appears beside the application]
1. publishes artifact
2. push orchestration package
3. download app package
4. download secret
5. decrypt secret
6. start application
7. delete secret
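The seven steps above, as an added example that is not from the talk or its companion site: a self-contained Go program in which the secret store holds only an RSA-OAEP blob sealed to the target application's public key, and the application decrypts it at start and then wipes the plaintext. The in-memory SecretStore, OrchestrationPackage and Application types, the map standing in for the artifact repo, the start hook and every sample value are assumptions constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SecretStore is a constructed in-memory stand-in for the diagram's "secret store":
// it only ever holds ciphertext sealed to a target application's public key.
type SecretStore struct{ blobs map[string][]byte }
func NewSecretStore() *SecretStore { return &SecretStore{blobs: map[string][]byte{}} }

// Put seals plaintext with RSA-OAEP to the application's public key. The OAEP label is
// bound to the secret's name, so a blob stored under one name cannot be served as another.
func (s *SecretStore) Put(name string, pub *rsa.PublicKey, plaintext []byte) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, []byte(name))
	if err != nil {
		return err
	}
	s.blobs[name] = ct
	return nil
}

func (s *SecretStore) Get(name string) ([]byte, error) { // a copy of the ciphertext only
	ct, ok := s.blobs[name]
	if !ok {
		return nil, fmt.Errorf("secret %q not found", name)
	}
	return append([]byte(nil), ct...), nil
}

// OrchestrationPackage is what the orchestration server pushes in step 2: which artifact
// to run and which secret to fetch. It carries a reference, never the secret itself.
type OrchestrationPackage struct{ ArtifactID, SecretName string }

// Application holds the only private key able to open the secret, so the build server,
// artifact repo and orchestration server never see plaintext.
type Application struct {
	priv    *rsa.PrivateKey
	Started bool
	secret  []byte // plaintext: set in step 5, wiped in step 7
}

func NewApplication() (*Application, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Application{priv: priv}, nil
}

// PublicKey is what the secret's owner needs to seal it for this instance;
// HoldsPlaintext reports whether decrypted material is still resident (false after Deploy).
func (a *Application) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }
func (a *Application) HoldsPlaintext() bool     { return a.secret != nil }

// Deploy runs steps 3 to 7: download the app package, download the sealed secret, decrypt it,
// start the application (the start hook is the only consumer of the plaintext), delete it.
func (a *Application) Deploy(pkg OrchestrationPackage, repo map[string][]byte, store *SecretStore,
	start func(artifact, secret []byte) error) error {
	artifact, ok := repo[pkg.ArtifactID] // step 3
	if !ok {
		return fmt.Errorf("artifact %q not in repo", pkg.ArtifactID)
	}
	ct, err := store.Get(pkg.SecretName) // step 4
	if err != nil {
		return err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, ct, []byte(pkg.SecretName)) // step 5
	if err != nil {
		return fmt.Errorf("secret %q was not sealed for this instance", pkg.SecretName)
	}
	a.secret = pt
	defer a.wipe() // step 7 runs whether or not start succeeds
	if err := start(artifact, a.secret); err != nil { // step 6
		return err
	}
	a.Started = true
	return nil
}

func (a *Application) wipe() { // zero and drop the plaintext so it is not at rest in-process
	for i := range a.secret {
		a.secret[i] = 0
	}
	a.secret = nil
}

func main() {
	app, _ := NewApplication()
	store := NewSecretStore()
	_ = store.Put("db-password", app.PublicKey(), []byte("constructed-password"))
	repo := map[string][]byte{"app-1.0.0": []byte("constructed artifact")}           // step 1
	pkg := OrchestrationPackage{ArtifactID: "app-1.0.0", SecretName: "db-password"} // step 2
	err := app.Deploy(pkg, repo, store, func(_, s []byte) error { fmt.Printf("starting with a %d-byte secret\n", len(s)); return nil })
	fmt.Println("deployed:", err == nil, "plaintext resident:", app.HoldsPlaintext())
}
```

Two caveats follow from the design. RSA-OAEP with a 2048-bit key and SHA-256 caps the plaintext at 190 bytes, so anything larger (a TLS private key, a kubeconfig) needs a hybrid scheme in which only a random data key is sealed this way. And step 7 is only as strong as the process's memory semantics: zeroing the slice removes the copy the application holds, but the start hook or the garbage collector may have made others, which is the "secrets at rest" disadvantage the deck lists for application decryption.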
IN CLOSING
So how do you find the last turtle?
- Tactical human intervention - Audit - Automate - Evolve