Your secret's safe with me

Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Liz Rice
@LizRice | @AquaSecTeam

Uploaded by liz-rice, posted 21-Jan-2018

TRANSCRIPT

Page 1: Your secret's safe with me

Liz Rice
@LizRice | @AquaSecTeam

Page 2: Your secret's safe with me

Secrets

Page 3: Your secret's safe with me

Desirable security features for container secrets

■ Encrypted
  ■ At rest and in transit
  ■ Only decrypted in memory

■ Access control
  ■ Only accessible by containers that need them

■ Life-cycle
  ■ Rotation, revocation, audit logging

Page 4: Your secret's safe with me

Secret life-cycle

■ Risk of leak increases over time
  ■ Exploit
  ■ Bad actor
  ■ Accidental logging

■ Change secret values (“rotation”)

■ Token lifetime & use limit

Page 5: Your secret's safe with me

Tokens all the way down

■ If your secret is in a secret store, how do you get access?
■ How do you keep the access token secret?

xkcd.com/1416

Page 6: Your secret's safe with me

Passing secrets to containers

Page 7: Your secret's safe with me

Bad places for secrets

■ Source code

■ Dockerfiles / images

Page 8: Your secret's safe with me

Environment variables

docker run -e VARNAME=secret ...

Page 9: Your secret's safe with me

Mounted volume

docker run -v /hostsecrets:/secrets ...

Page 10: Your secret's safe with me

Orchestrator support for secrets

Page 11: Your secret's safe with me

Docker Swarm

■ Secrets support built in
  ■ Mounted to a temporary fs
  ■ Encrypted transmission with mutual authentication

Page 12: Your secret's safe with me

Docker Swarm

■ Secrets support built in
  ■ Mounted to a temporary fs
  ■ Encrypted transmission with mutual authentication
  ■ Files, not env vars
  ■ Restart service to change secret value
  ■ RBAC in Enterprise Edition

Page 13: Your secret's safe with me

Kubernetes

■ Stored unencrypted in etcd
■ HTTP in transit by default
■ Files and env vars
  ■ Files support updating secret values
  ■ Need to restart pod to get new env var value

■ Files mounted into the host
■ RBAC can be turned on: --authorization-mode=RBAC
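As an added example (not from the deck, and not a Kubernetes or Aqua tool), a small Python checker that reads a pod spec and reports whether each Secret reaches a container as a mounted file or as an environment variable, the distinction pages 8, 9 and 13 draw between the two mechanisms. The pod spec, container name and secret names are constructed for illustration.

```python
"""Report how Secrets reach containers in a Kubernetes pod spec: as files
(volume of type 'secret', which pick up updated values) or as environment
variables (secretKeyRef / envFrom, which need a pod restart and are a
poorer place for secrets). Hypothetical checker, not a Kubernetes tool."""
import json

def find_secret_refs(pod):
    """Return (container, mechanism, secret_name) tuples for every reference."""
    refs = []
    spec = pod.get("spec", {})
    # Secrets mounted as files arrive through volumes of type 'secret'.
    for vol in spec.get("volumes", []):
        if vol.get("secret"):
            refs.append(("<pod>", "volume", vol["secret"].get("secretName")))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        # A single key pulled into one env var via secretKeyRef.
        for env in c.get("env", []):
            key_ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if key_ref:
                refs.append((name, "env", key_ref.get("name")))
        # A whole Secret exported as env vars via envFrom/secretRef.
        for src in c.get("envFrom", []):
            if src.get("secretRef"):
                refs.append((name, "envFrom", src["secretRef"].get("name")))
    return refs

def env_exposed_secrets(pod):
    """Names of Secrets that land in environment variables (the ones to flag)."""
    return sorted({s for _, mech, s in find_secret_refs(pod) if mech != "volume"})

# Constructed sample pod (JSON, which the API accepts alongside YAML):
# one Secret mounted as a file, two exported into environment variables.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "spec": {
  "volumes": [{"name": "tls", "secret": {"secretName": "api-tls"}}],
  "containers": [{"name": "api",
    "volumeMounts": [{"name": "tls", "mountPath": "/secrets"}],
    "env": [{"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    "envFrom": [{"secretRef": {"name": "legacy-config"}}]}]}}
""")

if __name__ == "__main__":
    for container, mech, secret in find_secret_refs(SAMPLE_POD):
        print(f"{container:6} {mech:8} {secret}")
    print("env-exposed:", env_exposed_secrets(SAMPLE_POD))
```

Run against `kubectl get pod NAME -o json` output to audit a live pod; the same walk applies to the pod template inside a Deployment or StatefulSet.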

Page 14: Your secret's safe with me

OpenShift

■ As Kubernetes, but with namespaced projects & RBAC

Page 15: Your secret's safe with me

DC/OS

■ Encrypted in ZooKeeper
■ Access control by service path
■ Env vars
■ Restart service to update value

Page 16: Your secret's safe with me

Rancher

■ Experimental secrets support

Page 17: Your secret's safe with me

Nomad

■ Integrated with Vault
  ■ Tasks get tokens so they can retrieve values from Vault

■ Poll for changed values
■ Access control

Page 18: Your secret's safe with me

Aqua secrets

■ Any orchestrator
■ Secrets encrypted in Vault, Amazon KMS or Aqua DB

■ Env vars injected into container process memory
■ Secret can be injected to a tempfs filesystem
■ Supports updating secrets without restart of container
■ Supports monitoring of secret usage

■ Limit access to designated containers

Page 19: Your secret's safe with me

Summary

Page 20: Your secret's safe with me

Secrets decisions

Your best option depends on
■ choice of orchestrator
■ acceptable level of risk

Aqua White Paper on secrets management coming very soon

Page 21: Your secret's safe with me

Questions?

Liz Rice
@LizRice | @AquaSecTeam