London HUG 14/3
london-hashicorp-user-group
Category: Technology
Transcript of London HUG 14/3
Copyright @ 2016 Aqua Security Software Ltd. All Rights Reserved.
Who’s Keeping your Secrets?
Amir Jerbi, CTO and co-founder, Aqua Security
2
DO YOU HAVE SECRETS?
Encryption keys
Database passwords
SSH Keys
Cloud service tokens
3
SECRETS ARE HEAVILY USED IN CONTAINERS
4
AND SOMETIMES CAN BE USED INSECURELY…
5
PASSING SECRETS TO CONTAINERS – WRONG WAY
Cleartext environment variables
Mounted volumes
Unauthenticated services (e.g. S3)
Saving secrets into images (please don’t)
6
CAN EXPOSE SECRETS TO THE HOST
“docker inspect …”
/proc/<pid>/environ
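The two slides above make the point that a secret handed to a container as an environment variable, or as a bind mount of host key material, is readable from the host side through `docker inspect` and `/proc/<pid>/environ`. The following is an added audit script, not code from the talk or from Aqua Security: it parses the JSON that `docker inspect` prints and flags environment variable names that look like secrets and bind mounts of sensitive host paths. The sample JSON is constructed, the secret-name pattern and the list of sensitive host paths are assumptions to be tuned per environment, and findings report only the variable name, never its value, so the audit output does not itself leak a secret.

```python
import json
import re
from typing import Dict, List

# Env var names that usually hold a secret (assumed pattern; extend as needed).
# Only the name is matched and reported, so the finding never contains the value.
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

# Host paths holding key material; bind-mounting one of these gives the
# container the host's secrets (assumed list, adjust for your hosts).
SENSITIVE_HOST_PATHS = ("/root/.ssh", "/etc/ssl/private", "/etc/shadow", "/var/run/docker.sock")

# Constructed sample in the shape of `docker inspect <container>` output, trimmed
# to the fields the audit reads. Not taken from the talk.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/payments-api",
    "Config": {
        "Image": "payments:1.0",
        "Env": [
            "PATH=/usr/local/bin:/usr/bin",
            "LOG_LEVEL=info",
            "DB_PASSWORD=constructed-cleartext",
            "STRIPE_API_KEY=constructed-key",
        ],
    },
    "Mounts": [
        {"Type": "bind", "Source": "/root/.ssh", "Destination": "/keys", "RW": False},
        {"Type": "tmpfs", "Source": "", "Destination": "/run/secrets", "RW": True},
    ],
}])


def audit_container(container: Dict) -> List[str]:
    """Returns one finding per cleartext-looking env var or sensitive bind mount."""
    name = (container.get("Name") or container.get("Id", "?")).lstrip("/")
    findings: List[str] = []

    # 1. Cleartext secrets in the environment. Anyone who can run `docker inspect`
    #    or read /proc/<pid>/environ on the host can read these. The same
    #    Config.Env field appears in `docker inspect <image>`, so running this
    #    over image metadata also catches secrets baked into images.
    for entry in container.get("Config", {}).get("Env") or []:
        key = entry.partition("=")[0]
        if SECRET_NAME.search(key):
            findings.append(f"{name}: env var {key} looks like a cleartext secret")

    # 2. Host key material bind-mounted into the container. A tmpfs mount is not
    #    flagged: it lives in memory and is not backed by a host path.
    for mount in container.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and src.startswith(SENSITIVE_HOST_PATHS):
            findings.append(
                f"{name}: bind mount of host path {src} at {mount.get('Destination')}"
            )
    return findings


def audit_inspect_output(raw_json: str) -> List[str]:
    """Runs audit_container over the JSON array that `docker inspect` prints."""
    return [f for c in json.loads(raw_json) for f in audit_container(c)]


if __name__ == "__main__":
    for finding in audit_inspect_output(SAMPLE_INSPECT):
        print(finding)
```

Against a live host the input would come from `docker inspect $(docker ps -q)` piped into `audit_inspect_output`; the sample above stands in for that so the script runs offline.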
7
PASSING SECRETS IS NOT THE ONLY CHALLENGE…
Controlling who can access a secret
Monitoring secret usage
Rotating secret values
De-provisioning a secret
8
AVAILABLE SOLUTIONS
Kubernetes Secrets: https://kubernetes.io/docs/user-guide/secrets/
Docker Swarm Secrets: https://blog.docker.com/2017/02/docker-secrets-management/
DC/OS Secrets: https://docs.mesosphere.com/1.8/administration/secrets/
Keywhiz: https://github.com/square/keywhiz
Hashicorp Vault: https://www.vaultproject.io/
See also: https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d#.86vfvlk1t
9
WHY HASHICORP VAULT?
Purpose built for secrets
Key rolling
Comprehensive access control
Expiration policies
Extendable
Easy to integrate
10
CASE STUDY: AQUA SECURITY INTEGRATION WITH HASHICORP VAULT
Solution highlights:
Central management
Secrets are never persisted to disk outside of Vault
Secured communications
(Architecture diagram: Host 1, Host 2, Command Center, Hashicorp Vault)
11
SECRETS ARE INJECTED INTO CONTAINERS
Through environment variables
Or tmpfs mounted volume
12
SECRET ACCESS CONTROL
Control user and group access to secrets
13
USAGE TRACKING
Track which containers are using secrets
14
SECRET ROTATION & REVOCATION
Container secrets can be updated in runtime
No need to restart container
Deleting a secret removes it from all running containers
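Slide 11 says secrets reach the container as environment variables or as files on a tmpfs mount, and slide 14 says a secret can be rotated in place or revoked without restarting the container. For that to work the application side has to read the secret file on use rather than caching it once at startup. The following is an added example of that container-side pattern, not code from the talk or from Aqua Security's product: a small reader that prefers a file under a secrets directory (assumed to be the tmpfs mount, `/run/secrets` by default), re-reads it when the file's inode, size or mtime changes, treats a deleted file as a revoked secret, and falls back to an environment variable only when no file exists. It records which secret names were used and from where, never the values. The demo function stands in a temporary directory for the tmpfs mount with constructed values.

```python
import os
from pathlib import Path
from typing import Dict, List, Optional, Tuple


class SecretSource:
    """Reads secrets injected as files (e.g. on a tmpfs mount) with env vars as fallback.

    Values are cached per name, keyed on the file's (inode, size, mtime), so a
    rotated secret, whether rewritten in place or swapped in by rename, is picked
    up on the next get() without a container restart. A missing file means the
    secret was revoked (or never provisioned as a file): the cached value is
    dropped and the environment is consulted instead.
    """

    def __init__(self, secrets_dir: str = "/run/secrets",
                 environ: Optional[Dict[str, str]] = None) -> None:
        self.secrets_dir = Path(secrets_dir)          # assumed tmpfs mount point
        self.environ = dict(os.environ) if environ is None else environ
        self._cache: Dict[str, Tuple[Tuple[int, int, int], str]] = {}
        # Usage record of (secret name, origin). The value is never stored here,
        # so this list is safe to ship to a log or a usage tracker.
        self.usage: List[Tuple[str, str]] = []

    def get(self, name: str) -> Optional[str]:
        path = self.secrets_dir / name
        try:
            st = path.stat()
        except FileNotFoundError:
            self._cache.pop(name, None)               # revoked: forget the old value
            value = self.environ.get(name)
            if value is not None:
                self.usage.append((name, "env"))
            return value
        version = (st.st_ino, st.st_size, st.st_mtime_ns)
        cached = self._cache.get(name)
        if cached is None or cached[0] != version:
            # New or rotated file: read it and strip the trailing newline that
            # most secret writers append.
            cached = (version, path.read_text(encoding="utf-8").rstrip("\n"))
            self._cache[name] = cached
        self.usage.append((name, "file"))
        return cached[1]


def run_rotation_demo() -> List[Optional[str]]:
    """Simulates provision, rotate and revoke in a temporary directory standing in
    for the tmpfs mount; returns the value observed after each step."""
    import tempfile
    observed: List[Optional[str]] = []
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "DB_PASSWORD"
        src = SecretSource(tmp, environ={"API_TOKEN": "constructed-env-token"})
        secret.write_text("initial-pass\n")           # constructed value
        observed.append(src.get("DB_PASSWORD"))
        secret.write_text("rotated-password-2\n")     # rotation, no restart
        observed.append(src.get("DB_PASSWORD"))
        secret.unlink()                                # revocation
        observed.append(src.get("DB_PASSWORD"))
        observed.append(src.get("API_TOKEN"))          # env var fallback
    return observed


if __name__ == "__main__":
    print(run_rotation_demo())
```

In a real deployment the directory would be mounted with `docker run --tmpfs /run/secrets:...` (or the orchestrator's equivalent) so the secret files live in memory and never reach the host's disk, which is what makes the file path preferable to the environment variable fallback.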
Q&A