Your secret's safe with me

Post on 21-Jan-2018


Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

Your secret’s safe with me

Liz Rice

@LizRice | @AquaSecTeam


Secrets


Desirable security features for container secrets

■ Encrypted
  ■ At rest and in transit
  ■ Only decrypted in memory

■ Access control
  ■ Only accessible by containers that need them

■ Life-cycle
  ■ Rotation, revocation, audit logging


Secret life-cycle

■ Risk of leak increases over time
  ■ Exploit
  ■ Bad actor
  ■ Accidental logging

■ Change secret values (“rotation”)

■ Token lifetime & use limit


Tokens all the way down


■ If your secret is in a secret store, how do you get access?
■ How do you keep the access token secret?

xkcd.com/1416

Passing secrets to containers


Bad places for secrets


■ Source code

■ Dockerfiles / images


docker run -e VARNAME=secret ...

Environment variables


docker run -v /hostsecrets:/secrets ...

Mounted volume


Orchestrator support for secrets


Docker Swarm


■ Secrets support built in
■ Mounted to a temporary fs
■ Encrypted transmission with mutual authentication
■ Files, not env vars
■ Restart service to change secret value
■ RBAC in Enterprise Edition


Kubernetes


■ Stored unencrypted in etcd
■ HTTP in transit by default
■ Files and env vars
  ■ Files support updating secret values
  ■ Need to restart pod to get new env var value
■ Files mounted into the host
■ RBAC can be turned on with --authorization-mode=RBAC
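The difference behind the two "files" bullets (a file-mounted secret can be updated in place, while an env var is fixed for the life of the process) can be shown locally. This is an added example, not code from the talk or from Kubernetes; the secret name, values and mount directory are constructed, and the atomic rename is a simplified stand-in for what the kubelet does when it swaps a Secret volume.

```python
import os
import tempfile


def read_secret_file(path):
    """Read the mounted secret on every use, so a rotated value is seen
    without restarting the process (the file-based behaviour above)."""
    with open(path, "rb") as f:
        return f.read().rstrip(b"\n")


def rotate_secret_file(path, new_value):
    """Replace the secret atomically: write a sibling temp file, fix its
    mode, then rename over the old file. A reader sees either the whole
    old value or the whole new one, never a partial write. (Simplified
    stand-in for the kubelet's symlinked-directory swap, not its code.)"""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    with os.fdopen(fd, "wb") as f:
        f.write(new_value)
    os.chmod(tmp, 0o400)          # owner read-only, like a mounted secret
    os.replace(tmp, path)


def start_container_env(secret_value):
    """Model a container started with the secret as an env var: the
    environment block is copied into the new process at exec time and is
    never updated afterwards, so the process keeps this snapshot."""
    env = os.environ.copy()
    env["DB_PASSWORD"] = secret_value   # constructed variable name
    return env


def demo():
    """Rotate a constructed secret and report what each consumer sees."""
    mount = tempfile.mkdtemp(prefix="secrets-")     # stands in for the mount
    path = os.path.join(mount, "db-password")
    with open(path, "wb") as f:
        f.write(b"constructed-v1\n")
    os.chmod(path, 0o400)

    env_container = start_container_env("constructed-v1")
    rotate_secret_file(path, b"constructed-v2\n")   # the orchestrator rotates

    return {
        "env_var_sees": env_container["DB_PASSWORD"],   # stale until restart
        "file_sees": read_secret_file(path).decode(),    # picks up new value
        "mode": oct(os.stat(path).st_mode & 0o777),
        "leftover_tmp": [n for n in os.listdir(mount) if n.startswith(".tmp-")],
    }
```

A reader that caches the file contents at startup loses the benefit, so the read-on-use pattern is the part to keep.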


OpenShift


■ As Kubernetes, but with namespaced projects & RBAC


DC/OS


■ Encrypted in ZooKeeper
■ Access control by service path
■ Env vars
■ Restart service to update value


Rancher


■ Experimental secrets support


Nomad


■ Integrated with Vault
  ■ Tasks get tokens so they can retrieve values from Vault
■ Poll for changed values
■ Access control


Aqua secrets


■ Any orchestrator
■ Secrets encrypted in Vault, Amazon KMS or Aqua DB
■ Env vars injected into container process memory
■ Secret can be injected to a tempfs filesystem
■ Supports updating secrets without restart of container
■ Supports monitoring of secret usage
■ Limit access to designated containers

Summary


Secrets decisions


Your best option depends on
■ choice of orchestrator
■ acceptable level of risk

Aqua White Paper on secrets management coming very soon


Questions? Liz Rice

@LizRice | @AquaSecTeam