London HUG 14/3

Post on 12-Apr-2017


Copyright @ 2016 Aqua Security Software Ltd. All Rights Reserved.

Who’s Keeping your Secrets?
Amir Jerbi, CTO and co-founder
Aqua Security

2

DO YOU HAVE SECRETS?
- Encryption keys
- Database passwords
- SSH keys
- Cloud service tokens

3

SECRETS ARE HEAVILY USED IN CONTAINERS

4

AND SOMETIMES CAN BE USED INSECURELY…

5

PASSING SECRETS TO CONTAINERS – WRONG WAY
- Cleartext environment variables
- Mounted volumes
- Unauthenticated services (e.g. S3)
- Saving secrets into images (please don’t)

6

CAN EXPOSE SECRETS TO THE HOST
- “docker inspect …”
- /proc/<pid>/environ
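The two host-side views of a container's environment named on this slide are exactly what a defender can audit. The following is an added example, not part of the talk or Aqua's product: it parses `docker inspect` output (and, optionally, the NUL-separated bytes of /proc/<pid>/environ) and reports environment variables whose names look secret-bearing, with values masked. The name patterns and the sample container are constructed assumptions.

```python
import json
import re
import subprocess

# Heuristic list of variable names that usually carry credentials (assumption).
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)

def mask(value):
    """Keep only the first two characters so the report itself does not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def flag_env(env_lines):
    """Return [(name, masked_value)] for KEY=VALUE entries whose name looks secret-bearing."""
    hits = []
    for line in env_lines:
        name, sep, value = line.partition("=")
        if sep and value and SECRET_NAME.search(name):
            hits.append((name, mask(value)))
    return hits

def scan_inspect(inspect_json):
    """Parse `docker inspect` JSON (a list of containers) into {container_name: flagged entries}."""
    report = {}
    for c in json.loads(inspect_json):
        hits = flag_env(c.get("Config", {}).get("Env") or [])
        if hits:
            report[c.get("Name", c.get("Id", "?")).lstrip("/")] = hits
    return report

def scan_environ(raw):
    """Same check over the NUL-separated contents of /proc/<pid>/environ."""
    return flag_env(s.decode("utf-8", "replace") for s in raw.split(b"\0") if s)

# Constructed sample shaped like `docker inspect` output; not a real container.
SAMPLE_INSPECT = json.dumps([{
    "Id": "abc123", "Name": "/web", "State": {"Pid": 4242},
    "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2",
                       "AWS_SECRET_ACCESS_KEY=wJalr", "APP_MODE=prod"]},
}])

if __name__ == "__main__":
    try:  # Live run: inspect every running container on this host.
        ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
        out = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout if ids else "[]"
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_INSPECT  # no Docker available: fall back to the constructed sample
    for name, hits in scan_inspect(out).items():
        for var, masked in hits:
            print(f"{name}: {var}={masked}")
```

Any hit means the secret is readable by anyone with Docker socket access or root on the host, which is the exposure the next slides address.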

7

PASSING SECRETS IS NOT THE ONLY CHALLENGE…
- Controlling who can access a secret
- Monitoring secret usage
- Rotating secret values
- De-provisioning a secret

8

AVAILABLE SOLUTIONS
- Kubernetes Secrets: https://kubernetes.io/docs/user-guide/secrets/
- Docker Swarm Secrets: https://blog.docker.com/2017/02/docker-secrets-management/
- DC/OS Secrets: https://docs.mesosphere.com/1.8/administration/secrets/
- Keywhiz: https://github.com/square/keywhiz
- Hashicorp Vault: https://www.vaultproject.io/

See also: https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d#.86vfvlk1t

9

WHY HASHICORP VAULT?
- Purpose built for secrets
- Key rolling
- Comprehensive access control
- Expiration policies
- Extendable
- Easy to integrate

10

CASE STUDY: AQUA SECURITY INTEGRATION WITH HASHICORP VAULT

Solution highlights
- Central management
- Secrets are never persisted to disk outside of Vault
- Secured communications

Diagram: Host 1, Host 2, Command Center, Hashicorp Vault

11

SECRETS ARE INJECTED INTO CONTAINERS
- Through environment variables
- Or tmpfs mounted volume

12

SECRET ACCESS CONTROL
- Control user and group access to secrets

13

USAGE TRACKING
- Track which containers are using secrets

14

SECRET ROTATION & REVOCATION
- Container secrets can be updated in runtime
- No need to restart container
- Deleting a secret removes it from all running containers

Q&A