Using Puppet With A Secrets Server
8 October 2015
Uploaded by conjurinc, 20 January 2017 (Category: Technology)
© 2015 Conjur. All rights reserved.
Hi!
@KingOAuth
Agenda
• Why Deploy a Secrets Server?
• Secrets Management Best Practices
• Puppet & Secrets Walkthrough
WHY DEPLOY A SECRETS SERVER?
Why Deploy A Secrets Server?
Because you need to:
• Store
• Manage
• Distribute
Secrets such as:
• SSL Certificates
• App/DB Passwords
• API Keys
• Dynamic Credentials
Core Components of a Secrets Server
• End to End Encryption
• RBAC for People, Machines, and Code
• Self Auditing
• Fully Programmable with Fine Granularity
• Highly Available Across Any Cloud
SECRETS MANAGEMENT BEST PRACTICES
Secrets Management Best Practices
1. Define A Policy
2. Get Your Secrets Into Source Control
3. Create Host Factories
4. Increase Velocity
5. Orchestrate with the DevOps Tool Chain
Secrets Management Best Practices
1. Define A Policy
– Policy defines the security rules for the infrastructure, in code.
• Which people and machines are allowed/denied?
• Which credentials will they require?
• Which services are allowed to talk to each other?
Secrets Management Best Practices
2. Get Your Secrets INTO Source Control
– secrets.yml
• http://conjurinc.github.io/summon/
– Ability to rotate keys on-demand
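As an added example (not a slide from the deck), this is a secrets.yml in the format the linked summon tool reads. What gets committed is only the mapping from environment variable names to secret identifiers in the secrets server; the values themselves never touch the repository, so rotating a key is a change on the server, not a commit. The identifiers (prod/webapp/...) are constructed placeholders.

```yaml
# secrets.yml (added example; the identifiers are constructed placeholders)
# Committed next to the application. It names secrets, it does not contain
# them: summon resolves each !var at run time through a provider and injects
# the value as an environment variable into the child process only.
DB_PASSWORD: !var prod/webapp/db/password
API_KEY: !var prod/webapp/partner/api_key
# !var:file writes the value to a temporary file that is removed when the
# process exits and exports the file's path instead of its contents, which
# suits private keys and certificates that a daemon expects to read from disk.
SSL_KEY: !var:file prod/webapp/tls/private_key
```

With the file in the working directory the application is started as `summon -p conjur ./start-app`; the secrets exist only in the environment of that process, never in a shell history, a manifest or a committed file.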
Secrets Management Best Practices
3. Create Host Factories
– A mechanism for “lifting” a new host (machine, container, or PaaS application) into a privileged computing role.
– Key component to delivering securely at speed
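The "Define A Policy" and "Create Host Factories" slides above can be shown in one policy file. This is an added example, not from the deck, written in the YAML policy language of today's open-source Conjur (the 2015 format shown in the talk may differ), and every name in it is constructed: it declares the people, the machine role, the credentials each may use, and the host factory that enrols new nodes into that role.

```yaml
# Added example (not from the deck): a Conjur policy in the YAML policy
# language used by today's open-source Conjur. All names are constructed.
- !policy
  id: webapp
  body:
  # The credentials the service will require. Only identifiers live in the
  # policy; the values are loaded into the server through a separate channel.
  - !variable db/password
  - !variable partner/api_key

  # People: an ops group that administers these secrets.
  - !group ops

  # Machines: a layer is the role that every webapp host joins. Permissions
  # attach to the layer, so adding or replacing a node never edits a grant.
  - !layer

  # Host factory: issues short-lived enrolment tokens that a provisioner such
  # as Puppet uses to create a host and drop it straight into the layer,
  # "lifting" the new machine into its role without a baked-in credential.
  - !host-factory
    layers: [ !layer ]

  # Least privilege for machines: hosts may read and fetch the two secrets
  # and nothing else.
  - !permit
    role: !layer
    privileges: [ read, execute ]
    resources:
    - !variable db/password
    - !variable partner/api_key

  # People may also rotate the values (update), which machines cannot.
  - !permit
    role: !group ops
    privileges: [ read, execute, update ]
    resources:
    - !variable db/password
    - !variable partner/api_key
```

Because the file is code, "which people and machines are allowed" is answered by a diff in source control rather than by inspecting a live system, and the host factory token can be scoped and expired independently of the node's eventual identity.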
Secrets Management Best Practices
4. Increase Velocity
– The goal is to deploy to production on-demand, so consider the tool chain as well.
– Frees up the Puppet Master from being a security choke point
Secrets Management Best Practices
5. Orchestrate with the DevOps Tool Chain
PUPPET & SECRETS WALKTHROUGH
Using Node-Side Secrets With Puppet
* Presented at PuppetCamp Boston, 2014.
Secrets In Manifests
Secrets in hiera
Encrypted hiera entries
Node-Obtained Secrets
Summary
THANK YOU!
www.conjur.net
@ConjurInc