TURTLES ALL THE WAY DOWN. Storing Secrets in the Cloud and in the Data Center

Size: px

Start display at page:

Download "TURTLES ALL THE WAY DOWN. Storing Secrets in the Cloud and in the Data Center"

Vernon Manning
6 years ago
Views:

1 TURTLES ALL THE WAY DOWN Storing Secrets in the Cloud and in the Data Center 1

2 INTRODUCTION Daniel Somerfield

3 TURTLES COMPANION SITE h:p://danielsomerfield.github.io/turtles 3

4 WHAT'S THE PROBLEM? We all have s We want to know they're safe And

5 WHAT'S THE PROBLEM? We need reliable, reproducible deployments

6 SETTING GOALS 6

7 WHAT GOOD LOOKS LIKE Security Goals Secrets are s AudiIng No reliance on heroes Standard pracices

8 WHAT DOES GOOD LOOK LIKE Automated Scales operaionally OperaDonal Goals

9 WHAT DOES GOOD LOOK LIKE It haz 2B EZ 2 uze!!!!

10 SEARCHING FOR THE ELUSIVE LAST TURTLE 10

11 THE FIRST TURTLE Does this sound familiar? Secrets in SCM Admins, admins everywhere CredenIal reuse Secrets are not really s

12 THE FIRST TURTLE Goals Encrypted s Controlled distribuion Secrets are automated

13 STRATEGIES application decryption orchestration server encrypted encrypted operational compartmentalization application deployment deployment encrypted plaintext target application encrypted store artifact repo encrypted store orchestrator decryption orchestration server orchestration server secure channel plaintext encrypted plaintext orchestration server encrypted target application plaintext plaintext target application encrypted store

14 ORCHESTRATOR DECRYPTION orchestrator decryption encrypted secure channel plaintext plaintext orchestration server encrypted plaintext target application encrypted store

15 ORCHESTRATOR DECRYPTION Advantages Key management IntegraIon Disadvantages Exploit severity Secrets at rest One more turtle orchestrator decryption secure channel plaintext encrypted plaintext orchestration server encrypted plaintext target application encrypted store

16 APPLICATION DECRYPTION application decryption encrypted orchestration server encrypted encrypted plaintext target application encrypted store

17 APPLICATION DECRYPTION Advantages CompartmentalizaIon IntegraIon Disadvantages Key management Secrets at rest One more turtle application decryption encrypted orchestration server encrypted encrypted plaintext target application encrypted store

18 OPERATIONAL COMPARTMENTALIZATION operational compartmentalization application deployment deployment artifact repo encrypted store orchestration server orchestration server target application plaintext

19 ORGANIZATIONAL COMPARTMENTALIZATION Advantages Clear responsibiliies IntegraIon Disadvantages OrganizaIonal silos Lack of transparency operational compartmentalization application deployment deployment artifact repo encrypted store orchestration server orchestration server target application plaintext

20 TOOLS SCM encrypion OrchestraIon tools Secret service

21 SCM ENCRYPTION EncrypIon of enire SCM repo or individual items within them.

22 SCM ENCRYPTION IntegraIon SCM- based audit Strengths

23 SCM ENCRYPTION Secret rotaion support Data at rest AudiIng of usage More turtles Weaknesses

24 SCM ENCRYPTION TOOLS Blackbox GitCrypt Transcrypt

25 ORCHESTRATOR ENCRYPTION

26 ORCHESTRATOR ENCRYPTION AutomaIon Familiar workflow Strengths

27 ORCHESTRATION ENCRYPTION Weaknesses Similar to SCM encrypion, plus: Vendor lock- in Another turtle

28 ORCHESTRATION ENCRYPTION TOOLS hiera- eyaml Blackbox Chef Chef Vault Ansible Vault

29 TOOLS SCM encrypion OrchestraIon tools Secret service

30 THE SECOND TURTLE Key RotaIon Limit s at rest Goals

31 PULLING application-pull plaintext target application secure channel encrypted plaintext server encrypted store

32 SECRET SERVICES A separate endpoint providing s on demand over a secure channel.

33 SECRETS SERVICES Strengths Minimizes at rest Facilitates rotaion CompartmentalizaIon Ephemeral credenials Access policies AudiIng

34 SECRETS AS A SERVICE Weaknesses AdopIon Single point of failure Few opions One more turtle

35 SECRETS AS A SERVICE HashiCorp Vault Square KeyWhiz

36 TOOLS SCM encrypion OrchestraIon tools Secret service

37 THE THIRD TURTLE Goals Ephemeral credenials Instances without remote access Immutable infrastructure CredenIal- less architecture

38 TOOLS OrchestraIon tools Secret service???

39 FINAL THOUGHTS 39

40 THE BIG PICTURE build server orchestration server 1. publishes artifact 2. push orchestration package public key encrypted store artifact repo 3. download app package orchestration 4. download package 5. decrypt 6. start application application 7. delete private key

41 IN CLOSING So how do you find the last turtle? - TacIcal human intervenion - Audit - Automate - Evolve

42 Q & A Daniel Somerfield daniel.somerfield@thoughtworks.com h:p://danielsomerfield.github.io/turtles

Secrets at Scale Automated Bootstrapping of Secrets and Identity in the Cloud. Ian January 30, 2017

Secrets at Scale Automated Bootstrapping of Secrets and Identity in the Cloud Ian Haken @ianhaken January 30, 2017 The Problem With Secrets AES HSM JKS Where do I put my secret? Secrets at Scale TLS/HTTPS