Secrets at Scale Automated Bootstrapping of Secrets and Identity in the Cloud. Ian January 30, 2017

Transcription:

Secrets at Scale Automated Bootstrapping of Secrets and Identity in the Cloud Ian Haken @ianhaken January 30, 2017

The Problem With Secrets
AES? HSM? JKS? Where do I put my secret?

Secrets at Scale
- TLS/HTTPS certificate private keys
- RDS passwords
- HMAC keys
- Encryption keys for credit card data, personally identifiable information, etc.
- Third-party API credentials
Basically, anything your application needs to start up or be functional.

Secrets at Scale
Services at Netflix are:
- Autoscaling
- Ephemeral
- Self-healing

Naive Solutions
- Manually copy a secret/config file after the instance is booted? No way to scale!
- Just encrypt the secrets? How do instances get the decryption key?
- Host the secret somewhere at a hidden URL? Now that hidden URL is a secret that needs to be protected.
Most solutions just change what secret you're protecting. And if you protect one secret with another secret... it's turtles all the way down.

Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center (Daniel Somerfield, ThoughtWorks, AppSec USA 2015)
- Encrypted secrets in source: Blackbox, GitCrypt, Transcrypt
- Secrets managed by orchestration tools: Chef Vault, Ansible Vault
- Secrets fetched from a Secret Service: Hashicorp Vault, Square Keywhiz
"Before performing any operation with Vault, the connecting client must be authenticated. It is important to understand that authentication works by verifying your identity and then generating a token to associate with that identity."

The Identity Problem
Traditional remote authentication schemes:
- Username and password
- Client token / secret
- HMAC with an authentication token
- TLS certificate and private key
All these schemes involve proving possession of a secret... making this turtle n+1.
(Diagram: PCI Encryption Key, HSM Password, Keystore Password, SS Token)

Solving the secret storage problem means we need to solve the bootstrap identity problem.

Why Not IP For Identity?
(Diagram: 192.168.0.101 and 192.168.0.102 behind a NAT, both seen as 10.0.1.12)
Addresses are reused behind NAT, and in virtualized environments they can be spoofed. See "VLAN hopping, ARP poisoning and Man-In-The-Middle Attacks in Virtualized Environments", Ronny L. Bull, Jeanna N. Matthews, Kaitlin A. Trumbull: https://media.defcon.org/def%20con%2024/def%20con%2024%20presentations/defcon-24-bull-matthews-trumbull-vlan-hopping-arp-mitm-in-virtualized-wp-updated.pdf

Remote Attestation
In the cloud, our provider knows what application images are running where. This means the cloud provider can facilitate remote attestation. In AWS, instances can request a metadata document signed by AWS. This document is unique to each EC2 instance that calls it and can be used to prove what code (AMI) is running.

Who Are You?
http://169.254.169.254/latest/dynamic/instance-identity

    {
      "document" : {
        "privateip" : "10.16.112.84",
        "region" : "us-east-1",
        "instanceid" : "i-1234567890",
        "accountid" : "123456789012",
        "imageid" : "ami-5fb8c835",
        "kernelid" : "aki-919dcaf8"
      },
      "signature" : "lyoyvbouyry9n..."
    }

    {
      "securitygroups" : { ... },
      "iamrole" : "test::creditcardsrv",
      "user-data" : { "appname" : "creditcardservice", ... }
    }

The cloud provider supplies a signed document which provides a cryptographic assertion of instance identity. Additional metadata APIs let us map this to an internal application name and other features.
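To make the attestation step concrete, here is an added example (not code from the talk or from Netflix) of the check a secret service would perform on the signed document before handing out anything: verify the provider's signature, then map the attested account and image id to an application name. It assumes the signature is RSA PKCS#1 v1.5 over SHA-256 of the raw document bytes, base64-encoded, and uses a locally generated key pair standing in for the provider's; the account id, image ids and application name are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Identity document fields the secret service inspects (lowercase keys as on the slide).
type IdentityDocument struct {
	InstanceID string `json:"instanceid"`
	AccountID  string `json:"accountid"`
	ImageID    string `json:"imageid"`
}

// Verify checks the provider's signature over the raw document bytes (assumed here to be
// RSA PKCS#1 v1.5 over SHA-256, base64-encoded) and then applies policy: only instances in
// trustedAccount may attest, and imageToApp maps each registered AMI id to its application.
func Verify(pub *rsa.PublicKey, rawDoc []byte, sigB64, trustedAccount string, imageToApp map[string]string) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256(rawDoc) // the signature covers the exact bytes the instance fetched
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("document was not signed by the provider: %w", err)
	}
	var doc IdentityDocument // parse only after the signature is known to be good
	if err := json.Unmarshal(rawDoc, &doc); err != nil {
		return "", err
	}
	if doc.AccountID != trustedAccount {
		return "", fmt.Errorf("account %q is not trusted", doc.AccountID)
	}
	if app, ok := imageToApp[doc.ImageID]; ok {
		return app, nil
	}
	return "", fmt.Errorf("image %q is not registered to any application", doc.ImageID)
}

// SignDocument stands in for the provider's signing step so the example runs offline (constructed).
func SignDocument(priv *rsa.PrivateKey, rawDoc []byte) (string, error) {
	digest := sha256.Sum256(rawDoc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}
```

Any change to the document after signing, an unregistered image, or an account outside the allowlist is rejected before the instance learns anything about its secrets.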

The Developer Experience
The secret simply appears as a file under the application's working directory: $CWD/decrypted/mysecret.txt, i.e. /app_working_dir/decrypted/mysecret.txt

Universal Identity

    Certificate:
        Data:
            Issuer: CN = Secret Service CA
            Subject: CN = creditcardservice
            ...

    Certificate:
        Data:
            Issuer: CN = Secret Service CA
            Subject: CN = userbillingservice
            ...

The Last Turtle
With these tools, we've accomplished our goals:
- Applications can get their secrets automatically
- Only applications ever see their secrets
Except... how does the secret server come up?
(Diagram: PCI Encryption Key, HSM Password, Keystore Password)

The Last Turtle
(Diagram: PCI Encryption Key, HSM Password, Keystore Password)

Summary
Solving the secret storage problem meant that we had to solve the problem of bootstrapping identity as applications start up. But as a bonus, this identity is re-usable throughout the ecosystem. The Secret Service itself is also a Secret Service client and uses it to bootstrap its own master key. This makes the end-to-end solution auto-scalable and self-healing! We now have a clear, simple answer to the question "Where do I put my secret?": put it in the secret service... and it will automatically show up on your application's disk.

Questions? Twitter: @ianhaken ihaken@netflix.com