Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Your secret's safe with me
Liz Rice
@LizRice | @AquaSecTeam
Secrets
Desirable security features for container secrets
- Encrypted
  - At rest and in transit
  - Only decrypted in memory
- Access control
  - Only accessible by containers that need them
- Life-cycle
  - Rotation, revocation, audit logging
Secret life-cycle
- Risk of leak increases over time
  - Exploit
  - Bad actor
  - Accidental logging
- Change secret values (rotation)
- Token lifetime & use limit
Tokens all the way down
- If your secret is in a secret store, how do you get access?
- How do you keep the access token secret?
xkcd.com/1416
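The usual answer to "how do you keep the access token secret" is to make the token not worth stealing: it is short-lived and can only be redeemed a bounded number of times, so a copy that leaks after use is worthless and a copy that is used before the legitimate consumer shows up as a failed redemption. The following is an added example, not code from the talk or from any product it mentions; the SecretStore, its token format and its API are hypothetical stand-ins for what a real store such as Vault does with wrapping tokens.

```python
"""Access tokens with a lifetime, a use limit, revocation and an audit trail.

Added illustration: a toy in-memory secret store. SecretStore, _Grant and
TokenError are hypothetical names; real stores differ in format and API.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


class TokenError(Exception):
    """Raised when a token is unknown, expired, exhausted or revoked."""


@dataclass
class _Grant:
    secret_name: str
    expires_at: float
    uses_left: int
    revoked: bool = False
    audit: list = field(default_factory=list)   # (timestamp, event) pairs


class SecretStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._secrets = {}           # name -> value, held in memory only
        self._grants = {}            # token -> _Grant

    def put(self, name, value):
        self._secrets[name] = value

    def issue_token(self, secret_name, ttl_seconds, max_uses=1):
        """Mint a random token that fetches one secret at most max_uses times within ttl."""
        if secret_name not in self._secrets:
            raise KeyError(secret_name)
        token = secrets.token_urlsafe(32)
        self._grants[token] = _Grant(secret_name, self._clock() + ttl_seconds, max_uses)
        return token

    def redeem(self, token):
        """Exchange a token for the secret value, enforcing revocation, TTL and use limit."""
        grant = self._lookup(token)
        now = self._clock()
        if grant.revoked:
            grant.audit.append((now, "denied: revoked"))
            raise TokenError("token revoked")
        if now > grant.expires_at:
            grant.audit.append((now, "denied: expired"))
            raise TokenError("token expired")
        if grant.uses_left <= 0:
            grant.audit.append((now, "denied: use limit reached"))
            raise TokenError("token already used")
        grant.uses_left -= 1
        grant.audit.append((now, "redeemed"))
        return self._secrets[grant.secret_name]

    def revoke(self, token):
        self._lookup(token).revoked = True

    def audit_log(self, token):
        return list(self._lookup(token).audit)

    def _lookup(self, token):
        # Constant-time comparison so a guessed token is not confirmed via timing.
        for candidate, grant in self._grants.items():
            if hmac.compare_digest(candidate.encode(), token.encode()):
                return grant
        raise TokenError("unknown token")


def demo():
    """Single-use token: the intended consumer succeeds, a replay fails, a late use fails."""
    now = [1000.0]                                    # fake clock, constructed for the demo
    store = SecretStore(clock=lambda: now[0])
    store.put("db-password", "correct horse battery staple")
    token = store.issue_token("db-password", ttl_seconds=60, max_uses=1)
    first = store.redeem(token)                       # the container the token was issued to
    try:
        store.redeem(token)                           # replay by whoever copied the token
        second = "leaked"
    except TokenError as err:
        second = str(err)
    late = store.issue_token("db-password", ttl_seconds=60)
    now[0] += 61                                      # nobody redeemed it in time
    try:
        store.redeem(late)
        expired = "leaked"
    except TokenError as err:
        expired = str(err)
    return first, second, expired


if __name__ == "__main__":
    print(demo())
```

The interesting failure mode is the other order: if a thief redeems first, the legitimate container's redemption raises "token already used", which is the signal to revoke and investigate rather than silently retry.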
Passing secrets to containers
Bad places for secrets
- Source code
- Dockerfiles / images
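A secret that goes into a Dockerfile ends up in image metadata (ENV) or in a layer (COPY, and the arguments of RUN), where `docker history` and `docker inspect` show it to anyone who can pull the image; deleting the file in a later layer does not remove it from the earlier one. The scanner below is an added example, not part of the talk; the Dockerfile it scans is constructed for the demo, and the name patterns are a starting point rather than a complete list.

```python
"""Flag the common ways secrets get baked into an image via the Dockerfile.

Added illustration, not from the talk. scan_dockerfile, parse_dockerfile and
the regexes are hypothetical names chosen here; DOCKERFILE is constructed input.
"""
import re

SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
SENSITIVE_PATH = re.compile(
    r"(\.env\b|id_(rsa|ed25519|ecdsa)|\.pem\b|\.p12\b|\.npmrc|\.netrc|\.aws/credentials|\.docker/config\.json)",
    re.I,
)
CREDENTIAL_URL = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

DOCKERFILE = """\
FROM python:3.11-slim
ARG NPM_TOKEN
ENV DB_PASSWORD=hunter2 \\
    APP_ENV=production
COPY id_rsa /root/.ssh/id_rsa
RUN git clone https://deploy:s3cr3t@example.com/repo.git /app \\
 && rm /root/.ssh/id_rsa
COPY . /app
CMD ["python", "/app/main.py"]
"""


def parse_dockerfile(text):
    """Yield (line_no, INSTRUCTION, args) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        joined, first = " ".join(buf), start
        buf, start = [], None
        parts = joined.split(None, 1)
        yield first, parts[0].upper(), parts[1] if len(parts) > 1 else ""


def scan_dockerfile(text):
    """Return (line_no, instruction, reason) for each suspicious instruction."""
    findings, copied = [], []
    for n, instr, args in parse_dockerfile(text):
        if instr in ("ENV", "ARG"):
            # Keys are the words that precede '=' or whitespace; ENV allows several per line.
            for name in re.findall(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)(?==|\s|$)", args):
                if SECRET_NAME.search(name):
                    findings.append((n, instr, f"{name} recorded in image metadata/history"))
        elif instr in ("COPY", "ADD"):
            for src in args.split()[:-1]:            # last token is the destination
                if SENSITIVE_PATH.search(src):
                    findings.append((n, instr, f"{src} stored in a layer"))
                    copied.append(src.rsplit("/", 1)[-1])
        elif instr == "RUN":
            if CREDENTIAL_URL.search(args):
                findings.append((n, instr, "credentials embedded in a URL"))
            for name in copied:
                if re.search(rf"\brm\b[^&|;]*{re.escape(name)}", args):
                    findings.append((n, instr, f"rm {name} does not remove it from the earlier layer"))
    return findings


if __name__ == "__main__":
    for line_no, instr, reason in scan_dockerfile(DOCKERFILE):
        print(f"line {line_no}: {instr}: {reason}")
```

The ARG finding is deliberate even though no default value is given: the value passed with `--build-arg` is recorded in the history of the RUN layers that follow it.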
Environment variables
docker run -e VARNAME=secret ...
Mounted volume
docker run -v /hostsecrets:/secrets ...
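Why an environment variable is a bad place for a secret is easiest to see from inside the process: every child process inherits it, any handler that dumps the environment for "context" writes it to a log, and the environment block the process started with stays readable from /proc/<pid>/environ (which is also what `docker inspect` reports for `-e`). The script below is an added example, not from the talk; the variable name and value are constructed, and `scrub` is a hypothetical name for the common mitigation of reading the value once and unsetting it.

```python
"""Three ways an environment-variable secret escapes, and what unsetting it does and does not fix.

Added illustration, not from the talk. DEMO_DB_PASSWORD and its value are constructed.
"""
import os
import subprocess
import sys


def child_sees(name):
    """Spawn a child, as any shell-out, plugin or crash reporter would, and return
    what it reads for the variable: the environment is inherited by default."""
    proc = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ.get({name!r}, ''))"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def crash_report_leaks(value):
    """Typical error handler that dumps os.environ; the report lands in logs and tickets."""
    report = "\n".join(f"{k}={v}" for k, v in sorted(os.environ.items()))
    return value in report


def visible_in_proc_environ(name, value):
    """Linux only: start a child with the secret in its environment and read it back from
    /proc/<pid>/environ, which anyone with ptrace access (same uid, or root on the host)
    can do. Returns None where /proc is unavailable or access is denied."""
    env = dict(os.environ, **{name: value})
    child = subprocess.Popen([sys.executable, "-c", "import sys; sys.stdin.read()"],
                             stdin=subprocess.PIPE, env=env)
    try:
        with open(f"/proc/{child.pid}/environ", "rb") as fh:
            return f"{name}={value}".encode() in fh.read()
    except OSError:
        return None
    finally:
        child.stdin.close()
        child.wait()


def scrub(name):
    """Read the value once into memory and unset it, so later children and dumps do not see it.
    Caveat: /proc/<pid>/environ reflects the initial environment block, which unsetenv() does
    not rewrite, so the original value remains readable there for the life of the process."""
    return os.environ.pop(name)


def demo(name="DEMO_DB_PASSWORD", value="hunter2-constructed"):
    os.environ[name] = value                       # what `docker run -e NAME=value` produces
    before = {"child": child_sees(name) == value, "crash_report": crash_report_leaks(value)}
    scrub(name)
    after = {"child": child_sees(name) == value, "crash_report": crash_report_leaks(value)}
    return before, after


if __name__ == "__main__":
    print("before/after scrub:", demo())
    print("readable via /proc/<pid>/environ:", visible_in_proc_environ("DEMO_DB_PASSWORD", "x"))
```

A bind-mounted host directory, as on the previous slide, has the mirror-image problem: the secret no longer leaks through the process environment, but it now lives on the host's disk where every container and every host process with the right permissions can read it.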
Orchestrator support for secrets
Docker Swarm
- Secrets support built in
- Mounted into the container on a temporary (tmpfs) filesystem under /run/secrets
- Encrypted transmission with mutual authentication
- Files, not env vars
- Secrets are immutable: to change a value, create a new secret and update the service, which redeploys its tasks
- RBAC in Enterprise Edition
Kubernetes
- Stored unencrypted in etcd (base64 is encoding, not encryption)
- HTTP in transit by default
- Files and env vars
  - Files support updating secret values
  - Need to restart pod to get new env var value
- Files are mounted via the node's filesystem (a tmpfs on the node), so root on the node can read them
- RBAC can be turned on: --authorization-mode=RBAC
OpenShift
- As Kubernetes, but with namespaced projects & RBAC
DC/OS
- Encrypted in ZooKeeper
- Access control by service path
- Env vars
- Restart service to update value
Rancher
- Experimental secrets support
Nomad
- Integrated with Vault
- Tasks get tokens so they can retrieve values from Vault
- Poll for changed values
- Access control
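The Kubernetes and Nomad slides both turn on the same point: a secret delivered as a file can be rotated under a running process (Kubernetes rewrites the mounted file; a Nomad task polls for changes), whereas an environment variable is a snapshot taken at process start and only a restart picks up the new value. The following is an added example, not from the talk or either project; it simulates the tmpfs mount with a temporary directory, and FileSecret, EnvSecret and rotate are hypothetical names.

```python
"""Rotation without restart: a file-backed secret re-read on change vs an env-var snapshot.

Added illustration, not project code. The temporary directory stands in for the
orchestrator's tmpfs mount, and rotate() stands in for the orchestrator updating it.
"""
import os
import tempfile


class FileSecret:
    """Secret delivered as a file; re-read whenever the file is replaced.
    stat() follows symlinks, so this also catches the symlink swap Kubernetes uses."""

    def __init__(self, path):
        self.path = path
        self._stamp = None
        self._value = None

    def get(self):
        st = os.stat(self.path)
        stamp = (st.st_ino, st.st_mtime_ns, st.st_size)   # inode changes on atomic replace
        if stamp != self._stamp:
            with open(self.path, "rb") as fh:
                self._value = fh.read().rstrip(b"\n")
            self._stamp = stamp
        return self._value


class EnvSecret:
    """Secret delivered as an environment variable: fixed for the life of the process."""

    def __init__(self, name):
        self._value = os.environ[name].encode()            # captured once at startup

    def get(self):
        return self._value


def rotate(path, new_value):
    """Write the new value with owner-only permissions to a temp file, then rename it over
    the old one, so a concurrent reader sees either the old or the new value, never a
    half-written file."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
    with os.fdopen(fd, "wb") as fh:
        fh.write(new_value)
    os.replace(tmp, path)


def demo():
    """Returns ((file, env) before rotation, (file, env) after rotation)."""
    with tempfile.TemporaryDirectory() as mount:           # stands in for the tmpfs mount
        path = os.path.join(mount, "db-password")
        rotate(path, b"v1-constructed")
        os.environ["DB_PASSWORD"] = "v1-constructed"       # same value handed out as an env var
        file_secret, env_secret = FileSecret(path), EnvSecret("DB_PASSWORD")
        first = (file_secret.get(), env_secret.get())
        rotate(path, b"v2-constructed")                    # secret store / orchestrator rotates
        second = (file_secret.get(), env_secret.get())
        return first, second


if __name__ == "__main__":
    print(demo())
```

In a real service the `get()` call sits on the hot path (polled on each connection or on a timer), and the old value stays valid for a grace period so in-flight requests do not fail the moment the file changes.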
Aqua secrets
- Any orchestrator
- Secrets encrypted in Vault, Amazon KMS or Aqua DB
- Env vars injected into container process memory
- Secret can be injected to a tmpfs filesystem
- Supports updating secrets without restart of container
- Supports monitoring of secret usage
- Limit access to designated containers
Summary
Secrets decisions
Your best option depends on
- choice of orchestrator
- acceptable level of risk
Aqua White Paper on secrets management coming very soon
Questions?
Liz Rice