your secret's safe with me
Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Your secret's safe with me
Liz Rice
@LizRice | @AquaSecTeam
Secrets
Desirable security features for container secrets
■ Encrypted
  ■ At rest and in transit
  ■ Only decrypted in memory
■ Access control
  ■ Only accessible by containers that need them
■ Life-cycle
  ■ Rotation, revocation, audit logging
Secret life-cycle
■ Risk of leak increases over time
  ■ Exploit
  ■ Bad actor
  ■ Accidental logging
■ Change secret values ("rotation")
■ Token lifetime and use limit
Tokens all the way down
■ If your secret is in a secret store, how do you get access?
■ How do you keep the access token secret?
xkcd.com/1416
Passing secrets to containers
Bad places for secrets
■ Source code
■ Dockerfiles / images
Environment variables
docker run -e VARNAME=secret ...
■ Visible to every child process, in docker inspect, and in /proc/<pid>/environ on the host
Mounted volume
docker run -v /hostsecrets:/secrets ...
■ Plain-text files on the host filesystem, readable by anyone with host access
Orchestrator support for secrets
Docker Swarm
■ Secrets support built in
  ■ Mounted into the container on a temporary (tmpfs) filesystem
  ■ Encrypted transmission with mutual authentication
■ Files, not env vars
■ Restart the service to change a secret value
■ RBAC in Enterprise Edition
Kubernetes
■ Stored unencrypted in etcd (base64-encoded, which is not encryption)
■ HTTP in transit by default
■ Files and env vars
  ■ Files: the mounted value is updated when the Secret changes (subPath mounts excepted)
  ■ Env vars: the pod must be restarted to pick up a new value
■ Secret files are written by the kubelet onto the node (tmpfs), so node access exposes them
■ RBAC can be turned on with --authorization-mode=RBAC
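As an added illustration of the points above (not from the slides or the Kubernetes project), the script below emits three manifests as text and checks the "unencrypted" claim offline: the Secret's data field is plain base64, so anyone who can `kubectl get secret -o yaml` or read etcd recovers the value with `base64 -d`. It also shows a Pod consuming the secret as a read-only tmpfs file rather than an env var, and a Role that lets one service account `get` only that one Secret. The names (namespace `app`, secret `db-creds`, service account `app-sa`) and the password are made up; the RBAC API group is `v1` (clusters of the 2017 era used `v1beta1`).

```shell
#!/bin/sh
# Added example, not from the slides or the Kubernetes project. Emits manifests
# as text and decodes the secret locally; nothing here talks to a cluster.
# Names (app, db-creds, app-sa) and the password are constructed for the demo.

DEMO_PASSWORD='hunter2'   # constructed sample value

# The Secret object as `kubectl get secret db-creds -o yaml` would show it.
# `data` is base64, not ciphertext: etcd stores exactly this.
secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: app
type: Opaque
data:
  password: $(printf '%s' "$DEMO_PASSWORD" | base64)
EOF
}

# Recover the plaintext from the manifest the way anyone with read access would.
decode_password_from_manifest() {
  secret_manifest | sed -n 's/^  password: //p' | base64 -d
}

# Pod that mounts the secret as a file (tmpfs on the node, read-only, owner-only
# mode) instead of an env var. The kubelet refreshes the file when the Secret
# changes, except for subPath mounts; an env var would need a pod restart.
pod_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  serviceAccountName: app-sa
  containers:
  - name: app
    image: example/app:1.0
    volumeMounts:
    - name: db-creds
      mountPath: /run/secrets/db
      readOnly: true
  volumes:
  - name: db-creds
    secret:
      secretName: db-creds
      defaultMode: 0400
EOF
}

# With --authorization-mode=RBAC, this Role lets app-sa read db-creds through the
# API and nothing else in the namespace. Without resourceNames, "get secrets"
# in a namespace reads every secret in it.
rbac_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-creds
  namespace: app
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-creds"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-reads-db-creds
  namespace: app
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: app
roleRef:
  kind: Role
  name: read-db-creds
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Stand-alone run: shows that base64 "protection" is undone in one command.
printf 'stored in etcd as: %s\n' "$(secret_manifest | sed -n 's/^  password: //p')"
printf 'decoded:           %s\n' "$(decode_password_from_manifest)"
```

One caveat the Role does not cover: a secret volume is fetched by the kubelet, not by the pod's service account, so any pod created in namespace `app` can mount `db-creds` regardless of this binding. RBAC here limits who can read the Secret through the API and who can create pods in the namespace; namespace boundaries, not the Role, decide which containers can mount it.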
OpenShift
■ As Kubernetes, but with namespaced projects & RBAC
DC/OS
■ Encrypted in ZooKeeper
■ Access control by service path
■ Env vars
■ Restart the service to update a value
Rancher
■ Experimental secrets support
Nomad
■ Integrated with Vault
  ■ Tasks get tokens so they can retrieve values from Vault
■ Poll for changed values
■ Access control
Aqua secrets
■ Any orchestrator
■ Secrets encrypted in Vault, Amazon KMS or the Aqua DB
■ Env vars injected directly into the container process's memory
■ Secrets can also be injected into a tmpfs filesystem
■ Supports updating secrets without restarting the container
■ Supports monitoring of secret usage
■ Limits access to designated containers
Summary
Secrets decisions
Your best option depends on
■ choice of orchestrator
■ acceptable level of risk
Aqua white paper on secrets management coming very soon
Questions?
Liz Rice