[email protected] @tmclaughbos
Iterative Security: Secrets Management
When You’re Not Ready For Vault
Who is this guy up here? His headshot is lasers and a cat
I’m Tom!
• Community Engineer at CloudZero
• Previously infrastructure engineer with a focus on automation.
Background & Biases: Engineering is just a title
We have all this technology! So why do these problems still exist?
Security things you in ops might end up responsible for
• Access controls
  • How much is too much access?
• Password policies
  • How often should I force password rotation?
  • Wait, NIST has changed their recommendation? Don’t force rotation?
• Patching
  • Do I patch immediately on every vendor release or test first?
• and more…
Iterative Security
Starting and progressively improving your security stance
Things we don’t get excited about with security
Not leaving MongoDB exposed to the internet with weak credentials
Not leaving Elasticsearch exposed to the internet with weak credentials
Many of us focus on the wrong things
http://www.littlebobbycomic.com/projects/week-115/
What we should be teaching
• What are you trying to do?
• Where do you start?
• How do you progress?
USB sticks are a bigger threat than the man in the ceiling
What are we trying to protect?
• Intellectual property
• Customer data (data about who our customers are)
• Customer’s data (data from our customers)
• etc.
Identify threats
• Exposed network ports (network)
• Unpatched EC2 instances (host)
• Weak secrets management (application)
• User submitted data (application)
• etc.
Document Threats
• Weak password management
  • At two points in our infrastructure we’re not managing passwords
  • Both points involve highly valuable assets
  • Breach would be bad
    • Reputation loss -> customer loss
    • Data could be leveraged against our customers
Rate Threats
• D: Damage potential
• R: Reproducibility
• E: Exploitability
• A: Affected users
• D: Discoverability
https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
Rate Threats
• D: Disaster if this is found (high)
• R: Easy to reproduce (high)
• E: Easy to exploit; requires existing access (medium)
• A: Affects all users (high)
• D: Not easy to find; users are hops away from issue (medium)
Constraints: Risk of failure
“It’s all code… We monitor it using Nagios.”
Constraints
• Time: Few days to a few weeks
  • The faster we get this done the more likely we will finish.
• Complexity: We’re going to go with what we know.
  • Less surprises.
  • Less to learn and get wrong.
• Risk: Taking only as much risk as we’re ready for.
  • We’re moving fast!
  • Let’s limit the failure blast radius
git-crypt
• Encrypts secrets directly in your repository
• Find secrets, rotate, and store them
https://github.com/AGWA/git-crypt
git-crypt
• Pro
  • You’ve done the exercise of auditing your code base
• Cons
  • Symmetric encryption
  • Everyone needs the master password
• TODO
  • Prevent key proliferation
  • Move to new secrets management when ready
Configuration Management: Puppet
• Hiera-eyaml: Encrypt values in your Hiera hierarchy
  • Can use public key encryption
  • Multiple backends
https://github.com/voxpupuli/hiera-eyaml
Configuration Management: Puppet
• Pros
  • You’ve centralized your secrets in one repo.
  • Public key encryption support
• Cons
  • May require manual intervention when rolling Puppetmasters.
  • May need to cleanup your Puppet code if you haven’t already moved to Hiera.
• TODO
  • Figure out master rekey strategy
Configuration Management: Ansible
• Ansible Vault: Encrypts entire var files in playbook
http://docs.ansible.com/ansible/playbooks_vault.html
Configuration Management: Ansible
• Pros
  • You’ve done the exercise of auditing your code base
• Cons
  • Symmetric encryption
  • Everyone needs the shared password
  • Key proliferation
• TODO
  • Preventing the proliferation of the Vault key
  • Rekeying and rolling secrets.
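As an added example (not from the talk, and not code from git-crypt, hiera-eyaml or Ansible), a small Python audit pass for the "find secrets" step that the git-crypt, hiera-eyaml and Ansible Vault slides all start from: it walks a constructed set of config files, skips files that are already encrypted as a whole, and flags secret-looking keys whose values are still plaintext. The key-name patterns, the one-key-per-line file layout and all sample contents are assumptions.

```python
import re

# Headers written by tools that encrypt a whole file; the slides discuss both.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"   # git-crypt encrypted-blob header
VAULT_HEADER = b"$ANSIBLE_VAULT;"      # Ansible Vault file header

# A secret-looking key at the start of a line, then ':' or '=' and a value.
# Assumption: YAML / ini / env style config with one key per line.
SECRET_KEY = re.compile(
    r"(?i)^\s*([\w.-]*(?:password|passwd|secret|api_key|token)[\w.-]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s#]+)"
)


def audit_content(data, path="<constructed>"):
    """Return (path, lineno, key, status) for each secret-looking key.

    status is 'encrypted' for a hiera-eyaml ENC[...] value and 'plaintext'
    otherwise. Files encrypted as a whole (git-crypt, Ansible Vault) yield
    nothing: there is no readable value to flag.
    """
    if data.startswith(GITCRYPT_MAGIC) or data.startswith(VAULT_HEADER):
        return []
    findings = []
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        status = "encrypted" if value.startswith("ENC[") else "plaintext"
        findings.append((path, lineno, key, status))
    return findings


def plaintext_findings(files):
    """files: {path: bytes}. Returns only the findings that need rotation."""
    return [f for path, data in files.items()
            for f in audit_content(data, path) if f[3] == "plaintext"]


# Constructed sample tree: a plaintext vars file, an eyaml file,
# an Ansible Vault file and a git-crypt blob (contents are made up).
SAMPLES = {
    "group_vars/all.yml": b"db_password: hunter2\napp_token: \"abc123\"\nregion: us-east-1\n",
    "hieradata/common.eyaml": b"db_password: ENC[PKCS7,MIIBeQYJ...constructed...]\n",
    "group_vars/vault.yml": b"$ANSIBLE_VAULT;1.1;AES256\n31323334\n",
    "secrets/app.key": GITCRYPT_MAGIC + b"\x00" * 16,
}

if __name__ == "__main__":
    for path, lineno, key, _ in plaintext_findings(SAMPLES):
        print(f"{path}:{lineno}: plaintext secret '{key}' -> rotate and encrypt")
```

Only the two keys in group_vars/all.yml are reported; the eyaml value and the two whole-file encrypted samples pass.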
S3 Buckets
• Sneaker
  • Encrypt, store, and retrieve secrets from S3.
https://github.com/codahale/sneaker
S3 Buckets
• Pros
  • Secrets no longer live in repos
  • Reduced secret proliferation
  • Secrets encrypted in S3.
• Cons
  • How are you managing S3 buckets?
• TODO
  • Manage your S3 buckets with CloudFormation, Terraform, etc.
Thank You!
http://strayc.at/feedback
Threat Modeling: startup edition
https://twitter.com/CommitStrip/status/876830310780071936
Threat Modeling: startup edition response
https://twitter.com/ErrataRob/status/876963608076439556
We know what not to do. We (think) we know where we want to be.
But we don’t know how to get there.