turtles all the way down - schedschd.ws/hosted_files/appsecusa2015/a5/turtles.pdf

Post on 22-May-2018


TRANSCRIPT

TURTLES  ALL  THE  WAY  DOWN

Storing  Secrets  in  the  Cloud  and  in  the  Data  Center


INTRODUCTION

Daniel  Somerfield  daniel.somerfield@thoughtworks.com

TURTLES  COMPANION  SITE

http://danielsomerfield.github.io/turtles


WHAT'S  THE  PROBLEM?

We  all  have  secrets  

We  want  to  know  they're  safe  

And…

WHAT'S  THE  PROBLEM?

We  need  reliable,  reproducible  deployments

SETTING  GOALS


WHAT  GOOD  LOOKS  LIKE

Security Goals
• Secrets are secrets
• Auditing
• No reliance on heroes
• Standard practices

WHAT  DOES  GOOD  LOOK  LIKE

Operational Goals
• Automated
• Scales operationally

It haz 2B EZ 2 uze!!!!


SEARCHING  FOR  THE  ELUSIVE  LAST  TURTLE


THE  FIRST  TURTLE

Does this sound familiar?
• Secrets in SCM
• Admins, admins everywhere
• Credential reuse
• Secrets are not really secrets

THE  FIRST  TURTLE

Goals
• Encrypted secrets
• Controlled distribution
• Secrets are automated

[Diagram: orchestrator decryption. The orchestration server pulls the encrypted secret from the encrypted store, decrypts it, and pushes the plaintext secret to the target application over a secure channel; plaintext exists on the orchestration server as well as on the target.]

[Diagram: application decryption. The orchestration server pushes the still-encrypted secret to the target application, which decrypts it locally; only the target application ever holds plaintext.]

STRATEGIES

[Diagram: the three strategies side by side, secret deployment, application deployment and operational compartmentalization, drawn over the same components: encrypted store, orchestration server, artifact repo, target application, plaintext secret.]

ORCHESTRATOR DECRYPTION

[Diagram: the orchestration server decrypts the secret from the encrypted store and pushes the plaintext secret to the target application over a secure channel; plaintext is present on both the orchestration server and the target.]

ORCHESTRATOR  DECRYPTION

Advantages
– Key management
– Integration

Disadvantages
– Exploit severity
– Secrets at rest
– One more turtle…

APPLICATION DECRYPTION

[Diagram: the orchestration server pushes the encrypted secret from the encrypted store to the target application, which decrypts it itself; plaintext is present only on the target.]

APPLICATION  DECRYPTION

Advantages
– Compartmentalization
– Integration

Disadvantages
– Key management
– Secrets at rest
– One more turtle…

OPERATIONAL COMPARTMENTALIZATION

[Diagram: secret deployment and application deployment as separate paths: the encrypted store feeds one orchestration server, the artifact repo feeds another, and only the target application brings the plaintext secret together with the application.]

ORGANIZATIONAL  COMPARTMENTALIZATION

Advantages
– Clear responsibilities
– Integration

Disadvantages
– Organizational silos
– Lack of transparency


TOOLS

SCM encryption

Orchestration tools

Secret  service

SCM  ENCRYPTION

Encryption of the entire SCM repo, or of individual items within it.

SCM  ENCRYPTION

Strengths
• Integration
• SCM-based audit

SCM  ENCRYPTION

Weaknesses
• Secret rotation support
• Data at rest
• Auditing of usage
• More turtles…

SCM  ENCRYPTION  TOOLS

Blackbox

GitCrypt

Transcrypt

ORCHESTRATOR ENCRYPTION

Strengths
• Automation
• Familiar workflow

ORCHESTRATION  ENCRYPTION

Weaknesses
• Similar to SCM encryption, plus:
• Vendor lock-in
• Another turtle…

ORCHESTRATION  ENCRYPTION  TOOLS

Chef  Vault

Ansible  Vault

Blackbox

Chef  

hiera-eyaml


THE  SECOND  TURTLE

Goals
• Key rotation
• Limit secrets at rest

PULLING

[Diagram: application pull. The secret server decrypts the secret from its encrypted store and serves the plaintext secret to the target application over a secure channel on request; the application holds the plaintext only after pulling it.]

SECRET  SERVICES

A separate endpoint providing secrets on demand over a secure channel.

SECRETS  SERVICES

Strengths
• Minimizes secrets at rest
• Facilitates rotation
• Compartmentalization
• Ephemeral credentials
• Access policies
• Auditing

SECRETS  AS  A  SERVICE

Weaknesses
• Adoption
• Single point of failure
• Few options
• One more turtle…

SECRETS  AS  A  SERVICE

HashiCorp  Vault

Square  KeyWhiz


THE  THIRD  TURTLE

Goals
• Ephemeral credentials
• Instances without remote access
• Immutable infrastructure
• Credential-less architecture

???


FINAL  THOUGHTS


THE BIG PICTURE

[Diagram: build server, artifact repo, orchestration server, secret store (holding the public-key-encrypted secret) and the target application host (holding the private key, the orchestration package and, between steps 5 and 7, the decrypted secret). The slides build the flow up one step at a time; after step 7 the plaintext secret disappears from the target host:]

1. publishes artifact
2. push orchestration package
3. download app package
4. download secret
5. decrypt secret
6. start application
7. delete secret
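The seven steps above as a runnable Go program, an added example that is not code from the talk and that also serves as the application-decryption strategy from the first turtle. It assumes in-memory maps for the artifact repo, the secret store and the host's disk, RSA-OAEP for the "public key encrypted" secret (the slides name no scheme), and constructed artifact and secret names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added example, not code from the talk. Names follow the "big picture"
// diagram. Assumptions: repo, store and the host's disk are in-memory values,
// and RSA-OAEP stands in for "public key encrypted" (the talk names no scheme).
// OrchestrationPackage is what the orchestration server pushes (step 2): names only, no plaintext.
type OrchestrationPackage struct{ ArtifactName, SecretName string }

type ArtifactRepo map[string][]byte // artifact repository
type SecretStore map[string][]byte  // secret store: ciphertext only

// StoreSecret encrypts a secret to the target host's public key. The secret name
// is the OAEP label, so a ciphertext presented under another name fails to decrypt.
func StoreSecret(store SecretStore, name string, pub *rsa.PublicKey, plaintext []byte) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, []byte(name))
	if err != nil {
		return err
	}
	store[name] = ct
	return nil
}

// Host is the target: a private key provisioned out of band (how is outside the
// diagram), the plaintext file on disk while one exists, and the process's copy.
type Host struct {
	priv       *rsa.PrivateKey
	SecretFile []byte // nil once step 7 has run
	secret     []byte // what the running application holds
}

// Deploy runs steps 3 to 7 on the host.
func (h *Host) Deploy(pkg OrchestrationPackage, repo ArtifactRepo, store SecretStore) error {
	if repo[pkg.ArtifactName] == nil { // 3. download app package
		return fmt.Errorf("artifact not in repo: %s", pkg.ArtifactName)
	}
	ct := store[pkg.SecretName] // 4. download secret: still ciphertext
	if ct == nil {
		return fmt.Errorf("secret not in store: %s", pkg.SecretName)
	}
	// 5. decrypt with the host's private key; ciphertext made for another key, or under another name, errors out
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, h.priv, ct, []byte(pkg.SecretName))
	if err != nil {
		return fmt.Errorf("decrypt %s: %w", pkg.SecretName, err)
	}
	h.SecretFile = pt                     // plaintext on disk only for the start window
	h.secret = append([]byte(nil), pt...) // 6. start application: it reads the file
	for i := range pt {                   // 7. delete secret: zero the buffer, remove the file
		pt[i] = 0
	}
	h.SecretFile = nil
	return nil
}

func (h *Host) Secret() string { return string(h.secret) }

// Constructed sample names and value.
const artifact, secretKey, password = "billing-1.4.2.tgz", "billing/db-password", "constructed-s3cr3t"

// RunExample wires steps 1 to 7 and returns the host and store for inspection.
func RunExample() (*Host, SecretStore, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	repo := ArtifactRepo{artifact: []byte("<constructed package bytes>")} // 1. publishes artifact
	store := SecretStore{}
	if err := StoreSecret(store, secretKey, &priv.PublicKey, []byte(password)); err != nil {
		return nil, nil, err
	}
	host := &Host{priv: priv}
	return host, store, host.Deploy(OrchestrationPackage{artifact, secretKey}, repo, store)
}

// DeployToOtherHost shows the compartmentalization claimed for application
// decryption: a host with a different key sees the same store but gets nothing.
func DeployToOtherHost(store SecretStore) error {
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	repo := ArtifactRepo{artifact: []byte("<constructed package bytes>")}
	return (&Host{priv: other}).Deploy(OrchestrationPackage{artifact, secretKey}, repo, store)
}

func main() {
	host, store, err := RunExample()
	if err != nil {
		panic(err)
	}
	fmt.Println("file left:", host.SecretFile != nil, "store has plaintext:", string(store[secretKey]) == password, "other host:", DeployToOtherHost(store))
}
```

The point of the layout is where plaintext can be found after deployment: not in the secret store, not on the orchestration server, not on the host's disk once step 7 has run, only in the running process. Under the orchestrator-decryption strategy the orchestration server would hold the private key or the plaintext instead, which is the "exploit severity" disadvantage the slides list for it. `DeployToOtherHost` shows the other half of the compartmentalization: the same package and store handed to a host with a different key yield a decryption error, not the secret.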

IN  CLOSING

So  how  do  you  find  the  last  turtle?  

- Tactical human intervention
- Audit
- Automate
- Evolve

Q  &  A

Daniel  Somerfield  daniel.somerfield@thoughtworks.com  

http://danielsomerfield.github.io/turtles
