2018 - Secure Configuration in the Cloud

Category: DevOps + Security

Abstract: While the pervasive use of PaaS for application deployment in the cloud has been a boon to businesses and developers, it has also introduced new challenges. Given the open, distributed and on-demand nature of DevOps, sensitive assets once well-guarded behind a corporate firewall could now be scattered in the cloud. Examples of such assets include database credentials, external service credentials, API tokens, and private keys for SSH, TLS, and VPN sessions. It is imperative to provide a secure and usable mechanism for protecting these assets at every stage of the deployment cycle. Insufficiently protected configuration secrets could result in pivoting and exfiltration of business-sensitive data, and do significant damage to the image as well as the financial bottom line of a company. Unfortunately, the high frequency of data breaches we hear about shows that security principles are not always followed.

Keeping in line with security recommendations, there is a need to have a strategy for sensitive configuration data management which simplifies the process of creation, renewal and expiration of secret data. Additional techniques include access control at every level (application/micro-service/host), usage audits, monitoring of secrets that lack adequate protection, and secure backups.

Various solutions are available in the market that address different aspects of configuration data protection. It is important to understand which aspect each solution addresses, and to know its strengths and weaknesses.

In this talk, we will provide an overview of various types of configuration secrets, and their lifecycles. We will also cover available solutions and show how they can protect these configuration secrets. In doing so we will build a list of do’s and don’ts that can serve as recommendations for cloud DevOps.

A rough outline of the talk is as follows:

- Introduction to ephemeral applications in the cloud
- Types of configuration data (passwords, keys, key stores, tokens – textual, file based)
- Configuration secret lifecycle
- What not to do (things to avoid)
- Solutions for protecting sensitive data (e.g. Kubernetes secrets, Keywhiz, HashiCorp Vault)
- Strengths and weaknesses of each solution
- Misconfiguration pitfalls
- Conclusion and Recommendations