Slides from Jeff Mitchell's talk "The Secure Introduction Problem: Getting Secrets Into Containers" at ContainerDays NYC 2016: http://dynamicinfradays.org/events/2016-nyc/programme.html#secrets
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Into Containers" (Jeff Mitchell)
1. Think Like a Vault Developer:
Secure Introduction & Containers
Jeff Mitchell
HashiCorp
@jefferai
2. â Understand basic tenets of security, as the Vault team
thinks about them
â Explore properties necessary for secret management and
(initial) secret distribution
Goals
3. â Understand basic tenets of security, as the Vault team
thinks about them
â Explore properties necessary for secret management and
(initial) secret distribution
Goals
BORING
4. â Applied security in action: secure introduction, response
wrapping and orchestrators
â Not a Nomad/Vault talk but will use these as examples
Goals
5. Non-Goals
â Discussion of crypto theory
â Crypto properties (algorithm selection, etc.) are important for
applied security
â Can stay high-level
â Comparison of container/hypervisor/OS security
â Letâs talk Linux/Docker
8. âSecurityâ
â Security is the practice of risk management
â Deciding which risks can be accepted and which cannot
â Guarding against violations of norms
â Risk increases with system complexity
â More points of failure, confusion, ingress and egress
10. âSecretâ
â A secret is something that will elevate your risk if exposed
to unauthorized entities
â Undesired consequences are harm
â Unauthorized data access
â Identity spoofing
â Private data egress
â Regulatory fines
11. Exposure
â An exposed secret
â Elevates risk
â May cause harm
â An exposed secret is a threat
12. Secrets vs. Identifiers
â Some things that can be disclosed are identifiers
â Username (identifier) vs. Password (secret)
â TLS certificate (identifier) vs. TLS key (secret)
â GitHub user name (identifier) vs. API key (secret)
â Identifiers arenât completely risk-free
â Have chosen to ignore that risk
13. What is âTrustâ?
â A trusted entity is one that will not divulge the secrets it
has access to
â Modeling trusted entities is a companion to modeling
threats
â Two concepts
14. Circle of Trust
Entities we trust with any secret. For this talk:
RAM
root
Secret
Management
ToolEmployees?
CPU
Cloud?
15. Circle of Trust
Things not in circle of trust:
Persistent
Storage
Random
Users
General
apps/services
NSA
Random
Wi-Fi Hotspot
Your Motherâs
Notepad.txt Employees?
CPU
Cloud?
RAM
root
Secret
Management
Tool
CPU
Cloud?
Employees?
16. Circle of Trust
Only allowed long-term storage is in circle of trust
Persistent
Storage
Random
Users
General
apps/services
NSA
Random
Wi-Fi Hotspot
Your Motherâs
Notepad.txt Employees?
CPU
Cloud?
RAM
root
Secret
Management
Tool
CPU
Cloud?
Employees?
17. Chain of Trust
â The set of links (e.g. network hops) that any particular
secret travels through from source entity A to destination
entity B
â Source/destination must be in circle of trust
18. Links
â Any link in a chain of trust is a potential access
point/interception point
â Accidental logging
â Exploitation by attacker
â Lookup by operator
â Conspiracy of One/Compromised employee
â Employee Post-Itâą
19. Problem Space
â We can now establish a problem space:
â Managing secrets in a given environment means establishing trust
chains in the environment
â Links in the chains have associated risk
â Minimize hops and minimize risk-per-link
20. Problem Space
â In other words: figuring out how to securely get a secret
from producer to consumer
21. Problem Space
â In other words: figuring out how to securely get a secret
from producer to consumer
DUH
22. Problem Space
â Thinking securely means you have to take the roundabout
approach
â Understanding trust, trust levels, and trust chains along the way is
incredibly important
â Only after understanding trust can you figure out where
and how to minimize risk
23. Problem Space
â Risk cannot be fully mitigated; must assume any given
secret will eventually be divulged
â Ultimate goal: zero trust
â Donât give the opportunity for risks to occur in the first place
29. Secret Protection
â Establishing a chain of trust requires defining the
requirements it must fulfill to keep secrets protected
â Good news: we (often) only need to do this for one secret!
â First secret authenticates us to allow direct access to more
30. Secure Introduction
â If you can protect this secret, you can protect any secret
â ...generally
â This concept is secure introduction (SI)
31. Secure Introduction
â How do you protect secrets (perform SI)?
â First: establish success criteria based on your
organizationâs acceptable risk
â Any given organization needs a security policy and associated
success criteria that meets their individual needs
34. Success Criteria
â The security properties that must be implemented/met to
implement the accepted security policy
â For secure introduction for this talk:
â Donât let them live forever (rotate/expire)
â Distribute them securely
â Limit exposure if disclosed
â Have a break-glass procedure
â Detect unauthorized access
35. Rotation/Expiration
â As lifetime increases, chance for exposure â â
â Caches/logs
â Cracked over time/enough packets (WPA-TKIP, RC4)
â Debugging
36. Rotation/Expiration
â Secrets should be rotated âfrequentlyâ and have lifetimes
as short as possible
â User passwords vs. machine secrets
â xkcdâs ______ ______ ______ ______ â bad policies + frequent
rotation = written down user passwords
â Less frequently/more used = more likely overseen
â Machines: itâs just data - plan/build for rotation and rotate often
37. Distribution
â The literal movement along the chain of trust
â To/From
â People
â Machines
â Base level: never plaintext, always covered
â Encryption
â Wrapping
â Etc.
38. Limit Exposure
â Principle of least privilege
â DB credentials: only specific tables/operations
â Login credentials: not root
â API credentials: minimal function set
39. Access Detection
â Things have a way of being leaky
â Env vars are a common way to pass in container secrets.
Also:
â Often logged, sometimes multiple places
â Easily discoverable by operator
â Both Docker commands and non-Docker commands can spill the
beans
40. Access Detection
â Equally as important as protecting a secret is knowing if
an unintended party has intercepted it
â Audit logs are greatâŠ
â ...but do you look at them?
â Active detection (when possible) is even better
41. Break-Glass
â Compromised?
â Stop all further access to protected resources
â Perform forensics
â Rotate all secrets after re-establishing identities of legitimate
secret-holders
â âŠ
â Figure this out during the planning process -- not after!
44. â Explosion of FOSS Secret Management (SM) tools
â KeyWhiz
â Knox
â Conjur
â Many more
Secret Management Tools
45. â Explosion of FOSS Secret Management (SM) tools
â KeyWhiz
â Knox
â Conjur
â Many more
â Vault!
Secret Management Tools
46. â If you only take away two things from this talk, make sure
they are the following:
47. â If you only take away two things from this talk, make sure
they are the following:
â Write your own crypto
48. â If you only take away two things from this talk, make sure
they are the following:
â Write your own crypto
â Use it in a Secret Management tool
49. â If you only take away two things from this talk, make sure
they are the following:
â Write your own crypto
â Use it in a Secret Management tool
NO!
NO!
50. â If you only take away two things from this talk, make sure
they are the following:
â Use a Secret Management tool
â Donât roll your own
51. Secret Management Tools
â Discussion of SM tools true for Vault and its capabilities
â Vault has a focus on providing security primitives
â Enables creation of complex workflows
â Weâll see how this provides necessary flexibility
53. SM + SI
â Explicit focus on the secure introduction problem
â Core competency from ground up
â Necessary tools/capabilities/primitives
â 100k containers can support existing SI paradigms
â But imagineâŠ
â Managing 100k LDAP/AD users churning at high rate
â Generating/dropping 100k Kerberos keytabs
â ...and youâve solved SI anyways
54. SMs <3 Schedulers
â Anyone working with tasks (containers) at scale uses a
scheduler
â Nomad
â Mesos
â Fleet
â Swarm
â Kubernetes
55. SMs <3 Schedulers
â Schedulers are sources of truth...and provide hooks
â SM tools and schedulers can be a magical combination
60. Preconditions
â A Vault token has:
â Unlimited or limited use-count
â Limited time-to-live (TTL), possibly renewable
â Set of authorization policies
â e.g. use first secret (auth token) to get application secrets
â Consistent ID in audit logs
â Token-scoped secure storage tied to token lifetime
â âcubbyholeâ
â Claim: These primitives allow excellent secret coverage
74. Howâd we do?
â Look at previous list:
â Donât let them live forever (rotate/expire)
â Outer token expires (use limit) with only copy of inner token value
â Distribute them securely
â Inner token covered the entire way
â Limit exposure if disclosed
â Only specific policies granted, can only access specific secrets
â Have a break-glass procedure
â Can lock down access at SM tool
â Audit logs ensure we know area of exposure
â Detect unauthorized access
75. Access Detection
â Can detect unauthorized access of ârealâ authentication
token due to time and use limit
â Application:
â Reads inner token: success
â Reads storage but no inner token found: log error and recover
(e.g. fail job)
â Invalid token? Check current time vs. issue time + TTL:
â Expired? YELLOW FLAG: investigate, but probably just bad timing
â Not expired? RED FLAG: Unauthorized use
76. Response Wrapping
â This paradigm is so useful that itâs available for nearly any
Vault call and known as response wrapping
â Mechanism not container- or authentication-specific
â CM tool drops wrapped secret on EC2 instance
â File with wrapped value injected into chroot
â Etc.
77. Job-Finish Revocation
â Wrapped responses containing tokens also return the
tokenâs accessor (reference)
â Scheduling agent/system can correlate accessor with job
â Revoke token / child leases immediately on job finish
78. Integration
â Nomad integration uses a variation of this scheme but
basic concept is the same
â User-supplied token at job submission time checked for access to
avoid privilege escalation via job submission
â Agent can unwrap secrets and mount into ramdisk
â Etc.
79. Integration
â HashiStack tools follow the Unix model; we set out to
tackle this problem in a generic way
â Any scheduler can implement Nomadâs approach (or a
variation)
â Primitives to do so are there in Vault
â Kubernetes (https://github.com/kelseyhightower/vault-controller)
â Mesos
(https://github.com/ChannelMeter/vault-gatekeeper-mesos)
80. Wrap-Up
â Donât ignore risk, minimize it
â Understand your circles and chains of trust
â Use Vault, or some other SM tool
â Orchestration tools are great facilitators of secure
introduction