Secret Server proposal

Secret Service - Need
Background
- Many services still use password-based authentication: various database servers, publish/subscribe brokers, the log service, the VIM and many more.
- In many services the passwords are stored in files.
- With many services and many service instances, the attack surface is becoming very large.
Need
- Avoid password sprawl in files.
- Avoid passing passwords to services via environment variables.
- Avoid cleartext passwords in storage.

Secret Server is nothing new...
- The K8S orchestrator has a built-in secret store. As an admin/user, create a secret in the secret store and get a reference to it. Put the reference in the YAML files instead of the actual secret. The K8S controller, on demand (while bringing up the Pod), mounts file-system volumes containing the secrets resolved from those references. Applications in the Pod read the secrets from the volumes; the volumes disappear when the Pod exits.
- OpenStack deployments typically have Barbican to store secrets. Secrets are created through the Barbican API, which returns a reference to the secret. These references are passed to the OpenStack services, which retrieve the secrets on demand by calling the Barbican API.

Secret Service - Requirements
- RESTful API support: adding, deleting and updating secrets
- Token authentication for the above operations; user name/password-based authentication as well
- Authenticate users with AAF; role-based access control with AAF
- Settings kept in the distributed KV store
- Service registration via MSB
- Reports and logs
- GUI/CLI support via Portal and the CLI
- Secrets protected at rest with AES encryption under an AES-256 master key; the master key itself protected by TPM/SGX
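The two preceding slides describe the same pattern twice: a secret is created once, the caller gets back an opaque reference, the reference (never the secret) travels through YAML, environment variables or the config store, and the secret is resolved on demand. The following Go program, added here as an illustration and not code from ONAP, Kubernetes, Barbican or Vault, shows a minimal secret server with that shape: add/update/delete/resolve behind a bearer-token check, secrets encrypted at rest with AES-256-GCM under a 32-byte master key, and the reference bound into the ciphertext as associated data so a record cannot be swapped between references. The token value and the in-memory master key are constructed for the example; in the proposal the master key would be sealed by a TPM or SGX enclave rather than handed to the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// SecretStore is a hypothetical in-memory secret server (example code, not the project's).
// Each record is stored as nonce || AES-256-GCM ciphertext (tag included).
type SecretStore struct {
	mu       sync.Mutex
	aead     cipher.AEAD // AES-256-GCM keyed with the master key
	apiToken []byte      // bearer token accepted for every operation
	records  map[string][]byte
}

// NewSecretStore wraps a 32-byte master key. In production the key would be unsealed
// from a TPM/SGX-protected store; here it is simply passed in by the caller.
func NewSecretStore(masterKey, apiToken []byte) (*SecretStore, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecretStore{aead: aead, apiToken: apiToken, records: map[string][]byte{}}, nil
}

// authorize is a constant-time bearer-token check standing in for AAF token authentication.
func (s *SecretStore) authorize(token []byte) error {
	if subtle.ConstantTimeCompare(token, s.apiToken) != 1 {
		return errors.New("unauthorized")
	}
	return nil
}

// seal encrypts plaintext with a fresh random nonce; the reference is the associated data.
func (s *SecretStore) seal(ref string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, []byte(ref)), nil
}

// Add encrypts a new secret and returns the opaque reference the caller stores instead of the secret.
func (s *SecretStore) Add(token, plaintext []byte) (string, error) {
	if err := s.authorize(token); err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	ref := "secret://" + hex.EncodeToString(raw) // hypothetical reference format
	rec, err := s.seal(ref, plaintext)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[ref] = rec
	return ref, nil
}

// Update re-encrypts the secret behind an existing reference under a fresh nonce.
func (s *SecretStore) Update(token []byte, ref string, plaintext []byte) error {
	if err := s.authorize(token); err != nil {
		return err
	}
	rec, err := s.seal(ref, plaintext)
	if err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.records[ref]; !ok {
		return errors.New("unknown reference")
	}
	s.records[ref] = rec
	return nil
}

// Delete removes a secret; the reference can no longer be resolved.
func (s *SecretStore) Delete(token []byte, ref string) error {
	if err := s.authorize(token); err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.records[ref]; !ok {
		return errors.New("unknown reference")
	}
	delete(s.records, ref)
	return nil
}

// Resolve is what a service calls with the reference it received via its environment or config store.
func (s *SecretStore) Resolve(token []byte, ref string) ([]byte, error) {
	if err := s.authorize(token); err != nil {
		return nil, err
	}
	s.mu.Lock()
	rec, ok := s.records[ref]
	s.mu.Unlock()
	if !ok {
		return nil, errors.New("unknown reference")
	}
	n := s.aead.NonceSize()
	return s.aead.Open(nil, rec[:n], rec[n:], []byte(ref))
}

func main() {
	master := make([]byte, 32) // constructed master key for the demo
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	token := []byte("constructed-example-token")
	store, _ := NewSecretStore(master, token)
	ref, _ := store.Add(token, []byte("db-password-123"))
	fmt.Println("reference handed to the service:", ref)
	pw, _ := store.Resolve(token, ref)
	fmt.Println("resolved on demand:", string(pw))
}
```

Only the reference is ever written into YAML or the config store; a leaked reference is useless without both a valid token and access to the server holding the master key, which is what moves the protection boundary from every config file to one place.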

Secret Service: Architecture Blocks
- Secret Service: Secret Management Service; Secret Client agent
- External Secret Service: Vault plugin; custom secret server plugin
- Backends: HashiCorp Vault; Consul
- Hardware root of trust: SGX/TPM

What are the secret backend candidates?
Choices: K8S secret store, Barbican, Vault
- K8S secret store: tightly integrated with K8S; if ONAP needs to be brought up with other orchestrators, this could be an issue. Secrets in the K8S secret store are not protected: they are stored base64-encoded in etcd, which is encoding, not encryption, unless encryption at rest is explicitly configured.
- Barbican: a good candidate, but only used in OpenStack; maturity and scalability may be a concern.
- Vault: widely used across many projects. Quorum-based master key (the unseal key is split into shares and a threshold of them is needed to unseal), which can be enhanced to use TPM/SGX/HSMs for protection.
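The "quorum-based master key" attributed to Vault above is Shamir's Secret Sharing: the master key is the constant term of a random polynomial over a finite field, each share is a point on the polynomial, and any threshold of shares recovers the constant term by Lagrange interpolation while fewer shares reveal nothing. The Go program below is an added example of that scheme and is not Vault's implementation; it works over the prime field modulo 2^521 - 1 (a Mersenne prime, chosen so a 256-bit key fits comfortably), and the 32-byte key in main is constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is 2^521 - 1, a Mersenne prime; every 256-bit master key is a valid field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one point (X, Y) on the secret polynomial; X is never 0 (x = 0 is the secret itself).
type Share struct {
	X int64
	Y *big.Int
}

// Split produces n shares of masterKey such that any `threshold` of them recover it.
func Split(masterKey []byte, n, threshold int) ([]Share, error) {
	if threshold < 2 || threshold > n {
		return nil, errors.New("need 2 <= threshold <= n")
	}
	secret := new(big.Int).SetBytes(masterKey)
	if secret.Cmp(prime) >= 0 {
		return nil, errors.New("key does not fit in the field")
	}
	// f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1), with random a_i in [0, p)
	coeffs := []*big.Int{secret}
	for i := 1; i < threshold; i++ {
		a, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, a)
	}
	shares := make([]Share, n)
	for i := 0; i < n; i++ {
		x := big.NewInt(int64(i + 1))
		y := new(big.Int)
		for j := len(coeffs) - 1; j >= 0; j-- { // Horner evaluation mod p
			y.Mul(y, x)
			y.Add(y, coeffs[j])
			y.Mod(y, prime)
		}
		shares[i] = Share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// Combine reconstructs the key from distinct shares by Lagrange interpolation at x = 0.
// With fewer than `threshold` shares the result is a random field element, not the key.
func Combine(shares []Share, keyLen int) ([]byte, error) {
	if len(shares) < 2 {
		return nil, errors.New("not enough shares")
	}
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(si.X)
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(sj.X)
			if xi.Cmp(xj) == 0 {
				return nil, errors.New("duplicate share")
			}
			num.Mul(num, new(big.Int).Neg(xj))     // (0 - xj)
			den.Mul(den, new(big.Int).Sub(xi, xj)) // (xi - xj)
		}
		num.Mod(num, prime) // big.Int.Mod is Euclidean, so negatives map into [0, p)
		den.Mod(den, prime)
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		secret.Add(secret, term)
		secret.Mod(secret, prime)
	}
	if secret.BitLen() > keyLen*8 {
		return nil, errors.New("reconstructed value is not a key of the expected length")
	}
	out := make([]byte, keyLen)
	secret.FillBytes(out)
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed master key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	shares, _ := Split(key, 5, 3) // 5 key holders, any 3 can unseal
	got, err := Combine([]Share{shares[0], shares[2], shares[4]}, 32)
	fmt.Println("3 of 5 recovers key:", err == nil && string(got) == string(key))
}
```

The same split-and-threshold step is what turns "one person holds the master key" into "three of five operators must be present to unseal", which is the property the slide is pointing at; a TPM, SGX enclave or HSM would replace or wrap this step by sealing the unsealed key to hardware instead of to people.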

Enhancement in Microservices
- An additional step to fetch the secret using the secret reference, since secret references (not the secrets themselves) are passed via environment variables or the config store.
- Removal of secrets from the service's memory and storage as soon as they are no longer required.
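The two microservice-side changes above are small but easy to get wrong: the service must fail loudly if the environment variable holds nothing resolvable, and the plaintext must be scrubbed even when the code that used it returned an error. The following Go snippet, added here as an example and not part of the proposal, wraps both in one helper. The `Resolver` interface stands in for the Secret Client agent, the `DB_PASSWORD_REF` variable name and the `mapResolver` are constructed for the demo, and the overwrite is best effort: Go's runtime may have copied the slice, so wiping reduces exposure rather than guaranteeing it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Resolver turns a secret reference into secret bytes; the Secret Client agent would implement it.
type Resolver interface {
	Resolve(ref string) ([]byte, error)
}

// wipe overwrites a secret buffer so the plaintext does not linger after use (best effort in a GC'd runtime).
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// WithSecret reads a secret *reference* from envVar, resolves it, hands the plaintext to use,
// and wipes the buffer afterwards whether or not use succeeded. The secret itself is never
// placed in the environment, on disk, or kept past the call.
func WithSecret(r Resolver, envVar string, use func(secret []byte) error) error {
	ref, ok := os.LookupEnv(envVar)
	if !ok || ref == "" {
		return fmt.Errorf("%s is not set to a secret reference", envVar)
	}
	secret, err := r.Resolve(ref)
	if err != nil {
		return fmt.Errorf("resolving %s: %w", envVar, err)
	}
	defer wipe(secret)
	return use(secret)
}

// mapResolver is a constructed stand-in for the secret client agent (example only).
type mapResolver map[string][]byte

func (m mapResolver) Resolve(ref string) ([]byte, error) {
	v, ok := m[ref]
	if !ok {
		return nil, errors.New("unknown secret reference: " + ref)
	}
	return append([]byte(nil), v...), nil // return a copy so the caller can wipe it safely
}

func main() {
	agent := mapResolver{"secret://db-main": []byte("constructed-db-password")}
	os.Setenv("DB_PASSWORD_REF", "secret://db-main") // only the reference is in the environment
	err := WithSecret(agent, "DB_PASSWORD_REF", func(pw []byte) error {
		fmt.Printf("connecting to the database with a %d-byte password\n", len(pw))
		return nil // a real service would open its DB connection here
	})
	fmt.Println("error:", err)
}
```

A service written this way keeps the plaintext alive only for the duration of the connection handshake; once the driver holds an authenticated session, the password buffer is zeroed and the process carries nothing worth dumping.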

Proposed next steps
- Get approval from the Security committee
- Create the project proposal by Nov 16th for R2
- Present to the Architecture committee (to be confirmed)
- Present to the TSC for approval