Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secret Server proposal

Published byRalf Dennis Modified over 6 years ago

Similar presentations

Presentation on theme: "Secret Server proposal"— Presentation transcript:

1 Secret Server proposal

2 Secret Service - Need Background
Many services still use password based authentication – Various database servers, Publish/Subscribe brokers, Log Service, VIM and many more… Passwords are stored in files in many services. With many services and service instances, attack surface area is becoming very big. Need Avoid passwors sprawl in files. Avoid passing passwords via environment variables to services Avoid clear passwords in storage.

3 Secret Server is nothing new….
K8S Orchestrator has built in Secret Server As an admin/user, create a secret in secret server, get the secret reference. Puts these references in yaml files instead of actual secrets. K8 controller on demand basis (while bringing up the POD), creates file system volumes with secrets using secret references. Application in Pods read the secrets from volumes. Volumens disappear when POD exits. Openstack deployments typically have Barbican to store secrets. Secrets can be created using Barbican APIs. Refernece to secret is returned. These refercnces are passed to Openstack services. Secrets can be retrived by calling Barbican APIs by services on demand basis.

4 Secret Service - Requirements
RESTful API support Adding secrets Deletion of secrets Update secrets Token Authentication for above operations User name/password based authentication too Authenticate user using AAF Role based access control using AAF Settings using Distributed KV Store Service registration using MSB Reports and Logs GUI/CLI support using Portal and CLI Security of secrets via AES encryption Usage of AES-256 based master key – Security of master key using TPM/SGX.

5 Secret Service: Architecture Blocks
Sercret Service Service Secret Management Service Secret Client agent External Secret Service Vault Plugin Custom Secret Server plugin HashiCorp Vault Consul SGX/TPM HW

6 What are secret backend candidiates
Choices: K8S Secret Server, Barbican Vault K8S Secret Server: Tightly integrated with K8S, if ONAP needs to be brought up using other orchestrators, then this could be an issue. Secrets in the secret service are not protected. Barbican : Good candidate. But only used in Openstack, Maturity/Scalability may be a concern. Vault: Widely used in multiple projects. Quoram based master key, but can be enhanced to use TPM/SGX/HSMs for security.

7 Enhancement in Micro Services
Additional step of getting secrets using secret references as secret references are passed via environment variables (or in Config store) instead of secrets themselves. Removal of secrets when they are no longer required from its memory/storage.

8 Proposed next steps Get approval from Security committee
Create project proposal by Nov 16th for R2 Present to Architecture committee??? Present to TSC for approval

9

Download ppt "Secret Server proposal"

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Agile Infrastructure built on OpenStack Building The Next Generation Data Center with OpenStack John Griffith, Senior Software Engineer,

Agile Infrastructure built on OpenStack Building The Next Generation Data Center with OpenStack John Griffith, Senior Software Engineer,
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Institut Mines-Télécom “Digital Safe Client via HTML5 ” Mayssa JEMEL Ahmed SERHROUCHNI Journée: Cloud Coffre Fort Numérique 26 Février 2015.

Institut Mines-Télécom “Digital Safe Client via HTML5 ” Mayssa JEMEL Ahmed SERHROUCHNI Journée: Cloud Coffre Fort Numérique 26 Février 2015.
Security SIG August 19, 2010 Justin C. Klein Keane

Security SIG August 19, 2010 Justin C. Klein Keane
Opensource for Cloud Deployments – Risk – Reward – Reality

Opensource for Cloud Deployments – Risk – Reward – Reality
- 1 - Grid Programming Environment (GPE) Ralf Ratering Intel Parallel and Distributed Solutions Division (PDSD)

- 1 - Grid Programming Environment (GPE) Ralf Ratering Intel Parallel and Distributed Solutions Division (PDSD)
Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.

Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.
W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.

W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.
M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.

M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.
Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.
Securing Sensitive Information Data Security Dashboards often contain the most important data in the company Securing that information makes business.

Securing Sensitive Information Data Security Dashboards often contain the most important data in the company Securing that information makes business.
ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.

ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.
Using Heat to Deploy and Manage Applications in OpenStack Trevor Roberts Jr, VMware, Inc. CNA1763 #CNA1763.

Using Heat to Deploy and Manage Applications in OpenStack Trevor Roberts Jr, VMware, Inc. CNA1763 #CNA1763.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.

Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Ceilometer + Gnocchi + Aodh Architecture

Ceilometer + Gnocchi + Aodh Architecture
Mobile + Cloud: Building Mobile Applications with Windows Azure Wade Wegner Blog:

Mobile + Cloud: Building Mobile Applications with Windows Azure Wade Wegner Blog:

Similar presentations

Ads by Google