Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deploying Vault by HashiCorp for Secure Cloud D...

Nicki Watt
January 28, 2016
Technology
4
800

Deploying Vault by HashiCorp for Secure Cloud Deployments

Slides to accompany my talk done for HashiCorp Vault webinar on 28/01/2016.

Nicki Watt

January 28, 2016
Tweet

More Decks by Nicki Watt

See All by Nicki Watt
USING GRAPH THEORY & 
NETWORK SCIENCE TO EXPLORE YOUR 
MICROSERVICES ARCHITECTURE
nickithewatt
2
720
Mucon 2019 - Exploring microservice architecture through graph theory
nickithewatt
0
450
Devoxx UK 2019 - Exploring Microservice Boundaries Through Network Science
nickithewatt
0
110
Goto Chicago 2019 - Journeys To Cloud Native Architecture: Sun, Sea And Emergencies
nickithewatt
0
33
Cloud Native London 2018 - Journeys To Cloud Native Architecture: Sun, Sea And Emergencies
nickithewatt
2
95
HashiDays London 2017 - Evolving your Infrastructure with Terraform
nickithewatt
3
990
Microservices Manchester 2016: Security, Microservices & Vault
nickithewatt
4
580
HashiConf EU 2016: Building secure environments in clouds using HashiCorp tools
nickithewatt
3
670
CodeMesh 2015 : Boot my (secure)->(portable) clouds!
nickithewatt
0
290

Other Decks in Technology

See All in Technology
生成AIとAWS CDKで実現! 自社ブログレビューの効率化
ymae
2
330
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
210
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
1
640
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
180
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
670
プロポーザルのつくり方
〜個人技編〜 / How to come up with proposals
ohbarye
2
140
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
10分でわかるfreeeのQA
freee
1
3.4k
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
Forget efficiency – Become more productive without the stress
ufried
0
150
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
120

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Practical Orchestrator
shlominoach
186
10k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Thoughts on Productivity
jonyablonski
67
4.3k
Measuring & Analyzing Core Web Vitals
bluesmoon
1
41
A Philosophy of Restraint
colly
203
16k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Optimizing for Happiness
mojombo
376
69k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k

Transcript

  1. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Using Vault for secure cloud deployments Nicki Watt

    @techiewatt 28/01/2016 1

  2. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2 Agenda • Setting the scene
 • Where

    does Vault fit in? • How is it being used? • Conclusion 


  3. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 3 Setting the scene

  4. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 4 Act 1 : “Take advantage of cloud

    computing”

  5. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 5 Act 2 : “Efficiently (and securely) Take

    advantage of cloud-like computing”

  6. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 6

  7. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 7

  8. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 8 Enable creation of fast, repeatable, secure environments

    capable of running in different clouds!

  9. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 9 Where does Vault fit in?

  10. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

  11. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 11 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud • Automate everything
 • Separate config

    from code • API driven clouds & tools • Prefer modular, open source tools
 Principles - ASAP

  12. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 12 How is it being used?

  13. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 13 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud Part 1: Securing the automated IaaS

    process

  14. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 14 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

  15. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init

  16. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init The cloud-env mgmt App

  17. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Init Request new env The cloud-env mgmt

    App

  18. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Create env specific mount, policy & add

    secrets Init Request new env The cloud-env mgmt App

  19. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Create env specific mount, policy & add

    secrets Init Request new env Spin up new env The cloud-env mgmt App

  20. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Unseal Create env specific mount, policy & add

    secrets Init Request new env Spin up new env Get IaaS creds, generate OTP & real token The cloud-env mgmt App

  21. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Unseal Init Spin up

    new env Get IaaS creds, generate OTP & real token Create env specific mount, policy & add secrets Request new env

  22. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 22 • Centralised secure storage: • cloud &

    other infrastructure provider credentials
 • Option to leverage simplified lifecycle management: • dynamic secret backend
 • Audit-ability Benefits

  23. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 23 • No native terraform integration (yet) •

    Terraform #2221, #4169 • Vault API • Allows for custom integrations where required • Make use of existing AWS policies • Awaiting next release (Vault PR #895)
 Considerations:

  24. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 24 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud Part 2: Securing the automated Config

    management process

  25. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 25 https://www.opencredo.com/2015/08/10/boot-my-secure-government-cloud

  26. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 26 —>

  27. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Unseal Init Spin up

    new env Get IaaS creds, generate OTP & real token Create env specific mount, policy & add secrets Request new env

  28. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The cloud-env mgmt App Spin up new env

    Get IaaS creds, generate OTP & real token Create env specific mount, policy & add secrets Request new env TOKEN: USES: 1 REAL TOKEN /cubbyhole /env + gitcred1 = x + gitcred2 = z

  29. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- TOKEN: USES: 1 REAL TOKEN /cubbyhole cloud provider

    management subnet dev subnet orch-vm /env + gitcred1 = x + gitcred2 = z

  30. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm TOKEN:

    USES: 1 REAL TOKEN /cubbyhole /env + gitcred1 = x + gitcred2 = z

  31. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm TOKEN:

    USES: 0 /cubbyhole REAL TOKEN /env + gitcred1 = x + gitcred2 = z

  32. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env

    + gitcred1 = x + gitcred2 = z

  33. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env

    + gitcred1 = x + gitcred2 = z

  34. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + gitcred1 = x + gitcred2 =

    z cloud provider management subnet dev subnet orch-vm

  35. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + gitcred1 = x + gitcred2 =

    z cloud provider management subnet dev subnet orch-vm

  36. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cloud provider management subnet dev subnet orch-vm /env

    + gitcred1 = x + gitcred2 = z

  37. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- /env + secret1 = x + secret2 =

    z cloud provider management subnet dev subnet orch-vm

  38. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 38 • Secure bootstrap process: • OTP, real

    token not exposed
 • Eased changing config man tool • Ansible —> Puppet
 • No secrets explicitly stored on disk for puppet usage • https://github.com/jsok/hiera-vault Benefits

  39. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 39 • Mount per env • Currently easiest

    way to delete all secrets until next release (0.5.0) which includes PR #617
 • Puppet Hiera plugin has potential for generating a lot of traffic with Vault • Considering ConsulTemplate Considerations:

  40. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 40 Conclusion

  41. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 41 • Vault fits in well with broader

    principles & aims of overall solution • Vault is a single focused tool - this is good! • Vault is new • we are still experimenting, but happy thus far!


  42. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 42 Thanks Questions