|
![]() |
Comments
Did you read today's front page stories & breaking news?
SYS-CON.TV
|
![]() From the Blogosphere How to Fully Automate CI/CD | @DevOpsSummit #AI #CI #CD #DevOps #Serverless
....even secrets
By: Derek Weeks
Aug. 17, 2017 05:00 PM
Imagine a world where your Continuous Integration / Continuous Deployment environment is 100% automated, including the passing of credentials. Capital One, a leading U.S. bank, has achieved this, and Andrey Utis, Director, Software Engineering, at Capital One, outlined how they achieved this in this talk, Application Secret Management with KMS, at the All Day DevOps conference. Andrey started by stating what we all know - security needs to be at the forefront. Additionally, a message we heard over and over at the All Day DevOps conference is to automate where you can automate. That combination can be daunting and seemingly impossible. How can we automate security when someone needs to enter credentials and we can't store credentials where everyone can get to them? After all, credentials give you access to databases that often contain personally identifiable information and other protected information. A breach could devastate companies and people, whether intentional or accidental. Andrey's team uses Amazon Web Services (AWS), so they give instances IAM roles that allow them access to other AWS resources. What is the key (pun intended)? On an AWS EC2 instance, there is a magic IP address to which you can make an HTTP call and it will return temporary AWS keys. Those keys then make the API calls to different database services. Here is the solution. AWS KMS is encryption as a service. KMS Context allows you to add "salt" to the encryption. You can only decrypt with the same "salt." KMS Key Policies restricts which IAM role can decrypt with the key/salt. Master KMS keys can be used only to decrypt their own keys. Below is a code sample of a KMS policy. This allows multiple applications to be on one AWS account while limiting access of developers to the applications they are authorized for. Here is the actual protocol:
There is a broader issue with IAM roles because credentials are generated by calling the "magic" metadata IP address 169.254.169.254. Developers in production, even with "read only" access to the instance, could call the KMS API to decrypt the secret. Developers should not be able to generate production IAM credentials at all, so you block the magic IP address with this code: To automate it and make it reusable, they created a Chef cookbook, which they call a "briefcase," to abstract decryption of secrets. They also have the iptables cookbook to block the metadata IP address for all except a whitelist of user groups, such as root and any application specific group that makes AWS API calls (see above code). Andrey mentioned that Vaultmay have a viable solution soon. They use signed EC2 Identity Document to verify the caller. The current downsides are that it only supports authorization by AMI ID, but should support more soon, and secrets are not source controlled/versioned. As Andrey noted, that is not ideal for "configuration secrets" such as database passwords. In a follow-up question, Andrey was asked, "What were the lessons that were most critical to learn?" He answered, "This is a new field. Most companies either don't fully automate or don't fully secure the entire pipeline. So, there is little information out there." Well, there is some more information in Andrey's complete talk, which you can watch online here. If you missed any of the other 30-minute long presentations from All Day DevOps, they are easy to find and available free-of-charge here. Finally, be sure to register you and the rest of your team for the 2017 All Day DevOps conference here. This year's event will offer 96 practitioner-led sessions (no vendor pitches allowed). It's all free and online on October 24th. Download Show Prospectus ▸ Here DevOps at Cloud Expo taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Must Watch Video: Recap of @DevOpsSummit New York Javits Center The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. Nutanix DevOps Booth at @DevOpsSummit New York Javits Center DevOps at Cloud Expo will expand the DevOps community, enable a wide sharing of knowledge, and educate delegates and technology providers alike. Recent research has shown that DevOps dramatically reduces development time, the amount of enterprise IT professionals put out fires, and support time generally. Time spent on infrastructure development is significantly increased, and DevOps practitioners report more software releases and higher quality. Sponsors of DevOps at Cloud Expo will benefit from unmatched branding, profile building and lead generation opportunities through:
For more information on sponsorship, exhibit, and keynote opportunities, contact Carmen Gonzalez by email at events (at) sys-con.com, or by phone 201 802-3021. Most Popular Video: Sheng Liang's Containers Talk @DevOpsSummit at Cloud Expo taking place October 31 - November 2, 2017, Santa Clara Convention Center, CA, and is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @DevOpsSummit 2017 Silicon Valley @DevOpsSummit 2018 New York With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo, October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation. Track 1. Enterprise Cloud | Cloud-Native Speaking Opportunities The upcoming 21st International @CloudExpo | @ThingsExpo, October 31 - November 2, 2017, Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY announces that its Call For Papers for speaking opportunities is open. Themes and topics to be discussed include:
Submit your speaking proposal today! ▸ Here Cloud Expo | @ThingsExpo 2017 Silicon Valley Cloud Expo | @ThingsExpo 2018 New York Download Show Prospectus ▸ Here Every Global 2000 enterprise in the world is now integrating cloud computing in some form into its IT development and operations. Midsize and small businesses are also migrating to the cloud in increasing numbers. Cloud Expo is the single show where technology buyers and vendors can meet to experience and discus cloud computing and all that it entails. Sponsors of Cloud Expo will benefit from unmatched branding, profile building and lead generation opportunities through:
For more information on sponsorship, exhibit, and keynote opportunities, contact Carmen Gonzalez by email at events (at) sys-con.com, or by phone 201 802-3021. The World's Largest "Cloud Digital Transformation" Event @CloudExpo | @ThingsExpo 2017 Silicon Valley @CloudExpo | @ThingsExpo 2018 New York Full Conference Registration Gold Pass and Exhibit Hall ▸ Here Register For @CloudExpo ▸ Here via EventBrite Register For @ThingsExpo ▸ Here via EventBrite Register For @DevOpsSummit ▸ Here via EventBrite Sponsorship Opportunities Sponsors of Cloud Expo | @ThingsExpo will benefit from unmatched branding, profile building and lead generation opportunities through:
For more information on sponsorship, exhibit, and keynote opportunities, contact Carmen Gonzalez (@GonzalezCarmen) today by email at events (at) sys-con.com, or by phone 201 802-3021. Secrets of Sponsors and Exhibitors ▸ Here All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-4, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation. Delegates to Cloud Expo | @ThingsExpo will be able to attend 8 simultaneous, information-packed education tracks. There are over 120 breakout sessions in all, with Keynotes, General Sessions, and Power Panels adding to three days of incredibly rich presentations and content. Join Cloud Expo | @ThingsExpo conference chair Roger Strukhoff (@IoT2040), October 31 - November 2, 2017, Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, for three days of intense Enterprise Cloud and 'Digital Transformation' discussion and focus, including Big Data's indispensable role in IoT, Smart Grids and (IIoT) Industrial Internet of Things, Wearables and Consumer IoT, as well as (new) Digital Transformation in Vertical Markets. Financial Technology - or FinTech - Is Now Part of the @CloudExpo Program! Accordingly, attendees at the upcoming 21st Cloud Expo | @ThingsExpo October 31 - November 2, 2017, Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, will find fresh new content in a new track called FinTech, which will incorporate machine learning, artificial intelligence, deep learning, and blockchain into one track. Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expensive intermediate processes from their businesses. FinTech brings efficiency as well as the ability to deliver new services and a much improved customer experience throughout the global financial services industry. FinTech is a natural fit with cloud computing, as new services are quickly developed, deployed, and scaled on public, private, and hybrid clouds. More than US$20 billion in venture capital is being invested in FinTech this year. @CloudExpo is pleased to bring you the latest FinTech developments as an integral part of our program, starting at the 21st International Cloud Expo October 31 - November 2, 2017 in Silicon Valley, and June 12-14, 2018, in New York City. @CloudExpo is accepting submissions for this new track, so please visit www.CloudComputingExpo.com for the latest information. About SYS-CON Media & Events SYS-CON Media (www.sys-con.com) has since 1994 been connecting technology companies and customers through a comprehensive content stream - featuring over forty focused subject areas, from Cloud Computing to Web Security - interwoven with market-leading full-scale conferences produced by SYS-CON Events. The company's internationally recognized brands include among others Cloud Expo® (@CloudExpo), Big Data Expo® (@BigDataExpo), DevOps Summit (@DevOpsSummit), @ThingsExpo® (@ThingsExpo), Containers Expo (@ContainersExpo) and Microservices Expo (@MicroservicesE). Cloud Expo®, Big Data Expo® and @ThingsExpo® are registered trademarks of Cloud Expo, Inc., a SYS-CON Events company. Latest AJAXWorld RIA Stories
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
|
SYS-CON Featured Whitepapers
Most Read This Week
|