Keeping Secrets - A Practical Approach to Managing Credentials

Speech transcript
All right, cool. So the talk is Keeping Secrets: A Practical Approach to Managing Credentials. As I said, I'm a software engineer by trade, and I've been working in software since about 1999. In my early days I was a Unix admin; I worked on a wide range of systems, Linux, HP-UX, all across the board. I pretty much stuck with larger organizations until about 2012, and that's when I first started using slightly more modern patterns for deployment. In 2014 I went to Socotra, and I was one of the first three engineers hired to build a modern SaaS platform to help modernize insurance operations. Starting at a true DevOps shop from day one was amazing: there was no code when I started, and I got to help inform all the decisions, stuff like how to manage credentials and what we were going to do for our deployment strategy. So I'm going to be showing off all the patterns and methodologies that we use at Socotra for deployment and for keeping secrets. They also are hiring, so check out socotra.com/engineers for careers information.

So, the problem. This guy is the problem: he wants to be fast, he's got that look in his eyes, but he's still in the tortoise shell, and he feels like he can be both at the same time but has a really hard time doing it. That's what we're faced with all the time when it comes to continuous delivery and managing secrets: we want the secrets to be safe, we want them to be per environment, we want the storage to be encrypted, but we want to be able to deploy very quickly. All through the late nineties and the 2000s I was doing things like deploying software and then cluster-SSHing into like 500 servers and changing a setting or a password. Then things got slightly better: around 2008 there were awesome tools like Chef, which introduced encrypted data bags, and that was a little bit better way of handling it. But most recently I've been very, very happy with Vault, and that's what I'm going to show you today. I'm going to show you the patterns and approaches we use for continuous deployment and for injecting secrets per environment into the deployment configuration.

So the purpose of the talk is to define workflows for managing secrets for organizations that value continuous delivery. I plan to show how to use HashiCorp Vault as a system of record for secrets, and I plan on defining workflows for how the secrets can get injected into the appropriate places so that your applications can consume them. I'm going to show you methods and workflows from development all the way through to production. So when we talk about this we'll be talking about what we do in development all the way through to production, and, spoiler alert, it's the same thing: we use all the same methodologies from local development all the way through to production.

Here's how the talk works. I'm going to spend about 10 minutes going over some important points about Vault. There's really a ton of information about how to set up Vault, how to configure it and all the best practices around that, so I'm not going to go into that. What I am going to go into are some of the really important points for treating it as a system of record. This is going to be the source of truth for secrets in your organization, and that's really, really important. So there's a handful of things that you don't really get from the getting-started guides that I plan to show you. Then I'm going to spend a little bit of time just talking about the continuous delivery methodology that we use, and then I'm going to spend the remainder of the time talking about how secrets are injected into the configuration all the way from development to production. I developed these methodologies and some of the libraries that I'm showing you at Socotra, and when I was preparing for this talk I was planning on showing you all the stuff that we're doing at Socotra, but I did something that I think is slightly more interesting: I took an open source project that I've been working on with a friend called basal, it's a CMS tool, and we employed all of those methodologies and libraries that were developed at Socotra to deploy this as well. So I proved it to myself, and it's good open source stuff, so that you can look at the examples and get a feel for it. OK.

So Vault is a service that stores passwords, stores encrypted data, and makes secrets available to requests to the server. The end result of introducing Vault into your infrastructure is that you have this system of record for secrets. I'm going to touch upon the operational details of using Vault for this purpose, and we're going to go from there.

So, Vault as a system of record for secrets. This is a really important piece of infrastructure for your organization. I recommend going to vaultproject.io, checking it out and playing with things in that environment, but when you get ready to actually use this for something real, there are things that have to be done. Vault has to be reliable. It has to be highly available and fault tolerant. It has to have auditing capabilities; those auditing capabilities might be for compliance, or they might just be to figure out what happened if something goes wrong. You have to have that. You have to have reasonable network security. You have to have backups. You have to have a restore procedure, and not only do you have to have a restore procedure, you have to have a restore procedure that's practiced regularly. You have to have a reasonable approach to access controls for the different roles in your organization. And finally you have to have defined and documented procedures for interacting with secrets: reading secrets, writing secrets, removing secrets. I'm going to show you some methodologies for that, and I'm going to show you a library that's available to you for build purposes.

So, reliability. This thing has to be super reliable; your Vault cluster must have no single point of failure. In order to eliminate a single point of failure, from a systems perspective you have to choose a storage mechanism that makes sense. Vault has the concept of storage backends, and again there's extensive documentation about this, that support high availability: DynamoDB, ZooKeeper, Consul and others. I recommend Consul for the following reasons. First and foremost, its automated provisioning is supported by Chef; it just makes it super easy, and it makes it possible to provision this the same way you provision everything else, provided you use Chef or similar mechanisms. It has mechanisms for service discovery and failover; that's what Consul is good at, and you get that right out of the box, whereas if you do something with DynamoDB or ZooKeeper you're likely going to have to build that stuff yourself. There's also a well-defined method for backup and recovery; it's very well documented, and there's a pattern for doing this kind of stuff.

So here I show you an example architecture. The URL is ridiculous, but if you just search for Consul on AWS you'll find this, and I can make this available as well. You see that you have multiple nodes spread out across multiple availability zones, and you're using Consul to manage this cluster. By following this guide you will get this kind of architecture for your Vault.

So, auditing. It's important to know what happened over time, so you should enable auditing on every action. The way you do this is with vault audit-enable, and then you can choose the different kinds of logging capabilities it has: a log file as the destination, a socket, whatever makes sense in your organization, and that's what you should use.

So, network security. Server communication should all happen over TLS; we want the transmission of this data to be encrypted between build nodes, developer workstations and the Vault infrastructure. Network access should really only be granted to systems that need it, and the ideal situation is that your build nodes and your workstations are on a VPN or some kind of network where you can communicate with this thing over an internal IP. That's the best practice, that's the best-case scenario. However, people use tools like Circle and Travis, people use certain technologies that don't lend themselves to being able to do that. So if you absolutely have to, you should really have tight network access control: firewall, security groups, or whatever that mechanism is for your organization. If this has to happen over the internet, at a minimum you should do that, and you have to make sure that things are communicating over TLS. Again, the steps for doing this kind of configuration are well documented in the Vault documentation.

So you have to have a backup and restore procedure; you have to have this road to recovery. You need to back up regularly, and this is whatever makes sense for your organization. If you're a small startup where you have a handful of engineers and secrets change infrequently, then it could be totally fine to do a backup once a week. If you're in a larger organization or a mid-size organization and secrets are changing all the time, then you need to do backups more frequently. At Socotra we practice restoring everything once a week, which sounds crazy unless you have everything automated, and then it's not that bad. I highly, highly recommend that if you introduce this kind of system you have not just the procedure for restoring the secrets but you also practice doing it; you have an actual drill to go through this with some regularity. Again, it might not make sense for your organization to do this once a week, but you need to do it with some frequency to ensure that it works as intended in case there is a disaster. And most importantly, have a documented procedure to validate that the restore worked. This could mean dumping all of your secrets out of both places in some kind of common format and doing a diff; that's the most simple way to do it. But come up with a validation process to ensure that there's consistency, because again this is a system of record; it holds a certain kind of importance, and even if it's not compliance, it's your sanity.

So next let's talk about access controls. Here we have an example of a very simple access control scheme. We have an engineer access control, a build access control and an admin access control. Again, this is very, very simple, but you can see here that all the secrets for production are deployed to secret/production and all the secrets for development to secret/development. Here we're allowing engineers access to read from development but denying them access to production. For the build node, that's the middle one, we're allowing read for both production and development, as we're going to need secrets for production and development to actually deploy to both of those environments. And for admins, the people who are actually interacting with the secrets, we allow write to both. This is using the generic secrets backend, which is very well documented in Vault. So now that you have policies for each type of user, you have what you need to have a token per user, because again, when it comes down to auditing and compliance, figuring out what happened, you can't have shared accounts; it does not make sense to do that. So you will create a token for each engineer with vault token-create, with the policy and the role that you want assigned to that user, and then that token will be provided to the user.

So now that we have all this, we need to define procedures for interacting with secrets. You want to ensure that you have a well-planned-out plan for inserting secrets, you want to map out which secrets will be available at which path, and you want to keep the documentation up to date as much as possible. So what we ended up doing, during Socotra's early days as well, was we documented all the secrets that we had first and we came up with a path structure that made sense. So again, using the generic secrets backend, we have secret/<environment>/aws and then an access key, or secret/<environment>/db and a password. So we mapped out all of our secrets and documented them before we started inserting any, and I'm going to show you the documents in just a second, how we actually document what the secrets are. So the administrators will be entering secrets, and you want a way to automate the installation of Vault so you can control stuff like the binary and the server address; again, we do this with Chef and it works out marvelously. But you should include enough information and documentation for a new engineer or administrator to understand exactly what their role is in interacting with secrets. Again, I can't emphasize this enough: I think that you have to have a well-planned-out strategy for this before you just start dumping anything in, because this is a very, very important system that every engineer and every build node can interact with, and you have to have a well-planned-out strategy for how these things are going to go. So I recommend doing this kind of documentation before you inject one secret. Then you want to document each secret path. You look at the path names and maybe they're intuitive, right, like it makes sense what the password is and where it lives, but actually say something about it so that people know what it is: they know that this is the per-environment password for the database, they know that it'll be assigned to an environment variable at runtime, and they know that if they want to change the secret they have to go to this place before the deployment injection.

So at this point you have a successful Vault: you have a highly available, fault-tolerant cluster using the high-availability backend of Consul; you have the ability to audit, so you know what's going on; you have a solid backup strategy; you have planned recovery drills to ensure that your backups are actually valid; you've created policies and processes for assigning users; and you've documented procedures for interacting with your secrets, including which secrets live at which paths. So that's a little bit about Vault and the kind of setup there, the stuff that you won't really get from the guides.

Now I'm going to move on to talk about a continuous delivery model. I'll explain how basal is continuously deployed. I'll start with an explanation of the system architecture, and I'll move on to the actions that engineers take to trigger these automated deployments. Basal has a very simple architecture. It's deployed in AWS and it's using the Elastic Container Service. The nodes themselves, the application nodes, are in an autoscaling group across two different availability zones, with an ELB and a Route 53 record associated with every deployment. I refer to this group of resources as a basal deployment. What happens with the basal pipeline is that every time there's an action against the repo it creates a new deployment, and it's either seen as a development or a production deployment. I'll go through the mechanics of how we handle changing DNS records and dealing with that kind of stuff after we create new deployments.

So here is the development environment workflow. Basal uses git flow for branching and merging, so there are two long-lived branches in basal: master and develop. Engineers create branches off of develop and they create pull requests where the destination branch is develop. Whenever a pull request is created there's a temporary merge of the branch with develop and the build pipeline is executed. The build pipeline will detect that the build is a pull request and it'll create this set of resources: it will create the ELB, the autoscaling group, the nodes within the autoscaling group, and it will create a DNS record that points to <unique ID>.basal.com. At that point there's a validation process: a series of requests against the unique ID that basal has to respond to correctly, and it'll go through and validate that the application is working as intended, and then tear all those resources down. This is to ensure that every change that's made is deployable and works as intended.

So once we've merged into develop. We had a feature branch, it was validated in a pull request build, we created all these resources, validated them and then destroyed them, but now we actually want to merge this guy. When we merge this to develop, the exact same process runs: we run the exact same things to do the deployment, we create the resources in the exact same way that we did before, except this time there's just one difference. Instead of tearing all these resources down, we change the CNAME of develop.basal.tech to the new deployment's ELB, and now we're able to access the most recent change on develop. This is going to be a time where a handful of feature branches come together to create a specific release, and you can actually go to develop.basal.tech to validate that the things you expect to work do work as intended before actually pushing this guy to production.

So when all of the feature requests are in develop, when all the bug fixes and all the enhancements are there, when develop looks the way that you want production to look, you can then create a pull request from develop to master. When we create that pull request the CI server does exactly what you'd expect: it does the exact same thing again, except this time it detects that the destination branch is master and it calls this a production deploy. Again, the one distinct step that's different from everything else is that the CNAME for basal.tech is modified at that point to be the name of the ELB for the new deployment, and then we destroy all the resources that were comprising basal.tech before.

So now to the part about CI. We have three different parts of our build orchestration: prepare, image and deploy. Running a basal build is the aggregate of many different commands, right: we run npm to actually build the application, we run docker to package it all up and push it into ECR, we run terraform to create the deployment resources that I've been talking about, and of course we have to run vault commands as well. So I've chosen Rake to codify the build and deployment tasks, and there are these three different phases: prepare, image and deploy. I'll talk about prepare first and show a little code snippet here.

So when we prepare for the build, we do a handful of things that are important. The first thing we do is require a gem called buildit; it's on the public RubyGems. Buildit has three functions: it has get secrets, it has system safe and it has system retry. This is all kind of what you'd expect: system safe has some safeguards around the Ruby system call, and system retry will retry commands that have transient failures due to internet dependencies; we've all seen that happen. Buildit is available on RubyGems and the source code is available on my GitHub account. So we do a couple of things right off the bat: we make determinations about what this build actually is, is it production, is it develop, what's the branch. And then we do the part that this talk is all about: we make an environment determination, again based on the branch, and then we get the secrets based on the environment we're deploying to, and I showed you those paths to the secrets before. One of the things I forgot to mention is that all of this is overridable by setting these environment variables. So if you have these set when you're running your rake command, building your secrets locally, it gets the secrets from your environment variables. So if you want to change secrets to see what happens, or you have your own AWS account and you want to change your access key or something like that and not get it directly from Vault, you can override it like that. So it'll get the secrets for the appropriate environment and store them in memory, and it'll make those secrets available down the line.

So the next part is about building the image. This is the Dockerfile for this guy, and as you can see here I'm not using any secrets in the Docker image. I don't want to store Docker images with secrets in them and put them somewhere that people can get at them. I want the Docker images to be agnostic; I want them to be environment independent. So I want to create something that is environment independent and that can take parameters, environmental parameters, and I'll show you how that works in the next slide. However, I do need to use these access keys to access ECR, so you can see that I inject those access keys there before the AWS command. Because the secrets are available from the first part, the environment that you're interacting with, they're available to you down the line.

And now comes the actual deployment part. I'm using Terraform for deployment, and you can see here that all of the secrets, all of this stuff that came from prepare, are parameters in the deployment, in the execution of the creation of these resources. You can see that I have these vars: I'm passing in the access keys, I'm passing in some OAuth keys, I'm passing in the DB password, and I'm running terraform with this stuff. They are getting templatized into the ECS task definition and they will be available as environment variables inside the running Docker container. At this point you can do whatever you want with the secrets, right, like they're environment variables in the Docker container as it's running. You can do something with Chef to create templatized config files; what we did for basal was we made it so that basal would read from specified environment variables at execution time, so there's no reason to do anything else at that point. We inject these things as environment variables, basal starts up, it has a list of things that it expects to be there, those things are there, and those things are per environment because of the determinations we made in the prepare phase and because the deployment itself is parameterized.

So this is the ECS task definition; this is what the AWS API expects. Again, these things get passed through the system as variables in the Rakefile, and they're passed to the terraform command, which populates these and writes them to the AWS API to actually have these things injected into the running Docker container. So when the cluster is up and running, these environment variables will contain all the passwords, and basal just reads them and starts up the way it starts up. So I think this is the thing I want to pay the most attention to: when doing this I was thinking about where the secrets would end up. I already said that we want Vault to be the system of record, the source of truth, but it feels very important to know where these guys are going to end up at the end of the day, and for me, I didn't want them written to disk on some kind of public service or something like that. So you have to consider your risk factors when it comes to where these things end up. The thing that made the most sense for us was to store these things in memory on the CI server and to inject them into the actual running container at start time, so that they were never written to disk in a place where someone could find them, and never written to logs or something like that. So I think when you're doing this stuff, what actually happens to that secret when it's decrypted, where it ends up and where it's made available to the resources that are going to read from it is a really important thing to consider. For us, the thing that made the most sense, both with the Socotra approach and basal, was to inject these things at run time so that they would be available like that. This was born out of years of managing secrets in weird ways in the past, KeePass wallets and passing them around. And actually at Socotra what we end up doing is we have a pretty extensive configuration, multiple tens of lines of configuration files for a Java API service. What we end up doing is we pass all this stuff in as environment variables to the container, and then we do a chef run, and the chef run is actually the entry point for the container, so it takes in all these environment variables and this recipe will apply all these environment-specific environment variables and create config files using templates, and it works out nicely. So basal is a case where we do everything with environment variables; Socotra does everything with environment variables too, but it takes it one step further and actually creates config files using Chef at execution time.

So that concludes my talk. I want to leave some time for some Q&A. I'm not sure if people have questions about how this stuff works.

Any particular reason for not going from the recipes into Vault locally and grabbing the secrets that way, instead of all of the environment variables, like a cleaner way of doing it?

The reason that I didn't do that is because if the server is compromised, I don't want the application server to have access to Vault. Two things: as I mentioned, only two things have access to Vault in my infrastructure, engineer machines, which we have tight control over, and build nodes, which we have tight control over. So from a network access and network security perspective I didn't want to go that route. Having said that, I am tempted to do a proof of concept the other way and try really tight access controls around the application nodes themselves, and see how that would work, and see what we can do with pen-testing and whether it actually makes a difference.

I have a question about the Vault tokens. I read that a token can last a maximum of, like, 30 days. So what do you recommend for propagating the cookbook to the new token?

Yes, so we actually have a manual procedure for doing this, and I know it feels a little bit heavy-handed, but there are certain things around secrets that just can't be automated, right, like for example if we wanted to store all the secrets in a file that would be great, we'd love to auto-generate all this stuff, but that's exactly what we're trying to avoid; we don't do that kind of stuff. So when it comes to doing certain things with Vault we just have manual procedures that we do with some regularity, as a part of our planning and a part of the projection, so that we can make sure that we're taking them into account when trying to accomplish our goal. But when it comes to the token renewal and how to propagate it, right now that process for us is manual. So there's a token renewal, and there's a handful of different times where you renew: for example, the root token is valid by default for a certain amount of time, and there's a renewal process for that token, but then you have to deal with the places that token has to be. So when you do that renewal you have to ensure that you have the procedures in place to make sure that it ends up where it needs to be after the renewal. Having said that, there is a way to disable that auto-renewal if it's an issue in your environment, or not disable it but change it; there are also ways to change it. So again, when it comes to mapping out what you're going to do with your secrets, I think it makes sense to account for this kind of thing in your plan.

Have you considered using Vault's ability to dynamically generate passwords? For example, the DB password here is something I would do dynamic generation for, for each container uniquely, so only for the lifetime of the container would that password be valid, and then it just disappears, and if anybody gets access to it, it's gone.

So we actually use the AWS backend. First of all, there's a bunch of different secret backends; I talked about the generic one where you store secrets at a path and you're able to retrieve them, but there's another one called the AWS backend, and that is exactly what you're talking about. You associate a policy with it and it'll create keys dynamically every time, and then you can take those keys and inject them, and the keys will only live for the lifetime of the deployment of the container. That's exactly what we do at Socotra in our prepare phase, much like we were using for basal: it would generate those keys and they'd propagate all the way down, and when it comes to the destroy, when there's a promotion of the deployment to production, it'll take those keys and destroy them so they're no longer valid. Having said that, this does take some finesse to get right, but it is a very, very nice pattern that we follow, and I really like it. And again, speaking to compromise: if there is ever a compromise, because you tear that down, you create a new deployment and you tear down the other deployment, and as part of that it takes those keys with it, and I don't have to worry about the keys being active.

So it looks like you guys are using just token auth in the build system. Have you looked at using the AppRole authentication, where you have two tiny bits of information, so that you can store one with the code and have the other actually on the build system?

So I've been looking at that, but in our code we don't do that yet.

You talked about things being well documented and to a standard of practice; where are those documented?

For the smaller project we're using a basic approach, but for Socotra, which is a big project with a lot of engineers, we're using Confluence. I think it would be really interesting to do some kind of feature of Vault where you can auto-generate documentation, so we could auto-generate documentation for everything as just part of the plan, because this doesn't exist in Vault right now; this is a fairly manual process. Thank you.
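The following is an added example, written for this page; it is not code from the talk, from the buildit gem, from basal or from Socotra. It models two things the talk describes: the three-role policy scheme (engineer reads development only, build reads both environments, admin writes both) and the prepare phase of the Rakefile (destination branch to environment, secrets laid out under secret/<environment>/..., an environment variable override that wins over Vault, and a result that lives only in memory). The HCL policy text, the variable names, the field layout under each path, the use of VAULT_ADDR and VAULT_TOKEN, and the in-memory stand-in for Vault are all this example's assumptions; the policy evaluator covers only the glob-suffix rules written here and is not Vault's ACL engine.

```ruby
require 'json'
require 'net/http'
require 'uri'

module Prepare
  # Branch to environment, as in the talk: PR and develop builds are
  # development, a pull request whose destination is master is production.
  def self.environment_for(destination_branch:)
    case destination_branch
    when 'master'  then 'production'
    when 'develop' then 'development'
    else raise ArgumentError, "unknown destination branch #{destination_branch}"
    end
  end

  # Secret layout (assumed): secret/<env>/<component> holds a map with <key>.
  # Each entry names the environment variable that can override it locally.
  SECRETS = {
    'AWS_ACCESS_KEY_ID'     => %w[aws access_key],
    'AWS_SECRET_ACCESS_KEY' => %w[aws secret_key],
    'DB_PASSWORD'           => %w[db password],
  }.freeze

  def self.path_for(env, component)
    "secret/#{env}/#{component}"
  end

  # Reader against a real Vault (generic backend, v1 HTTP API); the token
  # travels in X-Vault-Token over TLS when VAULT_ADDR is https.
  def self.vault_reader(addr = ENV.fetch('VAULT_ADDR'), token = ENV.fetch('VAULT_TOKEN'))
    lambda do |path|
      uri = URI("#{addr}/v1/#{path}")
      req = Net::HTTP::Get.new(uri)
      req['X-Vault-Token'] = token
      res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
      raise "vault read #{path} failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
      JSON.parse(res.body).fetch('data')
    end
  end

  # Resolve every secret for env. An environment variable override wins (local
  # builds against your own AWS account); otherwise read from Vault. The hash
  # is kept in memory and handed to the image/deploy phases, never written out.
  def self.get_secrets(env, reader:, overrides: ENV)
    SECRETS.each_with_object({}) do |(var, (component, key)), out|
      out[var] = overrides[var] || reader.call(path_for(env, component)).fetch(key)
    end
  end

  # Assumed policies matching the talk's matrix; deny on production for engineers
  # is explicit so an accidental broader grant cannot widen it.
  POLICIES = {
    'engineer' => <<~HCL,
      path "secret/development/*" { capabilities = ["read", "list"] }
      path "secret/production/*"  { capabilities = ["deny"] }
    HCL
    'build' => <<~HCL,
      path "secret/development/*" { capabilities = ["read", "list"] }
      path "secret/production/*"  { capabilities = ["read", "list"] }
    HCL
    'admin' => <<~HCL,
      path "secret/development/*" { capabilities = ["create", "read", "update", "delete", "list"] }
      path "secret/production/*"  { capabilities = ["create", "read", "update", "delete", "list"] }
    HCL
  }.freeze

  # Minimal check for the policy shape above: glob-suffix paths, deny wins,
  # no grant means no access. Not a replacement for Vault's own evaluation.
  def self.allowed?(policy_hcl, path, capability)
    rules = policy_hcl.scan(/path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}/)
    caps = rules.select { |pattern, _| path_matches?(pattern, path) }
                .flat_map { |_, list| list.scan(/"([^"]+)"/).flatten }
    return false if caps.empty? || caps.include?('deny')
    caps.include?(capability)
  end

  def self.path_matches?(pattern, path)
    pattern.end_with?('*') ? path.start_with?(pattern.chomp('*')) : pattern == path
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed, in-memory stand-in for Vault so the example runs offline.
  fake_vault = {
    'secret/development/aws' => { 'access_key' => 'AKIA-dev', 'secret_key' => 'dev-secret' },
    'secret/development/db'  => { 'password' => 'dev-db-password' },
  }
  env = Prepare.environment_for(destination_branch: 'develop')
  secrets = Prepare.get_secrets(env, reader: ->(path) { fake_vault.fetch(path) }, overrides: {})
  # Log only the names that will be injected, never the values.
  puts "#{env}: #{secrets.keys.join(', ')}"
end
```

The build node would call `get_secrets` with `vault_reader` and the policy named `build`, which the evaluator confirms can read both environments but not write; the same check shows why an engineer token reading `secret/production/db` fails even though the path layout is identical to development.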
Metadata

Formal metadata

Title: Keeping Secrets - A Practical Approach to Managing Credentials
Series title: Chef Conf 2017
Author: Antenesse, Chris
License: CC Attribution - Share Alike 3.0 Unported:
You may use, modify, and reproduce, distribute, and make publicly available the work or its content, in unmodified or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner specified by them and pass on the work or this content, also in modified form, only under the terms of this license.
DOI: 10.5446/34589
Publisher: Confreaks, LLC
Publication year: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract Tokens, passwords, certificates, API keys, and other secrets are vital to applications and infrastructure functioning properly. In the modern world of rapid, continuous delivery, we want to maintain agility and keep our secrets safe. While speed and safety feel mutually exclusive, modern tools with appropriate practices enable both at the same time. This talk will discuss patterns and show practical methods for keeping secrets safe from developer environments to production where tight access controls and continuous delivery are priorities.
