Migrating Secrets Using HashiCorp Vault and Safe CLI

Vault and Safe

Vault is a secret management service by HashiCorp. It is a tool that helps you store secrets (API keys, passwords, etc.) and access them securely. You can use Vault through a user interface as well as through the CLI.

In this post, we will not go deep into what Vault is; instead, we will look at how we can migrate secrets from one Vault to another. We can migrate secrets using the Vault CLI, but doing so can get a little complicated. Therefore, to make things easy, we will use Safe CLI, which is a wrapper around Vault. It helps us manage and migrate our secrets with simple commands, and it also lets us connect to different Vault instances very quickly for migration purposes.

Managing Secrets Deployment in GitOps Workflow

Introduction

Kubernetes is an open-source system that helps to automate the deployment, autoscaling, and management of container-based applications. It is widely used for building and deploying cloud-native applications on a massive scale, leveraging the elasticity of the cloud. Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), and Azure Kubernetes Service (AKS) are the popular managed services for running a production-grade, highly available Kubernetes cluster on AWS, GCP, and Azure without needing to stand up or maintain the Kubernetes control plane.

There are many ways to spin up Kubernetes clusters, either on-prem or on a public cloud (AWS, GCP, and Azure), but in today’s automation world, it is common practice to use a continuous delivery pipeline to deploy releases to a Kubernetes cluster. As a best practice, all the YAML manifests should be version-controlled in a Git repository.

5 Best Security Practices for Kubernetes and Oracle Kubernetes Engine

In this article, readers will learn about each best practice in Open Source Kubernetes as well as Oracle’s Kubernetes managed service (OKE) running on Oracle Cloud Infrastructure (OCI).

Kubernetes has gained rapid traction over the last three years and is being deployed in production by many companies. While, in general, Kubernetes follows the core software security principles, some ownership of security falls on the shoulders of the end users. Just as a shared security responsibility model exists between cloud providers and their customers, there is a shared security responsibility for the managed Kubernetes services offered by cloud providers. Providers of managed Kubernetes services, such as Oracle Cloud Infrastructure Container Engine for Kubernetes (also known as Oracle Kubernetes Engine or OKE), Azure Kubernetes Service (AKS), and others, are typically responsible for managing and securing the control plane (API server, scheduler, etcd, controllers) of the Kubernetes cluster, and customers of the managed service are responsible for securing the data plane (node pools, ingress, networking, service mesh, etc.).

Four Ways to Keep Kubernetes’ Secrets Secret

We have talked a lot about the speed at which DevOps innovation has moved and how security has consistently struggled to catch up. Kubernetes is quickly putting this idea to shame and stretching security teams to their limit. In just five short years, Kubernetes has exploded in usage, but security wasn’t always at the front of everyone’s minds.

One of the most shocking recent Kubernetes developments was the discovery of the most severe Kubernetes vulnerability ever, CVE-2018-1002105, which we discuss further here. The silver lining is that the vulnerability led to the realization that Kubernetes developers need better security practices. To be fair, security, as with DevOps, is a process of continuous improvement. In this blog, we will discuss best practices for securing Kubernetes.

Top Secrets Management Tools Compared

As apps become more complex in the way they use microservices, managing API keys and other secrets becomes more challenging as well. Microservices running in containers need to transfer secrets to allow them to communicate with each other. Each of those transfers, and each of the secrets being exchanged, needs to be secured properly for the entire system to remain secure.

Hard-coding API keys and other secrets is definitely NOT an option. Despite the obvious nature of the previous statement, a lot of developers still expose the credentials of their microservices or apps on GitHub. Fortunately, there are tools designed to make managing secrets easier. We are going to compare the best secrets management tools in this article.

Safely and Swiftly Share Secrets Using DevOps

"To make all athletes better through passion, design, and the relentless pursuit of innovation," is Under Armour's stated mission. They have certainly delivered on the innovation promise in their products. Today, we will look at their innovation a few layers removed from your moisture-wicking socks or state-of-the-art Olympic speed skating suits.

Under Armour has several digital products, such as MyFitnessPal, under the umbrella of Under Armour Connected Fitness. It is here that Kyle Rockman (@Rocktavious) is an infrastructure engineer, coding the infrastructure that supports the software engineers who develop the applications you use to track protein shakes and Twinkie consumption. Kyle spoke at the 2017 AllDayDevOps conference about how he and his team are innovating, specifically about their tool for composing and sharing hierarchical environment variable configuration, which makes updating hundreds of microservices easy. Yes, it is true: they were able to make it easy to share environment variables and to make the updating process more transparent.

An Intro to Azure Key Vault

Azure Key Vault is a secure way of storing your keys, certificates, and secrets so that your application can access everything it needs without those secrets being stored insecurely anywhere, such as in source control.

I have been wanting to give Azure Key Vault a try for a while now, as it can make use of Azure Active Directory to give your web app an identity so it can authenticate itself into the key vault to access secrets. It's pretty clever, but with a lot of moving parts, it's a bit complex.

Vault: A Secure Way to Keep Your App’s Secrets

In this blog, we will discuss Vault. In modern scenarios, we want to secure our systems as much as possible. We don't want to store our secret keys and certificates in the system or in configuration files. We need a place where we can keep our secrets with more security and access them securely whenever we need them. For this, we can use Vault.

Vault is a secure place to store a system's secrets, passwords, tokens, and API keys, with control over who can access them. It provides security by encrypting the secrets it stores.

Privacy Secrets Your Systems May Be Unknowingly Telling

Permissions and Privacy in User Data

Privacy has overtaken security as a top concern for many organizations. For IT professionals, the difference between privacy and security may not be apparent. Protecting sensitive data from the prying eyes of malicious users seems to be an obvious goal of application security. But privacy is more than just protecting sensitive data. Privacy is also the users’ ability to keep their data private, no matter if the data is considered sensitive or not. Giving users the ability to control who has permission to see their data and who does not have permission is an important goal of privacy.

How to Ensure Personal Data Is Kept Personal

Many IT professionals today are unaware of exactly how to ensure users’ data is kept private, or even how to determine whether users’ privacy has been violated. Relying on a member of the IT team to “know it when they see it” is not a scalable way to ensure users’ privacy. Often, IT staff are not subject matter experts concerning the data their organization is collecting. If the sensitivity of the data is not documented and privacy standards have not been explained to everyone who works with the data, this creates an opportunity for incorrect assumptions to be made about what data needs to be protected, when it needs to be protected, and where it needs to be protected.