Shhh!: Secret Management Practices for Infrastructure as Code
Download as PPTX, PDF0 likes96 views
The document discusses 12 key practices for effective secret management in Infrastructure as Code (IaC) environments, highlighting tools like Hiera, Ansible Vault, and HashiCorp Vault. It analyzes various methodologies and organizations' objectives for implementing these practices, leading to significant improvements in deployment and patch release times. The findings are derived from various internet artifacts, with a particular focus on security measures such as access control, encryption, and secret rotation.
Shhh!: Secret Management Practices for Infrastructure as Code
- 1. Shhh!: 12 Practices for Secret Management in Infrastructure as Code #IEEESecDev https://secdev.ieee.org/2021 Patrick Morrison Akond Rahman Farhat Lamia Barsha
- 2. Infrastructure as Code (IaC) 2 … Use of IaC … IaC Script
- 3. Languages to Implement IaC 3 Ansible Chef Puppet Terraform
- 4. Example IaC Script Include File mode Command File
- 5. Reduced provisioning time 1-2 days to 21 minutes Deployment frequency 1200x improvement Reduced patch release time multiple days to 1 hour 5 Use of IaC
- 6. Motivation for Secret Management 6
- 7. … 7 Secret Management Motivation for Secret Management
- 8. 8 Secret Management Tools for IaC Hiera (Puppet) Ansible Vault (Ansible) Hashicorp Vault
- 9. Research Question 9 What practices can be used for secret management in infrastructure as code scripts?
- 11. Results 11 - 38 Internet Artifacts - 86.8% of them are blog posts - 12 practices
- 12. Results (Practices) 12 Data organization (11): Directories, Hiera for Puppet, Naming Conventions Password Management for Ansible Vault (9): Vault separation, CLI
- 13. Results – Practices (Contd.) 13 Access Control (6) Prioritized Encryption (6)
- 14. 14 Separation (4): Artifact separation, state separation Logging (4) Results – Practices (Contd.)
- 15. 15 Unsealing (4): automation, replication Secret rotation (3) Results – Practices (Contd.)
- 16. 16 Applying transport layer security (2) Efficient searching (2) Results – Practices (Contd.)
- 17. 17 Speed up (2) Limiting authentication (1) Results – Practices (Contd.)
- 18. Results: Mapping Practices to IaC Languages 18 Practice Language Access control All Authentication limits All Data organization All Environment separation All Logging All Password management for Ansible Vault Ansible
- 19. Results: Mapping Practices to IaC Languages (Contd.) 19 Practice Language Prioritized encryption All Rotation of secrets All Secret search Puppet Speedup Ansible TLS usage All Unsealing All
- 20. Limitations 20 - 38 Internet artifacts - 6 search strings - Rater bias
- 21. Contributions 21 - 12 practices to manage secrets for IaC scripts - A mapping of identified practices to secret management tool
- 22. Summary 22 [email protected] akondrahman.github.io @akondrahman Motivation for Secret Management 6 Search Artifacts Apply Inclusion Criteria Apply Open Coding Mine Practices Methodology 14 ü Separation (4): Artifact separation, state separation ü Logging (4) Results – Practices (Contd.)