Cloud Native Security Webinar Series

2 October 2020 11:00 CEST
Dynamic Cloud Native Security Webinar series 

Secrets Management with Vault

  1. CISO Automation - Intro to Secrets & Vault 
  2. Dynamic Credentials - Credentials done right
  3. Dynamic Certificates - Dynamic mTLS
  4. Bank Vaults + Customer use case (Interview with ABN AMRO Bank)
  5. HashiCorp Vault Operations

Audience: CISO, Security Consultants, DevSecOps, Platform Teams

About this Webinar

4 September Webinar 1 - CISO Automation - Introduction to Secrets & Vault

Time: 11:00 CEST - 11:45 CEST

Illuminati -- all your secrets belong to Vault

 

This webinar will talk about the problem of automating trust and outline a solution architecture based on an industry best practice HashiCorp toolset along with the organisational structures necessary to use the solution.

 

Problem Statement

You’re transitioning from manual operations to automated infrastructure. Because you’re smart you’re using a DevSecOps approach for the win, but you’re struggling because your source code and scripts are full of credentials, passwords, certificates, and all manner of sensitive data. You’ve created a secure-coding team to disseminate best practice based on OWASP. But how do you automate trust? How do you enforce good secret hygiene and gain control of your systems?

 

Solution

The first part of the solution is understanding where trust comes from and how it is propagated. This train of thought brings you rapidly to the related concepts of compliance as code, system identity, and secrets management. The solution involves governance committees and tools working together to ensure control is maintained.

 

Tools

  • HashiCorp Sentinel (policy as code)
  • HashiCorp Vault (secrets management)
  • HashiCorp Consul (SPIFFE)

 

Speaker Bryan Dollery, Chief Technology Strategist at Nuaware

18 September Webinar 2 - Dynamic Credentials - credentials done right

Time: 11:00 CEST - 11:45 CEST

In this webinar, we will look at HashiCorp Vault’s dynamic secrets engine, but that’s not enough: it’s not all about the tools, it’s also about how you use them, so we will also look at the organisational structures you need to be able to make use of this great technology.

Problem Statement

In the previous instalment, we learned that a credential belongs to the owner of the service it secures, not to the user, and that to maintain control of our resources we must never expose a secret to a person. How then do we provide an application with the credentials it needs to access a resource like a database?

Solution

Dynamic credentials are a fantastic solution to this problem. We allow a 3rd party to negotiate a new set of credentials with the resource and issue them to the service that needs them. The problem of trusting the 3rd party was solved in the first webinar in this series. This tech can help you remove credentials from your code forever, abstracting that concern from your services.

Tools

  • HashiCorp Vault (secrets management)

 

Speaker Bryan Dollery, Chief Technology Strategist at Nuaware

2 October Webinar 3 - Dynamic Certificates - dynamic mTLS  

Time: 11:00 CEST - 11:45 CEST

This webinar will talk you through the service mesh concept as it applies to identity and mTLS, and talk about the organisational structures needed to support this approach to security.

 

Problem Statement

Encryption in transit is such a good idea that we do it all the time, right? SSH and HTTPS all the time. All services secure. At least, that’s just a myth we tell ourselves to help us sleep at night. In reality, the certs/keys we use to secure this traffic are completely stale and insecure themselves. Once a hacker has a cert they can decrypt our traffic with ease and we’d never know. Certs are kept in code or other insecure stores and rotating them is hard.

 

Solution

With HashiCorp tools we can configure dynamic certificates for every session on the wire. We can configure a service mesh using HashiCorp Consul that generates dynamic certificates using HashiCorp Vault, against identities issued with SPIFFE. This is the most secure possible way of doing mTLS. Rather than having one cert per service, you now have one cert per connection.

 

Tools

  • HashiCorp Vault (secrets management)
  • HashiCorp Consul (SPIFFE)

 

Speaker Bryan Dollery, Chief Technology Strategist at Nuaware

16 October Webinar 4 - Customer use case: Bank Vaults (Interview)

Time: 11:00 CEST - 11:45 CEST

This webinar is given by Bryan Dollery, one of the project’s founders, who led the project, designed the architecture and approach, and led the delivery team for the first year. Helping out with the webinar will be Sarah Polan, whom Bryan selected as his replacement when he left the project and who has seen it bloom from AWS to Azure and beyond.

 

Problem Statement

Introduce Secrets Management at an established European bank.

 

Solution

Create a secrets management team as part of CISO and give them the tools and influence necessary to roll out these concepts to 300+ development teams and all manner of services. The project is now a year old and we have learnt a lot. Basically, it’s not about the tools, it’s about how you use them.

 

Speakers

  • Sarah Polan: Secrets Management Advocate & Trainer at ABN AMRO Bank
  • Bryan Dollery, Chief Technology Strategist at Nuaware

30 October Webinar 5: HashiCorp Vault Operations 

Time: 12:00 CEST - 12:45 CEST

This webinar focuses on running Vault in production, the alternative architectures that you can choose from, and the trade-offs of each. We will cover basic Vault architecture, HA/DR, K8S and the Vault operator from Banzai Cloud.

 

Problem Statement

How should you run Vault in production? Should you follow the HashiCorp runbook, or write your own? Should you have a central cluster, and what does it mean if you choose to distribute an installation per Kubernetes cluster? And the question you’ve all been asking: does this really work with Kubernetes?

 

Tools

  • HashiCorp Vault (secrets management)

 

 

Speakers

  • Bryan Dollery, Chief Technology Strategist at Nuaware

 

 

Speakers

Bryan Dollery

Chief Technology Strategist at Nuaware

Sarah Polan

Secrets Management Advocate at ABN AMRO