DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

How does AI transform chaos engineering from an experiment into a critical capability? Learn how to effectively operationalize the chaos.

Data quality isn't just a technical issue: It impacts an organization's compliance, operational efficiency, and customer satisfaction.

Are you a front-end or full-stack developer frustrated by front-end distractions? Learn to move forward with tooling and clear boundaries.

Developer Experience: Demand to support engineering teams has risen, and there is a shift from traditional DevOps to workflow improvements.

Related

  • KubeVirt: Can VM Management With Kubernetes Work?
  • The Bare Metal Bet That Made Our Multiplayer Platform Hum
  • Multi-Cluster Networking With Kubernetes and Docker: Connecting Your Containerized Environment
  • From Monolith to Containers: Real-World Migration Blueprint

Trending

  • Automating Kubernetes RBAC Sync With LDAP Entitlements Using Python
  • Software Specs 2.0: An Elaborate Example
  • Defining Effective Microservice Boundaries - A Practical Approach To Avoiding The Most Common Mistakes
  • Serverless IAM: Implementing IAM in Serverless Architectures with Lessons from the Security Trenches
  1. DZone
  2. Software Design and Architecture
  3. Cloud Architecture
  4. How to Eliminate Secret Zero and Stop Nesting Secrets

How to Eliminate Secret Zero and Stop Nesting Secrets

Need help securely authenticating your client requests? Check out this post on how to eliminate Secret zero and to stop nesting secrets.

By 
John Walsh user avatar
John Walsh
·
Sep. 07, 18 · Tutorial
Likes (2)
Comment
Save
Tweet
Share
5.8K Views

Join the DZone community and get the full member experience.

Join For Free

One of the biggest challenges organizations face is how to securely authenticate client requests for services and to securely distribute secrets without a secret zero. Many secrets management solutions rely upon a master key or secret zero to protect the crown jewels. Secret zero is an irresistible target for attackers, so it is typically stored in a Hardware Security Module (HSM), which itself requires credentials to access it, and those credentials must be stored securely too — you get the idea. This scenario is often compared to Russian nesting dolls, where opening one doll reveals many smaller dolls. This only gives you the illusion of security as you exchange one vulnerability for a different one.

Some secrets management solutions claim to solve the secret zero problems by splitting the master credentials in two by requiring both a role identifier and some other secret information to gain an access token to the vault. This is more secure than some alternatives, but further investigation reveals that the solution is simply introducing a new secret zero by a different name because now the vault token needs to be protected. It seems like no matter how hard you try, there will be a secret zero that must be protected.

Avoid Secret Zero Problems by Using Strong MFA Factors in the Orchestration Layer

A better way to address the secret zero dilemmas is through the use of strong multi-factor authentication that leverages trusted systems that are already in place. A stolen credential will have no value if the machine or attacker using it can’t be authenticated.

CyberArk Conjur avoids the Secret zero problem by working with the underlying container orchestration systems running your applications to automatically authenticate machines requesting secrets with strong multi-factor authentication. To authenticate secret requests, the solution uses multiple attributes only available to trusted containers, such as the IP address range assigned to valid containers, securely random UUIDs, cryptographic keys, role, name, and other automatically generated/configured attributes in the orchestration system of choice. An application presenting only one of these factors is not enough to authenticate it. The presence of just one of these factors presented by an application would not be reason enough to authenticate it. Multiple factors must be presented for an application to be considered bona fide.

How to Replace Secret Zero With Strong Native MFA

The most important step in the container security process is to establish the identity of client containers, so it is important that this process be as strong as possible. Conjur provides a container authenticator that issues strong identity credentials to containerized applications running on platforms such as CloudFoundry, Pivotal CloudFoundry, Kubernetes, or OpenShift.

The Conjur Authenticator provides two operations: login and authenticate. The login operation is performed once by each client container to obtain a signed certificate for the life of the container. When using Kubernetes or OpenShift, the certificates expire after three days and the login process must be repeated to get a new one. This is all handled transparently by the sidecar authentication client.

The login operation uses the container platform’s APIs to install the signed certificate out-of-band and out-of-the-normal request flow to resist spoofing. The authenticate operation is performed regularly by each application to obtain a short-lived IP-restricted (not currently supported in the Kubernetes authenticator) access token. The token is encrypted with the client’s public key and delivered over a mutual TLS connection, which prevents eavesdropping and allows both the client and server to confirm one another’s identities.

Each authentication call will use the certificate installed during the login process to request a new short-lived access token. The IP address restriction prevents the token from being stolen and used outside of the container cluster. The encryption ensures that an attacker cannot use a token without having access to the private key that resides in the client container’s memory space. With these authentication and security methods in place, no single secret can unlock everything, and containers can be dynamically created without a large administrative overhead.

Conclusion

There are a lot of different ways to secure secrets, and unfortunately, a lot of them hinge on keeping one secret protected, leaving their system’s security clinging precariously to the protection of that single secret. A more elegant secrets management solution will use the underlying orchestration platform and tools rather than requiring operators to go through more processes and to install extra modules only to end up with another secret zero to protect.

It’s Easy to Get Started

If you want to learn more about how the Conjur Kubernetes-native integration works read John Tuttle’s “Kubernetes Authentication with Conjur” blog post. More details on Conjur Enterprise integrations can be found in our documentation. You can get started immediately with the hosted version of our Conjur Open Source tutorial. This tutorial will take you through the basics of creating a security policy, machine identity, and secrets management with Conjur Open Source. 

Kubernetes Nesting (computing)

Published at DZone with permission of John Walsh, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • KubeVirt: Can VM Management With Kubernetes Work?
  • The Bare Metal Bet That Made Our Multiplayer Platform Hum
  • Multi-Cluster Networking With Kubernetes and Docker: Connecting Your Containerized Environment
  • From Monolith to Containers: Real-World Migration Blueprint

Partner Resources

×

Comments

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • [email protected]

Let's be friends: