June 13, 2019
Managing secrets for systems
Many teams use a password manager, such as UW-IT's LastPass service, to manage secrets for desktop applications and even for systems.
As IT teams mature their DevOps practices and automate more of their software environments, demand grows for secrets management tools and services such as HashiCorp Vault. These tools promote practices such as key rotation by automatically provisioning short-lived, dynamic secrets.
This session will review existing key management practices and tools, gauge our organizational interest and readiness to pursue a centrally-managed key service, and consider the model for a new service.
UW Tower, T22 Boardroom
| Time | Topic | Notes |
|---|---|---|
| 10:30 am | Intro, agenda | Announcement |
| | Existing key management practices and solutions for systems at the UW, including: | |
| | Service model (and the beginning of a business case) | |
| 11:50 am | Next steps and wrap-up | |
Secrets Management Solutions
Minimum Best Practices
- Encrypt secrets at rest on disk
- Keep secrets out of source control (and add automated checks that catch them)
- Keep secrets out of backups (and add automated checks that catch them)
- Rotate keys at least whenever staff with access depart
- Grant least-privilege access to each secret
- Manage master keys (e.g. the root account credentials) securely and with redundancy
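The two "automated checks" items above are the ones teams most often skip. The scanner below is an added example (not code from the page or from any UW-IT service) of what such a check looks like: it scans an in-memory map of files, as a git pre-commit hook would receive them, and the members of a tar backup archive, looking for well-known credential formats and for long high-entropy tokens. The pattern set, the entropy threshold, and all sample file contents are constructed for illustration; the `AKIA...` value is the placeholder key ID from AWS's own documentation, not a live credential.

```python
"""Automated check for secrets leaking into source control or backups.

Added example, not part of the original page. Sample content is constructed.
"""
import io
import math
import re
import tarfile
from typing import Dict, List, NamedTuple

# Named patterns for public credential formats: the AWS access-key-ID shape,
# PEM private-key headers, and a generic "<name>password = '...'" assignment.
# Real scanners carry many more rules; these three show the mechanism.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?[^\s'\"]{8,}"
    ),
}
# Fallback: any long base64/identifier-looking token whose Shannon entropy is
# high. 4.0 bits per character catches random alphanumeric and base64 tokens;
# hex-only secrets (at most 4.0 bits/char) need a lower bar plus an allowlist
# for commit hashes, which is deliberately left out of this example.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0


class Finding(NamedTuple):
    path: str
    line: int
    kind: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's text; yields one Finding per (line, rule) that fires."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kinds = [k for k, pat in PATTERNS.items() if pat.search(line)]
        if not kinds:  # fall back to entropy only when no named rule matched
            for tok in CANDIDATE.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    kinds.append("high_entropy")
                    break
        findings.extend(Finding(path, lineno, k) for k in kinds)
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: text} map, e.g. the staged files in a pre-commit hook."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_tar(archive: bytes) -> List[Finding]:
    """Scan the regular-file members of a (possibly compressed) tar backup."""
    out: List[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            raw = tf.extractfile(member).read()
            if b"\x00" in raw:  # skip binaries; they need a different scanner
                continue
            out.extend(scan_text(member.name, raw.decode("utf-8", "replace")))
    return out


def build_tar(files: Dict[str, str]) -> bytes:
    """Build a gzip'd tar in memory from {path: text}; stands in for a backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample repository content (nothing here is a real credential).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DATABASE_PASSWORD = 'correct-horse-battery-staple'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "SESSION_SIGNING = 'k7Qp2vX9mL4nB8rT1wZ5yH3jF6dS0aG'\n"
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nnotarealkeybody\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Secrets belong in the vault, not in the repo or the backups.\n",
}

if __name__ == "__main__":
    import sys
    hits = scan_files(SAMPLE_FILES) + scan_tar(build_tar(SAMPLE_FILES))
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind}")
    sys.exit(1 if hits else 0)  # non-zero blocks the commit or fails the backup job
```

In a git pre-commit hook, the paths from `git diff --cached --name-only` and their staged contents (`git show :<path>`) are what you feed to `scan_files`; for backups, run `scan_tar` over the archive before it leaves the host and fail the job on any finding. Expect some false positives from the entropy rule (long identifiers, hashes in lock files); production scanners add per-repository allowlists for exactly that reason.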
The following table describes some of the secrets management solutions being employed or considered by various UW teams. Teams will often use a hybrid of different solutions.
Automation opportunities increase by row (1-6).
| Row | Solution |
|---|---|
| 1 | No master repo; encrypted on disk; manually copied between cluster members |
| 2 | Master repo, mirrored on file system; encrypted on disk; manually copied between cluster members |
| 3 | Master repo, mirrored on file system; distributed via local custom, privileged automation |
| 4 | Managed cloud-native platform ("AWS IAM model") |
| 5 | Managed key vault service |
| 6 | Security identity framework |
UW-IT Managed Secrets Service? Who would consider using it?
- Managed Servers
- UW Medicine