LASCON 2018 has ended
Thursday, October 25 • 10:00am - 11:00am
Secure Configuration in the Cloud


Category: Devops + Security

Abstract: While the pervasive use of PaaS for application deployment in the cloud has been a boon to businesses and developers, it has also introduced new challenges. Given the open, distributed and on-demand nature of DevOps, sensitive assets once well-guarded behind a corporate firewall could now be scattered in the cloud. Examples of such assets include database credentials, external service credentials, API tokens, and private keys for SSH, TLS and VPN sessions. It is imperative to provide a secure and usable mechanism for protecting these assets at every stage of the deployment cycle. Insufficiently protected configuration secrets could enable pivoting and exfiltration of business-sensitive data, and do significant damage to a company's image as well as its financial bottom line. Unfortunately, the high frequency of data breaches we hear about shows that security principles are not always followed.
Keeping in line with security recommendations, there is a need to have a strategy for sensitive configuration data management which simplifies the process of creation, renewal and expiration of secret data. Additional techniques include access control at every level (application/micro-service/host), usage audits, monitoring of secrets that lack adequate protection, and secure backups. Various solutions are available in the market that address different aspects of configuration data protection. It is important to understand which aspect each solution addresses, and to know its strengths and weaknesses.
In this talk, we will provide an overview of various types of configuration secrets, and their lifecycles. We will also cover available solutions and show how they can protect these configuration secrets. In doing so we will build a list of do’s and don’ts that can serve as recommendations for cloud DevOps.
A rough outline of the talk is as follows:
  1. Introduction to ephemeral applications in the cloud
  2. Types of configuration data (passwords, keys, key stores, tokens – textual, file based)
  3. Configuration secret lifecycle
  4. What not to do (things to avoid)
  5. Solutions for protecting sensitive data (e.g. Kubernetes secrets, Keywhiz, Hashicorp Vault)
  6. Strengths and weaknesses of each solution
  7. Misconfiguration pitfalls
  8. Conclusion and Recommendations


Muein Muzamil

Senior Software Architect, Gemalto
Muein Muzamil is a member of the technical community at Gemalto and works as a senior software architect in the Enterprise and Cybersecurity group based in Austin, TX. His research interests include evolving authentication solutions, federated authentication, one-time password (OTP...

Najam Siddiqui

Solution Architect, Software Security Architect, Gemalto
Najam Siddiqui is a member of the technical community at Gemalto and works in the Enterprise and Cybersecurity group based in Austin, TX. His research interests include identity and access management solutions, web application firewalls (WAF), strong authentication solutions, Web application...

Thursday October 25, 2018 10:00am - 11:00am CDT
Presidio Room