Secret management is a difficult problem in a distributed and scalable environment. Chef-vault is a Chef tool built on top of encrypted data bags that eliminates the need to share the decryption key with all users and nodes of an infrastructure.
At the Velocity Conference in Amsterdam, Alex Shoof explained how to manage secrets in a scalable and distributed environment. Shoof proposed a system based on five fundamental principles for secret management.
At DockerCon EU 2015, InfoQ sat down with Gareth Rushgrove, a senior software engineer at Puppet Labs, and explored the concepts behind his conference presentation “Shipping Manifests, Bill of Lading and Docker”. The range of topics discussed included the benefits of system package management (manifest) metadata, the use of Docker labels, and the implications on security and compliance audits.
On October 7, 2015 Google announced its App Engine security service, Google Cloud Security Scanner, has reached general availability. This past February, Google launched a beta version of this service.
At the recent Re:Invent conference, Amazon announced a new security assessment and compliance service. The service is called Amazon Inspector and is currently in preview.
Docker Inc. has announced a new set of security enhancements at DockerCon EU, celebrated in Barcelona on 16-17th/Nov. These enhancements includes hardware signing of container images, content auditing through image scanning and vulnerability detection and granular access control policies with user namespaces.
Rising from the ashes of GigaOm the tribal gathering of cloud elders that is Structure has returned, and got off to a strong start with Battery Ventures' Adrian Cockcroft presenting on the State of the Cloud and Container Ecosystems. Cockcroft paid particular attention to the impact of containers, which wasn’t even a major discussion topic at the last Structure conference in 2013.
After an informative presentation by Armon Dadgar at QCon New York that explored security requirements within modern production systems, InfoQ sat down with Dadgar and asked questions about HashiCorp’s Vault, an open source tool for managing secrets at scale.
Amazon Web Services recently introduced VPC endpoints to enable a "private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT instance, a VPN connection, or AWS Direct Connect". VPC endpoint policies provide granular access control to other service's resources. Initially available are connections to S3, other services will be added later.
Intel has introduced a new feature for its Integrated Native Development Experience (INDE) called Multi-OS Engine that aims to make it easier for Java developers to port their Android apps to the iOS platform.
The web-based LastPass password management service has been hacked according to the company, and the result is that some user data, including email addresses and authentication hashes were obtained by unknown assailants. The breach highlights the risks users take by storing all of their passwords in a centralized location.
SQL Server 2016 seeks to make encryption easier via its new Always Encrypted feature. This feature offers a way to ensure that the database never sees unencrypted values without the need to rewrite the application.
In an article published in their blog, ZeroDB team explains how it works. ZeroDB is an end-to-end encrypted database, which means that the database server does not need to be secure for the data to be safe. The way this works is that query logic is being pushed down to the client. The client also holds the decryption keys for data. The client encrypts data with a symmetric key at time of creation
Google has quietly introduced an app reviewing process that monitors new apps or updates for policy violations. This process uses automatic tools and sometimes human reviewers that add a few hours of delay in the publishing process.
Shortly after releasing the AWS CloudTrail Processing Library (CPL), Amazon Web Services has also integrated AWS CloudTrail with Amazon CloudWatch Logs to enable alarms and respective "notifications from CloudWatch, triggered by specific API activity captured by CloudTrail". The implied support for monitoring JSON-formatted logs has recently been officially released as well.