25–29 Sept 2023
Centro de Ciencias de Benasque
Europe/Madrid timezone

Lockers: An Innovative and Secure Solution for Managing Secrets in the EGI Cloud Infrastructure

26 Sept 2023, 14:20
20m
Centro de Ciencias de Benasque

Av. de Francia, 17, 22440 Benasque, Huesca, Spain (42.603194, 0.523222)

Presentation (15' + 5' for questions)
Development of innovative software and services
IBERGRID Contributions with Demonstrations

Speaker

Viet Tran (Institute of Informatics SAS Slovakia)

Description

Secret management is an important security service within the EGI Cloud federation. It covers the management of various types of secrets, including tokens and certificates, and their secure delivery to the target cloud environment. Historically, accessing secrets from virtual machines (VMs) has relied on OIDC access tokens, a method with a known weakness: if a VM is compromised, its access token can be stolen and used to reach all of the user's secrets.

The Locker mechanism introduces an innovative and robust approach to securely deliver secrets to VMs. Users can effortlessly create a locker, deposit their secrets within it, and then furnish the locker's token to their VMs. Key security attributes of the locker system include:

  • Temporary and autoclean: Lockers have a limited lifetime and are limited in number. When a locker expires it is automatically purged, along with every secret it contains.

  • Isolation: Access to the secrets within a locker is exclusively through its associated token, which can solely be used for accessing the locker's secrets—nothing more. This isolation allows users to store tokens in Continuous Integration/Continuous Deployment (CI/CD) pipelines and similar tools, mitigating the risk of exposing personal secrets.

  • Malfeasance detection: The locker mechanism possesses the capability to detect if a token has been compromised and is being misused.

By adopting the locker approach, users can securely deliver secrets to VMs within the EGI Cloud federation, all while safeguarding their personal credentials from exposure. This innovative solution enhances the overall security posture of the cloud infrastructure, providing a robust foundation for secret management.
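The three locker properties described above, as an added illustration that is not part of this abstract and not EGI's implementation: a small in-memory model of a locker service written in Python. Nothing about the real service's API is assumed; the class, its method names, and the misuse heuristic (binding a token to the first client that presents it and revoking the locker when a different client shows up) are constructed for this example, since the abstract does not say how misuse is detected. The clock is injectable so the expiry behaviour can be shown without waiting.

```python
import secrets
import time


class LockerError(Exception):
    """A locker operation was rejected."""


class LockerStore:
    """Constructed model: temporary lockers (TTL + per-owner quota),
    token-scoped access, and an assumed misuse heuristic in which a token
    is bound to the first client that uses it."""

    def __init__(self, max_lockers_per_owner=3, clock=time.time):
        self._clock = clock            # injectable for deterministic runs
        self._lockers = {}             # locker_id -> record
        self._by_token = {}            # locker token -> locker_id
        self._max = max_lockers_per_owner
        self.alerts = []               # misuse events for the operator

    def _drop(self, locker_id):
        # Purge a locker together with every secret inside it.
        rec = self._lockers.pop(locker_id)
        rec["secrets"].clear()
        self._by_token.pop(rec["token"], None)

    def _purge_expired(self):
        now = self._clock()
        for lid, rec in list(self._lockers.items()):
            if rec["expires_at"] <= now:
                self._drop(lid)

    def create_locker(self, owner, ttl_seconds):
        """Owner side: open a locker, returning its id and its token."""
        self._purge_expired()
        if sum(r["owner"] == owner for r in self._lockers.values()) >= self._max:
            raise LockerError(f"locker quota reached for {owner}")
        locker_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._lockers[locker_id] = {"owner": owner, "token": token, "secrets": {},
                                    "expires_at": self._clock() + ttl_seconds,
                                    "bound_client": None}
        self._by_token[token] = locker_id
        return locker_id, token

    def deposit(self, owner, locker_id, name, value):
        """Owner side: place a secret in one of the owner's own lockers."""
        self._purge_expired()
        rec = self._lockers.get(locker_id)
        if rec is None or rec["owner"] != owner:
            raise LockerError("no such locker for this owner")
        rec["secrets"][name] = value

    def fetch(self, token, name, client_id):
        """VM side: read a secret using only the locker token. Isolation:
        the token resolves to exactly one locker and nothing else."""
        self._purge_expired()
        locker_id = self._by_token.get(token)
        if locker_id is None:
            raise LockerError("unknown, expired or revoked token")
        rec = self._lockers[locker_id]
        if rec["bound_client"] is None:
            rec["bound_client"] = client_id        # first use binds the token
        elif rec["bound_client"] != client_id:
            self.alerts.append({"locker": locker_id, "bound": rec["bound_client"],
                                "seen": client_id})
            self._drop(locker_id)                  # contain: revoke on misuse
            raise LockerError("token misuse detected; locker revoked")
        if name not in rec["secrets"]:
            raise LockerError("no such secret in this locker")
        return rec["secrets"][name]

    def live_lockers(self):
        self._purge_expired()
        return len(self._lockers)


def demo():
    """Exercise the three properties against a fake clock; returns outcomes."""
    clock = {"t": 1000.0}
    store = LockerStore(max_lockers_per_owner=1, clock=lambda: clock["t"])
    out = {}
    lid, tok = store.create_locker("alice", ttl_seconds=60)
    store.deposit("alice", lid, "api_key", "k-alice")     # constructed secret
    out["vm_a_read"] = store.fetch(tok, "api_key", "vm-a")
    try:                                           # quota: one live locker
        store.create_locker("alice", ttl_seconds=60)
        out["quota_enforced"] = False
    except LockerError:
        out["quota_enforced"] = True
    try:                                           # same token from another VM
        store.fetch(tok, "api_key", "vm-b")
        out["misuse_flagged"] = False
    except LockerError:
        out["misuse_flagged"] = bool(store.alerts)
    out["lockers_after_revoke"] = store.live_lockers()
    lid2, tok2 = store.create_locker("alice", ttl_seconds=60)
    store.deposit("alice", lid2, "api_key", "k-alice-2")
    clock["t"] += 61                               # let the locker expire
    out["lockers_after_expiry"] = store.live_lockers()
    try:
        store.fetch(tok2, "api_key", "vm-a")
        out["expired_token_rejected"] = False
    except LockerError:
        out["expired_token_rejected"] = True
    return out
```

Running `demo()` shows the VM reading its secret with the locker token only, the quota refusing a second live locker, the misuse heuristic revoking the locker when the same token arrives from a second client, and the expired locker being purged together with its secret. The owner's own identity is never handed to the VM, which is the point of the design: a stolen locker token exposes one short-lived locker, not the user's credentials.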

Primary author

Viet Tran (Institute of Informatics SAS Slovakia)
