Event Details

Please note: All times listed below are in Central Time Zone


Are your secrets secure?

Whether you're following your own infosec policy or trying to meet the requirements of GDPR, ANSI, PCI DSS, HIPAA, or NIST, you will want to answer the question "Are my secrets secure?" for your OpenStack cloud.

Barbican is the OpenStack service that allows operators and users to store secrets securely. It consists of an OpenStack API that provides Keystone authentication, oslo policy and quotas, and back-ends in which the secrets are actually stored.

But secrets are only as secure as the storage back-end that is deployed behind Barbican.

This talk will focus on the types of secure storage back-ends available, how they work, and the advantages and disadvantages of each back-end. We'll include discussion of HSMs, SGX and TPMs, and Vault.

The security of your secrets is important.  This session will give you the information you need to confidently make decisions about secret storage for your cloud.


What can I expect to learn?

You will learn which secret storage plugins are available in Barbican. These include HSMs, SGX and TPMs, HashiCorp Vault and other mechanisms.

For each one, we'll talk about the basic out-of-the-box setup, the threat model, and the relative cost. We'll make recommendations on the best option for different use cases. We'll compare these different deployments and configurations to weigh how each affects access, privacy, and resilience.

Thursday, November 15, 10:50am-11:30am (9:50am - 10:30am UTC)
Difficulty Level: Beginner
Cisco Systems
Dave McCowan leads security initiatives for the Private Cloud Engineering Team at Cisco.  He has been an OpenStack contributor for 6 years.  He is a former PTL for the Barbican project where he continues as a core reviewer.  He's an enthusiast of security of all kinds and holds a CISSP.
Red Hat
Ade works for Red Hat, and has been involved in various security and OpenStack projects (Dogtag, FreeIPA, Barbican, TripleO) for several years.  He is a former Barbican PTL.  Most recently, he's been working on FIPS compliance in OpenStack.