
    Latest Posts

    Managing Secrets at Scale at Velocity EU

    Drew Wright

    UPDATE, 1/12/16: Our own Alex Schoof spoke at Velocity EU 2015 in Amsterdam on managing secrets at scale in the cloud. It was a highly rated talk that earned a write-up in InfoQ. Alex will be presenting this talk at tonight’s DevOps DC Meetup in Arlington, VA. You can view the slides from his talk on SlideShare and view his talk on Vimeo below:

    ORIGINAL POST: Modern systems are full of secrets. There are secrets we think about all the time, like private keys for SSL certificates or the password for the prod database, and there are secrets that we ignore or forget, like the secret used to generate HMACs for session cookies. All these secrets present management hurdles: They need to be safely and securely distributed to servers that need them. They must have some kind of...


    Using AWS KMS to manage secrets in your Infrastructure

    Drew Wright

    At Re:Invent 2014, AWS launched their new Key Management Service, or KMS. As its name implies, KMS is an AWS service that helps securely manage encryption keys in the cloud. Traditionally, keys have been managed in haphazard ways, from SCP-ing keys around your instances to baking them into machine images. The safe way to manage high-value keys has been to employ dedicated Hardware Security Modules (HSMs), either on-premise or with the AWS CloudHSM service. In either case, HSMs are expensive and hard to use. The new KMS service provides HSM-style key management that is both inexpensive and easy to use via a web service API. First, we'll look at what KMS is and how you can use it to manage encryption keys. Then, we'll look at credstash, a simple system that uses KMS and DynamoDB to...


    Immutable Infrastructure: Networks

    Drew Wright

    If you work with network infrastructure, you know that it has a tendency to grow warts, that is, it drifts from its original configuration. One of our goals in building Fugue as the operating system (OS) for the cloud and a single source of truth and trust for your infrastructure is to prevent this drift from occurring by maintaining your infrastructure's known good status. After all, "a trusted system only does what its author intends." Previously, we've focused on the "warts" grown by compute instances, but this problem is present in other infrastructure components, such as networks. Configuration drift in networks often occurs when manual intervention is involved to deploy and maintain them. I have seen network configurations that take up hundreds of rows in spreadsheets and are...


    Luminal Wins the InvestMD Challenge Cybersecurity Grand Prize

    Fugue Team

    We’re thrilled to have won the top prize in the InvestMaryland Challenge (cybersecurity category) last night. It was a fun evening, and we’re honored to have won in a category with such tough competitors, including Light Point Security and fellow Core Capital Partners and NEA portfolio company ZeroFox. Congrats to all the winners and finalists! Read about it at the Baltimore Business Journal and the Baltimore Sun.


    Cybersecurity's New Frontier

    Fugue Team

    From Lizzy McLellan’s article on Luminal in The Daily Record: The exterior walls of Luminal’s downtown Frederick headquarters are made of brick. But the company isn’t focused on walls. Its software aims to make a computer system more secure from the inside, instead of relying only on exterior defenses. Read the full article in PDF format.


    Every Startup is Now a Security Startup

    Drew Wright

    Startups don't care about security. We hear this a lot. It may be a descendant of "developers don't care about security… that's InfoSec's concern," a situation where at least someone in the organization was paying attention to security. In the developer-dominated world of tech startups, such a statement would be nonsensical. If a startup has dedicated InfoSec staff, they're probably not a startup anymore. To be fair, early-stage startups have a lot on their plate: fundraising, product development, acquiring customers. Speed is of the essence for startups and they need to avoid distractions that can slow them down. Worrying about security too early can feel a lot like building at scale when you only have five customers. In most cases, a focus on security doesn't contribute to the...


    Software Agents are a Vulnerability

    Drew Wright

    Software agents are everywhere in the cloud. These little programs perform often complex or repetitive functions on our behalf so we don't have to. Some agents help us keep our systems updated and avoid configuration drift. Others roam our compute infrastructure in an attempt to keep everything safe from threats. Software agents are designed to make our job easier. However, in cases of large and complex systems where the true value of the agent should be realized, the opposite can occur. Getting approval to install agent software on machines can involve a lot of red tape. Deploying and managing hundreds of agents on multiple hosts can be a real hassle. They can sap compute resources and impede performance. And while agents help us monitor our systems, who's monitoring the agents? ...
