Whether you're following your own infosec policy or trying to meet the requirements of GDPR, ANSI, PCI DSS, HIPAA, or NIST, you will want to answer the question: "Are my secrets secure in my OpenStack cloud?"
Barbican is the OpenStack service that allows operators and users to store secrets securely. It consists of an OpenStack API that provides Keystone authentication, oslo policy enforcement and quotas, and back-ends in which the secrets are actually stored.
But secrets are only as secure as the storage back-end that is deployed behind Barbican.
This talk will focus on the types of secure storage back-ends available, how they work, and the advantages and disadvantages of each. We'll include discussion of HSMs, SGX and TPMs, and HashiCorp Vault.
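To make the "only as secure as the back-end" point concrete, here is an added barbican.conf example (not part of the talk abstract or the Barbican project's own documentation) that places the default software back-end next to two of the hardened options the talk covers. The option names are the standard Barbican plugin settings; every value (paths, labels, IDs, URL) is a placeholder to be replaced for a real deployment, and the three groups are mutually exclusive alternatives, so only one should be active at a time.

```ini
# ---- Option 1: default software back-end (development only) ----
# store_crypto keeps encrypted secrets in Barbican's database; simple_crypto
# encrypts them with a key-encryption key (KEK) that sits in this very file.
# Risk: anyone who can read barbican.conf on the API host can decrypt
# every stored secret, so the secrets are no safer than the config file.
[secretstore]
enabled_secretstore_plugins = store_crypto

[crypto]
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
# placeholder: a base64-encoded 32-byte KEK
kek = 'PLACEHOLDER_BASE64_32_BYTE_KEK'

# ---- Option 2: PKCS#11 HSM back-end (p11_crypto) ----
# Secrets still live in the Barbican database, but the master KEK (MKEK)
# that wraps the per-project KEKs is generated and kept inside the HSM,
# so reading the database or this file is not enough to recover plaintext.
# [secretstore] stays on store_crypto; only the crypto plugin changes.
[crypto]
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
library_path = '/path/to/vendor/pkcs11.so'   # placeholder: vendor's PKCS#11 library
login = 'PLACEHOLDER_HSM_PIN'                # placeholder: HSM partition PIN
mkek_label = 'barbican_mkek'                 # placeholder: MKEK object label in the HSM
mkek_length = 32
hmac_label = 'barbican_hmac'                 # placeholder: HMAC key label in the HSM
slot_id = 1                                  # placeholder: HSM slot

# ---- Option 3: HashiCorp Vault back-end (vault_plugin) ----
# The secret payloads are stored in Vault itself, so Vault's authentication,
# ACL policies, audit log and seal/unseal model now govern them.
# AppRole credentials are used instead of a root token.
[secretstore]
enabled_secretstore_plugins = vault_plugin

[vault]
vault_url = https://vault.example.internal:8200   # placeholder
use_ssl = True
ssl_ca_crt_file = /etc/barbican/vault-ca.crt      # placeholder: CA that issued Vault's cert
approle_role_id = PLACEHOLDER_ROLE_ID
approle_secret_id = PLACEHOLDER_SECRET_ID
```

The check a practitioner would make when reviewing any of these: ask where the key material that ultimately protects the payload lives, and who can read it. With option 1 the answer is "in a text file on the API host"; with option 2 it is "inside the HSM"; with option 3 it is "inside Vault, behind Vault's own access controls". The same file is also the place to confirm that a production deployment has not silently fallen back to simple_crypto.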
The security of your secrets is important. This session will give you the information you need to confidently make decisions about secret storage for your cloud.
Know which secret storage plugins are available in Barbican. These include HSMs, SGX and TPMs, HashiCorp Vault and other mechanisms.
For each one, we'll talk about the basic out-of-the-box setup, the threat model, and the relative cost. We'll make recommendations on the best option for different use cases. We'll compare these different deployments and configurations to weigh how each affects access, privacy, and resilience.