Rob Barnes
Senior Developer Advocate, HashiCorp

East Grinstead, United Kingdom

Robert, also known as DevOps Rob, is a Senior Developer Advocate at HashiCorp. His focus is primarily on cloud security. He comes from a network engineering background and, more recently in his career, has worked as a cloud consultant, helping customers extract maximum value from the cloud. His experience spans multiple sectors, from banking and fintech to transport, charities and cyber security. He is a strong advocate for open source, security best practices and building diverse communities.

Area of Expertise

  • Information & Communications Technology

Topics

  • Cloud & DevOps
  • Cloud App Security
  • Cloud Security Architecture
  • Cloud strategy
  • Cloud & Infrastructure
  • Cloud Computing on the Azure Platform
  • cloud

Auto-generating and renewing TLS certificates to secure Kafka Transport

Generating and distributing TLS certificates to secure Kafka transport between nodes is a complicated and time-consuming task. It involves generating certificates, securing the keys used to sign them, and creating a break-glass procedure for certificate leaks. To minimize the impact of a leaked certificate, we issue certificates with a short time to live (TTL), which introduces the operational challenge of certificate rotation.

This demo-driven talk will show how to use HashiCorp Vault to create an automated workflow that securely generates and distributes TLS certificates to Kafka nodes, manages the automated renewal and revocation of certificates across the platform, and dynamically generates keystore files. I’ll also show how these certificates can be signed by a Hardware Security Module. By the end of this talk, you will have learned how to implement this workflow with minimal effort when running Kafka on bare metal, virtual machines or Kubernetes.

Securing application access to RabbitMQ with HashiCorp Vault

Configuring application access to RabbitMQ without compromising credentials in the source code is a challenging problem to solve. Following security best practices, each set of RabbitMQ credentials represents a single application identity. Managing application identities at scale, as applications and platforms grow, becomes an operational burden.

In this demo-driven talk, I will show how you can use HashiCorp Vault to offset the operational overhead of identity and access management. In a few lines of code, I will demonstrate how to configure applications to securely access RabbitMQ using short-lived, on-demand credentials. I will also illustrate how the principle of least privilege can be applied to applications using Vault with RabbitMQ’s role-based access control.

By the end of this talk, you will learn how to configure Vault using Terraform to broker application identity on behalf of RabbitMQ and refactor a simple Go application to implement this authentication workflow.

Event-Driven Access Controls

In this talk, you will learn how to create an automated system that grants access to infrastructure for on-call engineers when an incident is triggered and revokes that access once the incident is resolved.

The talk walks you through the steps required to build a fully automated event-driven workflow using HashiCorp Boundary, Consul, and Vault that gives engineers the required access while adhering to the principle of least privilege, managed by a central security policy.

Zero Trust RabbitMQ with HashiCorp Vault

Whilst RabbitMQ has the ability to encrypt data in transit, it does not have the functionality out of the box to encrypt data at rest. This shifts the responsibility for encrypting data placed on message queues onto developers. Implementing cryptography correctly in our applications is challenging and time-consuming.

In this demo-driven talk, I will show you how you can use HashiCorp Vault’s API to implement a simple workflow that offloads the complexity of cryptography to Vault. In just a few lines of code, I will demonstrate how message producers can encrypt their data, whilst message consumers decrypt message payloads with minimal development effort. I will also show how to troubleshoot common errors from the API.

By the end of this talk, you will learn how to implement symmetric and asymmetric encryption of your application data before placing it on RabbitMQ message queues. You will also learn how to implement this workflow using Format Preserving Encryption (FPE).

Pushing the Boundary of Nomad

Providing remote access to applications and systems requires secure routing to the destination and credentials to authenticate the user. Traditionally, you achieve this using a Virtual Private Network (VPN) or a Bastion server to bridge into the private network. Credentials are generally provided individually, created as part of a manual process, and with password rotation on a best-intention basis. This is problematic as access is usually too broad, difficult to audit, and complex to maintain.

In a zero-trust world, access is granted from point to point, not to the network edge; credentials are unique to the session, and everything is fully auditable. HashiCorp Boundary and Vault provide this solution, giving you greater control over access to your systems.

In this talk, Nic and Rob will walk you through the steps needed to configure Boundary, Vault, and Nomad to provide secure access to dynamic workloads.

Encrypting Kafka messages at rest to secure applications

Whilst Kafka has the ability to encrypt data in transit, it does not have the functionality out of the box to encrypt data at rest. This places the responsibility for encrypting data placed on message queues onto developers. Implementing cryptography correctly in our applications is challenging and time-consuming.

In this demo-driven talk, I will show you how you can use HashiCorp Vault’s API to implement a simple workflow that offloads the complexity of cryptography to Vault. In just a few lines of code, I will demonstrate how message producers can encrypt their data, whilst message consumers decrypt message payloads with minimal development effort. I will also show how to troubleshoot common errors from the API.

By the end of this talk, you will learn how to implement symmetric and asymmetric encryption of your application data before placing it on Kafka message queues. You will also learn how to implement this workflow using Format Preserving Encryption (FPE).