Building Uber's Multi-Cloud Secrets Management Platform to Boost Security

At Uber, we run over 5,000 microservices, 5,000 databases, and over 500,000 analytical jobs per day to support millions of people worldwide using our apps. Over 150,000 secrets facilitate authentication among these large, distributed ecosystems with multiple stakeholders. This also includes over 400 third-party vendor integrations and 400 SaaS applications.

Cyberattacks continue to rise industry-wide, with exposed credentials being a leading cause. With this in mind, we set out on a mission to build a centralized, automated, and scalable solution for secrets management. To combat secrets sprawl, shadow IT vaults, and insecure secret sharing, and to facilitate the rotation of secrets when necessary, we kicked off a transformative journey building a Secret Management Platform. We assembled a set of thought leaders within the company to define Uber’s Secret Management Standard and a visionary solution (Figure 1). In this article, we’ll share how we built Uber’s Secret Management Platform, solving key challenges and setting a new standard for secrets management.

Figure 1: Secret Management Platform vision.

Secrets scattered across code, configs, and other unencrypted systems can make it easier for malicious actors to find and exploit them. We deployed both preventive and remediation strategies to address potential secret sprawl. 

Developers make code changes as part of their daily work. To prevent secrets from getting into codebases, we introduced a CLI tool that runs as the pre-commit hook in Git®. This tool blocks commits containing secrets, stopping leaks at the earliest stage of the...
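A minimal version of such a hook, as an added illustration (not Uber's CLI tool): it scans the staged diff for credential-looking additions using a few assumed indicator patterns plus a Shannon-entropy check, and refuses the commit when any are found. The patterns and the 4.0 bits/char threshold are assumptions to be tuned per repository.

```python
# Illustrative pre-commit secret scanner (not Uber's tool): scans the staged
# diff and exits non-zero when an added line looks like a secret.
import math
import re
import subprocess
import sys

# Assumed indicator patterns: a well-known key-ID prefix, a PEM private-key
# header, and credential-style assignments such as password="...".
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential-assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")  # opaque-looking strings
ENTROPY_THRESHOLD = 4.0  # bits per char; assumed cut-off, tune per repo

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above prose."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_secrets(diff_text: str) -> list:
    """Return (added line, reason) for each added line that looks secret-like."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added content can introduce a new leak
        added = line[1:]
        reason = next((n for n, p in PATTERNS.items() if p.search(added)), None)
        if reason is None and any(shannon_entropy(t) >= ENTROPY_THRESHOLD
                                  for t in TOKEN_RE.findall(added)):
            reason = "high-entropy-string"
        if reason:
            findings.append((added.strip(), reason))
    return findings

def main() -> int:
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    findings = find_secrets(diff)
    for text, reason in findings:
        print(f"blocked ({reason}): {text}", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Wire it in by making `.git/hooks/pre-commit` execute the script; a blocked commit prints the offending line and reason so the developer can move the value into the secret store instead.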