Application security meetup - cloud security best practices 24062021
- 2. Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Oded Hareven, CEO & Co-founder @ Akeyless, Oded@akeyless.io
Background: Ret. Captain, Israel Defence Forces, Cyber Security; Identity Management, PAM, Information Security Infrastructure; Dev, Product, Ops
The Key Component of Strong Cloud Security
- 3. Akeyless Vault Platform: Secrets Management as-a-Service
Unique Zero-Knowledge KMS Technology: Akeyless DFC™
Secrets Management SaaS Platform
Serving market-leading enterprises: Pharma, Insurance, Adtech, Online, E-commerce, Gaming
- 4. Step #1: Protecting Data
• Access Control
  • Control who can access the data?
  • How to validate his identity?
• Data Encryption
  • Control who can access the key?
  • How to validate her identity?
(Diagram: Data, protected by Access Control and Data Encryption)
- 5. Step #2: Identity Validation
• Requires Authentication
  • Human
  • Machine
  • Using something that only the human/machine has
• Secret = {password, credentials, api-key, certificate, ssh-key}
• If you can’t keep a Secret - you can’t protect your Data...
(Diagram: User authenticates to the Application with a password; the Application authenticates to the DB with the DB password)
- 6. Step #3: Privileged Access
• Beyond application access
  • Who’s controlling my workloads?
  • Internal/external personnel
  • Can they impersonate?
  • Admin can do everything...
• PAM
  • Control human admin access - session recording
  • Regulation and compliance
• Secrets Repository
  • Default admin passwords rotation
(Diagram: User, Application and DB as before, plus an Admin holding the OS Admin passwords of the application and database hosts)
- 7. Step #4: Root-of-Trust
• Using an Encryption key to encrypt secrets & data
  + Using a signing key to sign TLS/SSH Certificates = identities
• Where to place the key?
  • Configuration - bad practice
  • Local store - not secured enough
  • KMS - good start
  • HSM - considered to be most secure
• Secret-zero: accessing the key requires a secret?
  The chicken and the egg...
(Diagram: Hardware Security Module)
- 8. Step #5: Interconnectivity & overlapping
(Diagram: HSM as the Root of trust, connected to KMS, PAM, SSH Mng. and Certificate Mng.)
- 9. Trends that encourage the massive use of secrets
1. Containerization
2. Hybrid & multi-cloud
3. DevOps, CI/CD, Automation
4. Zero-Trust
(Diagram: secret types in use: Passwords, Certificate, API-Keys, SQL Credentials, AES Encryption key, RSA Signing Key, SSH Key)
And then came the cloud.
- 10. IAM has never been easier
• Ephemeral resources + Automation + IaC
• Perimeter-less world = data is everywhere
• Root-of-trust in a non-trusted distributed architecture
• Privileged Access (Remote, WFH, COVID-19)
- 11. Secrets Sprawl: Clear-text, unprotected
Secrets end up in Source Code, DevOps Scripts and Configuration Files:

DevOps script:
  myScript
  {
      // App.Config
      DB password = “T0pSecr3t”
      API_Key_AWS = “Cl3aRt3xt$!”
  }

Configuration file:
  //myconfig
  <
      // App.Config
      Access_Token = “T0pSecr3t”
      API_Key_GCP = “Cl3aRt3xt$!”
  />

Source code:
  Void myCode( )
  {
      // App.Config
      Encryption_Key = “aKey43!t”
      API_Key_Azure = “Cl3a3xt$!”
  }

Secrets are also used within workload management platforms
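The three snippets above are the kind of clear-text assignment a repository scanner looks for. The following is an added example, not code from the slide deck or from Akeyless: a small line-based scanner whose regex (my construction) flags secret-looking names assigned a quoted literal and reports them with the value masked, run over constructed copies of the slide's snippets.

```python
import re

# Secret-looking names assigned a quoted literal, as on the slide:
# "DB password", "API_Key_AWS", "Access_Token", "Encryption_Key", ...
# Straight and curly quotes are both accepted, since copy-pasted
# configs often carry the latter. The pattern is this example's own.
SECRET_ASSIGNMENT_RE = re.compile(
    r'(?P<name>[A-Za-z0-9_ ]{0,40}?'
    r'(?:password|passwd|secret|token|api[_-]?key|encryption[_-]?key|private[_-]?key)'
    r'[A-Za-z0-9_]*)\s*[=:]\s*["“”\'](?P<value>[^"“”\']{4,})["“”\']',
    re.IGNORECASE,
)

def find_clear_text_secrets(text, source="<input>"):
    """Return (source, line_no, name, masked_value) tuples for each line that
    assigns a quoted literal to a secret-looking name. The value is masked so
    the finding itself does not leak the secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SECRET_ASSIGNMENT_RE.search(line)
        if m:
            value = m.group("value")
            masked = value[:2] + "*" * (len(value) - 2)
            findings.append((source, line_no, m.group("name").strip(), masked))
    return findings

# Constructed samples mirroring the three snippets on the slide.
SAMPLES = {
    "myScript": 'myScript\n{\n    // App.Config\n    DB password = “T0pSecr3t”\n    API_Key_AWS = “Cl3aRt3xt$!”\n}\n',
    "myconfig": '//myconfig\n<\n    // App.Config\n    Access_Token = "T0pSecr3t"\n    API_Key_GCP = "Cl3aRt3xt$!"\n/>\n',
    "myCode": 'Void myCode( )\n{\n    // App.Config\n    Encryption_Key = “aKey43!t”\n    API_Key_Azure = “Cl3a3xt$!”\n}\n',
}

def scan_sources(sources=SAMPLES):
    """Scan every (name, text) pair and return all findings."""
    findings = []
    for source, text in sorted(sources.items()):
        findings.extend(find_clear_text_secrets(text, source))
    return findings

if __name__ == "__main__":
    for source, line_no, name, masked in scan_sources():
        print(f"{source}:{line_no}: clear-text secret in '{name}' = {masked}")
```

Running it as a pre-commit or CI step is the detection half of the story; the fix is moving each flagged value into a secrets store and fetching it at runtime.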
- 12. Report: "Managing Machine Identities, Secrets, Keys and Certificates"
Published: 24 August 2020. Analyst: Erik Wahlstrom
Source:
Akeyless is mentioned in this Gartner report, p. 16, under “secrets management solutions”
- 13. Secrets Management
Fetch Secrets from any platform, script or application via API / SDK / CLI / Plugins
(Diagram: Applications (Customer Application, Customer Database, 3rd-party Service API) and Humans (DevOps, IT, Developers) fetch secrets, e.g. Password = “Pass12#”, from an Encrypted Secrets Store through the Secrets Management layer)
- 14. First: Integrate with everything
Authentication via: LDAP, SAML, OpenID; Direct channels; Platform plugins (examples shown)
Covers both Machine authentication and Human authentication
- 15. World-wide availability
• Scalability
• Multi-region / multi-cloud
• Disaster Recovery: Replication, Backup
• Highly Available
Consider: Self-deployment vs. SaaS
- 19. Existing solutions vary
(Diagram: HSM as Root of trust with separate KMS, PAM, SSH Mng. and Certificate Mng. tools, versus a Unified Secrets Management Platform)
- 20. Thank you. Questions?
Further questions & thoughts you’d like to share? You are most welcome to drop an email to Oded@akeyless.io
- 22. About myself
Information security professional for over 20 years
Founder, partner and investor at various cyber initiatives and startups
Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
Co-hosting the Silverlining podcast – security engineering
Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification
Member of the board at Macshava Tova – Narrowing societal gaps
Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
- 23. About the Cloud Security Alliance
Global, not-for-profit organization
Building security best practices for next generation IT
Research and Educational Programs
Cloud providers & security professionals Certifications
Awareness and Marketing
The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”
CSA Israel: Community of security professionals promoting responsible cloud adoption.
- 27. Architecting for availability
• External CDN providers can add resiliency, flexibility & redundancy
• Look for vendors who can add functionality:
  DDoS protection
  Web application firewall
  Load Balancing
  DNS management
- 28. Architecting for application protection: Web Application Firewall options
(Diagram: WAF deployment options: 3rd party as a service; 3rd party as proxy; Provider service; WAF client on web instances)
- 30. Limiting blast Radius
Organizations / Subscriptions
(Diagram: three organizational units, OU A, OU B and OU C, each with its own Root Account and its own IAM roles: IAM Admin, Security Auditor, Billing Admin, Super Admin, Service 1 Admin, Service 2 Admin)
- 31. Architecting for data security: Understanding storage options
Volume Storage
• Attached to a single instance
• Not shared, accessible only from the instance
• Useful for storing the instance OS environment, application binaries, DB files and anything instances need to operate
Object Storage
• Provider managed
• Files are placed in buckets
• Versioning & metadata kept for all objects
• Files are accessible by API or HTTP
• Independent from AZ or instance dependencies
• Useful for storing static application data, backups, source code and config files
Database service
• Provider managed
• Files are accessible by DB API
• Vary between different services (structured, unstructured and more)
• Usually, the customer has no access to the underlying DB infrastructure
CDN
• Cloud provider proprietary service or external 3rd party services
• Provide flexibility and resiliency
• Useful for serving static content at low latency
• Usually accompanied by additional services: WAF, DDoS protection, Load balancer…
- 32. Architecting for data security: Encryption
(Diagram: encryption per tier: an Encryption Layer at the Application, TDE for the DB, Storage Encryption, Volume Encryption for the OS of a Virtual instance; KEYS held in either a Shared KMS or a Dedicated HSM)
- 33. Architecting for CI/CD
Source: Cloud Security Alliance Guidelines
- 34. Monitoring Toolset
CWPP - Cloud Workload Protection Platform
• Protect Workloads (VMs, Containers, serverless)
• Traditional end-point security (AV, VA)
• Additional features for containers and serverless
CSPM - Cloud Security Posture Management
• Protect management dashboard
• Monitor for compliance breaks, misconfiguration, identity permissions
CASB - Cloud Access Security Broker
• Designed for SaaS
• Detect threats
• eDiscovery + DLP
• Shadow IT detection
Cloud native application protection platform (CNAPP)
- 36. Architecting for Log Management
Portal Logs
• Cover API & GUI access
Traffic Logs
• Network traffic inside VPC
Instances Logs
• Extracted just like traditional OS logs
Unique logs
• K8s logs
• ELB logs
• Object storage logs
- 37. Architecting for log management: OS Logs
(Diagram: log sources and sinks: Agent on the instance, CloudTrail, VPC Flow Logs, S3, SIEM, CloudWatch (Rules & Alerts), SNS (notifications))
- 38. KEEP IN TOUCH
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
- 40. Event Tracking In Microservices
Observability, security, and anything in between
Naor Penso
Sr. Director – Product Security @ FICO
- 41. Naor Penso, Sr. Director – Product Security @ FICO
Previous Positions: Cybersecurity CTO; Chief Information Security Officer
• ~20 years in cybersecurity
• Today, leading product security and security services development @FICO
• Investing, mentoring and advising multiple start-ups in the cyber domain
- 42. Observability?
Observability is the process of understanding the internal application states from external outputs, tracking software behaviours across different datapoints and different services, to provide a holistic view of the application ecosystem.
To reach Observability you need to Monitor different application outputs, including Metrics, Traces, Logs
- 44. Observability Challenges in modern applications
• A business transaction is now built from event snippets spanning across 1-10,000 services
• Stateless services can serve any number of customers without “understanding” who they are serving
• There is no one pattern of work; the same service can be used for n use cases
• In some cases, services are ephemeral, servicing one request and disappearing (e.g., Serverless Functions)
Modern use case, a highly abstract process: Process Invoice → File Transfer (Microservice) → OCR (Microservice) → ETL (Microservice) → Currency Conversion (Microservice) → Data Enrichment (Microservice) → ETL (Microservice) → Database
- 45. Observability Solution / Glossary
• Metric: Records a data point, either raw measurements or predefined aggregation, as timeseries with Metadata
• Span: A single operation that is logged (usually the output of one microservice)
• Trace: A group of spans (usually representing a transaction)
• Log / Log Record: Typically, the record includes a timestamp indicating when the Event happened as well as other data that describes what happened, where it happened,
(Diagram, based on OpenTelemetry: the Process Invoice pipeline above, where each microservice, File Transfer, OCR, ETL, Currency Conversion, Data Enrichment, ETL, emits a Span and the spans together form one trace)
- 46. Security & Observability
Due to the highly distributed nature of modern applications, understanding the business context of events and generating the basics of an audit becomes significantly harder than with monoliths.
Examples:
• A currency conversion service may convert currency, not knowing who the conversion is for
• A business transaction can be the encapsulation of interaction between 15 different services
• Some services may fail, some may succeed in a single transaction
• Time of event is broken into many small timestamps representing different services
Who is not known to all, What is 15 different “what’s”, When & Where are single points, and Success / Fail is ambiguous
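To make the four problems above concrete, here is an added example (mine, not the speaker's code, and not Cornerstone) that takes constructed spans for the Process Invoice pipeline, groups them into traces by trace_id, and derives one audit-style who / what / when / where / outcome record per transaction; only the entry service's span carries the user, exactly the situation the currency conversion bullet describes. Span field names are this example's assumptions, not OpenTelemetry's.

```python
from collections import defaultdict

def span(trace_id, service, host, start, end, ok, user=None):
    """Build one span record. Field names are this example's, not OpenTelemetry's."""
    rec = {"trace_id": trace_id, "service": service, "host": host,
           "start": start, "end": end, "ok": ok}
    if user is not None:
        rec["user"] = user          # only the entry service knows the caller
    return rec

# Constructed spans: trace t-1 fails at Data Enrichment, trace t-2 has only
# reached OCR so far.
SPANS = [
    span("t-1", "file-transfer", "node-a", 100.0, 100.4, True, user="alice"),
    span("t-1", "ocr", "node-b", 100.4, 101.9, True),
    span("t-1", "etl", "node-a", 101.9, 102.1, True),
    span("t-1", "currency-conversion", "node-c", 102.1, 102.3, True),
    span("t-1", "data-enrichment", "node-b", 102.3, 102.8, False),
    span("t-2", "file-transfer", "node-a", 200.0, 200.3, True, user="bob"),
    span("t-2", "ocr", "node-b", 200.3, 201.0, True),
]

def build_traces(spans):
    """Group spans by trace_id and order each trace by start time."""
    traces = defaultdict(list)
    for s in spans:
        traces[s["trace_id"]].append(s)
    for trace in traces.values():
        trace.sort(key=lambda s: s["start"])
    return dict(traces)

def summarize_trace(spans):
    """Recover who / what / when / where / outcome for one transaction.
    'who' is None when no span, or more than one conflicting span, names a user."""
    users = {s["user"] for s in spans if "user" in s}
    return {
        "who": next(iter(users)) if len(users) == 1 else None,
        "what": [s["service"] for s in spans],
        "when": (min(s["start"] for s in spans), max(s["end"] for s in spans)),
        "where": sorted({s["host"] for s in spans}),
        "succeeded": all(s["ok"] for s in spans),
        "failed_at": [s["service"] for s in spans if not s["ok"]],
    }

def audit_records(spans=SPANS):
    """One audit-style record per business transaction."""
    return {tid: summarize_trace(tr) for tid, tr in build_traces(spans).items()}
```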
- 48. What is Cornerstone?
Cornerstone is a unified and expandable specification of events, supporting the need for tracking of activities and changes in a complex technological environment.
• 150+ Fields
• 19 Contexts
• Expandable & logic driven
• Unlimited use cases
- 49. Fundamentals: Ground Rules
• Cornerstone does not define what events the product teams should log. The what is a subject of the business of the application which cannot be anticipated, hence Cornerstone provides an extendible framework to cover and solve for new business needs.
• Cornerstone does not define how events will be logged. Events will continue being logged exactly as they have been in the past.
• Cornerstone does define the structure of the event, from basic fields (who, what, when, where) to extended fields needed for context (who initiated, what was impacted)
- 50. Fundamentals: The Structure
Event Specification:
• Core Event
• User Context: Permission Context, Role Context
• Runtime Context: Cloud Context, Host Context, K8s Context, Container Context, Process Context, Serverless Context
• Data Context: Data Classification, Data Security Context, File Context, Database Context, Data Import / Export Context, Information Context
• Network Context: Web Context, Network Traffic, API Context
- 52. Fundamentals: The Structure
• Event Core – example
(Table: the Event Core example fields, each marked Mandatory, Optional or Conditional)
- 54. Fundamentals: The Structure
Field Types: String, String (Options), Integer, Boolean, Array
Field Requirements: Mandatory, Conditional, Optional, Mandatory (If Applicable)
Example fields (Field | Type | Requirement | Example):
  Multitenant | Boolean | Mandatory | True
  Customer UUID | String | Conditional
  Environment UUID | String | Optional
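The field types and requirement levels above are enough to write a conformance check. The block below is an added example, not Cornerstone's own code: a small schema-driven validator over the slide's three example fields plus one illustrative String (Options) field ("Action", my addition). The slide marks Customer UUID as Conditional without stating the condition, so the example assumes it is required exactly when Multitenant is True.

```python
from uuid import UUID

# Requirement levels as listed on the slide.
MANDATORY = "Mandatory"
CONDITIONAL = "Conditional"
OPTIONAL = "Optional"
MANDATORY_IF_APPLICABLE = "Mandatory (If Applicable)"

# Assumed schema for the slide's example fields. The condition on Customer UUID
# (required when Multitenant is True) and the "Action" field are this
# example's assumptions, not Cornerstone's definitions.
SCHEMA = {
    "Multitenant": {"type": bool, "requirement": MANDATORY},
    "Customer UUID": {"type": "uuid", "requirement": CONDITIONAL,
                      "condition": lambda ev: ev.get("Multitenant") is True},
    "Environment UUID": {"type": "uuid", "requirement": OPTIONAL},
    "Action": {"type": ("create", "read", "update", "delete"),
               "requirement": MANDATORY},
}

def type_ok(spec_type, value):
    """bool/int/str/list are checked by exact type, a tuple is String (Options),
    'uuid' is a String that parses as a UUID."""
    if spec_type == "uuid":
        try:
            return isinstance(value, str) and UUID(value) is not None
        except ValueError:
            return False
    if isinstance(spec_type, tuple):
        return value in spec_type
    return type(value) is spec_type      # exact, so True is not an Integer

def validate_event(event, schema=SCHEMA):
    """Return the list of violations; an empty list means the event conforms.
    Conditional and Mandatory (If Applicable) fields are both required only
    when their condition holds (an assumption of this example)."""
    problems = []
    for name, spec in schema.items():
        req = spec["requirement"]
        applies = req in (CONDITIONAL, MANDATORY_IF_APPLICABLE) and spec["condition"](event)
        if name not in event:
            if req == MANDATORY or applies:
                problems.append(f"{name}: missing ({req})")
        elif not type_ok(spec["type"], event[name]):
            problems.append(f"{name}: bad type or value {event[name]!r}")
    problems.extend(f"{name}: unknown field" for name in event if name not in schema)
    return problems
```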
- 55. Fundamentals: Usage Logic
(Diagram: many microservices each logging in their own way, versus the same microservices feeding a Unified Logic / Unified Framework, which yields Better RCA, Detection, Uniformity, Metering and Product Support)
- 58. Monoliths vs. Modern Applications
Aspect | Monoliths | Microservices
Business logic | Confined to a single place for all the business logic | Spread across multiple services
Interaction Model | Internal by design (e.g., calling internal functions) | External by design (e.g., using REST API)
Runtime Model | Must have all pieces together to run | Every piece can run on its own
Usability | Reuse is done at the code level | Reuse is done at the service level
State Management (Generally) | Stateful | Stateless
- 61. Akeyless Vault Platform: Secrets Management as-a-Service
Unique Zero-Knowledge KMS Technology: Akeyless DFC™
Secrets Management SaaS Platform
Serving market-leading enterprises: Pharma, Insurance, Adtech, Online, E-commerce, Gaming
- 62. What are secrets and why are they important?
● Tokens, API keys, Encryption Keys, Passwords, etc.
● Needed for most types of applications and services to authenticate to various resources
● Main concern: Protection
  ○ Hacking
● Secondary concern: Management and Traceability
  ○ Revocation
  ○ Audit logs
- 64. How does K8s store secrets?
● K8s is one of the most popular container orchestration tools
● It’s becoming the backbone of modern infrastructure
● Many applications still store secrets as plain text
● Built-in secret store, not much better
- 65. So, how can I make my production env. safer?
● Strong encryption algorithm
● Encryption key storage may lead to the Secret-Zero problem
● What about Application-rich clusters?
- 67. Secret secured, almost
● Need to ensure different applications within a cluster can’t access secrets of other applications
● Segregate to apply Least Privilege Access
● But who can access my cluster?
- 69. Just-in-Time K8s access
● Short-lived PKI certificates or short-lived temporary Service Account tokens
● You will also get: Traceability, Governance and management
● Access Revocation to quickly respond to security incidents
- 70. The Solution
● A Secret Management Platform that protects your secrets (decryption at application level) and allows controlled access to your cluster
● Trusted Machine Identity (Cloud IAM, Akeyless Universal Identity, Service Accounts) - to address the Secret Zero Problem
● Using either:
  ○ Self Deployed Solutions
  ○ SaaS Platforms