1. DEFENSE IN DEPTH FOR API AND DEVOPS SECURITY
Presented by Nathanael Coffing, June 2018
2. AGENDA
Issues w/Modern Architecture
• E/W traffic
• Microservices
• Containers
API Security
• Declarative (Runtime)
• Corrective (DevOps Integration)
• Preventative (Mitigation)
All Rights Reserved CLOUDENTITY - Company Confidential
3. Provide unified management of Identity and API security for any Workload
Cloud-native Identity microservices
4. BREACHES CONTINUE TO HAPPEN
The average time to detect a breach in the Americas is 99 days, at an average cost of $4M
5. ISSUES WITH EXISTING APPROACHES
Microservices Shift
Distributed Security Shift
Traffic Model Shift
(Diagram: the traditional model, a Web App talking to a DB)
6. ISSUES WITH EXISTING APPROACHES
Microservices Shift
Distributed Security Shift
Traffic Model Shift
(Diagram: Traditional Architecture with a Client Tier, Business Logic Tier and Data Tier, versus Distributed Architecture in which each Business Function is a set of Microservices inside a Microperimeter Network, all governed by a Centralized Policy Store)
7. ISSUES WITH EXISTING APPROACHES
Microservices Shift
Distributed Security Shift
Traffic Model Shift
(Diagram: the single Perimeter of the traditional model; the Traffic Model Shift moves traffic from north/south across that perimeter to east/west between services)
8. AUTHORIZATION SHIFT
XACML (static, centralized)
➢ Complex Static Policies
➢ Centralized Policy Management
➢ Centralized Policy Decision Points
➢ Static Web Gates
➢ Heavy-weight verbose policies
➢ Process Intensive
➢ Attribute Aggregation
➢ Conditional Matches
➢ Multi-step (If/then)
CARTA (Continuous Adaptive Risk and Trust Assessment; adaptive, distributed)
➢ Adaptive Distributed Decisions
➢ Distributed PEP
➢ Distributed PDP
➢ Delegated Policy Provisioning
➢ Centralized PAP
➢ Data Service Agnostic PEP
➢ Cloud-based scale and distribution
➢ Lightweight Dynamic Policies
9. WHAT IS API SECURITY
➢ Identity
➢ Authentication
➢ Authorization
➢ Traffic throttling
➢ Traffic inspection
10. IDENTITIES IN A TRANSACTION
• Every entity must be treated as a “first class citizen”
• Relationships between entities are as important as the identity of the entity
• Orchestrated interactions for data aggregation with fluid service bus updates
• Identity microservices are critical to protect APIs, Microservices and traditional Apps
USERS
• Customers
• Employees
• Partners
SERVICES
• Monolithic Applications
• Compute Workloads
• APIs
• Microservices
THINGS
• Connectivity Devices
• Consumption Devices
• Low power things
• High power things
Distributed Applications Require co-Distributed Security
11. AUTHENTICATION
APIs / SERVICES
• HMAC / Shared Secrets / PKI
• Ephemeral Certificates
• Transactional JWTs
• Developer Self-Service
THINGS
• Device Fingerprinting and Validation
• HMAC
• Short/Long Lived Certificates
• PoP (Proof of Possession) and Thing Management
USERS
• Social login, SAML, OAuth
• Adaptive Authentication
• TOTP, MFA, FIDO UAF
• Token Exchange w/existing IAM Platforms
• User Self-Service / Delegated Administration / Password Recovery
12. UNIFIED AUTHORIZATION
One place for Authorization
• Network level micro-segmentation for SDN between services
• Coarse grained - OAuth scopes
• Mid grained - RBAC/ABAC
• Fine grained - entitlements/permissions/consent
• Risk for high and low value transactions
Dynamic distributed policies that mitigate risk for any user, service or thing based on centrally managed policies.
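The tiers on this slide, as an added Python example that is not part of the deck or of Cloudentity's product: one policy decision function evaluates a request through the OAuth scope (coarse), RBAC plus an ABAC tenant check (mid), resource-owner consent (fine) and finally a risk tier that demands step-up MFA for a high-value transaction from a risky session. Endpoints, roles, scopes, thresholds and the risk score are constructed for the example.

```python
from dataclasses import dataclass, field

# --- Constructed policy data (hypothetical endpoints, roles, scopes, thresholds) ---
ROLE_PERMISSIONS = {
    "teller": {"account:read", "transfer:create"},
    "auditor": {"account:read"},
}
REQUIRED_SCOPE = {          # coarse grained: the OAuth scope an endpoint needs
    "GET /accounts": "accounts.read",
    "POST /transfers": "transfers.write",
}
REQUIRED_PERMISSION = {     # mid grained: the RBAC permission it needs
    "GET /accounts": "account:read",
    "POST /transfers": "transfer:create",
}
HIGH_VALUE_THRESHOLD = 10_000   # transactions at or above this are "high value"
STEP_UP_RISK = 0.5              # session risk above which MFA is demanded


@dataclass
class Request:
    subject: str
    roles: set
    scopes: set
    endpoint: str
    attributes: dict = field(default_factory=dict)   # ABAC inputs (tenant, region, ...)
    resource_owner: str = ""                         # fine grained: whose data is touched
    consents: set = field(default_factory=set)       # fine grained: owners who delegated access
    amount: float = 0.0
    risk_score: float = 0.0                          # from the session/risk grid, 0..1
    mfa_done: bool = False


def decide(req):
    """Walk the tiers from cheapest to most expensive; the first failing tier wins.

    Returns (decision, reason) where decision is ALLOW, DENY or STEP_UP.
    """
    # Tier 1: coarse grained OAuth scope
    scope = REQUIRED_SCOPE.get(req.endpoint)
    if scope is None:
        return "DENY", "unknown endpoint"          # default deny for anything unregistered
    if scope not in req.scopes:
        return "DENY", f"missing scope {scope}"
    # Tier 2: mid grained RBAC
    needed = REQUIRED_PERMISSION[req.endpoint]
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if needed not in granted:
        return "DENY", f"role lacks {needed}"
    # Tier 2b: ABAC, caller and resource must belong to the same tenant
    if req.attributes.get("tenant") != req.attributes.get("resource_tenant"):
        return "DENY", "cross-tenant access"
    # Tier 3: fine grained, acting on someone else's data needs that owner's consent
    if req.resource_owner and req.resource_owner != req.subject \
            and req.resource_owner not in req.consents:
        return "DENY", f"no consent from {req.resource_owner}"
    # Tier 4: risk, high value plus risky session means step up before allowing
    if req.amount >= HIGH_VALUE_THRESHOLD and req.risk_score > STEP_UP_RISK and not req.mfa_done:
        return "STEP_UP", "high-value transaction from risky session"
    return "ALLOW", "all tiers passed"
```

Ordering matters: the scope and role checks need only the token and the policy tables, so they run first; the consent and risk tiers need data from the session/risk grid and are only consulted once the cheap tiers pass. STEP_UP is a third outcome rather than a DENY, because the enforcement point should challenge for MFA and retry instead of failing the transaction outright.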
14. MICROPERIMETER - SIDECAR / EDGE GATEWAY
Attestation
• Signature Validation
• Process
Secret Offload
• TLS and PKI Keys
• API Keys / OAuth Tokens
Network Micro-Segmentation
• Service to Service AuthZ
API Security
• YAML / OpenAPI Adherence
• OAuth Scope + AuthZ
App AuthZ / Data Augmentation
• User Context
• Fine Grained AuthZ
(Diagram: inbound traffic passes through the sidecar's JWT signature validation, service-to-service authorization (network PDP), API security with parameter validation and signature inspection, then data enrichment and function-level fine-grained authorization for service and user before reaching the business function; outbound traffic is given a JWT signature and again passes service-to-service authorization (network PDP). The sidecar draws on the TrUST AuthZ engine and its policy, a vault for private key management, and a session/risk grid.)
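The inbound half of the sidecar pipeline above, as an added example (illustrative code, not Cloudentity's microperimeter): JWT signature validation with a pinned algorithm, expiry and audience checks; OpenAPI parameter validation that rejects undeclared, missing or out-of-range parameters; and an OAuth scope check tied to the operation. The HS256 key, the hypothetical `x-required-scope` extension and the inline spec are assumptions; a real sidecar would verify with a vault- or JWKS-held key and the service's published OpenAPI document.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example; a real sidecar loads the verification key from
# its vault/JWKS and the spec from the service's OpenAPI document.
SIGNING_KEY = b"example-hs256-key"
EXPECTED_AUD = "orders-service"
OPENAPI_SPEC = {"paths": {"/orders": {"get": {
    "x-required-scope": "orders.read",          # hypothetical extension tying a scope to the operation
    "parameters": [
        {"name": "limit", "in": "query", "required": False,
         "schema": {"type": "integer", "maximum": 100}},
        {"name": "status", "in": "query", "required": True,
         "schema": {"type": "string", "enum": ["open", "closed"]}},
    ],
}}}}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_jwt(claims, key=SIGNING_KEY):
    """Issue an HS256 JWT; used here only to produce test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, key=SIGNING_KEY, now=None):
    """Validate algorithm, signature, expiry and audience; raise ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # pin the algorithm; never honour alg=none or a swap
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))     # trust the claims only after the signature checks out
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    return claims


def validate_params(path, method, query):
    """Check query parameters against the OpenAPI operation; return a list of problems."""
    op = OPENAPI_SPEC["paths"].get(path, {}).get(method.lower())
    if op is None:
        return ["operation not in spec"]
    problems = []
    declared = {p["name"] for p in op["parameters"]}
    for extra in sorted(set(query) - declared):
        problems.append(f"undeclared parameter {extra}")   # strict: unknown input is rejected, not forwarded
    for p in op["parameters"]:
        name, schema = p["name"], p["schema"]
        if name not in query:
            if p["required"]:
                problems.append(f"missing {name}")
            continue
        value = query[name]
        if schema["type"] == "integer":
            if not value.isdigit():
                problems.append(f"{name} must be integer")
            elif "maximum" in schema and int(value) > schema["maximum"]:
                problems.append(f"{name} exceeds {schema['maximum']}")
        elif "enum" in schema and value not in schema["enum"]:
            problems.append(f"{name} not one of {schema['enum']}")
    return problems


def sidecar_inbound(path, method, query, headers, now=None):
    """Run the inbound checks in order and return (http_status, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_jwt(auth[len("Bearer "):], now=now)
    except ValueError as err:
        return 401, str(err)
    problems = validate_params(path, method, query)
    if problems:
        return 400, "; ".join(problems)
    required = OPENAPI_SPEC["paths"][path][method.lower()]["x-required-scope"]
    if required not in claims.get("scope", "").split():
        return 403, f"scope {required} required"
    return 200, "forwarded to service"
```

Authentication runs before parameter validation so an unauthenticated caller learns nothing about the spec from the error text, and the scope check uses the operation the spec already matched, so the coarse-grained authorization decision is derived from the same document the developers maintain.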
18. Engage Developers: To Secure Distributed Functions
Dev teams constrained
Josh wants:
To write awesome cloud-native apps, enabling mind-blowing business features
Josh NEEDS:
Roll out code without worrying about complex Identity and API security integrations
Simplify Data Layer Integration
To be able to leverage the newest technologies
“I want to have the flexibility to deploy my code however I choose, without having to worry about security, performance or availability.”
Josh, Dev
22. DEVELOPER ENABLEMENT
• Self-Service
• Common API for Authentication
• API Inspection
• Unified Authorization
• Audit/Traceability
• Common Data Access
• Cloud-Native Security As a Service
24. AUTHORIZE INTELLIGENTLY: CONTINUOUS ADAPTIVE RISK-BASED AUTHORIZATION
(Diagram: the signals surrounding the risk-based authorization decision are Transactional, Sensitivity, Data Security, Threat Intelligence and Behavioral)
30. SUMMARY
• ZERO-TRUST NETWORKS
• Identity Begins at Localhost
• AuthN/Z Data, Apps and Users
• End to End API Security regardless of App architecture
• Microservices
• Traditional Apps
• Serverless
• APIs
Unified Dynamic Authorization
• One location for enterprise-wide authorization
• Dynamic risk adaptive end-to-end transactions