Defense in Depth for API and DevOps Security

DEFENSE IN DEPTH FOR API
AND DEVOPS SECURITY
PRESENTED BY | Nathanael Coffing June 2018

AGENDA
Issues w/Modern Architecture
• E/W traffic
• Microservices
• Containers
API Security
• Declarative (Runtime)
• Corrective (DevOps Integration)
• Preventative (Mitigation)
All Rights Reserved CLOUDENTITY - Company Confidential

Provide unified management of Identity
and API security for any Workload
Cloud-native Identity microservices

BREACHES CONTINUE TO HAPPEN
The average time to detect a breach in the Americas is 99
days at an average cost of $4M

ISSUES WITH EXISTING APPROACHES
Microservices Shift
Distributed Security Shift
Traffic Model Shift
Web App DB

Microservices Shift
Traffic Model Shift
Client Tier
Business
Logic Tier
Data Tier
Traditional Architecture Distributed Architecture
Business Function
Microservices
Microperimeter Network
Centralized
Policy Store

Microservices Shift
Traffic Model Shift
Perimeter

AUTHORIZATION SHIFT
➢ Complex Static Policies
➢ Centralized Policy Management
➢ Centralized Policy Decision Points
➢ Static Web Gates
➢ Heavy-weight verbose policies
➢ Process Intensive
➢ Attribute Aggregation
➢ Conditional Matches
➢ Multi-step (If/then)
➢ Adaptive Distributed Decisions
➢ Distributed PEP
➢ Distributed PDP
➢ Delegated Policy Provisioning
➢ Centralized PAP
➢ Data Service Agnostic PEP
➢ Cloud-based scale and distribution
➢ Lightweight Dynamic Policies
XACML CARTA

WHAT IS API SECURITY
➢ Identity
➢ Authentication
➢ Authorization
➢ Traffic throttling
➢ Traffic inspection

IDENTITIES IN A TRANSACTION
• Every entity must be treated as a
“first class citizen”
• Relationships between entities are as
important as the identity of the
entity
• Orchestrated interactions for data
aggregation with fluid service bus
updates
• Identity microservices are critical to
protect APIs, Microservices and
traditional Apps
SERVICES
THINGSUSERS
• Customers
• Employees
• Partners
• Monolithic Applications
• Compute Workloads
• API’s
• Microservices
• Connectivity Devices
• Consumption Devices
• Low power things
• High Power things
Distributed Applications Require co-Distributed SecurityAll Rights Reserved CLOUDENTITY - Company Confidential

AUTHENTICATION
APIs SERVICES
• HMAC/Shared Secrets/PKI/
• Ephemeral Certificates
• Transactional JWTs
• Developer Self-Service
THINGS
• Device Fingerprinting and Validation
• HMAC
• Short/Long Lived Certificates
• PoP and Thing Management
USERS
• Social login, SAML, Oauth
• Adaptive Authentication
• TOTP, MFA, Fido UAF
• Token Exchange w/existing IAM Platforms
• User Self-Service/Delegated Administration
11
Password Recovery

UNIFIED AUTHORIZATION
One place for Authorization
• Network level micro-segmentation for SDN
between services
• Coarse grained - Oauth
• Mid grained- RBAC/ABAC
• Fine grained
entitlements/permissions/consent
• Risk for high and low value transactions
Dynamic distributed policies that mitigate risk for any
user, service or thing based on centrally managed
policies.

MICRO SEGMENTATION

MICROPERIMETER-SIDECAR/EDGE GW
Attestation
• Signature Validation
• Process
Secret Offload
• TLS and PKI Keys
• API Keys/Oauth Tokens
Network Micro-Segmentation
• Service to Service AuthZ
API Security
• YAML/OPENAPI Adherence
• Oauth Scope+AuthZ
App AuthZ/Data Augmentation
• User Context
• Fine Grained AuthZ
Token Signature
PrivateKeyManagement
JWTSignatureValidation
ServicetoServiceAuthorization
(NetworkPDP)
APISecurity
Data Enrichment
Function level Service and User Fine
Grained Authorization
JWTSignature
Business Function
ServicetoServiceAuthorization
(NetworkPDP)
Inbound
Traffic
Outbound
Traffic
TrUST
Authz
Engine
VAULT
Session
/Risk
Grid
Parameter
Validation
Signature
inspection
TrUST
Engine Policy

HYBRID CLOUD ARCHITECTURE
Confidential Do not Distribute

CORRECTIVE (DEVELOPER-CENTRIC)

BRIDGE THE DIVIDE--CORRECTIVE
DEVELOPER TESTED | CISO APPROVED

Engage Developers: To Secure Distributed Functions
Dev teams constrained
Josh wants:
To write awesome cloud-native apps, enabling mind-
blowing business features
Josh NEEDS:
Roll out code without worrying about complex
Identity and API security integrations
Simplify Data Layer Integration
To be able to leverage the newest technologies
“ I want to have the flexibility to deploy my code however I
choose, without having to worry about security,
performance or availability. ”
Josh | Dev
Josh
Dev

DEVELOPER: SELF-SERVICE

DevSecOps--CORRECTIVE
Regulation
Risk Acceptability
CISO (PLAN)
Corporate Policies
Developers
(Build)
Code Commit
Permissions/Consent
Policies
Execution
(RUNTIME)
Permissions/
Consent Authorization
Authenticate/Authorize
Developers
Publish Workload Policies
and API specs
Workload
Attestation
Monitor
Monitor
MonitorAnalyze Release

AUDIT TRACEABILITY

DEVELOPER ENABLEMENT
• Self-Service
• Common API for Authentication
• API Inspection
• Unified Authorization
• Audit/Traceability
• Common Data Access
• Cloud-Native Security As a Service

Preventative (Mitigation)

Continuous Adaptive Risk Based AuthorizationTRANSACTIONALSENSITIVITY
DATA SECURITY THREAT INTELLIGENCEBEHAVIORAL
AUTHORIZE INTELLIGENTLY:
24
CONTINUOUS ADAPTIVE
RISK-BASED AUTHORIZATION

Continuous Adaptive Risk Based AuthorizationTRANSACTIONALSENSITIVITY
DATA SECURITY THREAT INTELLIGENCEBEHAVIORAL
25
AUTHORIZE INTELLIGENTLY:
CONTINUOUS ADAPTIVE
RISK-BASED AUTHORIZATION

RISK BASED AUTHORIZATION ENGINE
Dynamic
Rules
Threat Intelligence
Fraud Engine
Behavioral Patterns
Data Security
Infrastructure
Attack Analytics
Machine
Learning
NGAC Policy
Management Istio icon
Kubernet
es Icon
Docker
Icon
AWS
Lambda
APIGee
iconInternal Risk Modifiers
Identity Grid
PDP/PEP
External Risk Modifiers
CE API
GW
Oauth
IconRelationship Builder
TrUST Engine Session/Relationship
Management
SQL
NoSQLAPI
LDAP
Identity Grid

External
IDPs
Identity
Microservices
User Identity
• Social login, SAML,
Oauth
• Adaptive
Authentication
• TOTP, MFA, Fido
UAF
• Token Exchange
• User Self-Service
Device/Thing Identity
• Device Fingerprinting
and Validation
• HMAC
• Short/Long
Certificates
• PoP and Thing
Management
App/Dev Identity
• HMAC/Shared
Secrets/PKI
• Ephemeral
Certificates
• Transactional
JWTs
• Developer Self-
Service
Unified Authorization
• Micro-segmentation
• Oauth
• RBAC/ABAC
• Entitlements &
Consent
• Risk Based
Processing
SAAS Apps
Secure Data
• End to End Audit
• Identity Context
• Verified Claims
CISO
• Policy Planning
Cloudentity
• Runtime Security
Developers
• Build Apps
ORCHESTRATION
DevSecOps

MICROSERVICES ARCHITECTURE

SUMMARY
• ZERO-TRUST NETWORKS
• Identity Begins at Localhost
• AuthN/Z Data, Apps and Users
• End to End API Security regardless of App architecture
• Microservices
• Traditional Apps
• Serverless
• APIs
Unified Dynamic Authorization
• One location for enterprise-wide authorization
• Dynamic risk adaptive end-to-end transactions

Defense in Depth for API and DevOps Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Defense in Depth for API and DevOps Security

Similar to Defense in Depth for API and DevOps Security (20)

Recently uploaded

Recently uploaded (20)

Defense in Depth for API and DevOps Security