Application security meetup - cloud security best practices 24062021

1. The Key Component of Strong Cloud Security. Oded Hareven, CEO & Co-founder @ Akeyless, Oded@akeyless.io (Ret. Captain, Israel Defence Forces; cybersecurity, identity management, PAM, information security infrastructure; dev, product, ops). Proprietary and Confidential, Akeyless Security Ltd © 2021.
2. About Akeyless: unique zero-knowledge KMS technology (Akeyless DFC™); secrets management SaaS platform (Akeyless Vault Platform, Secrets Management as-a-Service); serving market-leading enterprises in pharma, insurance, adtech, online, e-commerce and gaming.
3. Step #1: Protecting Data
• Data access control: control who can access the data, and how their identity is validated.
• Data encryption: control who can access the key, and how their identity is validated.
4. Step #2: Identity Validation
• Requires authentication of humans and of machines, using something that only that human or machine has.
• Secret = {password, credentials, API key, certificate, SSH key}
• If you can't keep a secret, you can't protect your data.
(Diagram: user → application → DB password → database.)
5. Step #3: Privileged Access
• Beyond application access: who is controlling my workloads? Internal and external personnel; can they impersonate? An admin can do everything.
• PAM: control human admin access (session recording); regulation and compliance; a secrets repository; rotation of default admin passwords.
(Diagram: users and OS admins reach the application and the DB through the application's DB password and the admins' own passwords.)
6. Step #4: Root of Trust
• An encryption key encrypts secrets and data; a signing key signs TLS/SSH certificates, which serve as identities.
• Where to place the key? In configuration: bad practice. In a local store: not secure enough. In a KMS: a good start. In an HSM: considered the most secure.
• Secret zero: does accessing the key itself require a secret? The chicken and the egg.
(Diagram: Hardware Security Module.)
7. Step #5: Interconnectivity and overlap (diagram: HSM root of trust, KMS, PAM, SSH management, certificate management).
8. Trends that encourage the massive use of secrets: 1. Containerization 2. Hybrid and multi-cloud 3. DevOps, CI/CD, automation 4. Zero trust. (Diagram of secret types: passwords, certificates, API keys, SQL credentials, AES encryption keys, RSA signing keys, SSH keys.) And then came the cloud.
9. IAM has never been easier: ephemeral resources + automation + IaC; a perimeter-less world where data is everywhere; a root of trust inside a non-trusted, distributed architecture; privileged access that is remote (WFH, COVID-19).
10. Secrets sprawl: clear-text, unprotected secrets in source code, DevOps scripts and configuration files. For example:
    DevOps script (myScript):      DB_password = "T0pSecr3t", API_Key_AWS = "Cl3aRt3xt$!"
    Configuration file (myconfig): Access_Token = "T0pSecr3t", API_Key_GCP = "Cl3aRt3xt$!"
    Source code (myCode):          Encryption_Key = "aKey43!t", API_Key_Azure = "Cl3a3xt$!"
Secrets are also used within workload management platforms.
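As an added example (not code from the slides or from Akeyless), the following Python scanner finds the kind of clear-text secrets shown above in files of any type: it flags assignments whose variable name looks like a credential, flags values that match a known key format regardless of the variable name, and scores each value's entropy so reviewers can rank hits. It never echoes the secret value itself. The keyword list, the key-format patterns and the sample files are constructed for illustration.

```python
"""Added example: scanner for clear-text secrets in source, scripts and configs.
Keyword list, key-format patterns and sample files are assumptions."""
import math
import re
from collections import Counter

# Assignment-style pattern: a credential-like variable name followed by a quoted literal.
SECRET_NAME = re.compile(
    r"(?i)\b([A-Z0-9_.]*(?:password|passwd|pwd|secret|token|api[_-]?key|encryption[_-]?key)[A-Z0-9_.]*)"
    r"\s*[=:]\s*[\"']([^\"']+)[\"']"
)
# Key formats recognisable without any variable name (illustrative patterns).
KNOWN_FORMATS = re.compile(r"\b(AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})\b")
PLACEHOLDERS = {"changeme", "placeholder", "xxx", "todo"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking literals score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, path: str) -> list:
    """Return one finding per suspected clear-text secret; values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_NAME.finditer(line):
            name, value = m.group(1), m.group(2)
            if value.startswith(("${", "{{")) or value.lower() in PLACEHOLDERS:
                continue  # template reference or obvious placeholder, not a secret
            findings.append({"path": path, "line": lineno, "name": name,
                             "reason": "credential-named assignment",
                             "entropy": round(shannon_entropy(value), 2)})
        for m in KNOWN_FORMATS.finditer(line):
            token = m.group(1)
            findings.append({"path": path, "line": lineno, "name": token[:4] + "...",
                             "reason": "known key format",
                             "entropy": round(shannon_entropy(token), 2)})
    return findings

def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents (e.g. read from a repository checkout)."""
    return [f for path, text in files.items() for f in scan_text(text, path)]

# Constructed sample files based on the three snippets on the slide, plus a
# key that only the format pattern catches (AWS's documented example key id).
SAMPLE_FILES = {
    "deploy.sh": 'myScript {\n  DB_password = "T0pSecr3t"\n  API_Key_AWS = "Cl3aRt3xt$!"\n}\n',
    "App.config": '<myconfig Access_Token="T0pSecr3t" API_Key_GCP="Cl3aRt3xt$!" />\n',
    "main.c": 'void myCode() {\n  char *Encryption_Key = "aKey43!t";\n'
              '  char *API_Key_Azure = "Cl3a3xt$!";\n  char *db_host = "db.internal";\n}\n',
    "settings.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = "${DEBUG}"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['name']} ({f['reason']}, entropy {f['entropy']})")
```

The two patterns complement each other: `AWS_KEY` is not caught by the name pattern because "key" alone is too noisy, but the value's format is; conversely the slide's `Encryption_Key = "aKey43!t"` has no recognisable format and is only caught by its name. Running this as a pre-commit or CI step is how most teams stop new sprawl; it does nothing about secrets already in git history.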
11. Gartner report "Managing Machine Identities, Secrets, Keys and Certificates", published 24 August 2020, analyst Erik Wahlstrom. Akeyless is mentioned in this report, p. 16, under "secrets management solutions".
12. Secrets Management: fetch secrets from any platform, script or application via API, SDK, CLI or plugins. (Diagram: applications and humans (DevOps, IT, developers) retrieve secrets from an encrypted secrets store; consumers include the customer application, the customer database and third-party service APIs; example secret: Password = "Pass12#".)
13. First: integrate with everything. Human authentication via LDAP, SAML, OpenID; machine authentication via direct channels, platforms and plugins (examples on the slide).
14. World-wide availability: scalability; multi-region / multi-cloud; disaster recovery (replication, backup); high availability. Consider: self-deployment vs. SaaS.
15. Existing solutions vary (diagram: HSM root of trust, KMS, PAM, SSH management, certificate management, SM).
18. Existing solutions vary (diagram: HSM root of trust, KMS, PAM, SSH management and certificate management, brought together by a unified secrets management platform).
19. Thank you. Questions? Further questions and thoughts you'd like to share? You are most welcome to drop an email to Oded@akeyless.io.
20. Building Secure Cloud Architecture. Moshe Ferber, CCSK, CCSP, CCAK. "When the winds of change blow, some people build walls and others build windmills." (Chinese proverb)
21. About myself
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker and lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
• Co-host of the Silverlining podcast on security engineering
• Founding committee member for the ISC2 CCSP and the CSA CCSK and CCAK certifications
• Member of the board at Macshava Tova, narrowing societal gaps
• Chairman of the board, Cloud Security Alliance, Israeli chapter
Cloud security course schedule: http://www.onlinecloudsec.com/course-schedule
22. About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next-generation IT
• Research and educational programs
• Certifications for cloud providers and security professionals
• Awareness and marketing
• The globally authoritative source for trust in the cloud
"To promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing."
CSA Israel: a community of security professionals promoting responsible cloud adoption.
23. Architecting for availability: regions vs. availability zones (diagram: US West, Singapore and Mumbai regions, each with AZ1 to AZ4).
24. Architecting for availability: redundancy in one region (diagram: Internet → load balancer → web servers in Mumbai AZ-1, AZ-2 and AZ-3, each with its own database).
25. Architecting for availability: redundancy in multiple regions/clouds (diagram: external CDN in front of web servers and databases in US-EAST1, US-EAST2 and a second provider).
26. Architecting for availability
• External CDN providers can add resiliency, flexibility and redundancy.
• Look for vendors who can add functionality: DDoS protection, web application firewall, load balancing, DNS management.
27. Architecting for application protection: web application firewall options: a third party as a service; a third party as a proxy; the provider's own service; a WAF client on the web instances.
28. Architecting for application separation (diagram; source: Cloud Security Alliance CCSK certification).
29. Limiting blast radius: organizations / subscriptions. (Diagram: three root accounts, each with an IAM admin, security auditor, billing admin, super admin, service 1 admin and service 2 admin, placed in OU A, OU B and OU C.)
30. Architecting for data security: understanding storage options
• Volume storage: attached to a single instance; not shared, accessible only from that instance; useful for storing the instance OS environment, application binaries, DB files and anything the instance needs to operate.
• Object storage: provider managed; files are placed in buckets; versioning and metadata are kept for all objects; files are accessible by API or HTTP; independent of AZ or instance dependencies; useful for storing static application data, backups, source code and config files.
• Database service: provider managed; data is accessible through the DB API; varies between services (structured, unstructured and more); usually the customer has no access to the underlying DB infrastructure.
• CDN: the cloud provider's proprietary service or an external third-party service; provides flexibility and resiliency; useful for serving static content at low latency; usually accompanied by additional services: WAF, DDoS protection, load balancer.
31. Architecting for data security: encryption (diagram: the OS, storage, DB and application layers of a virtual instance, with an application encryption layer, TDE in the database, storage encryption and volume encryption; keys come from a shared KMS or a dedicated HSM).
32. Architecting for CI/CD (diagram; source: Cloud Security Alliance guidelines).
33. Monitoring toolset
• CWPP, Cloud Workload Protection Platform: protects workloads (VMs, containers, serverless); traditional endpoint security (AV, VA); additional features for containers and serverless.
• CSPM, Cloud Security Posture Management: protects the management dashboard; monitors for compliance breaks, misconfiguration and identity permissions.
• CASB, Cloud Access Security Broker: designed for SaaS; detects threats; eDiscovery and DLP; shadow IT detection.
• CNAPP, Cloud Native Application Protection Platform.
34. Monitoring toolset: security center (logs, posture and configuration, workload vulnerabilities, threat intelligence, identity data).
35. Architecting for log management
• Portal logs: cover API and GUI access.
• Traffic logs: network traffic inside the VPC.
• Instance logs: extracted just like from a traditional OS.
• Unique logs: K8s logs, ELB logs, object storage logs.
36. Architecting for log management (diagram, AWS example: OS logs are shipped by a SIEM agent; CloudTrail writes to S3, from where the SIEM reads; CloudWatch rules and alerts raise SNS notifications; VPC Flow Logs feed the same pipeline).
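Added example, not from the talk: detection logic a SIEM rule could run over the two cloud-native log sources in the diagram, CloudTrail (the portal log) and VPC Flow Logs (the traffic log). The records are constructed for illustration; the CloudTrail field names and the VPC Flow Log default field order are the real ones, while the VPC CIDR, the list of trail-tampering API calls and the port-scan threshold are assumptions.

```python
"""Added example: detections over CloudTrail events and VPC Flow Log lines.
Sample records are constructed; VPC CIDR, tampering list and threshold are assumptions."""
import ipaddress
import json
from collections import defaultdict

# Constructed CloudTrail delivery file, trimmed to the fields used below.
CLOUDTRAIL_RECORDS = json.loads('''{"Records": [
 {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.5"},
 {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
  "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
 {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "203.0.113.9"},
 {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.4",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-role/build"}}
]}''')["Records"]

# API calls that disable or narrow CloudTrail itself (assumed list; extend as needed).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def actor(event: dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def detect_cloudtrail(records: list) -> list:
    """Return (rule, detail, ...) tuples: root usage, MFA-less console login, trail tampering."""
    alerts = []
    for ev in records:
        name = ev.get("eventName")
        if ev.get("userIdentity", {}).get("type") == "Root":
            alerts.append(("root-activity", name, ev.get("sourceIPAddress")))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-without-mfa", actor(ev), ev.get("sourceIPAddress")))
        if name in TRAIL_TAMPERING:
            alerts.append(("cloudtrail-tampering", name, actor(ev)))
    return alerts

# Constructed VPC Flow Log lines in the default format (the real field order):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51000 22 6 12 1800 1625000000 1625000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.20 43210 22 6 9 1200 1625000000 1625000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40001 23 6 1 60 1625000010 1625000070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40002 445 6 1 60 1625000011 1625000071 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40003 3389 6 1 60 1625000012 1625000072 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40004 8080 6 1 60 1625000013 1625000073 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.3.8 55000 5432 6 40 9000 1625000020 1625000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1625000000 1625000060 - NODATA
"""
FLOW_FIELDS = ["version", "account", "eni", "src", "dst", "srcport", "dstport", "proto",
               "packets", "bytes", "start", "end", "action", "status"]
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]   # assumed VPC address range
ADMIN_PORTS = {22, 3389}

def parse_flow_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS) or parts[-1] != "OK":
            continue  # NODATA/SKIPDATA lines carry no traffic fields
        rec = dict(zip(FLOW_FIELDS, parts))
        for k in ("srcport", "dstport", "proto", "packets", "bytes"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPC_CIDRS)

def detect_flows(records: list, scan_threshold: int = 4) -> list:
    """Admin ports accepted from outside the VPC, and sources rejected on many distinct ports."""
    alerts = []
    rejected_ports = defaultdict(set)
    for r in records:
        if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS and not is_internal(r["src"]):
            alerts.append(("admin-port-from-outside-vpc", r["src"], r["dst"], r["dstport"]))
        if r["action"] == "REJECT":
            rejected_ports[r["src"]].add(r["dstport"])
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append(("possible-port-scan", src, len(ports)))
    return alerts

if __name__ == "__main__":
    for a in detect_cloudtrail(CLOUDTRAIL_RECORDS) + detect_flows(parse_flow_log(FLOW_LOG)):
        print(a)
```

The portal-log rules are about who touched the control plane (root, no MFA, switching the trail off); the flow-log rules are about what reached the workloads. The "inside the VPC" test is done against the VPC's own CIDR rather than a generic private-address check, because a peered or transit network may also use RFC 1918 space and the question that matters is whether the traffic crossed the VPC boundary.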
37. Keep in touch. Cloud security course schedule: http://www.onlinecloudsec.com/course-schedule
38. Questions?
39. Event Tracking in Microservices: observability, security, and anything in between. Naor Penso, Sr. Director – Product Security @ FICO.
40. Naor Penso, Sr. Director – Product Security @ FICO. Previous positions: cybersecurity CTO, chief information security officer. About 20 years in cybersecurity; today leading product security and security services development at FICO; investing in, mentoring and advising multiple start-ups in the cyber domain.
41. Observability? Observability is the process of understanding the internal states of an application from its external outputs, tracking software behaviour across different data points and different services, to provide a holistic view of the application ecosystem. To reach observability you need to monitor different application outputs, including metrics, traces and logs.
42. Monoliths vs. modern applications (diagram; source: https://medium.com/hengky-sanjaya-blog/monolith-vs-microservices-b3953650dfd).
43. Observability challenges in modern applications
• A business transaction is now built from event snippets spanning 1 to 10,000 services.
• Stateless services can serve any number of customers without "understanding" whom they are serving.
• There is no single pattern of work; the same service can be used for n use cases.
• In some cases services are ephemeral, servicing one request and disappearing (e.g., serverless functions).
(Diagram, a highly abstract modern use case: Process Invoice → File Transfer → OCR → ETL → Currency Conversion → Data Enrichment → ETL → Database, each step a microservice.)
44. Observability solution / glossary (based on OpenTelemetry)
• Metric: records a data point, either a raw measurement or a predefined aggregation, as a time series with metadata.
• Span: a single operation that is logged (usually the output of one microservice).
• Trace: a group of spans (usually representing a transaction).
• Log / log record: typically the record includes a timestamp indicating when the event happened as well as other data that describes what happened, where it happened,
(Diagram: the Process Invoice pipeline above, each microservice emitting a span and the spans together forming one trace.)
45. Security and observability. Due to the highly distributed nature of modern applications, understanding the business context of events and generating the basics of an audit trail becomes significantly harder than in monoliths. Examples:
• A currency conversion service may convert currency without knowing who the conversion is for.
• A business transaction can be the encapsulation of interactions between 15 different services.
• Some services may fail and some may succeed within a single transaction.
• The time of the event is broken into many small timestamps representing different services.
Who is not known to all; what is 15 different "whats"; when and where are single points; success / fail is ambiguous.
46. What is Cornerstone? Cornerstone is a unified and expandable specification of events, supporting the need for tracking activities and changes in a complex technological environment. 150+ fields; 19 contexts; expandable and logic driven; unlimited use cases.
47. Ground rules
• Cornerstone does not define what events the product teams should log. The "what" is a matter of the application's business, which cannot be anticipated, hence Cornerstone provides an extendible framework to cover and solve for new business needs.
• Cornerstone does not define how events will be logged. Events continue to be logged exactly as they have been in the past.
• Cornerstone does define the structure of the event, from basic fields (who, what, when, where) to extended fields needed for context (who initiated, what was impacted).
48. The structure. Event specification: a core event plus contexts: user, permission, role, runtime, cloud, host, K8s, container, process, serverless, data, data classification, data security, file, database, data import / export, information, network, web, network traffic, API.
50. Event core example (table image listing the core fields with their requirement level: mandatory, optional or conditional).
51. User context example (fields marked mandatory in context or optional) and data import example (table images).
52. Field types: string, string (options), integer, boolean, array. Field requirements: mandatory, conditional, optional, mandatory (if applicable). Example:
    Field             Type     Requirement   Value
    Multitenant       Boolean  Mandatory     True
    Customer UUID     String   Conditional
    Environment UUID  String   Optional
53. Unified framework (diagram: many microservices feeding one unified logic, giving better RCA, detection, uniformity, metering and product support).
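Added example, not from the talk and not the Cornerstone specification itself: a minimal event schema with the three requirement levels from the slides (mandatory, conditional, optional), a validator that applies one conditional rule (an event marked multitenant must carry a customer UUID, as in the field table above), and a correlation step that rebuilds who, what, when and outcome for one business transaction from the per-service events sharing a trace id, which is the difficulty described on the Security and observability slide. Field names, the sample events and the conditional rule are assumptions.

```python
"""Added example: requirement-level event schema, validator and trace correlation.
Field names, sample events and the conditional rule are assumptions."""
from collections import defaultdict

# name -> (requirement level, expected type, predicate that makes a conditional field required)
CORE_SCHEMA = {
    "event_id":         ("mandatory", str, None),
    "timestamp":        ("mandatory", str, None),    # when, ISO 8601 so it sorts as text
    "action":           ("mandatory", str, None),    # what
    "service":          ("mandatory", str, None),    # where
    "outcome":          ("mandatory", str, None),    # "success" or "failure"
    "trace_id":         ("mandatory", str, None),    # ties the services of one transaction together
    "multitenant":      ("mandatory", bool, None),
    "customer_uuid":    ("conditional", str, lambda e: e.get("multitenant") is True),
    "environment_uuid": ("optional", str, None),
    "user_id":          ("optional", str, None),     # who; usually known only to the entry service
}

def validate_event(event: dict) -> list:
    """Return a list of problems; an empty list means the event satisfies the schema."""
    problems = []
    for name, (level, typ, when) in CORE_SCHEMA.items():
        present = name in event
        required = level == "mandatory" or (level == "conditional" and when is not None and when(event))
        if required and not present:
            problems.append(f"missing {level} field '{name}'")
        elif present and not isinstance(event[name], typ):
            problems.append(f"field '{name}' should be {typ.__name__}")
    return problems

def correlate(events: list) -> dict:
    """Group validated events by trace_id and derive who/what/when/outcome per transaction."""
    by_trace = defaultdict(list)
    for e in events:
        by_trace[e["trace_id"]].append(e)
    summary = {}
    for trace_id, evs in by_trace.items():
        evs.sort(key=lambda e: e["timestamp"])
        # "who" is carried by whichever service authenticated the caller; propagate it to the trace.
        who = next((e["user_id"] for e in evs if e.get("user_id")), None)
        summary[trace_id] = {
            "who": who,
            "what": [f"{e['service']}:{e['action']}" for e in evs],
            "when": (evs[0]["timestamp"], evs[-1]["timestamp"]),
            # One failed step makes the transaction a failure, even if later steps succeeded.
            "outcome": "failure" if any(e["outcome"] == "failure" for e in evs) else "success",
            "services": len({e["service"] for e in evs}),
        }
    return summary

# Constructed events for the invoice pipeline on the slides, plus one defective event.
SAMPLE_EVENTS = [
    {"event_id": "e1", "timestamp": "2021-06-24T10:00:00Z", "action": "upload", "service": "file-transfer",
     "outcome": "success", "trace_id": "t-1", "multitenant": True, "customer_uuid": "c-42", "user_id": "alice"},
    {"event_id": "e2", "timestamp": "2021-06-24T10:00:01Z", "action": "extract-text", "service": "ocr",
     "outcome": "success", "trace_id": "t-1", "multitenant": True, "customer_uuid": "c-42"},
    {"event_id": "e3", "timestamp": "2021-06-24T10:00:02Z", "action": "convert", "service": "currency-conversion",
     "outcome": "success", "trace_id": "t-1", "multitenant": True, "customer_uuid": "c-42"},
    {"event_id": "e4", "timestamp": "2021-06-24T10:00:03Z", "action": "enrich", "service": "data-enrichment",
     "outcome": "failure", "trace_id": "t-1", "multitenant": True, "customer_uuid": "c-42"},
    # Defective: multitenant without a customer UUID, and a numeric timestamp.
    {"event_id": "e5", "timestamp": 1624528803, "action": "convert", "service": "currency-conversion",
     "outcome": "success", "trace_id": "t-2", "multitenant": True},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["event_id"], validate_event(e) or "ok")
    print(correlate([e for e in SAMPLE_EVENTS if not validate_event(e)]))
```

The currency-conversion service never learns who the caller is, exactly as the slide says; the correlation step recovers it from the file-transfer event because both carry the same trace id, which is why a mandatory trace id is the one field that cannot be optional in such a schema.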
54. Cornerstone outlook.
55. Monoliths vs. modern applications
    Aspect              Monoliths                                              Microservices
    Business logic      Confined to a single place for all the business logic  Spread across multiple services
    Interaction model   Internal by design (e.g., calling internal functions)  External by design (e.g., using a REST API)
    Runtime model       Must have all pieces together to run                   Every piece can run on its own
    Usability           Reuse is done at the code level                        Reuse is done at the service level
    State management    (Generally) stateful                                   Stateless
56. Questions?
57. Kubernetes Secrets: Securing Your Production Environment. Ori Mankali, VP R&D, Akeyless.
58. About Akeyless: unique zero-knowledge KMS technology (Akeyless DFC™); secrets management SaaS platform (Akeyless Vault Platform, Secrets Management as-a-Service); serving market-leading enterprises in pharma, insurance, adtech, online, e-commerce and gaming.
59. What are secrets and why are they important?
• Tokens, API keys, encryption keys, passwords, etc.
• Needed by most types of applications and services to authenticate to various resources.
• Main concern: protection (against hacking).
• Secondary concern: management and traceability (revocation, audit logs).
60. Problem #1: Kubernetes Secrets
61. How does K8s store secrets?
• K8s is one of the most popular container orchestration tools and is becoming the backbone of modern infrastructure.
• Many applications still store secrets as plain text.
• The built-in Secret store is not much better: by default, Secret objects are only base64-encoded and are stored unencrypted in etcd, so anyone who can read the object or the datastore has the clear-text value.
62. So, how can I make my production environment safer?
• Use a strong encryption algorithm for the stored secrets.
• But the encryption key then has to be stored somewhere, which leads to the secret-zero problem.
• And what about application-rich clusters, where many applications share one cluster?
63. Problem #2: Segregation of pods and namespaces
64. Secrets secured, almost
• Need to ensure that different applications within a cluster can't access each other's secrets.
• Segregate to apply least-privilege access.
• But who can access my cluster?
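Added example, not from the talk: two checks on constructed Kubernetes manifests that make problems #1 and #2 concrete. The first decodes a Secret's `data` to show that base64 is encoding, not encryption. The second reviews RBAC objects to list which subjects can read Secrets and whether that reach is cluster-wide or bound to one namespace, which is what segregation by namespace is meant to enforce. The manifests are plain dicts rather than parsed YAML, and all names are invented.

```python
"""Added example: a Kubernetes Secret is only base64, and an RBAC review of who
can read Secrets. Manifests are constructed; names are invented."""
import base64

SECRET_MANIFEST = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "payments"},
    "type": "Opaque",
    "data": {"username": "YXBwdXNlcg==", "password": "VDBwU2VjcjN0"},
}

def reveal_secret(manifest: dict) -> dict:
    """Every value decodes without any key: whoever can read the object has the secret."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}

RBAC_MANIFESTS = [
    # Least privilege: one named Secret, one namespace, one service account.
    {"kind": "Role", "metadata": {"name": "payments-app", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["db-creds"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "payments-app", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "payments-app"},
     "subjects": [{"kind": "ServiceAccount", "name": "payments", "namespace": "payments"}]},
    # Wildcard ClusterRole bound cluster-wide to a group: every Secret in every namespace.
    {"kind": "ClusterRole", "metadata": {"name": "ops-reader"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-reader"},
     "subjects": [{"kind": "Group", "name": "ops-team"}]},
    # The same ClusterRole bound by a RoleBinding: limited to the binding's namespace.
    {"kind": "RoleBinding", "metadata": {"name": "ci-reader", "namespace": "billing"},
     "roleRef": {"kind": "ClusterRole", "name": "ops-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "billing"}]},
]

READ_VERBS = {"get", "list", "watch", "*"}

def rule_reads_secrets(rule: dict) -> bool:
    groups, resources, verbs = rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
    return (("" in groups or "*" in groups)
            and ("secrets" in resources or "*" in resources)
            and bool(READ_VERBS & set(verbs)))

def secret_readers(manifests: list) -> list:
    """For each binding whose role can read Secrets, report subject, scope and breadth."""
    roles = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    findings = []
    for b in manifests:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if role is None:
            continue
        rules = [r for r in role["rules"] if rule_reads_secrets(r)]
        if not rules:
            continue
        # A RoleBinding confines even a ClusterRole to its own namespace; only a
        # ClusterRoleBinding grants the role across the whole cluster.
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace:{ns}"
        named_only = all(r.get("resourceNames") for r in rules)
        for s in b["subjects"]:
            subject = f'{s["kind"]}/{s.get("namespace", "")}/{s["name"]}'.replace("//", "/")
            findings.append({"subject": subject, "scope": scope, "role": ref["name"],
                             "all_secrets_in_scope": not named_only})
    return findings

if __name__ == "__main__":
    print(reveal_secret(SECRET_MANIFEST))
    for f in secret_readers(RBAC_MANIFESTS):
        print(f)
```

Against a live cluster the same question is answered per subject with `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:billing:ci`; the review above answers it for all subjects at once from exported manifests, which is the form a posture check or admission policy needs.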
65. Problem #3: Cluster Access Management
66. Just-in-time K8s access
• Short-lived PKI certificates or short-lived temporary service account tokens.
• You also get traceability, governance and management.
• Access revocation, to respond quickly to security incidents.
67. The solution
• A secrets management platform that protects your secrets (decryption at the application level) and allows controlled access to your cluster.
• A trusted machine identity (cloud IAM, Akeyless Universal Identity, service accounts) to address the secret-zero problem.
• Delivered either as a self-deployed solution or as a SaaS platform.
68. Demo time
69. Thanks everyone. Q&A
70. Thank you! Questions? To be continued…