How vulnerable are your systems after the first line of defense? Do attackers get a stronger foothold after each compromise? How valuable is the data your systems can leak? “Death Star” security describes a system that relies entirely on an outermost security layer and fails catastrophically when breached. As services multiply, they shouldn’t all run in a single, trusted virtual private cloud. Sharing secrets doesn’t scale either, as systems multiply and partners integrate with your product and users. David Strauss explores security methods strong enough to cross the public Internet, flexible enough to allow new services without altering existing systems, and robust enough to avoid single points of failure. David covers the basics of public key infrastructure (PKI), explaining how PKI uniquely supports security and high availability, and demonstrates how to deploy mutual authentication and encryption across a heterogeneous infrastructure, use capability-based security, and use federated identity to provide a uniform frontend experience while still avoiding monolithic backends. David also explores JSON Web Tokens as a solution to session woes, distributing user data and trust without sharing backend persistence. A good written summary of the key talking points: https://www.infoq.com/news/2016/04/oreilysacon-day-one

1. Don’t Build
“Death Star” Security
Maintaining agility and security
in distributed and microservice architectures

2. About Me
● Drupal
○ Infrastructure (drupal.org)
○ Security
○ Performance/scalability,
especially database
● Systemd
○ Committer
○ Scalable cgroups management
○ Structured logging integration
○ Launch-on-demand adapter maintainer
● Pantheon
○ CTO and Co-founder
○ Billions of monthly page views
○ Millions of containers

3. Your infrastructure is the Empire…

4. …and Rebel scum from Tatooine threatens it.

5. “Death Star” security is reinforcing the edge…

6. …but suffering catastrophe when that’s breached.
BOOM!

7. We’re not here to talk about basics or your edge
● Layer 2 or 3 Firewalls
● Web Application
Firewalls
● OWASP Top 10
● DDoS Controls
● Applying updates quicklyFor the purposes of this presentation:
Your first line of defense is gone!

8. Where Do Attackers Go Next?
● Collecting authentication data
● Using the foothold behind the firewall
○ Attacking other internal systems
○ Exploiting the assumption of trust
● Collecting sensitive user, payment, and patient data
● Phishing attacks from privileged email accounts

9. Authentication Security

10. Challenge: Password Data Breach
827ccb0eea8a706c4c34a16891f84e7b
That's amazing! I've got
the same combination on
my luggage!
President Skroob

11. Pattern: Better Password Hashing
Password: 12345
Salt: 4c34a8371ce2d3116
Pepper: 27ccb0eea8a706c
HMAC
SHA512 827ccb0eea891f84e7b8a7891f84e7b06c4c34a16891f84e7

12. Pattern: Add in Password Stretching
Password: 12345
Salt: 4c34a8371ce2d3116
Pepper: 27ccb0eea8a706c
PBKDF2
(100k rounds) 84e7b8827ccba891f84e7b8a7891f84e7b06c4c34a16891f

13. Pattern: Requiring Decent Passwords

14. Pattern: Multifactor Authentication
Something You Have
Something You Are
or

15. Pattern: Federated Authentication

16. Pattern: Authentication Before Application
Apache
with
SAML
Drupal or WordPress
with PHP-FPM

17. Have You Met the Confused Deputy?

18. Challenge: Ambient Authority and Confused Deputies
Set a course for
Alderaan.
Governor Tarkin
How it’s
supposed
to work:
Setting course,
Governor.
Helm/Weapons
How it
can fail: Set a course for
Coruscant.
Imposter Tarkin
Setting course,
Governor.
Helm/Weapons
AlderaanBOOM!
CoruscantBOOM!

19. Pattern: Capability-Based Security
Set a course for
ef28bc28 (signed
token for Alderaan).
Governor Tarkin
How it’s
supposed
to work:
Setting course,
Governor.
Helm/Weapons
Attemptedh
ack:
Code
validation
Set a course for, um,
3a2eb45a
(invalid token).
Imposter Tarkin
Sorry, that code isn’t
working in my helm
system, Governor.
Helm/Weapons
AlderaanBOOM!
Code
validation

20. Pattern: Mandatory access control (MAC), like selinux
Set a course for
Alderaan.
Governor Tarkin
How it’s
supposed
to work:
Setting course,
Governor.
Helm/Weapons
May
target
Rebel
Set a course for
Coruscant.
Imposter Tarkin
Setting course,
Governor.
Helm/Weapons
Coruscant
[Label: Imperial]
Alderaan
[Label: Rebel]BOOM!
May
target
Rebel DENIED
Attemptedh
ack:

21. Antipattern: Mandatory access control (MAC) as an afterthought

22. Better: Boundaries First, Container-Style

23. Staying Hands-Off Sensitive Data

24. Pattern: Delegated Handling of Sensitive Data
Payments Marketing
User
Agent
Your ApplicationHTTP GET
HTTP POST
External Service Sensitive
Data

25. Pattern: Black Hole APIs
● Don’t simply divide
permissions into read
versus read+write.
● The ability to just write
allows one side to
irretrievably rid itself
of access to sensitive
information.

26. Protecting Data on the Move and Endpoints

27. Pattern: Key Management
● AWS Key Management System
● Alliance Key Manager by Townsend Security
○ Lockr (for Drupal and WordPress)
● Vault by HashiCorp
● Many more…
Database
● Audit Trail
● Alerts
Key Manager
App

28. Pattern: Anonymizing Data
david@pantheon.io
xa34s@au39sm.io

29. Pattern: Physical Security and Device Encryption

30. Pattern: Smart Cards and Hardware Tokens
PIN or Password
SSH Server

31. Preventing a Breach from Spreading

32. Pattern: Systems Isolation
Web-Facing Systems Intranet Systems
Load
Balancer
Application
Server
Database
Server
Cache
Server
Active
Directory
Exchange
File
Shares
HR Records
FirewallorMore

33. Challenge: Shared Secrets (Including Passwords)
DatabaseApp
Password or Key
Compromise
Point #1
Compromise
Point #2

34. Anti-pattern: Security Through Obscurity
“An analysis of the plans
found in their insecure
git repository has
demonstrated a weakness
in the battle station.”

35. Pattern: Public Key Infrastructure
Admin
Firewall
CDN nginxHTTPS MySQL
Solr
HTTPS
File System
NFS or Similar
SSH Jump or VPNTunnel
Server
Key
SSH
Key
User HTTPS
Server
Certificate MariaDB
PHP-FPM
+ Drupal
Client
Certificate
Server
Certificate
Client
Certificate
Client
Certificate
Client
Certificate
Server
Certificate
Server
Certificate
Server
Certificate

36. Creating a Local Certificate Authority (CA)
● Once: Create a certificate authority (CA):
○ Create a private key for the CA.
○ Create the certificate for the CA.
○ Distribute the certificate to your servers.
● Every time: Follow the normal certificate-creation steps:
○ Create a private key.
○ Create a certificate signing request (CSR).
○ Sign the certificate on the CA.
○ Deploy the certificate alongside the private key.

37. MySQL PKI: Server Side
[mysqld]
ssl-ca=ca.crt
ssl-cert=server.crt
ssl-key=server.key
CREATE USER 'backups'@'backup-host'
REQUIRE SUBJECT '/C=US/ST=California/L=San Francisco/
O=Pantheon/
CN=backups.pantheon.io/emailAddress=hosting@pantheon.io';
Supports rolling secret rotation for multiple clients!

38. MySQL PKI: Client Side
<?php
$pdo = new PDO('mysql:host=ip;dbname=db', 'user', 'pass', array(
PDO::MYSQL_ATTR_SSL_KEY => '/etc/mysql/tls/client.key',
PDO::MYSQL_ATTR_SSL_CERT => '/etc/mysql/tls/client.crt',
PDO::MYSQL_ATTR_SSL_CA => '/etc/mysql/tls/ca.crt'
)
);
$statement = $pdo->query('SHOW TABLES;');
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['_message']);

39. Tomcat PKI: Server Side
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
scheme="https" secure="true"
keystoreFile="/etc/tls/servlet.ks"
keystorePass="secret"
clientAuth="true" sslProtocol="TLS"
truststoreFile="/etc/tls/servlet.ks"
truststorePass="secret" domain="catalina" />

40. nginx PKI: Server Side
...
server {
listen 443 ssl;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_client_certificate ca.crt;
...

41. Python PKI: Client Side
import requests
requests.get('https://api.pantheon.io',
cert=('client.crt', 'client.key')
verify='ca.crt')

42. Questions?
@DavidStrauss
david@pantheon.io
linkedin.com/in/davidstrauss