
Designing secure cloud applications

Designing secure cloud applications


Nenne (Adora) Nwodo

September 30, 2020

Transcript

  1. None
  2. A few benefits of moving to the cloud

  3. None
  4. None
  5. Security risks in cloud applications

  6. Security risks in cloud applications

  7. Security risks in cloud applications

  8. None
  9. None
  10. None
  11. Will my application contain sensitive customer data? Where and how

    is my application's data stored? Will this application be available over the internet (publicly) or just internally? How do I plan to verify my users' identity? What sensitive tasks are performed in my application? Does my application perform any risky software activities?
  12. None
  13. Federated Identity Valet Key Gatekeeper

  14. None
  15. None
  16. None
  17. Benefits of using the gatekeeper:

  18. None
  19. None
  20. None
  21. None
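  // Slide 22 (the same snippet is repeated on the following slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }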
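  // Slide 23 (the same snippet is repeated on the following slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }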
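  // Slide 24 (this copy of the snippet omits the StorageEntitySas struct shown on the other slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }
  }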
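  // Slide 25 (the same snippet is repeated on the surrounding slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }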
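  // Slide 26 (the same snippet is repeated on the surrounding slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }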
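  // Slide 27 (the same snippet is repeated on the surrounding slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }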
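  // Slide 28 (the same snippet is repeated on the surrounding slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }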
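  // Slide 29 (the same snippet is repeated on the surrounding slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }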
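  // Slide 30 (the same snippet is repeated on the surrounding slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }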
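  // Slide 31 (the same snippet is repeated on the preceding slides).
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... constructor and action methods elided in the slide ...

      /// <summary>
      /// Return a limited access key (a blob SAS) that allows the caller to upload a file
      /// to this specific destination for a defined period of time (10 minutes).
      /// The token is scoped to a single blob (<c>Resource = "b"</c>) and to Write only,
      /// so it grants no Read, Delete or List rights and no access to other blobs.
      /// </summary>
      /// <param name="blobName">Name of the blob, inside <c>blobContainer</c>, that the caller may write.</param>
      /// <returns>The blob URI together with the SAS query string the caller appends to it.</returns>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          var blob = blobServiceClient
              .GetBlobContainerClient(blobContainer)
              .GetBlobClient(blobName);

          // SECURITY: the SAS is signed with the storage account key, which is the root
          // credential of the whole account. Here it is read from application settings;
          // keep it out of source control and load it from a secret store, or prefer a
          // user delegation SAS so the account key never has to be present on this host.
          var storageSharedKeyCredential = new StorageSharedKeyCredential(
              blobServiceClient.AccountName,
              ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"]);

          // Read the clock once so the validity window is exactly 20 minutes: StartsOn is
          // backdated by 10 minutes to tolerate clock skew between this service, the
          // storage service and the caller.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = blobContainer,
              BlobName = blobName,
              Resource = "b",
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10)
          };

          // Least privilege: write only. (The slide configured and signed an undeclared
          // `policy`; the builder created above is the object that must be used.)
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>A blob URI together with the SAS token that authorizes access to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string to append to <see cref="BlobUri"/>.</summary>
          public string Credentials;

          /// <summary>URI of the single blob the token is scoped to.</summary>
          public Uri BlobUri;
      }
  }
  // Code snippet from docs.microsoft.com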
  32. None
  33. None
  34. Claims-based access control

  35. Federated identity pattern use case

  36. Claims-based access control (image from docs.microsoft.com)

  37. None
  38. Identity

  39. Core security

  40. Core security - Threat modelling: S - T - R - I - D - E
  41. Core security - Threat modelling

  42. Bonus - Implementation

  43. Additional reading

  44. www.adoranwodo.com @adoranwodo