
Spring I/O 2023 - Barcelona

Badr
May 23, 2023


Many applications require some sort of secret, such as a database password or a certificate. The growing popularity of Kubernetes and cloud adoption has caught the attention of attackers and raised the stakes for developers. Secrets management in Spring Boot applications brings many challenges.

This session summarises the different available patterns for securing cloud-native application secrets. It demos open-source secrets management solutions such as Conjur for securing access, enforcing policy and authenticating access requests. Developers and DevOps engineers are now looking for the capabilities to properly secure secrets in DevOps pipelines.

To do their job, developers need to write applications that require secure access to resources via secrets, while security teams need to mitigate risk. This can lead to contention between developers and security teams.

The talk will cover the following topics:

- Increase awareness of the vulnerabilities and risks; remove hard-coded credentials
- Simplify secrets management
- Introduction to the secret zero problem
- Secure all application types, everywhere, with JWT and certificate-based authentication
- Strong authentication and authorization: ABAC, applying least privilege
- When to use the sidecar and init container patterns to improve application security in Kubernetes
- What is the Secretless pattern?
- How can the security team get full auditing and control?

Transcript

1. Badr NASS LAHSEN, Cyber Security Architecture & EMEA DevSecOps SME. May 18th, 2023. @bnasslahsen @nass_lahsen. cyberark.com/devsecops. Copyright © 2023 CyberArk Software Ltd. All rights reserved.
2. Who Are We: CyberArk is the global leader in privileged access management, a critical layer of IT security protecting access to data, infrastructure and applications across the enterprise, in the cloud and throughout the DevOps pipeline.
3. Agenda: Why Shift Security Left for Software Development? What is Application Identity Security? How to manage Spring-Boot Application Secrets? Summary and Q&A.
4. Software supply chain figures:
   - 71% of organizations experienced an attack on their software supply chain in 2021
   - 66% of attacks in 2020-2021 compromised code
   - 67% of organizations have not done a formal assessment or education on software supply chain risk
   - Millions of organizations affected
   Sources: CyberArk, 2022 Identity Security Threat Landscape Report; ENISA, Threat Landscape of Software Supply Chain Attacks; PWC, 2022 Global Digital Trust Insights; https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021
5. Massive Breach at Uber in September 2022. Outcome: the attacker gains broad administrative access to critical Uber IT systems. Attack path:
   - Phase 1: Attacker gains entry to the Uber network via social engineering
   - Phase 2: Discovers a hard-coded secret in a PowerShell script for the PAM solution
   - Phase 3: Escalates privileges and spreads the breach everywhere
6. Risks across the CI/CD pipeline (Developer, Identity/Access, Endpoint, Build, Test/Provision, Run/Operate): weak authentication; authentication fatigue; lack of credential rotation; lack of audit; over-permissioning; local admin rights; credential theft risk; high variability of unknown applications; relaxed security policy; exposed credentials; compromised OSS; code injection, theft and tampering; malicious use of interactive access; stolen access keys; hijacked compute/resources; exposed data; stolen IP.
7. Machine Identities Outnumber Human Identities 45 to 1: 45 non-human identities (machines, applications, workloads, etc.) to 1 human identity, i.e. apps and other non-human identities versus human accounts. *From a global survey of 1,750 security decision makers.
8. Solution: Secrets Management. Secrets = privileged access for non-human identities (credential, access key, SSH key, etc.). Apps use secrets to securely access IT and other resources; if the attacker has the secret, they can access the resource. Hardcoded secrets = "breach waiting to happen": they cannot be rotated, tracked or audited, security policies cannot be enforced on them, and they are exposed in code repositories (Git). Secrets and other non-human credentials need to be protected.
9. Islands of Security: Hiera, Databags, Vault, Azure Key Vault, Git Secret, Azure DevOps, GitHub Secrets, Secrets Mgr/KMS, Secrets Manager. There are many ways to vault secrets, but:
   - Developers must learn multiple solutions
   - Hard to establish & share best practices
   - Short-cuts often taken
   - SoD not enforced
   - GRC reporting is impossible
10. Most Frequent Audit Findings for Secrets ... is that while there is frequently standardisation in the management of privileged human identities, the situation is very different in the non-human domain (apps, CI/CD, cloud, RPA):
   - No audit or logs
   - No rotation or security governance
   - No centralized control
   - No visibility to the security team (shadow IT)
   - Secrets stored in different vaults (some are not secure)
   - Hard-coded credentials in code or config files
11. Challenges that enterprises face: Where will the secrets live? What secret store? Will the application be ported? How will secrets management impact my applications? How can I increase my application's security? How will I audit account usage? Will developers use the secrets management solution?
12. App ID, removal of hard-coded credentials, credential rotation and strong authentication:
   - App ID: create an auditable identity for apps; access is authorized, logged and auditable; establish identity to applications; limits discovery & reduces the attack surface
   - Removal of hard-coded credentials: enables compliance with audit & best practices; removes the security island dilemma
   - Credential rotation: regularly perform secrets rotation; no updates to files, code or DBs when secrets are rotated; no application downtime required to rotate secrets
   - Authn / MFA: enforce strong authentication for apps
13. The Secret-Zero problem:
   - Humans have built-in authentication support: a built-in vault for passwords, and back-channels for MFA (e.g. phones)
   - Non-humans need a way to bootstrap identity authentication that doesn't put credentials at risk
   - But how to manage that initial secret required by apps to bootstrap identity? This is the Secret-Zero problem.
14. JWT and certificate authentication:
   - Strong Application Authentication: enable a secure way for applications running on various platforms to authenticate using a JSON Web Token (JWT) or a Certificate.
   - Support for advanced use cases: provide a generic and flexible authentication method based on the workload attributes.
   - Allow the organization to comply with the protocol's security standards.
   - Provide an authentication endpoint to any modern workload which can be identified with a JWT or a Certificate.
   - The authenticator is responsible for authenticating workloads / non-human identities and acting as an authorization layer to the secrets.
   - Easy to extend and adopt
15. Diagram of the Conjur policy tree: / conjur with the authn-azure and authn-k8s authenticators (tenant-1, cluster-1, cluster-2); Vault data with Team1-Safe, Team2-Safe and Team3-Safe; Team1, Team2 and Team3 apps (hosts), each with managers and consumers groups; Security admins, Team admins and Grants.
16. Identity attribute -> Conjur authenticator (leverage the unique native capabilities of the non-human identity for the highest level of security):
   - IAM Roles -> authn-iam
   - Azure Resources -> authn-azure
   - Namespace, Deployment, StatefulSet, others -> authn-k8s
   - OpenID Connect (OIDC) Identity Layer -> authn-oidc
   - Google identity platform -> authn-gcp
   - LDAP User Credentials -> authn-ldap
   - JSON Web Token authentication -> authn-jwt
17. Kubernetes authenticator flow:
   1) Admin allow-lists the app identity. Options for identity granularity include (but are not limited to): Identity = Cluster/Namespace; Identity = Cluster/Namespace/Service Account
   2) The authenticator client in the app pod submits a CSR with platform attributes to CyberArk Conjur
   3) CyberArk Conjur verifies the attributes with the platform service
   4) CyberArk Conjur issues cert & key creds to the authenticator client in the app pod
   5) The authenticator client in the app pod uses the creds to authenticate, gets a CyberArk Conjur access token and shares it via a shared memory volume
18. GOOD DEVELOPER EXPERIENCE IS IMPORTANT! SO IS COLLABORATION! (Developers / Security)
19. Spring Use Case 1 (diagram): User -> Spring Security: login request, authenticate, authorize. Spring -> Conjur APIs: authenticate, get token (short-lived access token), get secret; authorize. Conjur provides the Conjur policy.
20. JWT authenticator flow:
   1. An application requests an identity token from a JWT provider
   2. The JWT provider sends a JWT back to the application
   3. The application sends an authentication request to CyberArk Conjur using the JWT Authenticator REST API
   4. CyberArk Conjur fetches a public key from the JWT provider by accessing the JWKS endpoint of the vendor (jwks-uri or public-keys value)
   5. CyberArk Conjur attempts to authenticate and authorize the request. If successful, CyberArk Conjur sends a short-lived access token back to the application
   6. The application can use the CyberArk Conjur token to retrieve secrets stored in Conjur (Summon / Conjur API)
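As an added example (not the speaker's or CyberArk's code), the JWT authenticator exchange from steps 1-6 above simulated end to end in Python: the provider signs a workload token, the authenticator looks the key up by kid, verifies the signature and standard claims, applies a constructed cluster/namespace/service-account allow-list of the kind shown on the Kubernetes authenticator slide, and mints a short-lived token. Issuer, kid, claim values and the HS256 shared key are assumptions; a real JWKS endpoint serves RS256 public keys.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(key: bytes, kid: str, claims: dict) -> str:
    """JWT provider side (steps 1-2): sign the claims with the key named by kid."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

# Constructed JWKS stand-in (kid -> key). HS256 shared secrets replace the RS256
# public keys a real JWKS endpoint serves, so this runs with the standard library only.
JWKS = {"k8s-2023": secrets.token_bytes(32)}
# Constructed allow-list policy: trusted issuer/audience plus the (namespace, service
# account) identities the admin granted.
POLICY = {"iss": "https://kubernetes.default.svc", "aud": "conjur",
          "allowed": {("prod", "payments-sa")}}

def authenticate(jwt: str, now: float, ttl: int = 480) -> dict:
    """Authenticator side (steps 3-5): verify, authorize, then mint a short-lived token."""
    deny = lambda reason: {"granted": False, "reason": reason}
    header_b64, body_b64, sig_b64 = jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    key = JWKS.get(header.get("kid"))  # step 4: key lookup by kid
    if header.get("alg") != "HS256" or key is None:  # pin the algorithm, never trust "alg"
        return deny("unknown kid or algorithm")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return deny("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # only now are the claims trustworthy
    aud = claims.get("aud", [])
    if claims.get("iss") != POLICY["iss"] or POLICY["aud"] not in ([aud] if isinstance(aud, str) else aud):
        return deny("issuer/audience mismatch")
    if claims.get("exp", 0) <= now:
        return deny("token expired")
    k8s = claims.get("kubernetes.io", {})  # projected service-account token claim shape
    identity = (k8s.get("namespace"), k8s.get("serviceaccount", {}).get("name"))
    if identity not in POLICY["allowed"]:
        return deny(f"identity {identity} not allow-listed")
    # Step 5: opaque, short-lived access token the app then uses to fetch secrets.
    return {"granted": True, "host": "/".join(identity),
            "token": secrets.token_urlsafe(24), "expires_at": now + ttl}

def k8s_claims(namespace: str, sa: str, exp: int) -> dict:
    # Constructed claims in the shape of a Kubernetes projected service-account token.
    return {"iss": POLICY["iss"], "aud": ["conjur"], "exp": exp,
            "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa}}}
```

Tokens from an unknown kid, a forged key, a wrong namespace or a past exp are all refused before any secret is released; only the allow-listed identity receives a token that expires after ttl seconds.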
21. Kubernetes Secrets:
   - Securing etcd: secret data is stored in etcd. By default, etcd data is not encrypted.
   - You can't share the manifest file or push it into a repo.
   - Users who consume a secret can see its value.
   - Root exploit: anyone with root access on any node can read any secret.
   - No visibility or change management.
   - No built-in rotation.
   KubiScan: a tool for scanning a Kubernetes cluster for risky permissions in Kubernetes's Role-based access control (RBAC) authorization model. https://github.com/cyberark/KubiScan
22. Ways to consume secrets: native ways to consume secrets for a great developer experience; cloud-agnostic; one integration across all Kubernetes/OpenShift platforms that can be re-used everywhere.
   - K8s Secrets (Secrets Provider, push to Kubernetes Secrets): makes the secrets available in Kubernetes Secrets; native experience for developers that already use Kubernetes Secrets; easier deployment using Helm; no code change to the application; supports rotations
   - Push To Files (Secrets Provider, push to files): makes secrets available to the application as files on the pod memory; no code change required; supports rotations
   - Summon: fetches secrets and makes them available to the application as environment variables
   - APIs: uses API calls to retrieve secrets; available APIs for Java, Ruby and Go; supports rotations
   - Secretless Broker: brokers the connection to the target resource; no secrets delivered to the application; no code changes required; supports rotations
23. Secrets Provider for Kubernetes (K8s Secrets mode):
   1. The cyberark-secrets-provider-for-k8s init container starts and authenticates to the Follower using the Kubernetes Authenticator
   2. The cyberark-secrets-provider-for-k8s init container reads all Kubernetes Secrets required by the pod
   3. For each mapped Kubernetes Secret, the cyberark-secrets-provider-for-k8s init container retrieves the Conjur secrets and updates the Kubernetes Secret with the Conjur secret value
   4. The cyberark-secrets-provider-for-k8s init container runs to completion
   5. The application container starts and consumes the Kubernetes Secrets
24. Secrets Provider for Kubernetes (Push To Files mode):
   1. The Secrets Provider is deployed in the same Pod as your application container. The authentication container starts up and parses Pod annotations from a Kubernetes Downward API volume. The Pod annotations are organized in secret groups, with each secret group indicating to the Secrets Provider:
   2. The Secrets Provider authenticates to Conjur using the Kubernetes Authenticator.
   3. The Secrets Provider reads all Conjur secrets required across all secret groups.
   4. The Secrets Provider renders secrets files for each secret group, and writes the resulting files to a volume that is shared with your application container.
   5. The Secrets Provider container runs to completion.
   6. Your application container starts and consumes the secrets files from the shared volume.
25. Summon: 1. Summon is invoked with an authenticated identity; 2. Summon fetches secrets using that identity; 3. Processes are launched with the secrets in their environment. Learn more at: https://cyberark.github.io/summon/
26. Modern Solution Architecture:
   - No Solution (hardcoded credentials): UserName = "app", Password = "y7qeF$1", Host = "10.10.3.56", ConnectDatabase(Host, UserName, Password). At risk: widely exposes credentials.
   - Vault Credentials: Secure, manage credentials in a vault with comprehensive audit. Potential for the app to leak secrets.
   - Secretless Broker Architecture: isolate applications. Simpler, developers can focus on writing code. More secure, applications cannot leak what they don't have.
27. Takeaways:
   - Think about secrets management across hybrid and multi-cloud environments
   - Simplify secrets management with a uniform developer and security experience independent of cloud providers and tools
   - End-to-end encryption of secrets through mutual TLS (Transport Layer Security) using SPIFFE-compliant resource identifiers
   - Robust authentication and authorization incorporating RBAC policies
   - It's important to have a federated governance that covers all identities and provides autonomy to the development teams
   - Remember the overhead and the risks related to security islands
   - Ideally, credentials should not be exposed to any 3rd party and should reside only in memory
   - Strong container authentication based on its attributes
   - Leverage application secrets rotation to mitigate attack risks
   - You should get a full central audit trail of your secrets, vendor agnostic
   Demos: https://github.com/bnasslahsen/conjur-spring-boot-demos/tree/spring-io-23