Secure Microservices Adoption #MicroXchg2017

Transcript

1. Secure Microservices Adoption Grygoriy Gonchar (@ggonchar) Software Security Architect @Kreditech

2. Microservices

3. Componentization via services

4. Decentralised data management

5. As a result isolated security risks

6. Not every service is equally important

7. Isolated Microservices reduce overall security risks

8. But service distribution introduce new risks

9. Authentication & Authorization

10. Problem: End-users need to interact with multiple services

11. Problem: End-users frequently include many roles

12. Possible solution: API Gateway deals with all end-user requests

13. Possible solution: Backend for frontend (BFF) for different end-users

14. Defining Trust Boundaries

15. Security checks around Trust Boundary

16. For different use-cases fit different AuthN & AuthZ solutions

17. BFF encapsulates end-user roles and is responsible for resource AuthZ

18. Entity level AuthZ is a part of Downstream Microservices contract

19. As a Customer I want to access/update my order

20. As a Delivery Agent I want to access/update my order

21. Missing access control

22. Internal Trust Boundaries

23. TLS CCA - certificate as client identity

24. Validating client certificates server { ssl_verify_client on; ssl_client_certificate /etc/nginx/certs/zone-1-ca.crt; if

    ($ssl_client_s_cn !~ '/CN=shopping-cart-srv/') { return 403; } } http://nginx.org/en/docs/http/ngx_http_ssl_module.html

25. Why TLS client certificates You pay once for automated short-lived

    TLS certificates - you get both strong transport security and authentication Mutual authentication can be implemented Single service identity reduce amount of application secrets, asymmetric security - no shared secrets Application code can even don’t know about TLS but risk of misconfiguration exists Certificate hierarchies as additional layer of defence

26. Tools for friendly automation already there Let’s Encrypt Netflix Lemur

    HashiCorp Vault

27. Big picture

28. Solution Summary BFF can delegate AuthN and encapsulate roles complexity

    from Downstream Microservices End-user types and roles are easier to change Downstream Microservices deal with entity level AuthZ and are agnostic to end- user types and roles Downstream Microservices deal only with trust between services using TLS client certificates Downstream Microservices are more context agnostic and reusable

29. Secrets Management

30. More services - more secrets (passwords, certificates etc.)

31. https://12factor.net/

32. No secrets in code “A litmus test for whether an

    app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.” https://12factor.net/config

33. No secrets in code https://github.com/awslabs/git-secrets $ git-secrets --scan -r my-project/

    conf//application.yml:8: AWS_ACCESS_KEY_ID: 'FR4EFR3Y76R2HE4H’ conf//application.yml:9: AWS_SECRET_KEY: 'wcwdc9wd8w8qqDDqq0 [ERROR] Matched one or more prohibited patterns

34. Secret Management Software Store secrets encrypted Transfer secrets encrypted Audit

    all access Rotate automatically Fine-grained access control

35. Secret Management Software Store secrets encrypted Transfer secrets encrypted Audit

    all access Rotate automatically Fine-grained access control - !permit role: *my-application privilege: [ read ] resource: *database-password - !permit role: *deployment-agent privilege: [ write ] resource: *database-password https://developer.conjur.net/reference/policy-markup.html

36. Secret Management Software Conjur https://www.conjur.com/secretsmanagement Vault https://github.com/hashicorp/vault Docker 1.13 Secrets

    https://docs.docker.com/engine/swarm/secrets/ Kubernetes Secrets https://kubernetes.io/docs/user-guide/secrets/ DC/OS Secrets https://docs.mesosphere.com/1.8/administration/secrets/ Many more https://github.com/sweis/crypto-might-not-suck

37. Vulnerable Dependencies

38. Microservices promote usage of different technologies

39. https://pivotal.io/security example of excellent vulnerability reporting

40. https://srcclr.com/ scans dependencies automatically

41. https://github.com/coreos/clair scans Docker containers

42. https://github.com/docker/docker-bench-security

43. Conclusions

44. Microservices Architecture Separation into Microservices can reduce security risks Distribution

    and technology diversity introduce new risks Thoughtful AuthN & AuthZ strategy required Secure Microservices adoption require automation to mitigate new risks (secrets management, vulnerability assessment etc.)

45. Automate your security http://martinfowler.com/bliki/MicroservicePrerequisites.html

46. Use other security practices Thread Modeling Secure Coding Practices Security

    Testing Incident Response Planning … many more

47. Questions? @ggonchar