GET /microservices/secured #JavaDay2016

Transcript

1. GET /microservices/secured Grygoriy Gonchar (@ggonchar)
 Software Security Architect 
 @Kreditech

2. Microservices

3. Componentization via services

4. Decentralised data management

5. As a result isolated security risks

6. Not every service is equally important

7. Separating sensitive data in Microservices can further reduce risk

8. Isolated Microservices reduce overall security risks

9. But service distribution introduce new security risks

10. Missing access control

11. Defining Trust Boundaries

12. Internal Trust Boundaries

13. TLS Client Certificates

14. TLS CCA - certificate as client identity

15. Validating client certificate by LB / Proxy

16. Validating client certificate by Service with SSL path-through

17. Validating client certificates server {
 ssl_verify_client on;
 ssl_client_certificate /etc/nginx/certs/ca.crt;
 if

    ($ssl_client_s_cn !~ '/CN=shopping-cart-srv/') { 
 return 403;
 }
 } http://nginx.org/en/docs/http/ngx_http_ssl_module.html

18. Why TLS client certificates 1. You pay once for automated

    short-lived TLS certificates - you get both strong transport security and authentication 2. Mutual authentication can be implemented 3. Application code can even don’t know about it

19. Tools for friendly automation already there Let’s Encrypt Netflix Lemur

    HashiCorp Vault

20. Verifying User Identity

21. Multiple services verifying user identity

22. Services verify identity of users and other services

23. API Gateway - single service verifying user identity

24. Services verify only identity of other services

25. Why API Gateway 1. Greatly simplifies security design 2. Simplifies

    session management 3. Can do more than security

26. Why API Gateway NOT 1. Gateway might have lack of

    domain knowledge for authorization decisions 2. Changes and ownership topics might become complicated 3. Affects availability

27. Vulnerable Dependencies

28. Microservices promote usage of different technologies

29. https://pivotal.io/security example of excellent vulnerability reporting

30. https://srcclr.com/ scans dependencies automatically

31. https://github.com/coreos/clair scans Docker containers

32. Secrets Storage

33. More services - more secrets (passwords, certificates etc.)

34. https://12factor.net/

35. No secrets in code “A litmus test for whether an

    app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.” https://12factor.net/config

36. No secrets in code https://github.com/awslabs/git-secrets $ git-secrets --scan -r my-project/


    conf//application.yml:8: AWS_ACCESS_KEY_ID: 'FR4EFR3Y76R2HE4H’
 conf//application.yml:9: AWS_SECRET_KEY: 'wcwdc9wd8w8qqDDqq0\re4RRfs'
 [ERROR] Matched one or more prohibited patterns

37. Secret Management Software KeyWhiz: https://github.com/square/keywhiz
 Vault: https://github.com/hashicorp/vault
 Knox: https://github.com/pinterest/knox
 Confidant:

    https://github.com/lyft/confidant
 Secretary: https://github.com/meltwater/secretary
 Sops: https://github.com/mozilla/sops
 Summon: https://github.com/conjurinc/summon
 Biscuit: https://github.com/dcoker/biscuit https://github.com/sweis/crypto-might-not-suck

38. Why Secret Management Software Store secrets encrypted Audit all access

    Rotate automatically Fine-grained access control

39. Why Secret Management Software Store secrets encrypted Audit all access

    Rotate automatically Fine-grained access control - !permit role: *my-application privilege: [ read ] resource: *database-password
 
 - !permit role: *deployment-agent privilege: [ write ] resource: *database-password https://developer.conjur.net/reference/policy-markup.html

40. https://conjurinc.github.io/summon/ secrets as env vars

41. Conclusions

42. Microservices Architecture 1. Isolated Microservices reduce security risks 2. Secure

    Microservices adoption require automation to mitigate new risks

43. Automate your security http://martinfowler.com/bliki/MicroservicePrerequisites.html

44. Questions?