Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Towards Client-Side Field-Level Cryptography fo...

Towards Client-Side Field-Level Cryptography for Streaming Data Pipelines @ Current 2022, Austin Texas

Abstract:

Apache Kafka offers several security features ranging from authentication and authorization mechanisms to over-the-wire encryption. This notwithstanding, end-to-end encryption between Kafka-based client applications, which fully protects payloads from fraudulent access at the broker's side can still be considered a blind spot. After highlighting the main benefits of explicit data-at-rest protection, this session discusses in-depth how to selectively encrypt and decrypt sensitive payload fields in the context of streaming data pipelines built upon Apache Kafka Connect and ksqlDB apps. In particular, an ecosystem community project named Kryptonite for Kafka - written and open-sourced by the speaker - is introduced. During this demo-driven talk, you will experience how to benefit from:

*a configurable single message transformation (SMT) that lets you perform encryption and decryption operations in Kafka Connect worker nodes without any additional code
*and a custom user-defined function (UDF) for ksqlDB to conveniently encrypt and decrypt specific columns in your SQL-based stream processing apps

Client-side field-level cryptography makes streaming data pipelines more secure by safeguarding your most sensitive and precious data against any form of uncontrolled or illegal access once it hits the Apache Kafka brokers.

Kryptonite for Kafka Project Repository:

https://github.com/hpgrahsl/kryptonite-for-kafka/

Live Demo Scenario Repository:

https://github.com/hpgrahsl/current22-k4k-demo

Recording:

https://www.confluent.io/events/current-2022/towards-client-side-field-level-cryptography/

Hans-Peter Grahsl

October 04, 2022
Tweet

More Decks by Hans-Peter Grahsl

Other Decks in Programming

Transcript

  1. 61 % of breaches involved credential data1 1 Verizon DBIR

    2021 - https://www.verizon.com/dbir @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 3
  2. 85 % of breaches involved the human element1 1 Verizon

    DBIR 2021 - https://www.verizon.com/dbir @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 4
  3. compromised external cloud assets more common than on-premises assets1 1

    Verizon DBIR 2021 - https://www.verizon.com/dbir @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 6
  4. Let's don't forget about the price tag of data breaches.

    @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 7
  5. Let's don't forget about the price tag of data breaches.

    @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 8
  6. $4.24M average cost of data breach2 2 IBM Cost of

    Data Breach Report - https://www.ibm.com/security/data-breach @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 9
  7. $180 per record cost of customer PII2 2 IBM Cost

    of Data Breach Report - https://www.ibm.com/security/data-breach @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 10
  8. It's me ... Hans-Peter • Developer ! Advocate @ Red

    Hat • Open-Source Enthusiast • Confluent Community Catalyst since 2019 • MongoDB Champion since 2020 • based in Graz, Austria " @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 11
  9. ? data in use by BROKERS @hpgrahsl | #Current22 -

    Austin, Texas | Oct 4-5, 2022 28
  10. BROKERS see everything ... and so does any legitimate Kafka

    client @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 29
  11. ? ? ? end-to-end encryption ? ? ? @hpgrahsl |

    #Current22 - Austin, Texas | Oct 4-5, 2022 32
  12. Cryptography • Tink by Google • AEAD based on AES

    GCM • DAEAD based on AES SIV • key rotation support @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 56
  13. Keyset Management • within SMT config (not recommended) • externalized

    to separate file (okayish) • remote / cloud KMS (recommended) • preliminary Azure Key Vault support @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 57
  14. ! Little Ideas ! • wildcard / regex matching for

    field names • dynamic keyset selection based on payload • additional KMS providers (GCP, AWS, ...) @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 58
  15. ! Bigger Ideas ! • add cryptography options (e.g. FPE)

    • extend scope beyond Kafka Connect and ksqlDB • make CSFLC language / runtime agnostic @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 59
  16. @hpgrahsl Let's stay in touch ! on Twitter @hpgrahsl |

    #Current22 - Austin, Texas | Oct 4-5, 2022 60
  17. ! TRY IT " • Project Code https://bit.ly/current22-k4k • Demo

    Scenarios https://bit.ly/current22-demo @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 61
  18. Data should continue to be a valuable asset, not become

    a costly liability. @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 62
  19. Photo Credits in order of appearance (c) John Salvino -

    https://unsplash.com/photos/bqGBbLq_yfc (c) Wolf Zimmermann - https://unsplash.com/photos/6sf5rf8QYFE (c) Jason Leung - https://unsplash.com/photos/SAYzxuS1O3M (c) Dev Asangbam - https://unsplash.com/photos/sh9vkVbVgo (c) Keenan Constance - https://unsplash.com/photos/VTLcvV6UVaI (c) Steve Johnson - https://unsplash.com/photos/hokONTrHIAQ (c) Pete Linforth - https://pixabay.com/illustrations/biometrics-access-identification-4503187/ (c) Miguel Á. Padriñán - https://www.pexels.com/photo/close-up-shot-of-keys-on-a-red-surface-2882687/ (c) Camila Quintero Franco - https://unsplash.com/photos/mC852jACK1g (c) Gerd Altmann - https://pixabay.com/illustrations/board-excuse-me-excuse-discharge-1848736/ (c) Vijaya narasimha - https://pixabay.com/photos/crevasse-sand-stone-hills-rock-399957/ (c) Gerd Altmann - https://pixabay.com/photos/trust-man-hood-map-prompt-4321822/ (c) Matheo JBT - https://unsplash.com/photos/HLhvZ9HRAwo (c) Rob Laughter - https://unsplash.com/photos/WW1jsInXgwM (c) Markus Spiske - https://unsplash.com/photos/iar-afB0QQw (c) Nerene Grobler - https://unsplash.com/photos/sLxcfdsqLQ (c) Wilhelm Gunkel - https://unsplash.com/photos/L04Kczg_Jvs (c) Matt Walsh - https://unsplash.com/photos/tVkdGtEe2C4