
Zero Trusted Networks - Why perimeter security is dead

For a long time, the idea of a trusted network inside a defined corporate perimeter was prevalent. With the advent of cloud computing, microservices, and remote work, this assumption no longer holds. Networks are inherently unsafe, and you should always assume that the attacker is already in your network. This deck provides some insights into this new mantra.

Jochen Kressin

November 07, 2018

Transcript

  1. SEARCH GUARD - ZERO TRUSTED NETWORKS, OR: WHY PERIMETER SECURITY IS DEAD

    © 2018 floragunn GmbH - All Rights Reserved
  2. ABOUT ME

    - Jochen Kressin, Co-Founder & CTO of floragunn GmbH
    - Makers of Search Guard Enterprise Security Suite for Elasticsearch
    - Founded 2012
    - Main office: Berlin, Germany
    - Partner offices: Seattle, New York, Miami, Bordeaux
    - Meet us at booth #15
  3. WHY THIS TOPIC?

    - I talk a lot to customers that are using Elasticsearch
    - Most of them store sensitive data inside Elasticsearch
        - Personally identifiable information: User- or customer data
        - Financial information: Transaction data
        - Healthcare information: Patient data
    - Elasticsearch does not offer security out-of-the-box
    - Natural question: How do you secure Elasticsearch?
    - Answers are scary …
  4. ANSWERS

    Diagram labels: Evil Internet, Sensitive Data; three Elasticsearch setups captioned “It’s unprotected”, “Firewall” and “VPN and Firewall”.
  5. PERIMETER SECURITY

    Diagram labels: Evil Internet, Firewall, Loadbalancer, Elasticsearch, Data Lake; HTTPS, HTTPS, HTTPS, HTTP; “Untrusted”, “Trusted Perimeter”.
  6. ASSUMPTIONS

    - Traffic from the outside cannot be trusted
    - Traffic inside the perimeter can be trusted
    - Access to the perimeter can be controlled
    - Consequences
        - VPNs, firewalls and loadbalancers are sufficient
        - At any point in time, we know who has access to the data
        - Traffic inside the VPN does not need to be encrypted end-to-end
        - Performance is more important than encryption
        - Security breaches will be detected
  7. REALITY CHECK

    - Does perimeter security work?
    - If it works, why do we still suffer from security breaches and data loss?
    - Data breach @ Exactis
        - Close to 340 million personal records leaked
        - Phone number, home address
        - Number, age and gender of children
        - Elasticsearch cluster publicly accessible
        - I don’t think this was on purpose, but a human mistake
  8. WHAT HAS CHANGED?

    - Access control
        - Partners, freelancers, part-time contractors etc.
        - These are all potential inside threats
    - Locations
        - Remote offices
        - Remote workers
    - Devices
        - Laptops, smartphones, tablets
        - Bring your own device
  9. WHAT HAS CHANGED?

    - Cloud computing
    - Cloud storage
    - Microservices
    - SaaS / PaaS / IaaS
    - Containerization
    - Docker, Kubernetes etc.
    - How to apply IP-based security?
    - Decentralized systems / clusters
    - Internet of things
  10. WHERE IS THE PERIMETER NOW?

    Diagram labels: Office, Internet, Anywhere, Cloud Storage, SaaS, Cloud Storage, Elasticsearch, Datacenter.
  11. PERIMETER SECURITY REVISITED

    Diagram labels: Evil Internet, Firewall, Loadbalancer, Elasticsearch, Data Lake; HTTPS, HTTPS, HTTPS, HTTP; “Untrusted”, “Trusted Perimeter”.
  12. ZERO TRUSTED NETWORK

    Diagram labels: Office, Internet, Elasticsearch, Anywhere, Datacenter, Cloud Storage, SaaS, Cloud Storage; “Untrusted”.
  13. FACT CHECK

    - Companies do not have full control anymore
        - Explosion of devices and locations
        - Data and services are moving to the cloud
        - Internet of Things
    - Inside attacks are ever increasing
        - 60% of attacks originated from the inside (IBM study 2016)
        - Attacks via social engineering
    - Lines between inside and outside are blurry at best
  14. PARADIGM SHIFT

    - No traffic can be trusted
        - Regardless where it originates
        - Regardless from which device
    - No IP / port / application can be trusted
        - Cloud, containers, IoT
        - Traditional firewall approach flawed
    - No user can be trusted
        - Beware of inside attacks
        - Outside personnel
  15. PARADIGM SHIFT

    - Move security to where the data lives
    - No unsecured services
        - Not even in a VPN
    - No unencrypted traffic, anywhere
        - Not even in a VPN
    - Assume attackers are already in your network
    - Never trust, always verify
    - Apply least privilege strategies
    - Inspect and log all traffic
  16. EXAMPLE: ELASTICSEARCH

    Diagram labels: Search Guard (on each of four nodes), Node, Node; REST, TRANSPORT; TLS Secured, TLS Secured, TLS Secured; https://example.com:
  17. EXAMPLE: ELASTICSEARCH

    Diagram labels, in slide order: Any location; Any device; HTTPS; Validate certificates; Hostname verification; DNS Lookups; Authentication; Certificate revocation; TLS; Role-based access control; Least privilege approach; No defaults; RBAC; Document-level; Field-level; Filtering; Anonymization; Data; Audit Logs; Track access; Monitor anomalies; Alerting; Data Lake; Elasticsearch.
  18. OPEN SOURCE / OPEN CODE

    - Complete Search Guard code has always been publicly accessible
    - Code has been audited several times
        - By the community
        - By security experts and auditors of customers
        - Verified by Veracode
    - Download, inspect, audit, compile
        - https://github.com/floragunncom/search-guard
        - https://github.com/floragunncom/search-guard-enterprise-modules
  19. RESOURCES

    - Search Guard website: https://search-guard.com/
    - Documentation: https://docs.search-guard.com
    - Community Forum: https://groups.google.com/d/forum/search-guard
    - GitHub: https://github.com/floragunncom
  20. floragunn GmbH

    - Tempelhofer Ufer 16, D-10963 Berlin, Germany
    - E-Mail: [email protected]
    - Web: search-guard.com
    - Managing Directors: Claudia Kressin, Jochen Kressin
    - Register court: Amtsgericht Charlottenburg
    - Registration number: HRB 147010 B
    - E-Mail: [email protected]

    Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.
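
The data-level controls named on slides 15 and 17 (verify every request, least privilege with no defaults, document- and field-level filtering, anonymization, audit logging), sketched as an added Python example. It is not Search Guard code or configuration; the role model, `search`, `mask`, the key and the sample documents are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample documents standing in for an index with sensitive data.
DOCS = [
    {"id": 1, "dept": "billing", "name": "Ada Moss", "iban": "DE00TEST0001", "amount": 120},
    {"id": 2, "dept": "support", "name": "Bo Lind", "iban": "DE00TEST0002", "amount": 75},
]
MASK_KEY = b"constructed-demo-key"  # placeholder; load from a secret store in practice

# Hypothetical role model: a role grants only what it lists (no defaults, no wildcards).
ROLES = {
    "billing_clerk": {
        "doc_filter": lambda d: d["dept"] == "billing",  # document-level security
        "fields": {"id", "dept", "amount", "name"},      # field-level security
        "anonymize": {"name"},                           # returned masked, never in clear
    },
}
AUDIT_LOG = []  # every decision is recorded, allowed or denied


def mask(value):
    """Keyed hash so masked values cannot be reversed by hashing guesses."""
    return hmac.new(MASK_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:12]


def search(user, roles, authenticated):
    """Evaluate one request: nothing is trusted because of where it came from."""
    grants = [ROLES[r] for r in roles if r in ROLES]
    if not authenticated or not grants:  # unknown roles grant nothing
        AUDIT_LOG.append({"user": user, "result": "DENIED", "docs": []})
        return []
    visible, ids = [], []
    for doc in DOCS:
        matching = [g for g in grants if g["doc_filter"](doc)]
        if not matching:
            continue
        fields = set().union(*(g["fields"] for g in matching))
        masked = set().union(*(g["anonymize"] for g in matching))  # masking wins
        visible.append({k: mask(v) if k in masked else v
                        for k, v in doc.items() if k in fields})
        ids.append(doc["id"])
    AUDIT_LOG.append({"user": user, "result": "ALLOWED", "docs": ids})
    return visible
```

The check runs at the data store on every request, so a caller inside the VPN with no matching role gets the same empty result and the same audit entry as one from the Internet.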