Plan for next 40 mins:
1. Intro (OWASP, GDPR, US Department of Defense)
2. Threats in common distributed architectures
3. Defense in Depth for data: why, when, how
4. Acra as example of DiD approach
5. Existing tools and solutions
6. Outro and links
@vixentael
Slide 7
Why care anyway?
• users (upset, angry)
• regulations (fines, GDPR, HIPAA, PCI DSS, DPB)
• business continuity (fines, competitors, legal)
• service providers are pushing (Google, Apple)
Slide 8
GDPR
Article 32/35: responsibly store and process data according to risks.
Article 33/34: detect data leakage and alert users & the controller.
https://gdpr-info.eu/
Slide 9
GDPR Article 32
https://gdpr-info.eu/
Slide 10
US Department of Defense
Slide 11
US Department of Defense
https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFTWARE_2018.04.20.PDF
Slide 12
Google
https://support.google.com/cloud/answer/9110914
Slide 13
OWASP Top-10 web risks
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Injection
• Broken Authentication and Session Management
• Sensitive Data Exposure
• XML External Entity
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting
• Insecure Deserialization
• Using Components With Known Vulnerabilities
• Insufficient Logging and Monitoring
Slide 14
Data & risks
User data: PII, likes, preferences, purchase history, locations
Service data: logs, keys, accesses, API tokens, backups, configurations
Slide 15
Data & risks (user data and service data):
• compliance risks
• legal risks
• reputational risks
• continuity risks
https://medium.com/@cossacklabs/trick-or-threat-security-losses-for-business-f5b44243d89c
Slide 16
Most users trust sensitive data to your app regardless of how well you protect it.
Slide 25
Band-aid security model == Perimeter security
Slide 27
Band-aid security model
Slide 28
Band-aid security model: risks
Slide 29
Defense in Depth: an independent, yet interconnected, set of security controls aimed at mitigating multiple risks during the whole application flow.
Slide 30
Align security controls
1. Security controls protect data globally (during the whole data flow / app lifecycle).
2. Whatever the attack vector, there is a defense layer.
3. For the most popular attack vectors, we want as many independent defenses as possible.
Slide 31
Use cryptography as the global protection layer.
Slide 32
Decryption proxy: web, mobile
E2EE: mobile, IoT
Slide 33
Decryption proxy
Slide 34
Predictable data flow
1. Separated encryption and decryption.
2. Write encrypted data to the database.
3. Read data from the database via decryption proxy.
Slide 35
Show me real things!
Slide 36
Writing data flow
Slide 37
Reading data flow
Slides 38-40
Key model
public key: unique per user/app
private keys: KMS, HSM
can't decrypt
Slide 41
Key model IRL
Slide 42
System compromise
1. DB doesn't know the nature of data.
2. App doesn't have a way to decrypt data.
Encryption itself is not enough
github.com/cossacklabs/acra/
Slide 46
System compromise
1. DB doesn't know the nature of data.
2. App doesn't have a way to decrypt data.
3. Data is being watched: key management, SQL firewall, monitoring, access control, audit logs.
Slide 47
System compromise
The only way to obtain plaintext from the DB is to request it through the decryption proxy.
Slide 48
System compromise
The only way to obtain plaintext from the DB is to request it through the decryption proxy. Or:
compromise the backend app
& compromise the SQL firewall
& compromise the proxy and key store
& get around logs, SIEM, honeypots.
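A worked version of the split write/read flow from slides 34 and 38-48, as an added example in Go (Acra's implementation language) that is not the project's own code: the app encrypts each record with only the proxy's public key, the database stores opaque bytes, and only the proxy, which holds the private key, can decrypt. The ECIES-style construction (ephemeral X25519 plus AES-256-GCM under a SHA-256-derived key), the record layout and the function names are assumptions of this example, not Acra's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

const pubLen = 32 // record = ephemeral X25519 public key (32 bytes) || AES-256-GCM ciphertext+tag
// EncryptForProxy is the app-side write step: the app holds only the proxy's public key.
func EncryptForProxy(proxyPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair for every record
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(eph, proxyPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// The derived key is single-use, so a fixed nonce is safe (as in sealed boxes); ephPub is bound as AAD.
	ct := gcm.Seal(nil, make([]byte, gcm.NonceSize()), plaintext, ephPub)
	return append(ephPub, ct...), nil
}

// DecryptAtProxy is the proxy-side read step and the only holder of the private key: any other key fails the tag check.
func DecryptAtProxy(proxyPriv *ecdh.PrivateKey, record []byte) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(record[:min(pubLen, len(record))]) // rejects short records
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(proxyPriv, ephPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), record[pubLen:], record[:pubLen])
}

// aeadFor: AES-256-GCM keyed by SHA-256(X25519 shared secret), a simplified KDF assumed here (use HKDF in production).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub) // errors on a low-order (all-zero) result
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}
```

A compromised database or backend app holding only the stored record and the public key gets an authentication failure from DecryptAtProxy with any key but the proxy's, which is the property slides 42 and 47 rely on.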
Slide 49
Lines of defense
Slide 51
Defense in Depth = global security controls + band-aid security tools.
Slides 53-55
How to build?
1. Build on your own (start from design).
2. Use boxed solutions (Oracle).
3. Build using existing tools:
   DB + Acra + SIEM + WAF
   DB + GreenSQL + libsodium + own decryption proxy + IDS + SIEM + WAF
   DB + Acra + AWS + SIEM
Slide 56
Acra Community Edition
cossacklabs.com/acra/
github.com/cossacklabs/acra/
marketplace.digitalocean.com/apps/acra
Slide 57
Covered Top-10 web risks
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Injection
• Broken Authentication and Session Management
• Sensitive Data Exposure
• XML External Entity
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting
• Insecure Deserialization
• Using Components With Known Vulnerabilities
• Insufficient Logging and Monitoring
Slide 58
Key points
Slide 59
1. Security ==
2. Defense in Depth == independent, yet interconnected controls.
3. Cryptography == good core level for DiD.
4. Ready-to-use tools exist. Use them.
Slide 60
Reading, watching
Slide 61
12 and 1 ideas how to enhance backend data security
https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88
How to prevent database leaks and injections
https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614
Building Defence in Depth for your data using Acra
https://www.cossacklabs.com/blog/defense-in-depth-with-acra.html
Insecure Transit - Microservice Security
https://samnewman.io/talks/insecure-transit-microservice-security/
Slide 62
@vixentael
cryptographic tools, security consulting, training
github.com/vixentael/my-talks