Slide 1

Slide 1 text

"Defense in Depth": trench warfare principles for building secure distributed applications. @vixentael

Slide 2

Slide 2 text

@vixentael: product engineer in security and cryptography; OSS maintainer of Themis and Acra. Cryptographic tools, security engineering, datasec training.

Slide 3

Slide 3 text

Bespoke data security solutions and security engineering.

Slide 4

Slide 4 text

speakerdeck.com/vixentael/defense-in-depth-trench-warfare-principles-for-building-secure-distributed-applications

Slide 5

Slide 5 text

Plan for the next 40 mins:

1. Intro (OWASP, GDPR, US Department of Defense)
2. Threats in common distributed architectures
3. Defense in Depth for data: why, when, how
4. Acra as an example of the DiD approach
5. Existing tools and solutions
6. Outro and links

Slide 6

Slide 6 text


Slide 7

Slide 7 text

Why care anyway?

- users (upset, angry)
- regulations (fines, GDPR, HIPAA, PCI DSS, DPB)
- business continuity (fines, competitors, legal)
- service providers are pushing (Google, Apple)

Slide 8

Slide 8 text

GDPR (https://gdpr-info.eu/)

- Article 32/35: responsibly store and process data according to risks
- Article 33/34: detect data leakage and alert users & controller

Slide 9

Slide 9 text

GDPR Article 32 (https://gdpr-info.eu/)

Slide 10

Slide 10 text

US Department of Defense

Slide 11

Slide 11 text

US Department of Defense: https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFTWARE_2018.04.20.PDF

Slide 12

Slide 12 text

Google: https://support.google.com/cloud/answer/9110914

Slide 13

Slide 13 text

OWASP Top-10 web risks (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

- Injection
- Broken Authentication and Session Management
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging and Monitoring

Slide 14

Slide 14 text

Data & risks

- PII
- User data: likes, preferences, purchase history, locations
- Service data: logs, keys, accesses, API tokens, backups, configurations

Slide 15

Slide 15 text

Data & risks

- User data: compliance risks, legal risks, reputational risks
- Service data: continuity risks, reputational risks

https://medium.com/@cossacklabs/trick-or-threat-security-losses-for-business-f5b44243d89c

Slide 16

Slide 16 text

Most users trust sensitive data to your app regardless of how well you protect it.

Slide 17

Slide 17 text

Typical web architecture

Slide 18

Slide 18 text


Slide 19

Slide 19 text

Potential attacks

Slide 20

Slide 20 text


Slide 21

Slide 21 text

But we know many security controls!

Slide 22

Slide 22 text

encryption & key mngmt, AAA, WAF, honey pots, IDS, infra mngmt, compartmentalization, authenticated crypto & integrity checks, access logging, jailbans, monitoring, data firewall, SIEM, HIDS, DAST, SAST, KMS, HSM, PKI, TPM, honey tokens, RTFM, dep mngmt, UEBA, IAM, TLS, TDE

Slide 23

Slide 23 text

Band-aid security model

Slide 24

Slide 24 text

Band-aid security model == Perimeter security

Slide 25

Slide 25 text

Band-aid security model == Perimeter security

Slide 26

Slide 26 text


Slide 27

Slide 27 text

Band-aid security model

Slide 28

Slide 28 text

Band-aid security model: risks

Slide 29

Slide 29 text

Defense in Depth – independent, yet interconnected, set of security controls aimed at mitigating multiple risks during the whole application flow

Slide 30

Slide 30 text

Align security controls

1. Security controls do protect data globally (during the whole data flow / app lifecycle).
2. Whatever the attack vector is, there is a defense layer.
3. For the most popular attack vectors, we want as many independent defenses as possible.

Slide 31

Slide 31 text

use cryptography as global protection layer

Slide 32

Slide 32 text

- Decryption proxy: web, mobile
- E2EE: mobile, IoT

Slide 33

Slide 33 text

Decryption proxy

Slide 34

Slide 34 text

Predictable data flow

1. Separated encryption and decryption.
2. Write encrypted data to the database.
3. Read data from the database via the decryption proxy.

Slide 35

Slide 35 text

Show me real things!

Slide 36

Slide 36 text

Writing data flow

Slide 37

Slide 37 text

Reading data flow

Slide 38

Slide 38 text

Key model: unique per user/app public key

Slide 39

Slide 39 text

Key model: unique per user/app public key; private keys (KMS, HSM)

Slide 40

Slide 40 text

Key model: unique per user/app public key; private keys (KMS, HSM); the other components are marked "can't decrypt"

Slide 41

Slide 41 text

Key model IRL

Slide 42

Slide 42 text

System compromise

1. DB doesn't know the nature of data.
2. App doesn't have a way to decrypt data.
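The write/read split of slides 34 through 42, as an added Go example that is not Acra's own code or on-disk format: the backend app encrypts with the user's public key via an ephemeral X25519 agreement, the DB stores only the resulting envelope, and only the proxy, which holds the private key, can open it. The envelope layout, the SHA-256 key derivation and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DB column layout (constructed): ephemeral X25519 pubkey || GCM nonce || ciphertext+tag.
const pubLen, nonceLen, tagLen = 32, 12, 16

// recordAEAD derives the per-record AES-256-GCM key from an X25519 agreement.
// SHA-256 stands in for a real KDF; AES/GCM setup cannot fail for a 32-byte key.
func recordAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(block)
}

// AppEncrypt runs in the backend app, which holds only the user's public key
// and so can write records that it has no way to read back.
func AppEncrypt(userPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	aead, err := recordAEAD(eph, userPub)
	if err != nil { return nil, err }
	ephBytes := eph.PublicKey().Bytes()
	nonce := make([]byte, nonceLen)
	rand.Read(nonce) // crypto/rand never returns a short read
	env := append(append([]byte{}, ephBytes...), nonce...)
	// The ephemeral key is bound as associated data, so swapping it in the DB is detected.
	return aead.Seal(env, nonce, plaintext, ephBytes), nil
}

// ProxyDecrypt runs in the decryption proxy, the only component holding the user's
// private key (from a KMS/HSM in production). A tampered record or another user's
// key fails authentication here instead of yielding garbage.
func ProxyDecrypt(userPriv *ecdh.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < pubLen+nonceLen+tagLen { return nil, errors.New("envelope too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(env[:pubLen])
	if err != nil { return nil, err }
	aead, err := recordAEAD(userPriv, ephPub)
	if err != nil { return nil, err }
	nonce, ct := env[pubLen:pubLen+nonceLen], env[pubLen+nonceLen:]
	return aead.Open(nil, nonce, ct, env[:pubLen])
}
```

Because the per-user private key never reaches the app or the DB, a dump of either yields only envelopes, and a record re-keyed or modified in the DB fails the GCM tag check at the proxy.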

Slide 43

Slide 43 text

Encryption itself is not enough

Slide 44

Slide 44 text

encryption & key mngmt, AAA, WAF, honey pots, IDS, infra mngmt, compartmentalization, authenticated crypto & integrity checks, access logging, jailbans, monitoring, data firewall, SIEM, HIDS, DAST, SAST, KMS, HSM, PKI, TPM, honey tokens, RTFM, dep mngmt, UEBA, IAM, TLS, TDE

Slide 45

Slide 45 text

Encryption itself is not enough: github.com/cossacklabs/acra/

Slide 46

Slide 46 text

System compromise

1. DB doesn't know the nature of data.
2. App doesn't have a way to decrypt data.
3. Data is being watched: key management, SQL firewall, monitoring, access control, audit logs.

Slide 47

Slide 47 text

System compromise: the only way to obtain plaintext from the DB is to request it through the decryption proxy.

Slide 48

Slide 48 text

System compromise: the only way to obtain plaintext from the DB is to request it through the decryption proxy. Or: compromise the backend app & compromise the SQL firewall & compromise the proxy and key store & get around logs, SIEM, honey pots.

Slide 49

Slide 49 text

Lines of defense

Slide 50

Slide 50 text


Slide 51

Slide 51 text

Defense in Depth = global security controls + band-aid security tools.

Slide 52

Slide 52 text


Slide 53

Slide 53 text

How to build?

1. Build on your own (start from design).

Slide 54

Slide 54 text

How to build?

1. Build on your own (start from design).
2. Use boxed solutions (Oracle).

Slide 55

Slide 55 text

How to build?

1. Build on your own (start from design).
2. Use boxed solutions (Oracle).
3. Build using existing tools:
   - DB + Acra + SIEM + WAF
   - DB + GreenSQL + libsodium + own decryption proxy + IDS + SIEM + WAF
   - DB + Acra + AWS + SIEM

Slide 56

Slide 56 text

Acra Community Edition: cossacklabs.com/acra/, github.com/cossacklabs/acra/, marketplace.digitalocean.com/apps/acra

Slide 57

Slide 57 text

Covered Top-10 web risks (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

- Injection
- Broken Authentication and Session Management
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components With Known Vulnerabilities
- Insufficient Logging and Monitoring

Slide 58

Slide 58 text

Key points

Slide 59

Slide 59 text

1. Security ==
2. Defense in Depth == independent, yet interconnected controls.
3. Cryptography == good core level for DiD.
4. Ready-to-use tools exist. Use them.

Slide 60

Slide 60 text

Reading, watching

Slide 61

Slide 61 text

- 12 and 1 ideas how to enhance backend data security: https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88
- How to prevent database leaks and injections: https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614
- Building Defence in Depth for your data using Acra: https://www.cossacklabs.com/blog/defense-in-depth-with-acra.html
- Insecure Transit - Microservice Security: https://samnewman.io/talks/insecure-transit-microservice-security/

Slide 62

Slide 62 text

@vixentael: cryptographic tools, security consulting, training. github.com/vixentael/my-talks