Slide 1

An Introduction to Zero Trust Security
Rosemary Wang
GIDS Live | April 29, 2021

Slide 2

@JOATMON08
(Diagram of a firewall rule set: ALLOW ALL INBOUND TCP; ALLOW OUTBOUND TCP TO 10.0.0.0/16)

Slide 3

“…no person, device, or network enjoys inherent trust.”
cloud.google.com/blog/topics/developers-practitioners/what-zero-trust-identity-security

Slide 4

“Never trust, always verify.”

Slide 5

Rosemary Wang (She/Her)
Developer Advocate at HashiCorp
@joatmon08
joatmon08.github.io

Slide 6

“A system needs to know who you are…before it can determine what you should have access to.”
cloud.google.com/blog/topics/developers-practitioners/what-zero-trust-identity-security

Slide 7

Zero Trust Security: Three goals
▪ Authorization – Can you access this?
▪ Authentication – Are you who you say you are?
▪ Audit – Who did what?

Slide 8

Zero Trust Security: Three challenges
▪ Ephemerality – No consistent way to account for system changes.
▪ Identity – No unified model across software, platform, and tools.
▪ Productivity – No easy implementation to support, or to innovate on.

Slide 9

Zero trust is asymptotic. It can approach zero but never reach it.

Slide 10

Address these challenges across…
▪ Person – Human to machine access
▪ Device – Machine authentication & authorization
▪ Network – Service to service access

Slide 11

Possible Solutions
▪ Identity & Access Management (IAM) Tools
– Tool-specific
– Cloud-specific
▪ Add abstraction (with tools or build your own)
▪ Manage it “as code”

Slide 12

(Architecture diagram, labelled CONFIGURATION AS CODE with the Person, Devices and Network layers marked: MY VPC 10.0.0.0/16 is joined by a PEERING CONNECTION to the HASHICORP VIRTUAL NETWORK 172.25.16.0/20, which hosts the VAULT SERVER and CONSUL SERVER. The VPC's PUBLIC SUBNETS hold the BOUNDARY CONTROLLER and BOUNDARY DATABASE (POSTGRESQL). Its PRIVATE SUBNETS hold EKS (KUBERNETES) running the BOUNDARY WORKER, VAULT AGENT, CONSUL AGENTS, PRODUCT API, PUBLIC API, FRONTEND API and a CONSUL TERMINATING GATEWAY, plus the PRODUCTS DATABASE (POSTGRESQL). An ENGINEER authenticates to Boundary and then reaches endpoints over PSQL, SSH and TCP :80.)

Slide 13

Our Application
(Diagram: FRONTEND API, PUBLIC API, PRODUCT API and PRODUCTS DATABASE (POSTGRESQL))
PERSON: ONLY PRODUCT DEVELOPER CAN ACCESS FRONTEND.
DEVICE: ONLY PRODUCT API CAN ACCESS THE DATABASE.
NETWORK: ONLY FRONTEND CAN ACCESS PUBLIC API.

Slide 14

Person

Slide 15

Should this person be able to access that?
Relevant for remote work

Slide 16

Person(as)
Development – Access includes:
▪ Applications
▪ Business data
▪ Development environments
▪ Monitoring systems
Business – Access includes:
▪ Applications
▪ Business data
▪ Software as a service
Operations – Access includes:
▪ All environments
▪ Most systems and infrastructure

Slide 17

Identity Access Management
(Diagram of the Boundary domain model, boundaryproject.io/docs/concepts/domain-model: an ORGANIZATION scope containing the CORE_INFRA and PRODUCTS_INFRA projects. Groups: OPERATIONS TEAM, PRODUCTS TEAM and BUSINESS TEAM, with members ROSEMARY, ROB and MELISSA; the business team is READ-ONLY FOR ORGANIZATION. Targets: EKS NODES (EC2 INSTANCES) TCP:22, PRODUCTS DATABASE (POSTGRESQL) TCP:5432, FRONTEND TCP:80, TCP:8200 and TCP:8500, and SAAS ENDPOINTS.)

Slide 18

In this system… Never trust.
▪ Configure IAM as code
– Uses Terraform to configure AWS & Boundary
▪ One ingress point to access endpoints
– Uses AWS IAM to restrict roles
– Uses Boundary to restrict access to infrastructure endpoints
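The "IAM as code" half of this slide, written out in Terraform as an added example; it is not code from the deck or from the linked hashicorp-stack-demoapp repository. It builds the products-team slice of the slide-17 domain model with the hashicorp/boundary provider (resource names follow that provider's current documentation, which may differ from what the 2021 repository used): an org scope, the PRODUCTS_INFRA project, the products database as a TCP:5432 target, and one role that lets only the products-team group authorize sessions to that target. The controller address, the database host address, the user and scope names, and the `rosemary_password` variable are assumptions made for the example.

```hcl
terraform {
  required_providers {
    boundary = { source = "hashicorp/boundary" }
  }
}

# Controller address is assumed; the operator token comes from
# `boundary authenticate`, not from this file.
provider "boundary" {
  addr = "https://boundary.example.internal:9200"
}

# Org scope that holds the teams; the project scope holds the targets.
resource "boundary_scope" "org" {
  name                     = "organization"
  scope_id                 = "global"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_scope" "products_infra" {
  name                   = "products_infra"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

# Human identity: a password account at the org scope, attached to a user.
resource "boundary_auth_method_password" "org" {
  scope_id = boundary_scope.org.id
}

resource "boundary_account_password" "rosemary" {
  auth_method_id = boundary_auth_method_password.org.id
  login_name     = "rosemary"
  password       = var.rosemary_password # supplied out of band, never committed
}

resource "boundary_user" "rosemary" {
  name        = "rosemary"
  scope_id    = boundary_scope.org.id
  account_ids = [boundary_account_password.rosemary.id]
}

resource "boundary_group" "products_team" {
  name       = "products-team"
  scope_id   = boundary_scope.org.id
  member_ids = [boundary_user.rosemary.id]
}

# The database is registered as a host in a static catalog; the address is an
# assumed private-subnet IP.
resource "boundary_host_catalog_static" "products" {
  name     = "products-infra"
  scope_id = boundary_scope.products_infra.id
}

resource "boundary_host_static" "products_db" {
  name            = "products-database"
  host_catalog_id = boundary_host_catalog_static.products.id
  address         = "10.0.2.10"
}

resource "boundary_host_set_static" "products_db" {
  name            = "products-database"
  host_catalog_id = boundary_host_catalog_static.products.id
  host_ids        = [boundary_host_static.products_db.id]
}

# TCP:5432 target. The worker brokers the session: the engineer gets a local
# forwarded port, never a route into the database subnet, and the session
# itself expires.
resource "boundary_target" "products_db" {
  name                     = "products-database"
  type                     = "tcp"
  scope_id                 = boundary_scope.products_infra.id
  default_port             = 5432
  session_max_seconds      = 3600
  session_connection_limit = 1
  host_source_ids          = [boundary_host_set_static.products_db.id]
}

# Least privilege: the products team may read and authorize sessions to this
# one target. No "id=*;type=*;actions=*" wildcard grant.
resource "boundary_role" "products_db_access" {
  name          = "products-database-access"
  scope_id      = boundary_scope.products_infra.id
  principal_ids = [boundary_group.products_team.id]
  grant_strings = [
    "id=${boundary_target.products_db.id};actions=read,authorize-session",
  ]
}

variable "rosemary_password" {
  type      = string
  sensitive = true
}
```

After `terraform apply`, the engineer runs `boundary authenticate password` and then `boundary connect -target-id <target id>` and points `psql` at the local port Boundary prints. Anyone outside the products-team group, including a user who knows the database address, gets a permission error at the `authorize-session` step, and the session record itself is the audit trail the next slide asks for.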

Slide 19

To improve… Always verify.
▪ Least-privilege?
– Policy as code
– Identify and remediate unused endpoints
▪ Auditing?
– Identify who logged in and did what

Slide 20

Device

Slide 21

Should this device be able to access that?
Relevant for systems

Slide 22

Devices
Containers – Access includes:
▪ Applications
▪ Business data
▪ Development environments
▪ Monitoring systems
Machines – Access includes:
▪ Other machines
▪ Software
Other – Access includes:
▪ Personal computing
▪ Edge devices

Slide 23

(Diagram: EKS (KUBERNETES) in the PRIVATE SUBNETS of MY VPC 10.0.0.0/16 runs the VAULT AGENT alongside PRODUCT API, PUBLIC API and FRONTEND API; a PEERING CONNECTION links the VPC to the VAULT SERVER in the HASHICORP VIRTUAL NETWORK 172.25.16.0/20. The Vault agent's workflow for the PRODUCTS DATABASE (POSTGRESQL):)
1. Authenticate to Vault
2. Create database username and password
3. Return database username and password
4. Create file with database username and password
5. Revoke database username and password when TTL expires

Slide 24

In this system… Never trust.
▪ Authenticate everything
– Uses Vault to get access to other machines (like databases)
▪ Ephemeral access
– Uses Vault to revoke tokens and access to other machines regularly
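The five-step flow on the previous slide, configured in HCL as an added example that is not code from the deck or the demo repository. The first part uses the hashicorp/vault Terraform provider: Kubernetes auth so the product-api pod authenticates with its service account token (step 1), a policy that permits nothing but reading one credentials path, and the database secrets engine with a role whose leases Vault revokes on expiry (steps 2, 3 and 5). The second part is the Vault Agent sidecar configuration that renders the credential into a file for the application (step 4). The database hostname, namespace, service-account name, TTLs and the admin-credential variables are assumptions; the SQL grants are an illustration of what least privilege might look like for this app, not the deck's actual schema.

```hcl
# ---- Terraform (vault provider): server-side configuration ------------------
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

# Step 1: pods prove who they are with their Kubernetes service account JWT.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

resource "vault_kubernetes_auth_backend_config" "eks" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default.svc:443" # assumed in-cluster API
}

# Only the product-api service account in the products namespace maps to this
# role, so no other pod can obtain database credentials.
resource "vault_kubernetes_auth_backend_role" "product_api" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "product-api"
  bound_service_account_names      = ["product-api"]
  bound_service_account_namespaces = ["products"]
  token_policies                   = [vault_policy.product_api.name]
  token_ttl                        = 3600
}

# The policy is scoped to one creds path: no other role, no KV, no sys/.
resource "vault_policy" "product_api" {
  name   = "product-api"
  policy = <<-EOT
    path "database/creds/product-api" {
      capabilities = ["read"]
    }
  EOT
}

# The only long-lived database credential lives in Vault, where it can be
# rotated with `vault write -f database/rotate-root/products`.
resource "vault_mount" "database" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "products" {
  backend       = vault_mount.database.path
  name          = "products"
  allowed_roles = ["product-api"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@products-db.internal:5432/products?sslmode=require"
    username       = var.db_admin_username
    password       = var.db_admin_password
  }
}

# Steps 2, 3 and 5: each read of database/creds/product-api creates a fresh
# PostgreSQL role with a lease; Vault runs the revocation statements when the
# lease expires (1h by default, 24h at most).
resource "vault_database_secret_backend_role" "product_api" {
  backend = vault_mount.database.path
  name    = "product-api"
  db_name = vault_database_secret_backend_connection.products.name
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
  revocation_statements = [
    "DROP OWNED BY \"{{name}}\";",
    "DROP ROLE IF EXISTS \"{{name}}\";",
  ]
  default_ttl = 3600
  max_ttl     = 86400
}

variable "db_admin_username" { type = string }
variable "db_admin_password" {
  type      = string
  sensitive = true
}

# ---- Vault Agent sidecar (agent.hcl, a separate file): client side ----------
auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config     = { role = "product-api" }
  }
  sink "file" {
    config = { path = "/vault/.vault-token" }
  }
}

# Step 4: render the lease into a file the application reads. Agent re-renders
# it before the lease expires, which is the "ephemerality may break
# applications" point on the next slide: the app must re-read the file.
template {
  destination = "/vault/secrets/database.env"
  contents    = <<-EOT
    {{ with secret "database/creds/product-api" -}}
    PGUSER={{ .Data.username }}
    PGPASSWORD={{ .Data.password }}
    {{- end }}
  EOT
}
```

The two files are shown together for reading; the Agent stanza is not Terraform and goes into the sidecar's own config. Because the database role is created with `VALID UNTIL '{{expiration}}'`, PostgreSQL itself refuses the password after the TTL even if Vault were unreachable at revocation time.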

Slide 25

To improve… Always verify.
▪ Productivity?
– Ephemerality may break applications
▪ Least-privilege?
– The right time to live for device access
– Lock down CI framework
▪ Vulnerabilities?
– Scanning code for 3rd party libraries
▪ Auditing?
– Identify devices and what they accessed

Slide 26

Network

Slide 27

Should the network allow traffic between services?
Relevant for network policies

Slide 28

Network
API Authorization – Access includes:
▪ API Gateways
▪ Authorization servers
Firewalls / Policy Groups – Access includes:
▪ IP Addresses
▪ Virtual machines
Service Mesh – Access includes:
▪ API Authorization
▪ Services

Slide 29

Service Mesh
(Diagram: mTLS BETWEEN PROXIES; NETWORK POLICY THROUGH L4 & L7 (INTENTIONS))
consul.io/docs/connect

Slide 30

In this system… Never trust.
▪ Network policy across layers
– Uses Terraform to configure firewalls and policy groups
– Uses Consul to control service-to-service communication
▪ Secure communication
– Encryption without adding to application code
– Telemetry
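Both layers of this slide in Terraform, as an added example that is not code from the deck or the demo repository. The firewall layer uses the hashicorp/aws provider to replace slide 2's "allow all inbound TCP" with a security group that admits only the EKS nodes on 5432. The mesh layer uses the hashicorp/consul provider's `consul_config_entry` to write the slide-13 rules as intentions: an L4 intention so only product-api may reach the products database (fronted by the terminating gateway from the slide-12 diagram), and an L7 intention so only the frontend may call the public API, and then only `GET` under an assumed `/products` path. Service names, the VPC and node security group variables, and the HTTP path are assumptions.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    consul = { source = "hashicorp/consul" }
  }
}

# ---- Firewall layer ---------------------------------------------------------
# The corrected form of slide 2's rule set: one ingress rule, scoped to the
# security group the EKS nodes carry rather than to a CIDR. Terraform removes
# AWS's default allow-all egress when no egress block is declared, so the
# database cannot initiate outbound connections.
resource "aws_security_group" "products_db" {
  name        = "products-database"
  description = "PostgreSQL from EKS nodes only"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.eks_node_security_group_id]
  }
}

variable "vpc_id" { type = string }
variable "eks_node_security_group_id" { type = string }

# ---- Service-mesh layer -----------------------------------------------------
# Intentions are enforced by the sidecar proxies over mTLS, so the identity
# being checked is the service certificate, not a source IP. A "*" deny entry
# closes each destination to every source not listed above it.

# DEVICE rule at L4: only product-api may open a TCP connection to the
# database service that the terminating gateway exposes.
resource "consul_config_entry" "products_database_intentions" {
  kind = "service-intentions"
  name = "products-database"
  config_json = jsonencode({
    Sources = [
      { Name = "product-api", Action = "allow" },
      { Name = "*", Action = "deny" },
    ]
  })
}

# L7 rules need the destination's protocol declared as HTTP.
resource "consul_config_entry" "public_api_defaults" {
  kind        = "service-defaults"
  name        = "public-api"
  config_json = jsonencode({ Protocol = "http" })
}

# NETWORK rule at L7: the frontend may only issue GET requests under
# /products on the public API; every other path, method and source is denied.
resource "consul_config_entry" "public_api_intentions" {
  kind = "service-intentions"
  name = "public-api"
  config_json = jsonencode({
    Sources = [
      {
        Name = "frontend"
        Permissions = [
          { Action = "allow", HTTP = { PathPrefix = "/products", Methods = ["GET"] } },
          { Action = "deny", HTTP = { PathPrefix = "/" } },
        ]
      },
      { Name = "*", Action = "deny" },
    ]
  })

  depends_on = [consul_config_entry.public_api_defaults]
}
```

Two checks worth running after apply: `consul intention check frontend public-api` should report allowed and `consul intention check product-api public-api` denied, and a `POST` from the frontend to `/products` should be rejected by the public API's sidecar with a 403 without the request ever reaching the application.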

Slide 31

To improve… Always verify.
▪ Productivity?
– Debug with proxy
– Yet another agent (performance?)
▪ Least-privilege?
– Remediate and identify unused network policy
▪ Auditing?
– Track service-to-service communication

Slide 32

Almost Zero Trust Security

Slide 33

Never trust. Easier to implement in newer systems.
▪ Manage it “as code”
▪ Add abstractions for identity of person, device, or network
– Identity & access management tool
– Secrets management
– Service mesh

Slide 34

Always verify. Mostly implemented in older systems.
▪ Dynamic analysis
– Remediation
– Vulnerability management
– Security information and events management
▪ Static analysis
– Application code
– *Infrastructure configuration

Slide 35

(Quadrant chart with axes Never Trust / Always Trust and Always Verify / Never Verify. Quadrant labels: “Brownfield” Datacenter Environments; “Greenfield” Multi-* Environments; It works on my local machine.; ???)

Slide 36

(The same quadrant chart, axes Never Trust / Always Trust and Always Verify / Never Verify. Quadrant labels: All Environments; “Brownfield” Datacenter Environments; It works on my local machine.)

Slide 37

References
▪ https://github.com/joatmon08/hashicorp-stack-demoapp
▪ https://techfieldday.com/appearance/hashicorp-presents-at-security-field-day-5/
▪ https://www.hashicorp.com/solutions/zero-trust-security
▪ https://cloud.google.com/blog/topics/developers-practitioners/what-zero-trust-identity-security

Slide 38

Thank you!
Rosemary Wang
@joatmon08
joatmon08.github.io