Slide 1

Slide 1 text

Protecting Sensitive Data in Modern Multi-Component Systems @vixentael

Slide 2

Slide 2 text

@vixentael: product engineer in security and cryptography; OSS maintainer (Themis, Acra); cryptographic tools, security consulting, training

Slide 3

Slide 3 text

Data protection tools to prevent leakage and comply with regulations.

Slide 4

Slide 4 text

Cryptography and data protection

Slide 5

Slide 5 text

Plan
1. Architectures and data leaks.
2. Sensitive data lifecycle.
3. SSDLC – defining trust, threats and risks to data.
4. Typical trust patterns.
5. Security controls: tips, tricks, tools.

Slide 6

Slide 6 text

speakerdeck.com/vixentael/protecting-sensitive-data-in-modern-multi-component-systems

Slide 7

Slide 7 text

Modern Applications are Multi-Component

Slide 8

Slide 8 text

AirBNB data infra: https://medium.com/airbnb-engineering/data-infrastructure-at-airbnb-8adfb34f169c

Slide 9

Slide 9 text

LinkedIn 2011-2015: https://engineering.linkedin.com/architecture/brief-history-scaling-linkedin

Slide 10

Slide 10 text

Netflix: https://medium.com/refraction-tech-everything/how-netflix-works-the-hugely-simplified-complex-stuff-that-happens-every-time-you-hit-play-3a40c9be254b

Slide 11

Slide 11 text

Modern Applications are Multi-Component: different, complex, use-case oriented.

Slide 12

Slide 12 text

Modern Applications are Multi-Component: different, complex, use-case oriented. They operate sensitive data.

Slide 13

Slide 13 text

So what?

Slide 14

Slide 14 text

https://en.wikipedia.org/wiki/2012_LinkedIn_hack

Slide 15

Slide 15 text

https://blog.linkedin.com/2016/05/18/protecting-our-members

Slide 16

Slide 16 text


Slide 17

Slide 17 text

twitter.com/c_pellegrino/status/981409466242486272


Slide 20

Slide 20 text

https://www.itgovernance.co.uk/blog/quora-data-breach-affects-100-million-accounts

Slide 21

Slide 21 text

Chart: millions of records leaked per month, February 2018 to February 2019 (y-axis: mln records, 0 to 1,800). Source: https://www.itgovernance.co.uk/blog/category/cyber-security/


Slide 23

Slide 23 text

https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/

Slide 24

Slide 24 text

https://www.wired.com/story/2018-worst-hacks-so-far/
 - credentials
 - geo-locations
 - health data
 - financial data
 - kids' locations
 - cars remote control
 - sex toys remote control

Slide 25

Slide 25 text

Most large leaks are caused by poor architectural decisions.

Slide 26

Slide 26 text

Why?
 - wrong assumptions and trust models
 - no tests / penetration tests
 - lack of understanding of the data life cycle
 - GTD / speed

Slide 27

Slide 27 text

Sensitive Data Life Cycle

Slide 28

Slide 28 text

Sensitive data is any kind of data that, if leaked, will break the business objectives or prosperity of those who use it.

Slide 29

Slide 29 text

Sensitive data depends on the business:
 - personally identifiable information (PII)
 - device logs and application data
 - medical & finance data
 - likes & preferences
 - …
https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

Slide 30

Slide 30 text

Secure development lifecycle methodology: MS SDL (www.microsoft.com/en-us/sdl), OWASP S-SDLC (www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project).
Stages: risk evaluation, risk assessment, threat model, security plan, secure coding, security verification, secure operations, incident response.

Slide 31

Slide 31 text

Diagram (layout): example system with the components web frontend, mobile frontend, web admin, users & orders, items, prediction service, 3rd party analytics, payment service, orders processing, logistics API, user actions analytics.

Slide 32

Slide 32 text

Diagram (flow): data flows between the same components (web frontend, mobile frontend, web admin, users & orders, items, prediction service, 3rd party analytics, payment service, orders processing, logistics API, user actions analytics).

Slide 33

Slide 33 text

Diagram (actions): the same components, each annotated with the action it performs on data: input (i), processing (p), storage (s), output (o).

Slide 34

Slide 34 text

Data classification
 - more sensitive / less sensitive
 - valued for users / for business
 - regulated / non-regulated
 - at rest / in motion
 - available for users / admins / support

Slide 35

Slide 35 text

Risks to data: data leakage, tampering, unauthorized access; reputation risks, legal responsibility, financial damage.

Slide 36

Slide 36 text

Data classification: users PII, users payments, items description, sales schedule, financial reports, users preferences, orders history, conversion analytics, TLS certs, AWS access, staff accounts, login history, db access, company accounts.

Slide 37

Slide 37 text

Data classification: the same data kinds (users PII, users payments, items description, sales schedule, financial reports, users preferences, orders history, conversion analytics, TLS certs, AWS access, staff accounts, login history, db access, company accounts), each tagged with a legend symbol: u, p, $, t, u', i.

Slide 38

Slide 38 text

Diagram (kinds of data): the same components as in the previous diagrams, each annotated with its actions (i/p/s/o) and with the legend symbols of the data kinds it handles (u, p, $, t, u', i).

Slide 39

Slide 39 text

Can we protect everything everywhere?

Slide 40

Slide 40 text

Can we protect everything everywhere? – No.

Slide 41

Slide 41 text

Can we protect everything everywhere? – No.
Prioritization:
 - risk impact
 - trust and threats
 - attack vectors

Slide 42

Slide 42 text

Trust model (per node)
1. What kind of data does it operate on?

Slide 43

Slide 43 text

Trust model (per node)
1. What kind of data does it operate on?
2. Do we trust/control this node?

Slide 44

Slide 44 text

Trust model (per node)
1. What kind of data does it operate on?
2. Do we trust/control this node?
3. If it needs sensitive plaintext, who stores the keys?

Slide 45

Slide 45 text

Trust model (per node)
1. What kind of data does it operate on?
2. Do we trust/control this node?
3. If it needs sensitive plaintext, who stores the keys?
4. What are the security controls?

Slide 46

Slide 46 text

Diagram (trust model): the same components, each marked with a trust-level symbol (☠, ⚠, ❇).

Slide 47

Slide 47 text

A trust model helps you understand where to implement the proper security controls that prevent risks.

Slide 48

Slide 48 text

Security control – a practical implementation of a risk prevention technique in your code and infrastructure.
Reactive:
 - detect incident
 - correct / limit damage
Proactive:
 - prevent risk

Slide 49

Slide 49 text

Proactive controls
 - Data security: encryption
 - Access security: authentication, firewalls, OS
 - Node security: firewalls, compartmentalization, OS

Slide 50

Slide 50 text

Reactive controls: detect
 - Data security: integrity checks, authenticated crypto
 - Access security: honeypots, access logging
 - Node security: IDS, monitoring

Slide 51

Slide 51 text

Reactive controls: limit damage
 - Data security: key management, backups
 - Access security: credential management, jailbans
 - Node security: infrastructural management

Slide 52

Slide 52 text

Infrastructural data protection 101
1. Identify sensitive data, understand the sensitive data lifecycle, classify data.
2. Identify risks to data.
3. Build a trust model, understand risk impact.
4. Prioritize risk vectors.
5. Select and implement proper security controls for exploitable high-risk vectors (to prevent risks and to identify leaks).

Slide 53

Slide 53 text

Principle of least privilege (secure by default)

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

Patterns

Slide 56

Slide 56 text

“Everyone Knows Everything”

Slide 57

Slide 57 text

“Everyone Knows Everything”
1. Many components, everyone has access to the database via the same API.
2. API without auth (brute-force IDs to get info about objects).
3. Storing plaintext data.
4. Transferring all data back and forth (aka large JSON).
5. Transferring data in plaintext inside the infrastructure.
6. Storing all data in the same place.
7. Logging everything (including secrets).
8. No monitoring for non-legitimate access.

Slide 58

Slide 58 text


Slide 59

Slide 59 text

“Narrowing and controlling trust”

Slide 60

Slide 60 text

“Narrowing and controlling trust”
Limit trust:
1. Echelonization.
2. Compartmentalization.
3. Verify trust (PKI).

Slide 61

Slide 61 text

“Narrowing and controlling trust”
Limit data:
1. Pseudonymization.
2. Anonymization.
3. Minimize lifecycle and scope.

Slide 62

Slide 62 text

“Narrowing and controlling trust”
Limit data:
4. Don’t store all data in one place.
5. Don’t send all data if only some piece of it is needed.

Slide 63

Slide 63 text

“Narrowing and controlling trust”
Encrypt data:
1. Encrypt data for the exact use-case (to be accessible only by specific users/systems).
2. Store keys in a trusted zone (KMS, Vault).
3. Proper key management: rotate, revoke, backup.

Slide 64

Slide 64 text

“Narrowing and controlling trust”
Protect transport:
1. Separate API for each app.
2. Session handling, session expiration.
3. Encrypt transport inside the network.
https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html

Slide 65

Slide 65 text

“Narrowing and controlling trust”
Monitor everything:
1. Access to critical data.
2. Access to keys.
3. Unusual behavior.
4. Honey pots / honey tokens.

Slide 66

Slide 66 text

“Narrowing and controlling trust”: limit trust, limit data, encrypt data, protect transport, monitor everything.

Slide 67

Slide 67 text

“Zero Knowledge / No Knowledge”

Slide 68

Slide 68 text

“Zero Knowledge Architecture”: ZKA is a design principle that enables software to provide services over protected client data without having unencrypted access to it.

Slide 69

Slide 69 text

“Zero Knowledge Architecture”
 - E2EE clients

Slide 70

Slide 70 text

“Zero Knowledge Architecture”
 - E2EE clients
 - all operations on encrypted data: CRUD; control of access to data from different users; search (in encrypted data)

Slide 71

Slide 71 text

“Zero Knowledge Architecture”: authentication, data collaboration, messaging. https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html

Slide 72

Slide 72 text

Patterns: Everyone Knows Everything; Narrowing and Controlling Trust; Zero Knowledge Architecture.

Slide 73

Slide 73 text

Tips, tricks, tools

Slide 74

Slide 74 text

Cover maximum risks using minimum tools and processes. Add details as the system evolves.

Slide 75

Slide 75 text

Firewalls / IDS
 - Control and monitor the perimeter.
 - Control and monitor the intranet: between networks, between hosts.
 - IDS & HIDS.

Slide 76

Slide 76 text

Data firewalls: WAF, database firewalls, SQL firewalls.

Slide 77

Slide 77 text

Data firewalls
 - Acra: https://github.com/cossacklabs/acra
 - GreenSQL: https://github.com/larskanis/greensql-fw
 - Hexatier: http://www.hexatier.com/
 - Oracle database firewall / TDE: http://www.oracle.com/

Slide 78

Slide 78 text

Acra – Oracle for Postgres/MySQL: cossacklabs.com/acra/, github.com/cossacklabs/acra/, marketplace.digitalocean.com/apps/acra

Slide 79

Slide 79 text

SIEM: aggregate logs into a single point for further analysis.
 - Triggers on leaking assets.
 - Triggers on typical attacks.
 - Correlation analysis.

Slide 80

Slide 80 text

Audit logs: on every access to sensitive data; non-falsifiable; easy to analyze. https://cloud.google.com/logging/docs/audit/

Slide 81

Slide 81 text

Data encryption: at-rest encryption; separated encryption and decryption; use different keys for different clients.
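An added example, not code from the talk or from Acra/Themis, of slide 63's "encrypt for the exact use-case, keep keys in a trusted zone" combined with this slide's separated encryption/decryption and per-client keys: application nodes hold only a client's public key and can encrypt, while the private key stays in the trusted zone (a KMS stand-in assumed here) and is the only thing that decrypts. It uses Go's standard library X25519 and AES-GCM; deriving the AES key with SHA-256 is a simplification standing in for HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aeadFor derives AES-256-GCM from the X25519 shared secret (SHA-256 stands in for HKDF here).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// Encrypt runs on untrusted application nodes: it needs only the client's
// public key. Blob layout: ephemeralPub(32) || nonce(12) || ciphertext+tag.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // per-message key, discarded afterwards
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(eph, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return gcm.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil), nil
}

// Decrypt runs only in the trusted zone holding the client's private key; GCM's tag check fails under any other key.
func Decrypt(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 44 {
		return nil, errors.New("malformed blob")
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(blob[:32]) // only fails on wrong length, checked above
	gcm, err := aeadFor(priv, ephPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[32:44], blob[44:], nil)
}
```

Because the writer side never sees a private key, a compromised application node yields only ciphertext, and a record encrypted for one client cannot be opened with another client's key.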

Slide 82

Slide 82 text

Encryption libraries should
 ★ use strong & audited crypto
 ★ work everywhere
 ★ hide cryptographic details
 ★ be hard to mis-use
 ★ have integration with key storage

Slide 83

Slide 83 text

Encryption libraries
 - libsodium: github.com/jedisct1/libsodium
 - Themis: github.com/cossacklabs/themis
 - Keyczar: github.com/google/keyczar
 - Tink: github.com/google/tink

Slide 84

Slide 84 text

Data in motion protection: well-configured TLS and suitable per-usecase protocols.

Slide 85

Slide 85 text

Data in motion protection / TLS
 - private keys: RSA-2048, ECDSA-256
 - obtain the certificate from a reliable CA
 - TLS v1.3 / v1.2
 - use secure cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 - ✅ enable Forward Secrecy
 - ✅ enable HSTS (web)
 - rotate certificates often
github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Slide 86

Slide 86 text

Data in motion protection / protocols
 - Axolotl: github.com/whispersystems/libsignal-protocol-c
 - Themis: github.com/cossacklabs/themis
 - Noise: noiseprotocol.org

Slide 87

Slide 87 text

E2EE for data collaboration
 - Hermes: https://github.com/cossacklabs/hermes-core
 - ZeroKit: https://tresorit.com/zerokit

Slide 88

Slide 88 text

Honey pots
 - fake sensitive data records
 - fake accounts
 - vulnerable nodes with open ports
 - fake API calls / API tokens / keys
+ triggers
https://hackernoon.com/poison-records-acra-eli5-d78250ef94f
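An added example, not from the talk or from Acra's poison-record feature, that ties slide 65's "monitor access to critical data, unusual behaviour, honey tokens" and slide 80's audit logs to this slide's triggers: a detector that scans a constructed audit-log format for any read of a planted poison record and for an actor touching unusually many distinct records in one monitoring window. The log format, the "table/record" key and the threshold are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditEvent is one access to sensitive data. The constructed log format used
// here is four space-separated fields: RFC3339 time, actor, table, record id.
type AuditEvent struct {
	At, Actor, Table, Record string
}

func ParseAuditLine(line string) (AuditEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return AuditEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	return AuditEvent{At: f[0], Actor: f[1], Table: f[2], Record: f[3]}, nil
}

// ScanAudit treats lines as one monitoring window (say, a minute of audit log).
// poison holds planted "table/record" keys no legitimate code path ever reads;
// bulkLimit is how many distinct records one actor may touch per window. It
// returns one alert per poison hit, one per actor over the limit, and one per
// unparseable line (a broken log line is itself worth a look, never dropped).
func ScanAudit(lines []string, poison map[string]bool, bulkLimit int) []string {
	var alerts []string
	seen := map[string]bool{} // actor|table/record pairs already counted
	count := map[string]int{} // distinct records touched per actor
	for _, line := range lines {
		ev, err := ParseAuditLine(line)
		if err != nil {
			alerts = append(alerts, err.Error())
			continue
		}
		key := ev.Table + "/" + ev.Record
		if poison[key] {
			alerts = append(alerts, fmt.Sprintf("poison record %s read by %s at %s", key, ev.Actor, ev.At))
		}
		if pair := ev.Actor + "|" + key; !seen[pair] {
			seen[pair] = true
			count[ev.Actor]++
			if count[ev.Actor] == bulkLimit+1 { // crosses the limit exactly once per actor
				alerts = append(alerts, fmt.Sprintf("bulk read: %s touched more than %d records in this window", ev.Actor, bulkLimit))
			}
		}
	}
	return alerts
}
```

A poison hit is a high-confidence trigger because the record has no legitimate reader; the bulk-read alert is a heuristic whose threshold has to be tuned per service.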

Slide 89

Slide 89 text

OWASP guidelines
 - Web Application Security Guidance: https://www.owasp.org/index.php/Web_Application_Security_Guidance
 - Secure Coding Cheat Sheet: https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
 - Secure Coding Practices: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
 - Password Storage Cheat Sheet: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Slide 90

Slide 90 text

Summary

Slide 91

Slide 91 text

Infrastructural data protection 101
1. Identify sensitive data, understand the sensitive data lifecycle, classify data.
2. Identify risks to data.
3. Build a trust model, understand risk impact.
4. Prioritize risk vectors.
5. Select and implement proper security controls for exploitable high-risk vectors (to prevent risks and to identify leaks).

Slide 92

Slide 92 text

It is secure. It’s not broken yet.

Slide 93

Slide 93 text

Home reading :)
 - Security as a Product: https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
 - Insecure Transit - Microservice Security: https://samnewman.io/talks/insecure-transit-microservice-security/
 - 12 and 1 ideas how to enhance backend data security: https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88
 - How to prevent database leaks and injections: https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614

Slide 94

Slide 94 text

My other security slides: github.com/vixentael/my-talks

Slide 95

Slide 95 text

@vixentael: product engineer in security and cryptography; OSS maintainer (Themis, Acra); cryptographic tools, security consulting, training

Slide 96

Slide 96 text

Image credits: www.flaticon.com. Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs.