85% of breaches involved the human element [1]
[1] Verizon DBIR 2021 - https://www.verizon.com/dbir
@hpgrahsl | #VoxxedDays Luxembourg | June 21-22, 2022
Compromised external cloud assets are more common than on-premises assets [1]
[1] Verizon DBIR 2021 - https://www.verizon.com/dbir
Don't forget about the price tag of data breaches.
$4.24M average cost of a data breach [2]
[2] IBM Cost of Data Breach Report - https://www.ibm.com/security/data-breach
$180 per-record cost of customer PII [2]
[2] IBM Cost of Data Breach Report - https://www.ibm.com/security/data-breach
It's me ...
• technical trainer at NETCONOMY
• independent engineer & consultant
• Confluent Community Catalyst
• MongoDB Champion
But Kafka related? Yes! [3]
[3] https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/
They found it "all" ... [3]
unhappy
Behind the Curtain?
Cryptography
• Tink by Google
• AEAD based on AES GCM
• DAEAD based on AES SIV
• key rotation support
Keyset Management
• within SMT config (not recommended)
• externalized to separate file (okayish)
• remote / cloud KMS (recommended)
• currently Azure Key Vault
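The Cryptography and Keyset Management slides list the building blocks but do not show them in use. The following added example is not code from the talk or from the speaker's SMT project; it exercises the same building blocks directly with Google Tink's Java API: randomized AEAD with AES-GCM, deterministic AEAD with AES-SIV, rotation of the primary key inside a keyset, and the difference between a cleartext keyset (what ends up inside an SMT config or a plain file) and a KMS-wrapped one. The class name `FieldEncryptionDemo`, the record field name `email` and the sample value are constructed for the example. The locally generated `kek` is an assumption standing in for a KMS-held key so that the example runs offline; with Azure Key Vault or any other provider the `Aead` would instead come from that provider's Tink `KmsClient`.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.CleartextKeysetHandle;
import com.google.crypto.tink.DeterministicAead;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.JsonKeysetWriter;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.daead.DeterministicAeadConfig;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class FieldEncryptionDemo {

  public static void main(String[] args) throws Exception {
    AeadConfig.register();
    DeterministicAeadConfig.register();

    // Constructed sample record field. The field name is passed as associated data,
    // so a ciphertext cannot be silently moved from one field to another.
    byte[] fieldName = "email".getBytes(StandardCharsets.UTF_8);
    byte[] value = "alice@example.com".getBytes(StandardCharsets.UTF_8);

    // --- AEAD (AES-GCM): randomized, so the same plaintext yields different ciphertexts ---
    KeysetHandle aeadKeys = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM"));
    Aead aead = aeadKeys.getPrimitive(Aead.class);
    byte[] ct1 = aead.encrypt(value, fieldName);
    byte[] ct2 = aead.encrypt(value, fieldName);
    System.out.println("AES-GCM ciphertexts equal? " + Arrays.equals(ct1, ct2));
    System.out.println("AES-GCM roundtrip ok? " + Arrays.equals(value, aead.decrypt(ct1, fieldName)));

    // Decrypting under a different field name (different associated data) is rejected.
    try {
      aead.decrypt(ct1, "phone".getBytes(StandardCharsets.UTF_8));
    } catch (GeneralSecurityException e) {
      System.out.println("decrypt with wrong associated data rejected (expected)");
    }

    // --- DAEAD (AES-SIV): deterministic, so the same plaintext yields the same ciphertext ---
    // This keeps equality lookups and joins on the encrypted field possible; the price is
    // that equal plaintexts are visible as equal ciphertexts, so use it only where needed.
    KeysetHandle daeadKeys = KeysetHandle.generateNew(KeyTemplates.get("AES256_SIV"));
    DeterministicAead daead = daeadKeys.getPrimitive(DeterministicAead.class);
    byte[] d1 = daead.encryptDeterministically(value, fieldName);
    byte[] d2 = daead.encryptDeterministically(value, fieldName);
    System.out.println("AES-SIV ciphertexts equal? " + Arrays.equals(d1, d2));

    // --- Key rotation: add a fresh key to the keyset and make it the primary ---
    KeysetManager manager = KeysetManager.withKeysetHandle(aeadKeys)
        .add(KeyTemplates.get("AES256_GCM"));
    KeysetHandle grown = manager.getKeysetHandle();
    // The newly added key is the last entry in the keyset.
    int newestKeyId = grown.getKeysetInfo()
        .getKeyInfo(grown.getKeysetInfo().getKeyInfoCount() - 1).getKeyId();
    KeysetHandle rotated = manager.setPrimary(newestKeyId).getKeysetHandle();
    Aead rotatedAead = rotated.getPrimitive(Aead.class);
    byte[] ctNew = rotatedAead.encrypt(value, fieldName);
    // Tink prefixes each ciphertext with its key id, so the rotated keyset still
    // decrypts records written under the previous primary key.
    System.out.println("old ciphertext decrypts after rotation? "
        + Arrays.equals(value, rotatedAead.decrypt(ct1, fieldName)));
    // The pre-rotation keyset does not contain the new key and rejects new ciphertexts.
    try {
      aead.decrypt(ctNew, fieldName);
    } catch (GeneralSecurityException e) {
      System.out.println("pre-rotation keyset cannot decrypt new ciphertext (expected)");
    }

    // --- Keyset storage ---
    // Cleartext JSON is what an inline SMT config or a plain keyset file contains:
    // whoever can read that config can decrypt every protected field.
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    CleartextKeysetHandle.write(rotated, JsonKeysetWriter.withOutputStream(out));
    String cleartextJson = out.toString("UTF-8");
    KeysetHandle reloaded = CleartextKeysetHandle.read(JsonKeysetReader.withString(cleartextJson));

    // KMS-wrapped: the keyset is encrypted under a key-encryption key that stays in the KMS.
    // Assumption for an offline example: a locally generated AEAD plays the role of the KMS key.
    Aead kek = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM")).getPrimitive(Aead.class);
    ByteArrayOutputStream wrapped = new ByteArrayOutputStream();
    rotated.write(JsonKeysetWriter.withOutputStream(wrapped), kek);
    KeysetHandle unwrapped = KeysetHandle.read(JsonKeysetReader.withBytes(wrapped.toByteArray()), kek);

    System.out.println("reloaded keysets decrypt? "
        + Arrays.equals(value, reloaded.getPrimitive(Aead.class).decrypt(ctNew, fieldName))
        + " / "
        + Arrays.equals(value, unwrapped.getPrimitive(Aead.class).decrypt(ctNew, fieldName)));
  }
}
```

Compile and run it with the `tink` artifact on the classpath. The `wrapped` bytes are safe to keep next to the connector configuration because they are useless without access to the KMS key; the `cleartextJson` is not, which is why the slide ranks inline keysets lowest and a remote KMS highest. In a deployment the `kek` is obtained from the provider's `KmsClient` by key URI rather than generated locally.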
Little Ideas
• wildcard / regex matching for field names
• dynamic keyset selection based on payload
• additional KMS providers (GCP, AWS, ...)
Bigger Ideas
• add further cryptography options (e.g. FPE)
• language / runtime agnostic data serialization
• extend scope beyond Kafka Connect
Data should continue to be a valuable asset, not become a costly liability.