Slide 1

Client-Side Field-Level Encryption for Apache Kafka Connect @hpgrahsl | #VoxxedDays Luxembourg | June 21-22, 2022

Slide 2

Why should we care?

Slide 3

61% of breaches involved credential data [1]
[1] Verizon DBIR 2021 - https://www.verizon.com/dbir

Slide 4

85% of breaches involved the human element [1]
[1] Verizon DBIR 2021 - https://www.verizon.com/dbir


Slide 6

compromised external cloud assets more common than on-premises assets [1]
[1] Verizon DBIR 2021 - https://www.verizon.com/dbir

Slide 7

Don't forget about the price tag of data breaches.


Slide 9

$4.24M average cost of a data breach [2]
[2] IBM Cost of a Data Breach Report - https://www.ibm.com/security/data-breach

Slide 10

$180 per record cost of customer PII [2]
[2] IBM Cost of a Data Breach Report - https://www.ibm.com/security/data-breach


Slide 12

It's me ... !
• technical trainer at NETCONOMY
• independent engineer & consultant
• Confluent Community Catalyst
• MongoDB Champion


Slide 14

But Kafka related? Yes! [3]
[3] https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/

Slide 15

They found it "all" ... [3]
[3] https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/

Slide 16

unhappy

Slide 17

Core Kafka Security Mechanisms

Slide 18

Table Stakes ?

Slide 19

over-the-wire encryption

Slide 20

authentication

Slide 21

authorization


Slide 24

disturbing


Slide 26

Core Security Necessary !

Slide 27

Core Security Sufficient ?


Slide 31

? in use by brokers

Slide 32

brokers see everything ... and so does any legitimate Kafka client


Slide 34

human promise is NOT technical promise

Slide 35

end-to-end encryption ? ? ?

Slide 36

Community Project Kryptonite for Kafka

Slide 37

client-side field level cryptography

Slide 38

Client-Side Cryptography


Slide 40

Field Level Encryption


Slide 42

Field Level Decryption


Slide 44

Kafka Connect Single Message Transform

Slide 45

CSFLC with Source Connectors


Slide 49

CSFLC with Sink Connectors


Slide 54

Demo Scenario 1


Slide 61

Demo Scenario 2


Slide 68

Behind the Curtain ?

Slide 69

Cryptography
• Tink by Google
• AEAD based on AES GCM
• DAEAD based on AES SIV
• key rotation support
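To make the SMT flow (slides 44 to 49: encrypt per field on the source side before the record is produced, decrypt on the sink side) and the cryptography bullets above concrete, here is an added example. It is written for this page in Go with only the standard library and is not Kryptonite's own code, which is Java on top of Tink. Everything in it is this example's own design and should be read as such: the wire format keyID || nonce || ciphertext, the field name bound as associated data, the policy map that decides which fields are protected and which of those must be deterministic, and a keyset with several keys and one primary. The deterministic mode is a simplified SIV-style construction (nonce = HMAC of field name and value, then AES-GCM) standing in for Tink's AES-SIV DAEAD, not an implementation of it; the keys are generated in memory for the demo where a real deployment would load the keyset from a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// keyset follows the Tink idea: several keys, one primary. The primary encrypts, every key
// still decrypts, so a rotation needs no bulk re-encryption of records already in Kafka.
// Each 64-byte entry is an AES-256 key followed by a separate HMAC key for synthetic nonces.
type keyset struct {
	primary uint32
	keys    map[uint32][]byte
}

// rotate adds fresh material under id and makes it primary. Demo only: load keys from a KMS in practice.
func (ks *keyset) rotate(id uint32) {
	m := make([]byte, 64)
	if _, err := rand.Read(m); err != nil {
		panic(err) // no usable entropy source, nothing sensible to continue with
	}
	ks.keys[id] = m
	ks.primary = id
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:32])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField emits keyID(4) || nonce(12) || AES-GCM ciphertext+tag. The field name is the
// associated data, so a ciphertext moved into another field no longer decrypts. deterministic=true
// derives the nonce as HMAC(field, value), the SIV idea: equal inputs give equal (matchable) ciphertexts.
func encryptField(ks *keyset, field string, value []byte, deterministic bool) ([]byte, error) {
	k := ks.keys[ks.primary]
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if deterministic {
		h := hmac.New(sha256.New, k[32:])
		h.Write(append(append([]byte(field), 0), value...)) // zero byte separates name from value
		copy(nonce, h.Sum(nil))
	} else if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 16+len(value)+gcm.Overhead())
	binary.BigEndian.PutUint32(out, ks.primary)
	return gcm.Seal(append(out, nonce...), nonce, value, []byte(field)), nil
}

// decryptField selects the key by its id prefix, so data written under an older key stays readable.
func decryptField(ks *keyset, field string, blob []byte) ([]byte, error) {
	if len(blob) < 16 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	k, ok := ks.keys[binary.BigEndian.Uint32(blob[:4])]
	if !ok {
		return nil, fmt.Errorf("unknown key id")
	}
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[4:16], blob[16:], []byte(field))
}

// transformRecord is the per-record work of the SMT. policy maps each protected field to whether
// it needs a deterministic ciphertext (joined or deduplicated on downstream); fields absent from
// the policy pass through in the clear. encrypt=true is the source side, whose output is all the
// brokers and every other consumer ever see; encrypt=false is the sink side.
func transformRecord(ks *keyset, rec map[string][]byte, policy map[string]bool, encrypt bool) (map[string][]byte, error) {
	out := map[string][]byte{}
	for name, v := range rec {
		det, protected := policy[name]
		var err error
		switch {
		case !protected:
			out[name] = v
		case encrypt:
			out[name], err = encryptField(ks, name, v, det)
		default:
			out[name], err = decryptField(ks, name, v)
		}
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", name, err)
		}
	}
	return out, nil
}
```

Two things to take from it. The deterministic mode is a trade, not a free upgrade: the same e-mail address always yields the same ciphertext, which is what lets a downstream join or deduplication still work on the encrypted field, and it is also exactly what an observer on the broker can count and correlate, so reserve it for fields that need matching and leave the randomized AEAD as the default. And because the field name is the associated data, swapping two ciphertexts between fields of the same record fails at the sink instead of silently producing a wrong plaintext; the rotation step shows that after a new primary key is installed, records encrypted under the old key still decrypt while new records pick up the new key id.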

Slide 70

Keyset Management
• within SMT config (not recommended)
• externalized to separate file (okayish)
• remote / cloud KMS (recommended)
• currently Azure Key Vault

Slide 71

Little Ideas
• wildcard / regex matching for field names
• dynamic keyset selection based on payload
• additional KMS providers (GCP, AWS, ...)

Slide 72

Bigger Ideas
• add further cryptography options (e.g. FPE)
• language / runtime agnostic data serialization
• extend scope beyond Kafka Connect

Slide 73

data should continue to be a valuable asset not become a costly liability

Slide 74

twitter @hpgrahsl

Slide 75

Go check it out !
• Project Code https://bit.ly/vdlux22-k4k
• Demo Scenarios https://bit.ly/vdlux22-demo


Slide 77

Photo Credits in order of appearance
(c) Chunli Ju - https://unsplash.com/photos/8fs1X0JFgFE
(c) Wolf Zimmermann - https://unsplash.com/photos/6sf5rf8QYFE
(c) Jason Leung - https://unsplash.com/photos/SAYzxuS1O3M
(c) Dev Asangbam - https://unsplash.com/photos/sh9vkVbVgo
(c) Keenan Constance - https://unsplash.com/photos/VTLcvV6UVaI
(c) Steve Johnson - https://unsplash.com/photos/hokONTrHIAQ
(c) Pete Linforth - https://pixabay.com/illustrations/biometrics-access-identification-4503187/
(c) Miguel Á. Padriñán - https://www.pexels.com/photo/close-up-shot-of-keys-on-a-red-surface-2882687/
(c) Camila Quintero Franco - https://unsplash.com/photos/mC852jACK1g
(c) Gerd Altmann - https://pixabay.com/illustrations/board-excuse-me-excuse-discharge-1848736/
(c) Vijaya narasimha - https://pixabay.com/photos/crevasse-sand-stone-hills-rock-399957/
(c) Gerd Altmann - https://pixabay.com/photos/trust-man-hood-map-prompt-4321822/
(c) Matheo JBT - https://unsplash.com/photos/HLhvZ9HRAwo
(c) Rob Laughter - https://unsplash.com/photos/WW1jsInXgwM
(c) Markus Spiske - https://unsplash.com/photos/iar-afB0QQw
(c) Nerene Grobler - https://unsplash.com/photos/sLxcfdsqLQ
(c) Wilhelm Gunkel - https://unsplash.com/photos/L04Kczg_Jvs
(c) Matt Walsh - https://unsplash.com/photos/tVkdGtEe2C4