Towards Client-Side Field-Level Cryptography for Streaming Data Pipelines @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022

Why should we care? @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 2

61 % of breaches involved credential data1 1 Verizon DBIR 2021 - https://www.verizon.com/dbir @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 3

85 % of breaches involved the human element1 1 Verizon DBIR 2021 - https://www.verizon.com/dbir @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 4

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 5

compromised external cloud assets more common than on-premises assets1 1 Verizon DBIR 2021 - https://www.verizon.com/dbir @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 6

Let's don't forget about the price tag of data breaches. @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 7

Let's don't forget about the price tag of data breaches. @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 8

$4.24M average cost of data breach2 2 IBM Cost of Data Breach Report - https://www.ibm.com/security/data-breach @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 9

$180 per record cost of customer PII2 2 IBM Cost of Data Breach Report - https://www.ibm.com/security/data-breach @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 10

It's me ... Hans-Peter • Developer ! Advocate @ Red Hat • Open-Source Enthusiast • Confluent Community Catalyst since 2019 • MongoDB Champion since 2020 • based in Graz, Austria " @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 11

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 12

! But Kafka related? Yes! 3 3 https://spectralops.io/blog/misconfigured-kafdrop-puts-companies-apache-kafka-completely-exposed/ @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 13

unhappy @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 14

Core Kafka Security Mechanisms @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 15

over-the-wire encryption @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 16

authentication @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 17

authorization @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 18

table stakes @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 19

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 20

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 21

disturbing @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 22

core security necessary ! @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 23

core security sufficient ? @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 24

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 25

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 26

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 27

? data in use by BROKERS @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 28

BROKERS see everything ... and so does any legitimate Kafka client @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 29

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 30

human promise is NOT technical promise @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 31

? ? ? end-to-end encryption ? ? ? @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 32

Open-Source Community Project Kryptonite for Kafka @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 33

client-side field level cryptography @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 34

Client-Side Cryptography @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 35

Client-Side Cryptography @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 36

Field Level Cryptography @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 37

Field Level Cryptography @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 38

Kafka Connect Sources Single Message Transform @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 39

CSFLC with Source Connectors @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 40

Demo Part 1 @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 41

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 42

ksqlDB User-Defined Function @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 43

CSFLC with Streaming SQL @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 44

CSFLC with Streaming SQL @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 45

Demo Part 2 @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 46

Here be Dragons @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 47

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 48

Kafka Connect Sinks Single Message Transform @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 49

CSFLC with Sink Connectors @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 50

Demo Part 3 @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 51

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 52

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 53

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 54

Behind the Scenes? @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 55

Cryptography • Tink by Google • AEAD based on AES GCM • DAEAD based on AES SIV • key rotation support @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 56

Keyset Management • within SMT config (not recommended) • externalized to separate file (okayish) • remote / cloud KMS (recommended) • preliminary Azure Key Vault support @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 57

! Little Ideas ! • wildcard / regex matching for field names • dynamic keyset selection based on payload • additional KMS providers (GCP, AWS, ...) @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 58

! Bigger Ideas ! • add cryptography options (e.g. FPE) • extend scope beyond Kafka Connect and ksqlDB • make CSFLC language / runtime agnostic @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 59

@hpgrahsl Let's stay in touch ! on Twitter @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 60

! TRY IT " • Project Code https://bit.ly/current22-k4k • Demo Scenarios https://bit.ly/current22-demo @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 61

Data should continue to be a valuable asset, not become a costly liability. @hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022 62

@hpgrahsl | #Current22 - Austin, Texas | Oct 4-5, 2022

Photo Credits in order of appearance (c) John Salvino - https://unsplash.com/photos/bqGBbLq_yfc (c) Wolf Zimmermann - https://unsplash.com/photos/6sf5rf8QYFE (c) Jason Leung - https://unsplash.com/photos/SAYzxuS1O3M (c) Dev Asangbam - https://unsplash.com/photos/sh9vkVbVgo (c) Keenan Constance - https://unsplash.com/photos/VTLcvV6UVaI (c) Steve Johnson - https://unsplash.com/photos/hokONTrHIAQ (c) Pete Linforth - https://pixabay.com/illustrations/biometrics-access-identification-4503187/ (c) Miguel Á. Padriñán - https://www.pexels.com/photo/close-up-shot-of-keys-on-a-red-surface-2882687/ (c) Camila Quintero Franco - https://unsplash.com/photos/mC852jACK1g (c) Gerd Altmann - https://pixabay.com/illustrations/board-excuse-me-excuse-discharge-1848736/ (c) Vijaya narasimha - https://pixabay.com/photos/crevasse-sand-stone-hills-rock-399957/ (c) Gerd Altmann - https://pixabay.com/photos/trust-man-hood-map-prompt-4321822/ (c) Matheo JBT - https://unsplash.com/photos/HLhvZ9HRAwo (c) Rob Laughter - https://unsplash.com/photos/WW1jsInXgwM (c) Markus Spiske - https://unsplash.com/photos/iar-afB0QQw (c) Nerene Grobler - https://unsplash.com/photos/sLxcfdsqLQ (c) Wilhelm Gunkel - https://unsplash.com/photos/L04Kczg_Jvs (c) Matt Walsh - https://unsplash.com/photos/tVkdGtEe2C4