Slide 1

Slide 1 text

Security vs. Delivery: Win with dependency inversion
March 2022
Copyright © 2020 HashiCorp

Slide 2

Slide 2 text

Security: “We must secure!” Delivery: “We must innovate!”

Where the two sides meet: datacenters, access control, vulnerability management, audit logging, clouds, secrets, network policy, managed services 😰

Slide 3

Slide 3 text

Rosemary Wang (she/her), @joatmon08
Author, Patterns & Practices for IaC
Developer Advocate, HashiCorp

Slide 4

Slide 4 text

01 Round 1 / Security vs. Delivery: Dependency inversion in software development

Slide 5

Slide 5 text

Diagram: Application (high-level object) depends on Database (low-level object).

Slide 6

Slide 6 text

APPLICATION CODE (high-level object)

    import java.util.List;
    import java.util.Optional;

    public class CustomerService {
        // depends on the abstraction, never on a concrete database type
        private CustomerDao customer;

        public Optional<Customer> findById(int id) {
            return customer.findById(id);
        }

        public List<Customer> findAll() {
            return customer.findAll();
        }
    }

DATA ACCESS OBJECT (abstraction)

    import java.util.List;
    import java.util.Optional;

    public interface CustomerDao {
        Optional<Customer> findById(int id);
        List<Customer> findAll();
    }

Low-level objects: Database Type 1 implements access to MySQL; Database Type 2 implements access to PostgreSQL. Both implement CustomerDao.

Example from https://www.baeldung.com/java-dependency-inversion-principle

Slide 7

Slide 7 text

…both high-level and low-level objects must depend on the same abstraction. This loosely couples software modules.

Slide 8

Slide 8 text

Loose coupling supports evolution: change the low-level object while minimizing the impact on the high-level object.

Slide 9

Slide 9 text

02 Round 2 / Security vs. Delivery: Infrastructure as code

Slide 10

Slide 10 text

…both high-level and low-level objects must depend on the same abstraction. This loosely couples infrastructure resources.

Slide 11

Slide 11 text

Diagram: Server (high-level object) depends on Network (low-level object).

Slide 12

Slide 12 text

Infrastructure API

SERVER CONFIG (high-level object)

    resource "aws_instance" "machine" {
      ## omitted for clarity
      subnet_id = data.aws_subnet.selected.id
      tags = {
        Name = local.name
      }
    }

DATA ACCESS OBJECT (abstraction)

    data "aws_subnet" "selected" {
      filter {
        name   = "tag:Team"
        values = [var.team]
      }
      filter {
        name   = "tag:Environment"
        values = [var.environment]
      }
    }

NETWORK CONFIG (low-level object)

    resource "aws_subnet" "main" {
      vpc_id     = aws_vpc.main.id
      cidr_block = cidrsubnet(var.cidr_block, 4, 1)
      tags = {
        Name = local.name
      }
    }

Slide 13

Slide 13 text

Infrastructure Module Output

DNS CONFIG (high-level object)

    resource "cloudflare_record" "machine" {
      ## omitted for clarity
      zone_id = var.cloudflare_zone_id
      name    = "vm"
      value   = module.vm.ip
    }

DATA ACCESS OBJECT (abstraction: the module's output)

    output "ip" {
      value = aws_instance.machine.private_ip
    }

SERVER CONFIG (low-level object)

    resource "aws_instance" "machine" {
      ## omitted for clarity
      subnet_id = data.aws_subnet.selected.id
      tags = {
        Name = local.name
      }
    }

Slide 14

Slide 14 text

Multiple Clouds / Platforms

DNS CONFIG (high-level object, unchanged)

    resource "cloudflare_record" "machine" {
      ## omitted for clarity
      zone_id = var.cloudflare_zone_id
      name    = "vm"
      value   = module.vm.ip
    }

DATA ACCESS OBJECT (abstraction: the module's output, same name, new source)

    output "ip" {
      value = azurerm_linux_virtual_machine.machine.private_ip_address
    }

SERVER CONFIG (low-level object, swapped from AWS to Azure)

    resource "azurerm_linux_virtual_machine" "machine" {
      ## omitted for clarity
      ## Azure attaches the VM to a subnet through a network interface
      network_interface_ids = [azurerm_network_interface.machine.id]
      tags = {
        Name = local.name
      }
    }

Slide 15

Slide 15 text

03 Round 3 / Security vs. Delivery: Security

Slide 16

Slide 16 text

Infrastructure and applications depend on security. They benefit from the dependency inversion principle.

Slide 17

Slide 17 text

Secrets

Slide 18

Slide 18 text

Diagram: Application (high-level object) depends on Database Secret (low-level object).

Slide 19

Slide 19 text

What happens when a database password leaks:

1. Regret
2. Revoke
3. Rotate
4. Reference
5. Replace
6. Restart

Can you imagine contacting multiple teams to fix their passwords? 😞 😞 😞

Invert the application’s dependency on the secret.

Slide 20

Slide 20 text

Secrets Manager + Code Library

APPLICATION CODE (high-level object)

    public class CustomerService {
        private CustomerDao customer;

        public Optional<Customer> findById(int id) {
            return customer.findById(id);
        }

        public List<Customer> findAll() {
            return customer.findAll();
        }
    }

Application does not change!

CODE LIBRARY (abstraction)

    ## install the spring-cloud-vault-config-databases dependency
    ## application.yml
    spring.cloud.vault:
      database:
        enabled: true
        role: readonly
        backend: database

Change these if necessary.

Low-level object: Database Secret, i.e. the database password issued at /database/creds/customer.

https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.backends.database-backends

Slide 21

Slide 21 text

Secrets Manager + Sidecar Process

APPLICATION CODE (high-level object)

    public class CustomerService {
        private CustomerDao customer;

        public Optional<Customer> findById(int id) {
            return customer.findById(id);
        }

        public List<Customer> findAll() {
            return customer.findAll();
        }
    }

Application reads configuration from a file. No changes to code.

SIDECAR PROCESS (abstraction)

    ## run Vault agent as a separate process
    vault agent -config /vault-agent/agent.hcl

    ## Vault agent template that generates application.properties
    {{ with secret "database/creds/customer" -}}
    spring.datasource.username={{ .Data.username }}
    spring.datasource.password={{ .Data.password }}
    {{- end }}

APPLICATION.PROPERTIES (rendered by the sidecar)

    spring.datasource.username=customer
    spring.datasource.password=Depend3ncy!nversion

Low-level object: Database Secret, i.e. the database password issued at /database/creds/customer.

https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.backends.database-backends
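The sidecar pattern above, as an added example that is not from the talk: the application depends only on a CredentialSource abstraction, the low-level object is a spring.datasource.* properties file rendered by a sidecar, and a rotated lease is picked up without touching the application. Class names, the parser and the file contents are constructed for illustration.

```python
import tempfile
from pathlib import Path
from typing import NamedTuple, Protocol

class DbCredentials(NamedTuple):
    username: str
    password: str

class CredentialSource(Protocol):
    """Abstraction both the application and the secret store depend on."""
    def current(self) -> DbCredentials: ...

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java-style key=value parser; skips blank and '#'/'!' comment lines."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

class RenderedPropertiesFile:
    """Low-level object: file rendered by a sidecar (e.g. Vault Agent); re-read per call."""
    def __init__(self, path: Path) -> None:
        self._path = path

    def current(self) -> DbCredentials:
        p = parse_properties(self._path.read_text())
        return DbCredentials(p["spring.datasource.username"], p["spring.datasource.password"])

class CustomerService:
    """High-level object: unchanged whichever CredentialSource is injected."""
    def __init__(self, creds: CredentialSource) -> None:
        self._creds = creds

    def connection_url(self) -> str:
        c = self._creds.current()
        return f"postgresql://{c.username}:{c.password}@db:5432/customers"

def demo_rotation() -> tuple[str, str]:
    """Sidecar renders a lease, then a rotated one (constructed values); app is untouched."""
    path = Path(tempfile.mkdtemp()) / "application.properties"
    path.write_text("spring.datasource.username=customer\nspring.datasource.password=Depend3ncy!nversion\n")
    svc = CustomerService(RenderedPropertiesFile(path))
    before = svc.connection_url()
    path.write_text("# re-rendered after rotation (constructed values)\n"
                    "spring.datasource.username=v-customer-7f3a\n"
                    "spring.datasource.password=rotated-pass\n")
    return before, svc.connection_url()
```

Because the file is re-read on every call, the "Restart" step of the leak checklist disappears for this application; a source that cached the credentials would need it back.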

Slide 22

Slide 22 text

Network Policy

Slide 23

Slide 23 text

Diagram: Web (high-level object) depends on App, which depends on Database (low-level object). Web SHOULD NOT DEPEND ON Database directly.

Slide 24

Slide 24 text

Network concerns an application depends on:

1. API Authorization
2. Certificates
3. Traffic Management
4. Telemetry
5. Firewalls
6. Network Routing
7. Security Groups

Can you imagine contacting multiple teams to manage these configurations? 😞 😞 😞

Slide 25

Slide 25 text

1. API Authorization
2. Certificates
3. Traffic Management
4. Telemetry
5. Firewalls
6. Network Routing
7. Security Groups

A service mesh inverts the application’s dependencies on items 1 to 4.

Slide 26

Slide 26 text

Service Mesh + Sidecar Proxy (abstraction between Web, App and Database)

NETWORK POLICY (Consul service intentions)

    Kind = "service-intentions"
    Name = "db"
    Sources = [
      {
        Name   = "web"
        Action = "deny"
      },
      {
        Name   = "app"
        Action = "allow"
      }
    ]

The mesh offers an abstraction for certificates, traffic management, API authorization, and telemetry.

Slide 27

Slide 27 text

1. API Authorization
2. Certificates
3. Traffic Management
4. Telemetry
5. Firewalls
6. Network Routing
7. Security Groups

A service catalog plus automation can help invert the infrastructure’s dependency on items 5 to 7.

Slide 28

Slide 28 text

Access Control

Slide 29

Slide 29 text

Diagram: SSH Access to Server (high-level object) depends on Identity (low-level object).

Slide 30

Slide 30 text

Diagram: SSH Access to Server (high-level object) depends on many identity providers (low-level objects) across platforms, clouds, and services …and more.

Slide 31

Slide 31 text

Secure Access Management (abstraction between SSH Access to Server and the many identity providers across platforms, clouds, etc.)

TERRAFORM

    ## Azure AD operator group should have SSH access
    resource "boundary_role" "core_infra" {
      ## omitted for clarity
      scope_id       = boundary_scope.org.id
      grant_scope_id = boundary_scope.core_infra.id
      grant_strings  = ["id=*;type=*;actions=*"]
      principal_ids  = [boundary_managed_group.operators.id]
    }

Slide 32

Slide 32 text

04 Final Round / Security vs. Delivery: Is it a win?

Slide 33

Slide 33 text

Chart: Units of Effort over Time (axes: Effort, Time), series "No Dependency Inversion". You spend several months changing your security architecture and refactoring high-level applications and infrastructure.

Slide 34

Slide 34 text

Can I change my security tool or policy tomorrow without affecting delivery?

Slide 35

Slide 35 text

1. Dependency inversion
2. Choose an abstraction between low-level and high-level objects
3. Share security practices and knowledge

Slide 36

Slide 36 text

Chart: Units of Effort over Time (axes: Effort, Time), series "No Dependency Inversion" and "Dependency Inversion". With dependency inversion you initially spend a month or two adding the abstraction; future changes to the security architecture then minimize refactoring of high-level applications and infrastructure. That is the benefit of “Shifting Security Left”!

Slide 37

Slide 37 text

Thank you!
Rosemary Wang (she/her), @joatmon08
joatmon08.github.io