Slides of my talk at the RENCONTRES DE LA SECURITE conference in Luxembourg in 2023.
https://rencontres-securite.lu/
CYBERSECURITY YOU CAN TRUST

Discovery of the Cloud Native applications from an application security perspective.

Dominique Righetto
Intrusion & Application Security team
Excellium Luxembourg entity
Copyright © 2023 - Excellium Services SA. All rights reserved.

📝 Convention: Cloud Native Application will be called CNA.
🤔 Question: Which aspects of the security of an application change when that application is intended to be a Cloud Native one?
📋 Properties of a CNA?
• Leverage a maximum of services provided by a Cloud provider to focus on the added-value aspect of the application.
• It is a distributed system by design.
• It is stateless to facilitate easy horizontal scaling in and out.
• It is composed of several dedicated parts:
  • Each one leveraging the most effective Cloud feature according to its business/technical objective.
  • A part can be a serverless function or a collection of microservices hosted in containers managed by a container orchestrator.
• Its design and implementation anticipate the kinds of issues that can occur in a Cloud-based environment.
  💡 Example: short network disruptions, so CNAs have built-in "retry" mechanisms.
[Diagram slide: Part 1 | Part 2 | Part 3 | Part 4]
📍 Challenges brought by a CNA?
• The global security posture of the CNA is defined by the sum of the security postures of each part.
• Each part must have the same security level.
• Security cannot be handled anymore by a single app layer (ex: service layer).
• Logging must be unified across all parts in terms of information used and format.
• User-triggered events need to be correlated across all parts.
• Each part will be developed and operated by a separate DevOps team.
• Each DevOps team has its own:
  • Maturity and knowledge in terms of application security.
  • Development velocity and timeline.
  • Development methodology and process.
  • Technology stack.
🧭 Cartography in a CNA?
• Each part will evolve on a different timeline or at a different velocity.
• This requires managing different versions of a part to ensure the whole CNA keeps running correctly.
🏡 CNA & the common layer
• A common property of all parts of a CNA is the following:
  • Almost all microservices will run in a container managed by a container orchestrator.
  • Almost all serverless functions will run in a context in which processing can be applied to the in/out flow.
• 💡 Idea n°1: Leverage the execution environment, when possible.
• 💡 Idea n°2: Add security aspects at the execution environment level instead of asking a DevOps team to add them at the level of the part itself.
• 💡 Idea n°3: Leverage a maximum of the built-in security features provided by the web framework used.
• The DevOps team can continue to focus on the business purpose of its part of the CNA.
• The DevOps team is not disturbed (or as little as possible) by additional security-related work and tasks.

Legend:
🏭 Container orchestrator level.
📦 Service mesh level.
💻 Application level (code or CI/CD pipeline).
📍 Source for the areas: OWASP Top 10 Proactive Controls.
💭 The case of containerized microservices managed by an orchestrator was taken here because it is available in "on-prem" or "cloud-service" mode.
🏭📦 For the serverless case: the security-related processing can be added via the "extensions" and "configuration" features.
👩‍💻 POC to validate my proposal
• 🎯 Achieve the following security aspects using only the Kubernetes or Istio security features:
  • Authentication via a JWT (JSON Web Token).
  • Authorization via the claims of the JWT.
• 🚨 Nothing implemented at application level!

Authentication rules
• For both apps, the JWT token provided must:
  ✓ Be issued by the "excellium-ias" issuer.
  ✓ Be signed with the RSA private key associated with the public key shown on the slide.

Authorization rules
• For App1:
  ✓ A valid JWT token must be provided.
  ✓ The audience claim of the token must be intended for app1.
• For App2:
  ✓ A valid JWT token must be provided.
  ✓ The audience claim of the token must be intended for app2.
  ✓ The custom claim named ispartner must be set to Yes.
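As an added example (not the slides' own manifests), here is how the authentication and authorization rules above can be expressed with Istio alone: one namespace-wide RequestAuthentication for the issuer and signing key, and one AuthorizationPolicy per app. The namespace `poc`, the `app=app1` / `app=app2` workload labels and the JWKS placeholder values are assumptions.

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: excellium-ias-jwt
  namespace: poc   # assumed namespace; no selector, so it applies to every workload in it
spec:
  jwtRules:
  - issuer: "excellium-ias"
    # Inline JWKS carrying the RSA public key from the slide; <...> values are placeholders.
    jwks: '{"keys":[{"kty":"RSA","alg":"RS256","kid":"<KID-PLACEHOLDER>","n":"<MODULUS-PLACEHOLDER>","e":"AQAB"}]}'
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app1-require-jwt   # App1: valid token from the issuer above, audience "app1"
  namespace: poc
spec:
  selector:
    matchLabels:
      app: app1            # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # Only set when a token was present AND validated; RequestAuthentication alone admits token-less requests.
        requestPrincipals: ["excellium-ias/*"]
    when:
    - key: request.auth.audiences
      values: ["app1"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app2-require-partner-jwt   # App2: same as App1, plus the custom claim ispartner=Yes
  namespace: poc
spec:
  selector:
    matchLabels:
      app: app2            # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["excellium-ias/*"]
    when:
    - key: request.auth.audiences
      values: ["app2"]
    - key: request.auth.claims[ispartner]
      values: ["Yes"]
```

Once an ALLOW policy selects a workload, every request matching none of its rules is denied, so a missing token, wrong audience or missing claim yields HTTP 403, while a token failing signature or issuer validation is already rejected by RequestAuthentication with HTTP 401.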
❌ At this stage, both instances of the apps are deployed but without any authentication and authorization rules…
🤔 At this stage, authentication and authorization rules were applied and seem effective…
🔬 I need to validate that they are really effective!
✅ Authentication and authorization rules are effective for app1.
✅ Authentication and authorization rules are effective for app2 too.
👀 Conclusion
• Cloud Native Applications change the core structure of what an "application" is by exploding it into several parts.
• Each of them has its own lifecycle, technology stack, team, and security maturity.
• It is important to leverage the new security features provided by the common layer.
• Make the security level consistent across all parts, and do it in the most transparent way for Dev and Ops teams.
Questions & answers
We are open to any suggestions. Don't hesitate if you have some questions.
🌎 All sources used are mentioned on additional slides.
📚 Sources & references
• https://www.amazon.fr/Cloud-Native-Containers-Next-generation-Applications/dp/1492053821/ref=sr_1_1
• https://www.amazon.fr/Understanding-Kubernetes-visual-way-sketchnotes/dp/B0BB619188/ (https://twitter.com/aurelievache)
• https://twitter.com/abhaybhargav 💡 https://twitter.com/abhaybhargav/status/1662146295962673153
• https://www.we45.com/ - https://www.appsecengineer.com/
📖 Extra
• Why Kubernetes native instead of cloud native?
• Serverless Containers in Kubernetes environments
www.excellium-services.com
https://ccp.excellium-services.com
Excellium Services S.A., 5 rue Goell, L-5326 Contern
Excellium Services Belgium N.V., Orion Bldg, Belgicastraat 13, B-1930 Zaventem, Belgium