
Security in Microservices Environments @WJAX2016


Simon Kölsch

November 10, 2016

Transcript

  1. DMZ: “In computer security, a DMZ or demilitarized zone [..] is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a usually larger and untrusted network, usually the Internet.”
  2. Better “DMZ”: “In computer security, a DMZ or demilitarized zone [..] is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a usually larger and untrusted network, usually the Internet.” (the slide crosses out “the Network”)
  3. AWS Security Groups
     - Security groups: act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
     - Network access control lists (ACLs): act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
     - Flow logs: capture information about the IP traffic going to and from network interfaces in your VPC
  4. Authentication
     - Identity types
     - End user? -> Active login needed?
     - Functional accounts / services? -> Certificate may be sufficient, usually no session required
     - It’s about trust
     - Who uses my service/API? API tokens?
  5. Single Sign On
     - Existing infrastructure
     - SAML
     - CAS
     - OpenID Connect
     - System-specific identity provider?
     - Single sign out / switch user?
  6. Session or no session?
     - We are talking about sessions, not state!
     - Can the user log out?
     - Disable a user immediately?
  7. Session Handling
     - Session identifier stored at the client (server state)
     - Session data completely serialised at the client (server stateless)
     - Custom
     - Plain JWT
  8. JWT Example (header and body, i.e. the claims)

     ```json
     { "typ": "JWT", "alg": "HS256" }
     {
       "iss": "http://server.example.com",
       "sub": "248289761001",
       "aud": "s6BhdRkqt3",
       "exp": 1311281970,
       "iat": 1311280970,
       "nonce": "n-0S6_WzA2Mj",
       "name": "Jane Doe",
       "given_name": "Jane",
       "family_name": "Doe",
       "gender": "female",
       "birthdate": "0000-10-31",
       "email": "[email protected]",
       "email_verified": {"essential": true}
     }
     ```
  9. JWT Example Encoded (header.payload.signature)

     ```text
     eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
     eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNvbSIsIm5iZiI6MTQyOTY5MzY3MSwiZXhwIjoxNDI5Njk3MjcxLCJpYXQiOjE0Mjk2OTM2NzEsImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3RlciJ9.
     A3DVPjcIeQPGOkMcABwAe_8lWHvPG9dFhNyskwVfsxILt6SKtYGxYz0m7V-DjzjYLXqzSwycwlRJBuYr_vdLRA9aoGsGQpP5-SAiA5SdLMMk3MMZTIoSHgZrC8TeZx8bJBlPzkSu91dJIuzKI8PRPp3DH8Tum-XDsCmqu3_uIl2633Mb1Bg4HKEz-q2L2Y6k2Z1bqFxRn2GfV3ziQ8uqGOp3V_UlwvPccX8F3m-qe3MrF5aPSFGoU9bZDcQcBQ2ypGTluBNYnPzuMx9EdETPJ0IxA1awgP74tFS27rt8KLUDnBvWVATNfYDFrqAcFCjzk49znd4JLvNObbDebka3_g
     ```
  10. Points to consider
     - Token storage: cookie vs. local store
     - Token size
     - Token expiration
     - Key management
     - Token scope
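An added example, not from the deck, of the “session data completely serialised at the client” variant from slides 7 to 10: a minimal HS256 JWT issue/verify pair using only the standard library, with the server pinning the algorithm, comparing the signature in constant time, and enforcing audience and expiry. The key and timestamps are constructed demo values; a real deployment gets the key from its key-management setup (slide 12).

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Serialise the session completely at the client: HS256 over header.payload."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_jwt(token: str, key: bytes, audience: str, now: int) -> dict:
    """Return the claims only if algorithm, signature, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm on the server side; never let the token choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims

def verification_error(token: str, key: bytes, audience: str, now: int):
    """Helper: the rejection reason, or None when the token is accepted."""
    try:
        verify_jwt(token, key, audience, now)
        return None
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed demo value, not a real secret
    claims = {"iss": "http://server.example.com", "sub": "248289761001", "aud": "s6BhdRkqt3",
              "exp": 1311281970, "iat": 1311280970}
    token = sign_jwt(claims, key)
    print(verification_error(token, key, "s6BhdRkqt3", now=1311281000))  # None: accepted
    print(verification_error(token, key, "s6BhdRkqt3", now=1311281970))  # token expired or has no exp
```

Because the whole session lives in the token, revoking it before `exp` (slide 6: “disable a user immediately?”) needs extra server-side state such as a block list.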
  11. OAuth 2
     - RFC 6749: “The OAuth 2.0 Authorization Framework”
     - “[..] enables a third-party application to obtain limited access to an HTTP service [..]”
     - “Authentication”? Did you mean OpenID Connect?
  12. Managing Secrets
     - Store secrets (HSM?)
     - Log access to secrets
     - Automated key rotation, etc.
     - Use a product: Keywhiz, Vault
  13. Vault Setup (architecture diagram): Clients (CLI) -> Vault Service (HTTP API) -> Storage Backend; a second diagram shows the same with an Active and a Standby Vault Service in front of the Storage Backend.
  14. Vault Backends
     - Generic secrets
     - Database backends
     - SSH
     - Transit
     - PKI (X.509 certificates)
     - Others
  15. Your Platform's Features
     - Kubernetes (“Secret” object)
     - AWS (Amazon Key Management Service)
     - (Ansible provisioning) Ansible Vault (pre-shared key)
     - Mesos, etc.
  16. If you are using TLS…
     - Check your entropy
     - Do regular load tests
     - Check cipher support for components
  17. If you are using TLS…
     - Check your entropy
     - Do regular load tests
     - Check cipher support for all components
     - Don’t turn it off on your test environment
     - Maintain certificates
  18. Simon Kölsch | @simkoelsch | [email protected] | innoQ Deutschland GmbH / innoQ Schweiz GmbH | www.innoq.com. Thank you! Questions? Comments?