How We Harden Platform Security at Mercari

How We Harden Platform Security CloudNative Days Tokyo 2021

Taichi Nakashima @deeeet / @tcnksm Engineering head of Developer Productivity
Engineering

https://e34.fm

Table of Contents  • Microservices Platform Overview • 3 Cases
of Harden Platform Security ◦ Multi Tenant Security ◦ Production Operation Security ◦ Supply Chain Security • Lessons Learned

Microservices Platform Overview

Service C Service D Service B Service E Service A
Mercari and Merpay Microservices Google Kubernetes Engine 200+ Microservices 4000+Kubernetes Pods 2 main business

Service A Team Mercari SRE Merpay SRE Service A Service
B Team Service B Service C Team Service C Work closely or embedded Platform Platform Team

Harden Platform Security

Base Principle: Shared Responsibility 

Base Principle: Defense in Depth 

Harden Platform Security  • Multi-tenant Security • Production Operation Security
• Supply Chain Security

Multi-tenancy  Multi-tenancy is architecture pattern which, instead of building platforms
per business or services, prepares isolated tenant per services and hosts them together on single platform. While multi-tenancy increase complexity, you can avoid reinventing wheels in the organization, reduce the operational costs, and leverage improvements to all.

Principle: Least Privilege  Least privilege means human user or workload
must be able to access only resources that are necessary for its legitimate purpose. In multi-tenancy context, it’s important to make sure only tenant owners are able to access its tenant’s resources.

Multi-tenant Least Privileges on  • Kubernetes Cluster • Infrastructure as
Code (IaC) Monorepo and Build System

Service A Namespace Kubernetes Cluster Service B Namespace System Namespace
Container A Container A Resources Container A Container A Resources Container A Container A Resources Service A Team ✅ RBAC 🚫 🚫

Multi-tenant Least Privileges on  • Kubernetes Cluster • Infrastructure as
Code (IaC) Monorepo and Build System

CI System Build System Service A Tenant Container A Container
A Resources CI System Service B Tenant Container A Container A Resources CI System System Tenant Container A Container A Resources IaC Monorepo Service A Team Service B Team Platform Team PR Conﬁgure

Service A Team ✅ CODEOWNER 🚫 🚫 /service-a module.tf google_spanner_database.tf
google_storage_bucket.tf ... /service-b module.tf google_bigquery_dataset.tf google_pubsub_topic.tf ... /system module.tf google_container_cluster.tf google_compute_firewall.tf ... Infra as Code Monorepo

A Resources CI System Service B Tenant Container A Container A Resources CI System System Tenant Container A Container A Resources IaC Monorepo Service A Team Service B Team Platform Team PR Conﬁgure

A Resources Build Account IAM CI System Service B Tenant Container A Container A Resources CI System System Tenant Container A Container A Resources IAM IAM

A Resources Service A Account (Keyless) Build Account (keyless) CI System Service B Tenant Container A Container A Resources CI System System Tenant Container A Container A Resources Impersonate IAM Service B Account (Keyless) IAM Impersonate System Account (Keyless) IAM Impersonate

A Resources CI System Service B Tenant Container A Container A Resources CI System System Tenant Container A Container A Resources Short-lived token 🚫 🚫 ✅ Impersonate IAM Service A Account (Keyless) Build Account (keyless)

https://sre.google/books/building-secure-reliable-systems/

Goal: Zero Touch Production  The speciﬁc goal of these interfaces—like
Zero Touch Production (ZTP) ,..., is to make Google safer and reduce outages by removing direct human access to production roles. Instead, humans have indirect access to production through tooling and automation that make predictable and controlled changes to production infrastructure. - Building Secure and Reliable Systems, Chapter 5

Service A Team Service A Namespace Kubernetes Cluster Container A
Container A Resources View Edit IaC Repository +Build System Service B Namespace System Namespace

Container A Resources View Edit Edit IaC Repository +Build System Temporary Role Grant Service B Namespace System Namespace

Container A Resources View Edit Edit Edit IaC Repository +Build System Automated Workﬂows Temporary Role Grant Service B Namespace System Namespace

Source Build Deploy Registry Cluster Dependency

Source Build Deploy Registry Cluster Dependency Compromise build system Compromise
artifact registry Inject bad container image Bypass code review Inject bad/vulnerable dependency Compromise source control system Alter code Compromise deploy system Use bad image

Practice: Verify Artifacts, Not Just People The controls around the
source, build, and test infrastructure have limited effect if adversaries can bypass them by deploying directly to production. It is not sufﬁcient to verify who initiated a deployment, because that actor may make a mistake or may be intentionally deploying a malicious change. Instead, deployment environments should verify what is being deployed. - Building Secure and Reliable Systems, Chapter 14

Source Build Deploy Registry Metadata Cluster Kritis Dependency ✅ Sign
Check

Lessons Learned

Secure By Default  Security hardening = “migration” takes lots of
time and costs... Build the security policy by allowlist, instead of denylist!

Build Abstraction  Hide infrastructure and security complexity from the developers
and control them centrally in background by experts. Make the future migration easy!

Example abstraction built internally at Mercari with CUE

Thank you!

We are Hiring! https://careers.mercari.com/search-jobs/

How We Harden Platform Security at Mercari

How We Harden Platform Security at Mercari

More Decks by taichi nakashima

Other Decks in Technology

Featured

Transcript