"Defense in depth": trench warfare principles for building secure distributed applications

Transcript

1. "Defense in Depth"
   @vixentael
   trench warfare principles for building
   secure distributed applications
   

   View Slide

2. @vixentael
   product engineer in security
   and cryptography
   OSS maintainer: Themis, Acra
   cryptographic tools, security
   engineering, datasec training
   

   View Slide

3. Bespoke data security solutions
   and security engineering.
   

   View Slide

4. speakerdeck.com/vixentael/
   defense-in-depth-trench-warfare-
   principles-for-building-secure-
   distributed-applications
   @vixentael
   

   View Slide

5. Plan for next 40 mins:
   1. Intro (OWASP, GDPR, US department of defense)
   @vixentael
   2. Threats in common distributed architectures
   3. Defense in Depth for data: why, when, how
   4. Acra as example of DiD approach
   5. Existing tools and solutions
   6. Outro and links
   

   View Slide

6. @vixentael
   

   View Slide

7. users (upset, angry)
   regulations (fines, GDPR, HIPAA, PCI DSS, DPB)
   @vixentael
   Why care anyway?
   business continuity (fines, competitors, legal)
   service providers are pushing (Google, Apple)
   

   View Slide

8. GDPR
   @vixentael
   Article 32/35: responsibly store and process
   data according to risks

   

   Article 33/34: detecting data leakage and
   alert users & controller
   https://gdpr-info.eu/
   

   View Slide

9. @vixentael
   https://gdpr-info.eu/
   Article 32
   

   View Slide

10. @vixentael
    US Department of Defense
    

    View Slide

11. @vixentael
    US Department of Defense
    https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/
    DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFT
    WARE_2018.04.20.PDF
    

    View Slide

12. @vixentael
    Google
    https://support.google.com/cloud/answer/9110914
    

    View Slide

13. OWASP Top-10 web risks
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project @vixentael
    • Injection
    • Broken Authentication and
    Session Management
    • Sensitive Data Exposure
    • XML External Entity
    • Broken Access Control
    • Security Misconfiguration
    • Cross-Site Scripting
    • Insecure deserialization
    • Using Components With
    Known Vulnerabilities
    • Insufficient Logging and
    Monitoring
    

    View Slide

14. @vixentael
    Data & risks
    PII
    User data Service data
    likes, preferences
    purchase history
    logs
    keys, accesses, API tokens
    backups
    configurations
    locations
    

    View Slide

15. @vixentael
    Data & risks
    compliance risks
    legal risks
    reputational risks
    continuity risks
    User data Service data
    reputational risks
    https://medium.com/@cossacklabs/trick-or-threat-
    security-losses-for-business-f5b44243d89c
    

    View Slide

16. Most users trust sensitive data
    to your app regardless of
    how well you protect it.
    

    View Slide

17. @vixentael
    Typical web architecture
    

    View Slide

18. @vixentael
    

    View Slide

19. @vixentael
    Potential attacks
    

    View Slide

20. @vixentael
    

    View Slide

21. @vixentael
    
    But we know many
    security controls!
    

    View Slide

22. @vixentael
    encryption &
    key mngmt
    AAA
    WAF
    honey pots
    IDS
    infra mngmt
    compartmentalization
    authenticated crypto &

    integrity checks
    access logging
    jailbans
    monitoring
    data firewall
    SIEM
    HIDS
    DAST
    SAST
    KMS
    HSM
    PKI
    TPM
    honey tokens
    RTFM
    dep mngmt
    UEBA
    IAM
    TLS
    TDE
    

    View Slide

23. @vixentael
    Band-aid security model
    

    View Slide

24. Band-aid security model == Perimeter security
    
    @vixentael
    

    View Slide

25. Band-aid security model == Perimeter security
    
    @vixentael
    

    View Slide

26. @vixentael
    

    View Slide

27. @vixentael
    Band-aid security model
    

    View Slide

28. @vixentael
    Band-aid security model: risks
    

    View Slide

29. Defense in Depth –
    independent, yet interconnected,
    set of security controls
    aimed at mitigating multiple risks
    during the whole application flow
    

    View Slide

30. @vixentael
    1. Security controls do protect data globally 

    (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense layer.
    3. For most popular attack vectors, we want as many
    independent defenses as possible.
    Align security controls
    

    View Slide

31. use cryptography
    as global
    protection layer
    

    View Slide

32. @vixentael
    Decryption proxy — web, mobile
    E2EE – mobile, IoT
    

    View Slide

33. @vixentael
    Decryption proxy
    

    View Slide

34. @vixentael
    Predictable data flow
    2. Write encrypted data to the database.
    3. Read data from the database via decryption
    proxy.
    1. Separated encryption and decryption.
    

    View Slide

35. @vixentael
    Show me real things!
    
    

    View Slide

36. @vixentael
    Writing data flow
    

    View Slide

37. @vixentael
    Reading data flow
    

    View Slide

38. @vixentael
    Key model
    unique per user/app
    public key
    

    View Slide

39. @vixentael
    Key model
    unique per user/app
    public key
    private keys 

    (KMS, HSM)
    

    View Slide

40. @vixentael
    Key model
    unique per user/app
    public key
    private keys 

    (KMS, HSM)
    can’t decrypt
    can’t decrypt
    

    View Slide

41. @vixentael
    Key model IRL
    

    View Slide

42. @vixentael
    1. DB doesn’t know the nature of data.
    
    2. App doesn’t have a way to decrypt data.
    System compromise
    

    View Slide

43. @vixentael
    Encryption itself is not enough
    

    View Slide

44. @vixentael
    encryption &
    key mngmt
    AAA
    WAF
    honey pots
    IDS
    infra mngmt
    compartmentalization
    authenticated crypto &

    integrity checks
    access logging
    jailbans
    monitoring
    data firewall
    SIEM
    HIDS
    DAST
    SAST
    KMS
    HSM
    PKI
    TPM
    honey tokens
    RTFM
    dep mngmt
    UEBA
    IAM
    TLS
    TDE
    

    View Slide

45. @vixentael
    Encryption itself is not enough
    github.com/cossacklabs/acra/
    

    View Slide

46. @vixentael
    1. DB doesn’t know the nature of data.
    
    2. App doesn’t have a way to decrypt data.
    
    3. Data is being watched: key management, SQL
    firewall, monitoring, access control, audit logs.
    System compromise
    

    View Slide

47. @vixentael
    System compromise
    The only way to attain plaintext from DB – 

    to request it through decryption proxy.
    

    View Slide

48. @vixentael
    System compromise
    Or:
    
    compromise the backend app 

    & compromise SQL firewall
    
    & compromise proxy and key store
    
    & get around logs, SIEM, honey pots
    The only way to attain plaintext from DB – 

    to request it through decryption proxy.
    

    View Slide

49. @vixentael
    Lines of defense
    

    View Slide

50. @vixentael
    

    View Slide

51. Defense in Depth =
    global security controls 

    + band aid security tools.
    

    View Slide

52. @vixentael
    

    View Slide

53. @vixentael
    How to build?
    1. Build on your own (start from design).
    

    View Slide

54. @vixentael
    How to build?
    1. Build on your own (start from design).
    2. Use boxed solutions (Oracle).
    

    View Slide

55. @vixentael
    How to build?
    1. Build on your own (start from design).
    2. Use boxed solutions (Oracle).
    3. Build using existing tools:

    DB + Acra + SIEM + WAF

    DB + GreenSQL + libsodium + own decryption proxy + IDS +
    SIEM + WAF

    DB + Acra + AWS + SIEM
    

    View Slide

56. @vixentael
    Acra Community Edition
    cossacklabs.com/acra/
    github.com/cossacklabs/acra/
    marketplace.digitalocean.com/apps/acra
    

    View Slide

57. Covered Top-10 web risks
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project @vixentael
    • Injection
    • Broken Authentication and
    Session Management
    • Sensitive Data Exposure
    • XML External Entity
    • Broken Access Control
    • Security Misconfiguration
    • Cross-Site Scripting
    • Insecure deserialization
    • Using Components With
    Known Vulnerabilities
    • Insufficient Logging and
    Monitoring
    

    View Slide

58. Key points
    

    View Slide

59. @vixentael
    1. Security ==
    
    
    2. Defense in Depth == independent, yet
    interconnected controls.
    
    3. Cryptography == good core level for DiD.
    
    4. Ready-to-use tools exist. Use them.
    

    View Slide

60. Reading, watching
    

    View Slide

61. https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-
    security-4b8ceb5ccb88
    12 and 1 ideas how to enhance backend data security
    https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-
    be3743af7614
    How to prevent database leaks and injections
    https://www.cossacklabs.com/blog/defense-in-depth-with-acra.html
    Building Defence in Depth for your data using Acra
    https://samnewman.io/talks/insecure-transit-microservice-security/
    Insecure Transit - Microservice Security
    

    View Slide

62. @vixentael
    cryptographic tools, security
    consulting, training
    github.com/vixentael/
    my-talks
    

    View Slide