Protecting sensitive data in modern multi-component systems

vixentael
September 12, 2018

💫 modern apps are multi-component; most data leaks are caused by poor architectural decisions,
💫 what the sensitive data life-cycle is,
💫 how to build a trust model for your app,
💫 what the typical trust patterns are,
💫 how to select proper security controls based on real-world risks.

--------------------------------------

If you can't tap on a link inside the slides, please open the deck as PDF (button on the right).

--------------------------------------

We will take a deep look into the data lifecycle, risk, trust and how they affect security architecture, encryption, and key management techniques. We will illustrate typical SDL patterns: narrowing trust, monitoring intrusions, zero knowledge architectures, distributing trust. The goal of the talk is to give a general thinking framework and enough ideas about tools for senior engineers to plan their solutions securely, regarding sensitive data contained within.


Transcript

  1. Protecting Sensitive Data in Modern Multi-Component Systems. @vixentael

  2. @vixentael: product engineer in security and cryptography; OSS maintainer (Themis, Acra); cryptographic tools, security consulting, training.

  3. Data protection tools to prevent leakage and comply with regulations.

  4. Cryptography and data protection.

  5. Plan: 1. Architectures and data leaks. 2. Sensitive data lifecycle. 3. SSDLC: defining trust, threats and risks to data. 4. Typical trust patterns. 5. Security controls: tips, tricks, tools.

  6. speakerdeck.com/vixentael/protecting-sensitive-data-in-modern-multi-component-systems

  7. Modern Applications are Multi-Component.

  8. AirBNB data infra: https://medium.com/airbnb-engineering/data-infrastructure-at-airbnb-8adfb34f169c

  9. LinkedIn 2011-2015: https://engineering.linkedin.com/architecture/brief-history-scaling-linkedin

  10. Netflix: https://medium.com/refraction-tech-everything/how-netflix-works-the-hugely-simplified-complex-stuff-that-happens-every-time-you-hit-play-3a40c9be254b

  11. Modern Applications are Multi-Component: different, complex, use-case oriented.

  12. Modern Applications are Multi-Component: different, complex, use-case oriented, and they operate sensitive data.

  13. So what?

  14. https://en.wikipedia.org/wiki/2012_LinkedIn_hack

  15. https://blog.linkedin.com/2016/05/18/protecting-our-members

  16. (no transcript text)

  17. twitter.com/c_pellegrino/status/981409466242486272

  18. (tweet from slide 17, continued)

  19. (tweet from slide 17, continued)

  20. https://www.itgovernance.co.uk/blog/quora-data-breach-affects-100-million-accounts

  21. [Chart: millions of records leaked per month, 2018/2019 (y-axis 0 to 1,800 mln records; months February through February). Source: https://www.itgovernance.co.uk/blog/category/cyber-security/]

  22. (chart from slide 21, repeated)

  23. https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/

  24. https://www.wired.com/story/2018-worst-hacks-so-far/ : credentials, geo-locations, health data, financial data, kids' locations, cars remote control, sex toys remote control.

  25. Most large leaks are caused by poor architectural decisions.

  26. Why? Wrong assumptions and trust models; no tests / penetration tests; lack of understanding of the data life cycle; GTD / speed.
  27. Sensitive Data Life Cycle.

  28. Sensitive data is any kind of data that will break the business objectives or prosperity of those who use the data, if leaked.

  29. Sensitive data depends on the business: personally identifiable information (PII), device logs and application data, medical & finance data, likes & preferences, … See https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

  30. Secure development lifecycle methodology: MS SDL (www.microsoft.com/en-us/sdl), OWASP S-SDLC (www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project). Stages: risk evaluation, risk assessment, threat model, security plan, secure coding, security verification, secure operations, incident response.

  31. [Diagram: example system layout. Components: web frontend, mobile frontend, web admin, users & orders, items, prediction service, 3rd party analytics, payment service, orders processing, logistics API, user actions analytics.]

  32. [Diagram: the same system, showing the data flow between components.]

  33. [Diagram: the same system, each component marked by what it does with data: input (i), processing (p), storage (s), output (o).]

  34. Data classification: more sensitive / less sensitive; valued for users / for business; regulated / non-regulated; at rest / in motion; available for users / admins / support.

  35. Risks to data: data leakage, tampering, unauthorized access; reputation risks; legal responsibility; financial damage.

  36. Data classification, example data kinds: users PII, users payments, items description, sales schedule, financial reports, users preferences, orders history, conversion analytics, TLS certs, AWS access, staff accounts, login history, db access, company accounts.

  37. Data classification: the same data kinds, each assigned a letter code (u, p, $, t, u', i) used in the diagrams that follow.

  38. [Diagram: the same system, each component annotated with the kinds of data it handles, using the letter codes from slide 37.]

  39. Can we protect everything everywhere?

  40. Can we protect everything everywhere? No.

  41. Can we protect everything everywhere? No. Instead: risk impact; trust and threats; attack vector prioritization.
  42. Trust model (per node): 1. What kind of data does it operate?

  43. Trust model (per node): 1. What kind of data does it operate? 2. Do we trust/control this node?

  44. Trust model (per node): 1. What kind of data does it operate? 2. Do we trust/control this node? 3. If it needs sensitive plaintext, who stores the keys?

  45. Trust model (per node): 1. What kind of data does it operate? 2. Do we trust/control this node? 3. If it needs sensitive plaintext, who stores the keys? 4. What are the security controls?

  46. [Diagram: the same system, each component annotated with a trust-level symbol (☠, ⚠, ❇).]

  47. Trust model helps to understand where to implement proper security controls that prevent risks.

  48. Security control: a practical implementation of a risk prevention technique in your code and infrastructure. Proactive: prevent risk. Reactive: detect incident; correct / limit damage.

  49. Proactive controls. Data security: encryption. Access security: authentication, firewalls, OS. Node security: firewalls, compartmentalization, OS.

  50. Reactive controls, detect. Data security: integrity checks, authenticated crypto. Access security: honeypots, access logging. Node security: IDS, monitoring.

  51. Reactive controls, limit damage. Data security: key management, backups. Access security: credential management, jailbans. Node security: infrastructural management.

  52. Infrastructural data protection 101: 1. Identify sensitive data, understand the sensitive data lifecycle, classify data. 2. Identify risks to data. 3. Build a trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high-risk vectors (to prevent risks and to identify leaks).
  53. Principle of least privilege (secure by default).

  54. (no transcript text)

  55. Patterns.

  56. “Everyone Knows Everything”

  57. “Everyone Knows Everything”: 1. Many components, everyone has access to the database via the same API. 2. API without auth (brute-force IDs to get info about objects). 3. Storing plaintext data. 4. Transferring all data back and forth (aka large JSON). 5. Transferring data in plaintext inside the infrastructure. 6. Storing all data in the same place. 7. Logging everything (including secrets). 8. No monitoring for non-legit access.

  58. (no transcript text)

  59. “Narrowing and controlling trust”

  60. “Narrowing and controlling trust”. Limit trust: 1. Echelonization. 2. Compartmentalization. 3. Verify trust (PKI).

  61. “Narrowing and controlling trust”. Limit data: 1. Pseudonymization. 2. Anonymization. 3. Minimize lifecycle and scope.

  62. “Narrowing and controlling trust”. Limit data: 4. Don’t store all data in one place. 5. Don’t send all data if only some piece is needed.

  63. “Narrowing and controlling trust”. Encrypt data: 1. Encrypt data for the exact use-case (to be accessible by specific users/systems). 2. Store keys in a trusted zone (KMS, Vault). 3. Proper key management: rotate, revoke, backup.

  64. “Narrowing and controlling trust”. Protect transport: 1. Separate API for each app. 2. Session handling, session expiration. 3. Encrypt transport inside the network. See https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html

  65. “Narrowing and controlling trust”. Monitor everything: 1. Access to critical data. 2. Access to keys. 3. Unusual behavior. 4. Honey pots / honey tokens.

  66. “Narrowing and controlling trust”, summary: limit trust; monitor everything; protect transport; limit data; encrypt data.
  67. “Zero Knowledge / No Knowledge”

  68. “Zero Knowledge Architecture”: ZKA is a design principle that enables software to provide services over protected client data without having unencrypted access to it.

  69. “Zero Knowledge Architecture”: E2EE clients.

  70. “Zero Knowledge Architecture”: E2EE clients; all operations on encrypted data: CRUD, control access to data from different users, search (in encrypted data).

  71. “Zero Knowledge Architecture”: authentication, data collaboration, messaging. See https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html

  72. The three patterns: Zero Knowledge Architecture; Narrowing and Controlling Trust; Everyone Knows Everything.

  73. Tips, tricks, tools.

  74. Cover maximum risks using minimum tools and processes. Add details when the system evolves.

  75. Firewalls / IDS: control and monitor the perimeter; control and monitor the intranet (between networks, between hosts); IDS & HIDS.

  76. Data firewalls: WAF, database firewalls, SQL firewalls.

  77. Data firewalls: Acra (https://github.com/cossacklabs/acra); GreenSQL (https://github.com/larskanis/greensql-fw); Hexatier (http://www.hexatier.com/); Oracle database firewall / TDE (http://www.oracle.com/).

  78. Acra – Oracle for Postgres/MySQL: cossacklabs.com/acra/, github.com/cossacklabs/acra/, marketplace.digitalocean.com/apps/acra

  79. SIEM: aggregate logs into a single point for further analysis; triggers on leaking assets; triggers on typical attacks; correlation analysis.

  80. Audit logs: on every access to sensitive data; non-falsifiable; easy to analyze. See https://cloud.google.com/logging/docs/audit/

  81. Data encryption: at-rest encryption; separated encryption and decryption; use different keys for different clients.
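Slide 63 (encrypt for the exact use-case, keep keys in a trusted zone, rotate them) and slide 81 (different keys for different clients) describe the key-management side of data encryption. The Go code below is an example added here, not code from the talk or from Acra/Themis: an in-memory `KeyRing` stands in for the KMS, each record is sealed with the client's newest key version under AES-256-GCM, the version goes into the record header so records sealed before a rotation remain readable, and the client id is bound as associated data. All type and function names are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KeyRing stands in for the trusted key zone (KMS/Vault): each client owns its own list of 256-bit
// key versions; the newest one seals new records, older ones still open records sealed before rotation.
type KeyRing map[string][][]byte
// Rotate adds a fresh random key version for the client and returns its version number.
func (r KeyRing) Rotate(client string) int {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	r[client] = append(r[client], k)
	return len(r[client]) - 1
}
// aead builds AES-256-GCM for one key version, refusing versions the client never had.
func (r KeyRing) aead(client string, version int) (cipher.AEAD, error) {
	if version < 0 || version >= len(r[client]) {
		return nil, errors.New("unknown key version for client " + client)
	}
	block, _ := aes.NewCipher(r[client][version]) // keys are always 32 bytes, so this cannot fail
	return cipher.NewGCM(block)
}
// Encrypt seals a record with the newest key as 4-byte version || 12-byte nonce || ciphertext+tag; the
// client id is bound as associated data, so a record copied into another client's row fails to open.
func (r KeyRing) Encrypt(client string, plaintext []byte) ([]byte, error) {
	version := len(r[client]) - 1 // -1 when the client has no key yet; aead rejects it
	g, err := r.aead(client, version)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	binary.BigEndian.PutUint32(out, uint32(version))
	rand.Read(out[4:16]) // fresh random nonce per record
	return g.Seal(out, out[4:16], plaintext, []byte(client)), nil
}
// Decrypt opens a record with the key version named in its header; wrong client, wrong key or tampering fails.
func (r KeyRing) Decrypt(client string, record []byte) ([]byte, error) {
	if len(record) < 16 {
		return nil, errors.New("record too short")
	}
	g, err := r.aead(client, int(binary.BigEndian.Uint32(record[:4])))
	if err != nil {
		return nil, err
	}
	return g.Open(nil, record[4:16], record[16:], []byte(client))
}
```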
  82. Encryption libraries should: ★ use strong & audited crypto ★ work everywhere ★ hide cryptographic details ★ be hard to misuse ★ have integration with key storage.

  83. Encryption libraries: libsodium (github.com/jedisct1/libsodium), themis (github.com/cossacklabs/themis), keyczar (github.com/google/keyczar), tink (github.com/google/tink).

  84. Data in motion protection: well-configured TLS and suitable per-use-case protocols.

  85. Data in motion protection / TLS: private keys RSA-2048 or ECDSA-256; obtain the certificate from a reliable CA; TLS v1.3-v1.2; use secure cipher suites (e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); ✅ enable Forward Secrecy; ✅ enable HSTS (web); rotate certificates often. See github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

  86. Data in motion protection / protocols: axolotl (github.com/whispersystems/libsignal-protocol-c), themis (github.com/cossacklabs/themis), noise (noiseprotocol.org).

  87. E2EE for data collaboration: Hermes (https://github.com/cossacklabs/hermes-core), ZeroKit (https://tresorit.com/zerokit).

  88. Honey pots: fake sensitive data records; fake accounts; vulnerable nodes with open ports; fake API calls / API tokens / keys; plus triggers. See https://hackernoon.com/poison-records-acra-eli5-d78250ef94f
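Slide 65 (monitor access to critical data, honey tokens) and slide 88 (fake sensitive records plus triggers) are reactive controls that build on the per-node trust model from slide 46. The Go code below is an example added here, not code from the talk or from Acra: it scans constructed JSON audit-log lines and alerts when a service reads a table the trust model does not grant it, or when any read touches a planted poison row. Service names, table names, the log format and the poison row id are all constructed for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// AccessEvent is one audit-log record: which service read which row of which table.
type AccessEvent struct {
	Service string `json:"service"`
	Table   string `json:"table"`
	RowID   string `json:"row_id"`
}
// Monitor joins two reactive controls: a per-service trust model and planted poison records (honey tokens).
type Monitor struct {
	Allowed map[string]map[string]bool // service -> tables it is trusted to read
	Poison  map[string]bool            // "table:row_id" of planted rows no legitimate code path reads
}
// Check returns the alerts raised by one event; nil means legitimate access.
func (m Monitor) Check(e AccessEvent) []string {
	var alerts []string
	if !m.Allowed[e.Service][e.Table] {
		alerts = append(alerts, fmt.Sprintf("trust violation: %s read %s", e.Service, e.Table))
	}
	if m.Poison[e.Table+":"+e.RowID] {
		alerts = append(alerts, fmt.Sprintf("poison record hit: %s/%s read by %s", e.Table, e.RowID, e.Service))
	}
	return alerts
}
// Scan walks a newline-delimited JSON audit log and collects every alert; a malformed line is an error.
func (m Monitor) Scan(auditLog string) ([]string, error) {
	var alerts []string
	for _, line := range strings.Split(strings.TrimSpace(auditLog), "\n") {
		var e AccessEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		alerts = append(alerts, m.Check(e)...)
	}
	return alerts, nil
}
// Constructed sample: a shop like the one in the slides, with a poison row planted in the PII table.
var sampleMonitor = Monitor{
	Allowed: map[string]map[string]bool{"payment-service": {"users_payments": true, "orders": true},
		"3rd-party-analytics": {"user_actions": true}, "web-admin": {"users_pii": true, "orders": true}},
	Poison: map[string]bool{"users_pii:u-00000": true},
}
// Constructed audit log: a legitimate read, analytics reading payments, and an admin touching the poison row.
const sampleLog = `{"service":"payment-service","table":"users_payments","row_id":"p-10432"}
{"service":"3rd-party-analytics","table":"users_payments","row_id":"p-10432"}
{"service":"web-admin","table":"users_pii","row_id":"u-00000"}`
```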
  89. OWASP guidelines: Web Application Security Guidance (https://www.owasp.org/index.php/Web_Application_Security_Guidance); Secure Coding Cheat Sheet (https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet); Secure Coding Practices Quick Reference Guide (https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide); Password Storage Cheat Sheet (https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet).

  90. Summary.

  91. Infrastructural data protection 101 (the five steps from slide 52, repeated).

  92. It is secure. It’s not broken yet.

  93. Home reading :) Security as a Product (https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27); Insecure Transit - Microservice Security (https://samnewman.io/talks/insecure-transit-microservice-security/); 12 and 1 ideas how to enhance backend data security (https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88); How to prevent database leaks and injections (https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614).

  94. My other security slides: github.com/vixentael/my-talks

  95. @vixentael: product engineer in security and cryptography; OSS maintainer (Themis, Acra); cryptographic tools, security consulting, training.

  96. Image credits: www.flaticon.com. Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs.