Protecting sensitive data in modern multi-component systems

Transcript

1. Protecting Sensitive Data
   in Modern Multi-Component Systems
   @vixentael
   

   View Slide

2. @vixentael
   product engineer in security
   and cryptography
   OSS maintainer: Themis, Acra
   cryptographic tools, security
   consulting, training
   

   View Slide

3. Data protection tools to prevent leakage
   and comply with regulations.
   

   View Slide

4. @vixentael
   Cryptography
   and data protection
   

   View Slide

5. 1. Architectures and data leaks.
   2. Sensitive data lifecycle.
   3. SSDLC – defining trust, threats and risks to
   data.
   4. Typical trust patterns.
   5. Security controls: tips, tricks, tools
   @vixentael
   Plan
   

   View Slide

6. speakerdeck.com/vixentael/
   protecting-sensitive-data-in-
   modern-multi-component-systems
   @vixentael
   

   View Slide

7. @vixentael
   Modern Applications are
   Multi-Component
   

   View Slide

8. @vixentael
   https://medium.com/airbnb-engineering/data-infrastructure-at-airbnb-8adfb34f169c
   AirBNB data infra
   

   View Slide

9. @vixentael
   LinkedIn 2011-2015
   https://engineering.linkedin.com/architecture/brief-history-scaling-linkedin
   

   View Slide

10. @vixentael
    Netflix
    https://medium.com/refraction-tech-everything/how-netflix-works-the-hugely-
    simplified-complex-stuff-that-happens-every-time-you-hit-play-3a40c9be254b
    

    View Slide

11. @vixentael
    Modern Applications are
    Multi-Component
    Different. Complex. Use-case oriented.
    

    View Slide

12. – Operate sensitive data.
    @vixentael
    Modern Applications are
    Multi-Component
    Different. Complex. Use-case oriented.
    

    View Slide

13. @vixentael
    So what?
    

    View Slide

14. @vixentael
    https://en.wikipedia.org/wiki/2012_LinkedIn_hack
    

    View Slide

15. @vixentael
    https://blog.linkedin.com/2016/05/18/protecting-our-members
    

    View Slide

16. @vixentael
    

    View Slide

17. twitter.com/c_pellegrino/status/981409466242486272 @vixentael
    

    View Slide

18. twitter.com/c_pellegrino/status/981409466242486272 @vixentael
    

    View Slide

19. twitter.com/c_pellegrino/status/981409466242486272 @vixentael
    

    View Slide

20. https://www.itgovernance.co.uk/blog/quora-data-breach-affects-100-million-accounts @vixentael
    

    View Slide

21. @vixentael
    mln records
    0
    360
    720
    1,080
    1,440
    1,800
    February April June August October December February
    https://www.itgovernance.co.uk/blog/category/cyber-security/
    Million of records leaked per month
    2018/2019
    

    View Slide

22. @vixentael
    mln records
    0
    360
    720
    1,080
    1,440
    1,800
    February April June August October December February
    https://www.itgovernance.co.uk/blog/category/cyber-security/
    Million of records leaked per month
    2018/2019
    

    View Slide

23. @vixentael
    https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/
    

    View Slide

24. @vixentael
    https://www.wired.com/story/2018-worst-hacks-so-far/
    credentials
    geo-locations
    health data
    financial data
    kids locations
    cars remote control
    sex toys remote control
    

    View Slide

25. @vixentael
    Most large leaks are caused
    by poor architectural decisions.
    

    View Slide

26. @vixentael
    wrong assumptions and trust models
    no tests / penetration tests
    lack of understanding the data life cycle
    GTD / speed
    Why?
    

    View Slide

27. @vixentael
    Sensitive Data
    Life Cycle
    

    View Slide

28. @vixentael
    is any kind of data, that will break
    business objectives or prosperity of those
    who use data, if leaked.
    Sensitive data –
    

    View Slide

29. @vixentael
    Sensitive data depends on business
    personally identifiable information (PII)
    device logs and application data
    medical & finance data
    likes & preferences
    …
    https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html
    

    View Slide

30. @vixentael
    Secure development
    lifecycle methodology
    MS SDL
    OWASP S-SDLC
    www.microsoft.com/en-us/sdl
    www.owasp.org/index.php/
    OWASP_Secure_Software_Development_
    Lifecycle_Project
    Risk evaluation
    Risk assessment
    Threat model
    Security plan
    Secure coding
    Security verification
    Secure operations
    Incident response
    

    View Slide

31. @vixentael
    web
    frontend
    users &
    orders
    mobile
    frontend
    web
    admin
    prediction
    service
    3rd party
    analytics
    items
    payment
    service
    orders
    processing
    logistics API
    user actions
    analytics
    layout
    

    View Slide

32. @vixentael
    web
    frontend
    users &
    orders
    mobile
    frontend
    web
    admin
    prediction
    service
    3rd party
    analytics
    items
    payment
    service
    orders
    processing
    logistics API
    user actions
    analytics
    flow
    

    View Slide

33. @vixentael
    web
    frontend
    users &
    orders
    mobile
    frontend
    web
    admin
    prediction
    service
    3rd party
    analytics
    items
    payment
    service
    orders
    processing
    logistics API
    user actions
    analytics
    actions
    i
    i
    o o
    p
    i
    p s
    s
    input processing
    storage
    output
    p
    

    View Slide

34. @vixentael
    Data classification
    more sensitive / less sensitive
    valued for users / for business
    regulated / non-regulated
    at rest / in motion
    available for users / admins / support
    

    View Slide

35. @vixentael
    data leakage,
    tampering,
    unauthorized
    access
    reputation risks
    legal responsibility
    financial damage
    Risks to data
    

    View Slide

36. @vixentael
    Data classification
    users PII users payments
    items description
    sales schedule
    financial reports
    users preferences orders history
    conversion analytics
    TLS certs AWS access
    staff accounts
    login history
    db access
    company accounts
    

    View Slide

37. @vixentael
    Data classification
    users PII
    users payments
    items description
    sales schedule
    financial reports
    users preferences
    orders history
    conversion analytics
    TLS certs
    AWS access
    staff accounts
    login history
    db access
    company accounts
    u
    p
    $
    t
    u’
    i
    

    View Slide

38. @vixentael
    web
    frontend
    users &
    orders
    mobile
    frontend
    web
    admin
    prediction
    service
    3rd party
    analytics
    items
    payment
    service
    orders
    processing
    logistics API
    user actions
    analytics
    kinds of data
    i
    i
    o o
    p
    i
    p s
    s
    u
    u
    p
    $
    $
    $
    p
    u
    t $
    u u’
    i
    u
    p
    

    View Slide

39. @vixentael
    Can we protect
    everything everywhere?
    

    View Slide

40. @vixentael
    – No.
    Can we protect
    everything everywhere?
    

    View Slide

41. @vixentael
    Can we protect
    everything everywhere?
    – No.
    – Risks impact
    – Trust and threats
    – Attack vectors
    prioritization
    

    View Slide

42. @vixentael
    Trust model (per node)
    1. What kind of data it operates?
    

    View Slide

43. @vixentael
    Trust model (per node)
    1. What kind of data it operates?
    2. Do we trust/control this node?
    

    View Slide

44. @vixentael
    Trust model (per node)
    1. What kind of data it operates?
    2. Do we trust/control this node?
    3. If needs sensitive plaintext, who stores the keys?
    

    View Slide

45. @vixentael
    Trust model (per node)
    1. What kind of data it operates?
    2. Do we trust/control this node?
    3. If needs sensitive plaintext, who stores the keys?
    4. What are security controls?
    

    View Slide

46. @vixentael
    web
    frontend
    users &
    orders
    mobile
    frontend
    web
    admin
    prediction
    service
    3rd party
    analytics
    items
    payment
    service
    orders
    processing
    logistics API
    user actions
    analytics
    trust model
    ☠
    ☠
    ☠
    ⚠
    ❇
    ⚠
    ⚠
    ⚠
    ⚠
    ⚠ ⚠
    

    View Slide

47. @vixentael
    Trust model helps to understand
    where to implement proper
    security controls that prevent risks.
    

    View Slide

48. @vixentael
    Security control –
    a practical implementation of risk prevention
    technique in your code and infrastructure.
    Reactive: 

    - detect incident

    - correct / limit damage
    Proactive: 

    - prevent risk
    

    View Slide

49. @vixentael
    Proactive controls
    Data security encryption
    Access security authentication, firewalls, OS
    Node security
    firewalls,
    compartmentalization, OS
    

    View Slide

50. @vixentael
    Reactive controls: detect
    Data security
    integrity checks,
    authenticated crypto
    Access security honeypots, access logging
    Node security IDS, monitoring
    

    View Slide

51. @vixentael
    Reactive controls: limit damage
    Data security
    Access security
    Node security
    key management, backups
    credential management, jailbans
    infrastructural management
    

    View Slide

52. @vixentael
    1. Identify sensitive data, understand sensitive data
    lifecycle, classify data.
    2. Identify risks to data.
    3. Build trust model, understand risk impact.
    4. Prioritize risk vectors.
    5. Select and implement proper security controls for
    exploitable high risk vectors (to prevent risks and to
    identify leaks).
    Infrastructural data protection 101
    

    View Slide

53. @vixentael
    Principle of least privilege
    (secure by default)
    

    View Slide

54. View Slide

55. @vixentael
    Patterns
    

    View Slide

56. @vixentael
    “Everyone Knows
    Everything”
    

    View Slide

57. @vixentael
    “Everyone Knows Everything”
    1. Many components, everyone has access to database via
    same API.
    2. API without auth (brute-force ID to get info about objects).
    3. Storing plaintext data.
    4. Transferring back and forth all data (aka large JSON).
    5. Transfer data in plaintext inside infrastructure.
    6. Storing all data in the same place.
    7. Logging everything (including secrets).
    8. No monitoring for non-legit access.
    

    View Slide

58. @vixentael
    

    View Slide

59. @vixentael
    “Narrowing and
    controlling trust”
    

    View Slide

60. @vixentael
    “Narrowing and controlling trust”
    1. Echelonization.
    2. Compartmentalization.
    3. Verify trust (PKI).
    $ Limit trust:
    

    View Slide

61. @vixentael
    1. Pseudonymization.
    2. Anonymization.
    3. Minimize lifecycle and scope.
    “Narrowing and controlling trust”
    % Limit data:
    

    View Slide

62. @vixentael
    4. Don’t store all data in one place.
    5. Don’t send all data if only some piece
    needed.
    “Narrowing and controlling trust”
    % Limit data:
    

    View Slide

63. @vixentael
    1. Encrypt data for exact use-case (to be
    accessible by specific users/systems).
    2. Store keys in trusted zone (KMS, Vault).
    3. Proper key management: rotate, revoke,
    backup.
    “Narrowing and controlling trust”
    & Encrypt data:
    

    View Slide

64. @vixentael
    1. Separate API for each app.
    2. Session handling, session expiration.
    3. Encrypt transport inside network.
    “Narrowing and controlling trust”
    ' Protect transport:
    https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
    

    View Slide

65. @vixentael
    1. Access to critical data.
    2. Access to keys.
    3. Unusual behavior.
    4. Honey pots / honey tokens.
    “Narrowing and controlling trust”
    ( Monitor everything:
    

    View Slide

66. @vixentael
    “Narrowing and controlling trust”
    $ Limit trust.
    ( Monitor everything.
    ' Protect transport.
    % Limit data.
    & Encrypt data.
    

    View Slide

67. @vixentael
    “Zero Knowledge /
    No Knowledge”
    

    View Slide

68. @vixentael
    ZKA is a design principle that enables
    software to provide services over
    protected client data without having an
    unencrypted access to it.
    “Zero Knowledge Architecture”
    

    View Slide

69. @vixentael
    $ E2EE clients
    “Zero Knowledge Architecture”
    

    View Slide

70. @vixentael
    % all operations on encrypted data:
    – CRUD
    – control access to data from different users
    – search (in encrypted data)
    “Zero Knowledge Architecture”
    $ E2EE clients
    

    View Slide

71. @vixentael
    authentication
    “Zero Knowledge Architecture”
    data collaboration
    messaging
    https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
    

    View Slide

72. @vixentael
    Zero Knowledge
    Architecture
    Narrowing and
    Controlling Trust
    Everyone Knows
    Everything
    

    View Slide

73. @vixentael
    Tips, tricks, tools
    

    View Slide

74. @vixentael
    Cover maximum risks using
    minimum tools and processes.
    Add details when system evolves.
    

    View Slide

75. @vixentael
    Control and monitor perimeter.
    Control and monitor intranet: between
    networks, between hosts.
    IDS & HIDS.
    Firewalls / IDS
    

    View Slide

76. @vixentael
    WAF
    database firewalls
    SQL firewalls
    Data firewalls
    

    View Slide

77. @vixentael
    Acra
    https://github.com/cossacklabs/acra
    Green SQL
    https://github.com/larskanis/greensql-fw
    Hexatier
    http://www.hexatier.com/
    Oracle database
    firewall / TDE
    http://www.oracle.com/
    Data firewalls
    

    View Slide

78. @vixentael
    Acra – Oracle for Postgres/MySQL
    cossacklabs.com/acra/
    github.com/cossacklabs/acra/
    marketplace.digitalocean.com/apps/acra
    

    View Slide

79. @vixentael
    SIEM
    Aggregate logs into single point for
    further analysis:
    Triggers on leaking assets.
    Triggers on typical attacks.
    Correlation analysis.
    

    View Slide

80. @vixentael
    Audit logs
    On every access to sensitive data.
    Non-falsiable.
    Easy-to-analyze.
    https://cloud.google.com/logging/docs/audit/
    

    View Slide

81. @vixentael
    At rest encryption.
    Separated encryption and decryption.
    Use different keys for different clients.
    Data encryption
    

    View Slide

82. @vixentael
    Encryption libraries should
    ★ use strong & audited crypto
    ★ work everywhere
    ★ hide cryptographic details
    ★ be hard to mis-use
    ★ have integration with key storage
    

    View Slide

83. @vixentael
    Encryption libraries
    libsodium
    themis
    keyczar
    tink
    github.com/cossacklabs/themis
    github.com/jedisct1/libsodium
    github.com/google/tink
    github.com/google/keyczar
    

    View Slide

84. @vixentael
    Data in motion protection
    Well-configured TLS and
    suitable per-usecase protocols.
    

    View Slide

85. @vixentael
    Data in motion protection / TLS
    private keys RSA-2048, ECDSA-256
    obtain certificate from reliable CA
    TLS v1.3-v1.2
    use secure cipher suites
    TLS_ECDHE_ECDSA_WITH_AES_2
    56_GCM_SHA384
    ✅ enable Forward Secrecy
    ✅ enable HSTS (web)
    github.com/ssllabs/research/wiki/SSL-and-TLS-
    Deployment-Best-Practices
    Rotate certificates often
    

    View Slide

86. @vixentael
    Data in motion protection / protocols
    axolotl
    themis
    noise
    github.com/cossacklabs/themis
    noiseprotocol.org
    github.com/whispersystems/libsignal-protocol-c
    

    View Slide

87. @vixentael
    Hermes
    https://github.com/cossacklabs/hermes-core
    ZeroKit
    https://tresorit.com/zerokit
    E2EE for data collaboration
    

    View Slide

88. @vixentael
    Honey pots
    fake sensitive data records
    fake accounts
    vulnerable nodes with open ports
    fake API calls / API tokens / keys
    + triggers
    }
    https://hackernoon.com/poison-records-acra-eli5-d78250ef94f
    

    View Slide

89. @vixentael
    https://www.owasp.org/index.php/Web_Application_Security_Guidance
    Web Application Security Guidance
    https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
    Secure Coding Cheat Sheet
    https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
    Secure Coding Practices
    OWASP guidelines
    https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
    Password Storage Cheat Sheet
    

    View Slide

90. @vixentael
    Summary
    

    View Slide

91. @vixentael
    1. Identify sensitive data, understand sensitive data
    lifecycle, classify data.
    2. Identify risks to data.
    3. Build trust model, understand risk impact.
    4. Prioritize risk vectors.
    5. Select and implement proper security controls for
    exploitable high risk vectors (to prevent risks and to
    identify leaks).
    Infrastructural data protection 101
    

    View Slide

92. @vixentael
    It is secure.
    It’s not broken yet.
    

    View Slide

93. Home reading :)
    https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
    Security as a Product
    https://samnewman.io/talks/insecure-transit-microservice-security/
    Insecure Transit - Microservice Security
    https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88
    12 and 1 ideas how to enhance backend data security
    https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614
    How to prevent database leaks and injections
    

    View Slide

94. My other security slides
    github.com/vixentael/
    my-talks
    

    View Slide

95. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    consulting, training
    

    View Slide

96. Image credits
    www.flaticon.com
    freepik, linector, switficons, pixelperfect, smashicons, icon pond,
    dinosoftlabs
    Authors:
    

    View Slide