
Protecting sensitive data in modern multi-component systems

vixentael
September 12, 2018

Protecting sensitive data in modern multi-component systems

💫 modern apps are multi-component, and most data leaks are caused by poor architectural decisions,
💫 what the sensitive data life-cycle is,
💫 how to build a trust model for your app,
💫 what the typical trust patterns are,
💫 how to select proper security controls based on real-world risks.


We will take a deep look into the data lifecycle, risk and trust, and how they affect security architecture, encryption, and key management techniques. We will illustrate typical SDL patterns: narrowing trust, monitoring intrusions, zero knowledge architectures, distributing trust. The goal of the talk is to give senior engineers a general thinking framework and enough ideas about tools to plan their solutions securely with respect to the sensitive data they contain.


Transcript

  1. Protecting Sensitive Data
    in Modern Multi-Component Systems
    @vixentael


  2. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    consulting, training


  3. Data protection tools to prevent leakage
    and comply with regulations.


  4. @vixentael
    Cryptography
    and data protection


  5. 1. Architectures and data leaks.
    2. Sensitive data lifecycle.
    3. SSDLC – defining trust, threats and risks to
    data.
    4. Typical trust patterns.
    5. Security controls: tips, tricks, tools
    @vixentael
    Plan


  6. speakerdeck.com/vixentael/
    protecting-sensitive-data-in-
    modern-multi-component-systems
    @vixentael


  7. @vixentael
    Modern Applications are
    Multi-Component


  8. @vixentael
    https://medium.com/airbnb-engineering/data-infrastructure-at-airbnb-8adfb34f169c
    Airbnb data infra

  9. @vixentael
    LinkedIn 2011-2015
    https://engineering.linkedin.com/architecture/brief-history-scaling-linkedin


  10. @vixentael
    Netflix
    https://medium.com/refraction-tech-everything/how-netflix-works-the-hugely-simplified-complex-stuff-that-happens-every-time-you-hit-play-3a40c9be254b

  11. @vixentael
    Modern Applications are
    Multi-Component
    Different. Complex. Use-case oriented.


  12. – Operate sensitive data.
    @vixentael
    Modern Applications are
    Multi-Component
    Different. Complex. Use-case oriented.


  13. @vixentael
    So what?


  14. @vixentael
    https://en.wikipedia.org/wiki/2012_LinkedIn_hack


  15. @vixentael
    https://blog.linkedin.com/2016/05/18/protecting-our-members


  16. @vixentael

  17. twitter.com/c_pellegrino/status/981409466242486272 @vixentael
    (slides 18 and 19 show the same tweet)

  20. https://www.itgovernance.co.uk/blog/quora-data-breach-affects-100-million-accounts @vixentael


  21. @vixentael
    Chart: millions of records leaked per month, February 2018 to February 2019
    (y axis 0 to 1,800 mln records; source: https://www.itgovernance.co.uk/blog/category/cyber-security/)

  22. @vixentael
    (same chart as slide 21)

  23. @vixentael
    https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/


  24. @vixentael
    https://www.wired.com/story/2018-worst-hacks-so-far/
    credentials
    geo-locations
    health data
    financial data
    kids locations
    cars remote control
    sex toys remote control


  25. @vixentael
    Most large leaks are caused
    by poor architectural decisions.


  26. @vixentael
    Why?
    wrong assumptions and trust models
    no tests / penetration tests
    lack of understanding of the data life cycle
    GTD / speed

  27. @vixentael
    Sensitive Data
    Life Cycle


  28. @vixentael
    Sensitive data –
    any kind of data that, if leaked, will break the
    business objectives or prosperity of those who use it.

  29. @vixentael
    What counts as sensitive data depends on the business:
    personally identifiable information (PII)
    device logs and application data
    medical & finance data
    likes & preferences
    https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

  30. @vixentael
    Secure development
    lifecycle methodology
    MS SDL
    OWASP S-SDLC
    www.microsoft.com/en-us/sdl
    www.owasp.org/index.php/
    OWASP_Secure_Software_Development_
    Lifecycle_Project
    Risk evaluation
    Risk assessment
    Threat model
    Security plan
    Secure coding
    Security verification
    Secure operations
    Incident response


  31. @vixentael
    Example system (diagram), layout: web frontend, mobile frontend, web admin,
    prediction service, 3rd party analytics, users & orders, items, payment
    service, orders processing, logistics API, user actions analytics.

  32. @vixentael
    Same diagram, flow: the data paths between the components.

  33. @vixentael
    Same diagram, actions: each component marked with what it does to the data
    (i = input, p = processing, s = storage, o = output).

  34. @vixentael
    Data classification
    more sensitive / less sensitive
    valued for users / for business
    regulated / non-regulated
    at rest / in motion
    available for users / admins / support


  35. @vixentael
    Risks to data
    data leakage, tampering, unauthorized access
    → reputation risks, legal responsibility, financial damage

  36. @vixentael
    Data classification
    users PII, users payments, items description, sales schedule,
    financial reports, users preferences, orders history, conversion
    analytics, TLS certs, AWS access, staff accounts, login history,
    db access, company accounts

  37. @vixentael
    Data classification: the same list, each item tagged with a kind marker
    (u, p, $, t, u’, i; legend on the slide image).

  38. @vixentael
    Example system (diagram), kinds of data: every component annotated with
    the i/p/s/o action tags from slide 33 and the kind markers from slide 37.

  39. @vixentael
    Can we protect
    everything everywhere?


  40. @vixentael
    – No.
    Can we protect
    everything everywhere?


  41. @vixentael
    Can we protect
    everything everywhere?
    – No.
    Prioritization:
    – Risks impact
    – Trust and threats
    – Attack vectors

  42.–45. @vixentael
    Trust model (per node), built up one question per slide:
    1. What kind of data does it operate on?
    2. Do we trust/control this node?
    3. If it needs sensitive plaintext, who stores the keys?
    4. What are the security controls?

  46. @vixentael
    Example system (diagram), trust model: the same components, with the
    nodes that fail the trust questions marked ⚠ ⚠.

  47. @vixentael
    Trust model helps to understand
    where to implement proper
    security controls that prevent risks.


  48. @vixentael
    Security control –
    a practical implementation of a risk prevention
    technique in your code and infrastructure.
    Reactive:
    - detect incident
    - correct / limit damage
    Proactive:
    - prevent risk

  49. @vixentael
    Proactive controls
    Data security: encryption
    Access security: authentication, firewalls, OS
    Node security: firewalls, compartmentalization, OS

  50. @vixentael
    Reactive controls: detect
    Data security: integrity checks, authenticated crypto
    Access security: honeypots, access logging
    Node security: IDS, monitoring

  51. @vixentael
    Reactive controls: limit damage
    Data security: key management, backups
    Access security: credential management, jailbans
    Node security: infrastructural management

  52. @vixentael
    Infrastructural data protection 101
    1. Identify sensitive data, understand the sensitive data
    lifecycle, classify data.
    2. Identify risks to data.
    3. Build a trust model, understand risk impact.
    4. Prioritize risk vectors.
    5. Select and implement proper security controls for
    exploitable high-risk vectors (to prevent risks and to
    identify leaks).

  53. @vixentael
    Principle of least privilege
    (secure by default)

  54.

  55. @vixentael
    Patterns


  56. @vixentael
    “Everyone Knows
    Everything”


  57. @vixentael
    “Everyone Knows Everything”
    1. Many components, everyone has access to database via
    same API.
    2. API without auth (brute-force ID to get info about objects).
    3. Storing plaintext data.
    4. Transferring back and forth all data (aka large JSON).
    5. Transfer data in plaintext inside infrastructure.
    6. Storing all data in the same place.
    7. Logging everything (including secrets).
    8. No monitoring for non-legit access.

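Items 2, 4 and 7 of slide 57 in code, as an added example that is not part of the slides or of the Acra/Themis projects: an unauthenticated order API with sequential IDs next to a narrowed version that requires a principal, checks ownership, hands out opaque handles and returns only the requested fields, plus a logging filter that redacts bearer tokens and card numbers before they reach log storage. The order store, the principals, the handle length and the redaction regexes are this example's own assumptions.

```python
"""Added example (not from the slides): the "everyone knows everything"
anti-pattern next to a narrowed version. Records, principals, handle
length and regexes are constructed for illustration."""
import logging
import re
import secrets

# Constructed sample data; sequential IDs make every object enumerable.
ORDERS = {
    1: {"owner": "alice", "card_last4": "4242", "total": 99.0, "address": "Street 1"},
    2: {"owner": "bob", "card_last4": "1111", "total": 15.5, "address": "Street 2"},
}


# --- Anti-pattern: one shared data API, no caller identity, guessable IDs,
#     and the whole record comes back ("large JSON").
def get_order_open(order_id):
    return ORDERS.get(order_id)


def enumerate_open(max_id=100):
    """What an anonymous caller gets by walking IDs 1..max_id."""
    return [o for o in (get_order_open(i) for i in range(1, max_id + 1)) if o]


# --- Narrowed: caller identity required, ownership enforced, opaque handles
#     instead of sequential IDs, and only the fields this consumer needs.
class Forbidden(Exception):
    pass


# Opaque 128-bit handles; the handle -> id mapping never leaves the server.
ORDER_HANDLES = {secrets.token_urlsafe(16): oid for oid in ORDERS}


def handle_for(order_id):
    return next(h for h, oid in ORDER_HANDLES.items() if oid == order_id)


def get_order_narrowed(principal, handle, fields=("total",)):
    order_id = ORDER_HANDLES.get(handle)
    if order_id is None or ORDERS[order_id]["owner"] != principal:
        # Same answer for "missing" and "not yours": no existence oracle.
        raise Forbidden("no such order for this principal")
    order = ORDERS[order_id]
    return {k: order[k] for k in fields if k in order}


def enumerate_narrowed(principal, tries=100):
    """A caller guessing handles: random handles do not enumerate."""
    hits = []
    for _ in range(tries):
        try:
            hits.append(get_order_narrowed(principal, secrets.token_urlsafe(16)))
        except Forbidden:
            pass
    return hits


# --- Item 7, "logging everything (including secrets)": redact before the
#     line is written, so tokens and card numbers never reach log storage.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\g<1>[REDACTED]"),
    (re.compile(r"(?<!\d)\d{13,19}(?!\d)"), "[REDACTED]"),   # PAN-length digit runs
]


def redact(text):
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler; rewrites the formatted message in place."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("api")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO)
    log.info("auth=Bearer eyJhbGciOi.payload.sig card=4111111111111111")
    print(len(enumerate_open()), "records leaked through the open API")
    print(get_order_narrowed("alice", handle_for(1)))
```

Returning the same error for "does not exist" and "not yours" matters as much as the ownership check itself: a distinguishable response would turn the narrowed API back into an enumeration oracle.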

  58. @vixentael


  59. @vixentael
    “Narrowing and
    controlling trust”


  60. @vixentael
    “Narrowing and controlling trust”
    Limit trust:
    1. Echelonization (layered, tiered zones).
    2. Compartmentalization.
    3. Verify trust (PKI).

  61. @vixentael
    “Narrowing and controlling trust”
    Limit data:
    1. Pseudonymization.
    2. Anonymization.
    3. Minimize lifecycle and scope.

  62. @vixentael
    “Narrowing and controlling trust”
    Limit data:
    4. Don’t store all data in one place.
    5. Don’t send all data if only some piece is
    needed.
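The "Limit data" items of slides 61 and 62 as an added example (not from the slides or from the author's projects): pseudonymization with a keyed function versus a plain hash, anonymization by aggregation with small groups suppressed, and a projection that sends the analytics service only the fields it needs. The key, the order records, the k threshold and the chosen fields are this example's own assumptions.

```python
"""Added example (not from the slides) for "Limit data": keyed
pseudonymization, aggregation-based anonymization and field minimization.
Key, records, threshold and field choices are constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed: in production this key lives only in the trusted zone (KMS/Vault).
PSEUDONYM_KEY = b"constructed-pseudonymization-key"

# Constructed orders as the orders service stores them.
ORDERS = [
    {"order_id": 1, "user_id": 31337, "email": "alice@example.com",
     "card_last4": "4242", "total": 99.0, "country": "DE"},
    {"order_id": 2, "user_id": 42, "email": "bob@example.com",
     "card_last4": "1111", "total": 15.5, "country": "DE"},
    {"order_id": 3, "user_id": 7, "email": "carol@example.com",
     "card_last4": "9999", "total": 250.0, "country": "FR"},
]


def pseudonym_unkeyed(user_id):
    """Anti-pattern: a plain hash over a small identifier space."""
    return hashlib.sha256(str(user_id).encode()).hexdigest()


def pseudonym_keyed(user_id, key=PSEUDONYM_KEY):
    """HMAC: stable per user; only the key holder can re-derive it from an id,
    nobody can invert it."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()


def reverse_by_brute_force(pseudonym, id_space, fn=pseudonym_unkeyed):
    """What an attacker on the analytics side, without the key, can do."""
    for candidate in id_space:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


def minimize_for_analytics(order):
    """Item 5: send only what analytics needs, with the user pseudonymized."""
    return {
        "user": pseudonym_keyed(order["user_id"]),
        "total": order["total"],
        "country": order["country"],
    }


def anonymize_by_country(orders, k=2):
    """Item 2: aggregate, and suppress groups smaller than k so that no
    per-user row (and no singleton group) leaves the trusted zone."""
    counts = Counter(o["country"] for o in orders)
    return {country: n for country, n in counts.items() if n >= k}


if __name__ == "__main__":
    print("unkeyed hash reversed to",
          reverse_by_brute_force(pseudonym_unkeyed(31337), range(100000)))
    print("keyed pseudonym reversed to",
          reverse_by_brute_force(pseudonym_keyed(31337), range(100000)))
    print(minimize_for_analytics(ORDERS[0]))
    print(anonymize_by_country(ORDERS))
```

The unkeyed hash is reversed in milliseconds because user IDs come from a small space; a keyed pseudonym is only linkable by whoever holds the key, which is why the key belongs in the trusted zone rather than next to the analytics export.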

  63. @vixentael
    “Narrowing and controlling trust”
    Encrypt data:
    1. Encrypt data for the exact use-case (to be
    accessible by specific users/systems).
    2. Store keys in a trusted zone (KMS, Vault).
    3. Proper key management: rotate, revoke,
    backup.

  64. @vixentael
    “Narrowing and controlling trust”
    Protect transport:
    1. Separate API for each app.
    2. Session handling, session expiration.
    3. Encrypt transport inside the network.
    https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html

  65. @vixentael
    “Narrowing and controlling trust”
    Monitor everything:
    1. Access to critical data.
    2. Access to keys.
    3. Unusual behavior.
    4. Honey pots / honey tokens.

  66. @vixentael
    “Narrowing and controlling trust”
    Limit trust.
    Monitor everything.
    Protect transport.
    Limit data.
    Encrypt data.

  67. @vixentael
    “Zero Knowledge /
    No Knowledge”


  68. @vixentael
    “Zero Knowledge Architecture”
    ZKA is a design principle that enables
    software to provide services over
    protected client data without having
    unencrypted access to it.

  69.–70. @vixentael
    “Zero Knowledge Architecture”
    E2EE clients
    all operations on encrypted data:
    – CRUD
    – control access to data from different users
    – search (in encrypted data)

  71. @vixentael
    “Zero Knowledge Architecture”
    authentication
    data collaboration
    messaging
    https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html

  72. @vixentael
    Zero Knowledge
    Architecture
    Narrowing and
    Controlling Trust
    Everyone Knows
    Everything


  73. @vixentael
    Tips, tricks, tools


  74. @vixentael
    Cover maximum risks using
    minimum tools and processes.
    Add details when system evolves.


  75. @vixentael
    Firewalls / IDS
    Control and monitor the perimeter.
    Control and monitor the intranet: between
    networks, between hosts.
    IDS & HIDS.

  76. @vixentael
    Data firewalls
    WAF
    database firewalls
    SQL firewalls

  77. @vixentael
    Data firewalls
    Acra – https://github.com/cossacklabs/acra
    Green SQL – https://github.com/larskanis/greensql-fw
    Hexatier – http://www.hexatier.com/
    Oracle database firewall / TDE – http://www.oracle.com/

  78. @vixentael
    Acra – the Oracle firewall / TDE equivalent for Postgres/MySQL
    cossacklabs.com/acra/
    github.com/cossacklabs/acra/
    marketplace.digitalocean.com/apps/acra

  79. @vixentael
    SIEM
    Aggregate logs into single point for
    further analysis:
    Triggers on leaking assets.
    Triggers on typical attacks.
    Correlation analysis.


  80. @vixentael
    Audit logs
    On every access to sensitive data.
    Non-falsifiable (tamper-evident).
    Easy to analyze.
    https://cloud.google.com/logging/docs/audit/

  81. @vixentael
    Data encryption
    At-rest encryption.
    Separated encryption and decryption.
    Use different keys for different clients.

  82. @vixentael
    Encryption libraries should
    ★ use strong & audited crypto
    ★ work everywhere
    ★ hide cryptographic details
    ★ be hard to mis-use
    ★ have integration with key storage


  83. @vixentael
    Encryption libraries
    libsodium – github.com/jedisct1/libsodium
    themis – github.com/cossacklabs/themis
    keyczar – github.com/google/keyczar
    tink – github.com/google/tink

  84. @vixentael
    Data in motion protection
    Well-configured TLS and
    suitable per-usecase protocols.


  85. @vixentael
    Data in motion protection / TLS
    private keys: RSA-2048 or ECDSA-256 (P-256)
    obtain the certificate from a reliable CA
    TLS 1.2 or 1.3 only
    use secure cipher suites, e.g.
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ✅ enable Forward Secrecy
    ✅ enable HSTS (web)
    rotate certificates often
    github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
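The TLS checklist of slide 85 turned into a server-side configuration with Python's `ssl` module, as an added example that is not from the slides: a hardened context next to a "just make it work" legacy context, and an audit function that reports what the checklist forbids (protocol floor below TLS 1.2, cipher suites without forward secrecy or without AEAD, compression). The cipher string, option choices, the HSTS value and the audit thresholds are this example's own assumptions; certificate loading is left to the caller.

```python
"""Added example (not from the slides): a hardened TLS server context,
a legacy one, and an audit of both. Cipher string, options and the HSTS
value are this example's choices."""
import ssl

# HSTS is an HTTP response header, set by the web layer, not by TLS itself.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

# Key exchanges that give forward secrecy; "kx-any" is what TLS 1.3 suites
# report, and TLS 1.3 always uses an ephemeral (EC)DHE exchange.
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe", "kx-any")


def hardened_server_context(certfile=None, keyfile=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # TLS 1.2 and 1.3 only
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")      # AEAD over ephemeral ECDH
    ctx.options |= ssl.OP_NO_COMPRESSION | getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if certfile:                                         # CA-issued chain; rotate before expiry
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """A configuration that accepts anything the library still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the checklist is met."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    bad = [c["name"] for c in ctx.get_ciphers()
           if not (c["kea"] or "").startswith(FORWARD_SECRET_KX) or not c["aead"]]
    if bad:
        findings.append("cipher suites without forward secrecy or AEAD: "
                        + ", ".join(bad[:5]) + (" ..." if len(bad) > 5 else ""))
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_server_context()) or "no findings")
    for finding in audit_tls_context(legacy_server_context()):
        print("legacy:", finding)
```

`get_ciphers()` reports what the linked OpenSSL actually enables for the context, so the audit reflects the runtime build rather than the string you wrote; run it in CI against the context your service really constructs.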

  86. @vixentael
    Data in motion protection / protocols
    axolotl (Signal protocol) – github.com/whispersystems/libsignal-protocol-c
    themis – github.com/cossacklabs/themis
    noise – noiseprotocol.org

  87. @vixentael
    E2EE for data collaboration
    Hermes – https://github.com/cossacklabs/hermes-core
    ZeroKit – https://tresorit.com/zerokit

  88. @vixentael
    Honey pots
    fake sensitive data records
    fake accounts
    vulnerable nodes with open ports
    fake API calls / API tokens / keys
    + triggers
    https://hackernoon.com/poison-records-acra-eli5-d78250ef94f
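"Monitor everything" (slide 65), tamper-evident audit logs (slide 80) and honey pots with triggers (slide 88) together, as an added example that is not from the slides or from Acra's poison-record implementation: an audit log where each entry is MACed together with the previous entry's MAC, a verifier that locates the first edited or deleted entry, and a detector that fires on reads of a fake record, use of a fake API token, and bulk reads by one principal. The MAC key, the honey identifiers, the bulk-read threshold and the log lines are constructed.

```python
"""Added example (not from the slides): a hash-chained audit log plus
honey-record / honey-token / bulk-read triggers. Key, honey identifiers,
threshold and sample log lines are constructed."""
import hashlib
import hmac
import json
from collections import defaultdict

AUDIT_KEY = b"constructed-audit-log-key"    # held by the log service only
GENESIS = "0" * 64
# Constructed honey assets: no legitimate flow ever touches them.
HONEY_RECORDS = {"user:9999"}
HONEY_TOKENS = {"tok_honey_7f3a"}
BULK_READ_THRESHOLD = 20                     # distinct records per principal


def _mac(prev, entry):
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_entry(chain, entry):
    """Each entry's MAC covers the previous MAC, so edits and deletions
    anywhere earlier in the log break every later link."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "mac": _mac(prev, entry)})
    return chain


def verify_chain(chain):
    """Return the index of the first broken link, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(prev, rec["entry"])):
            return i
        prev = rec["mac"]
    return -1


def detect(chain):
    """Triggers: honey record read, honey token used, bulk reads by one principal."""
    alerts = []
    reads = defaultdict(set)
    for rec in chain:
        e = rec["entry"]
        if e.get("record") in HONEY_RECORDS:
            alerts.append(("honey_record", e["principal"], e["record"]))
        if e.get("token") in HONEY_TOKENS:
            alerts.append(("honey_token", e["principal"], e["token"]))
        if e.get("action") == "read" and "record" in e:
            reads[e["principal"]].add(e["record"])
    for principal, records in reads.items():
        if len(records) > BULK_READ_THRESHOLD:
            alerts.append(("bulk_read", principal, len(records)))
    return alerts


def sample_chain():
    """Constructed log: one normal read, one bulk reader, one hit on each honey asset."""
    chain = []
    append_entry(chain, {"principal": "alice", "action": "read", "record": "user:1"})
    for i in range(1, 31):
        append_entry(chain, {"principal": "export-job", "action": "read", "record": f"user:{i}"})
    append_entry(chain, {"principal": "support-tool", "action": "read", "record": "user:9999"})
    append_entry(chain, {"principal": "unknown", "action": "api_call", "token": "tok_honey_7f3a"})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact:", verify_chain(chain) == -1)
    for alert in detect(chain):
        print("ALERT", alert)
    chain[1]["entry"]["principal"] = "nobody"    # an insider rewrites history
    print("first broken link:", verify_chain(chain))
```

The chain only proves that nobody edited the log after the fact; it does not stop an attacker who controls the log service and its key. That is the argument for shipping entries to a SIEM or append-only store outside the node being audited, which is the "single point for further analysis" of slide 79.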

  89. @vixentael
    OWASP guidelines
    Web Application Security Guidance – https://www.owasp.org/index.php/Web_Application_Security_Guidance
    Secure Coding Cheat Sheet – https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
    Secure Coding Practices – https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
    Password Storage Cheat Sheet – https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

  90. @vixentael
    Summary


  91. @vixentael
    Infrastructural data protection 101
    1. Identify sensitive data, understand the sensitive data
    lifecycle, classify data.
    2. Identify risks to data.
    3. Build a trust model, understand risk impact.
    4. Prioritize risk vectors.
    5. Select and implement proper security controls for
    exploitable high-risk vectors (to prevent risks and to
    identify leaks).

  92. @vixentael
    It is secure.
    It’s not broken yet.


  93. Home reading :)
    Security as a Product – https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
    Insecure Transit - Microservice Security – https://samnewman.io/talks/insecure-transit-microservice-security/
    12 and 1 ideas how to enhance backend data security – https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88
    How to prevent database leaks and injections – https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614

  94. My other security slides
    github.com/vixentael/
    my-talks


  95. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    consulting, training


  96. Image credits
    www.flaticon.com
    Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond,
    dinosoftlabs