Proprietary and Confidential, Akeyless Security Ltd ©️ 2021
Oded Hareven, CEO & Co-founder @ Akeyless (Oded@akeyless.io)
Background: Ret. Captain, Israel Defence Forces, Cybersecurity; Identity Management, PAM, Information Security Infrastructure; Dev, Product, Ops
The Key Component of Strong Cloud Security
Akeyless Vault Platform: Secrets Management as-a-Service
• Unique Zero-Knowledge KMS Technology (Akeyless DFC™)
• Secrets Management SaaS Platform
• Serving market-leading enterprises: Pharma, Insurance, Adtech, Online, E-commerce, Gaming
Step #1: Protecting Data
• Access Control
  • Who is allowed to access the data?
  • How do we validate their identity?
• Data Encryption
  • Who is allowed to access the key?
  • How do we validate their identity?
[Diagram: Data protected by Access Control and Data encryption]
Step #2: Identity Validation
• Requires Authentication
  • Human
  • Machine
• Using something that only the human/machine has
  • Secret = {password, credentials, api-key, certificate, ssh-key}
• If you can’t keep a Secret, you can’t protect your Data...
[Diagram: User → (Password) → Application → (DB password) → DB]
Step #3: Privileged Access
• Beyond application access
  • Who’s controlling my workloads?
  • Internal/external personnel
  • Can they impersonate?
  • Admin can do everything...
• PAM
  • Control human admin access - session recording
  • Regulation and compliance
  • Secrets Repository
  • Default admin passwords rotation
[Diagram: User → (Password) → Application → (DB password) → DB, with an Admin holding the OS Admin passwords of both the Application and the DB hosts]
Step #4: Root-of-Trust
• Using an Encryption key to encrypt secrets & data
  + Using a signing key to sign TLS/SSH Certificates = identities
• Where to place the key?
  • Configuration - bad practice
  • Local store - not secured enough
  • KMS - good start
  • HSM - considered to be most secure
• Secret-zero: accessing the key requires a secret? The chicken and the egg...
[Diagram: Hardware Security Module]
Step #5: Interconnectivity & overlapping
[Diagram: HSM as Root of trust, with overlapping KMS, PAM, SSH Mng. and Certificate Mng. systems built on it]
Trends that encourage the massive use of secrets
1. Containerization
2. Hybrid & multi-cloud
3. DevOps, CI/CD, Automation
4. Zero-Trust
[Word cloud: Passwords, Certificate, API-Keys, SQL Credentials, AES Encryption, RSA Signing Key, SSH Key]
And then came the cloud.
IAM has never been easier
• Ephemeral resources + Automation + IaC
• Perimeter-less world = data is everywhere
• Root-of-trust in a non-trusted distributed architecture
• Privileged Access (Remote, WFH, COVID-19)
Secrets Sprawl: Clear-text, unprotected
Secrets end up in DevOps Scripts, Configuration Files and Source Code:

  myScript
  {
    // App.Config
    DB password = “T0pSecr3t”
    API_Key_AWS = “Cl3aRt3xt$!”
  }

  //myconfig
  <
    // App.Config
    Access_Token = “T0pSecr3t”
    API_Key_GCP = “Cl3aRt3xt$!”
  />

  Void myCode( )
  {
    // App.Config
    Encryption_Key = “aKey43!t”
    API_Key_Azure = “Cl3a3xt$!”
  }

Secrets are also used within workload management platforms.
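As an added example (not part of the talk), a small scanner that flags the clear-text patterns shown above in constructed script, config and source snippets; the credential key-name list and the entropy threshold are this example's own assumptions, not a vendor's rules.

```python
"""Scan configuration and source snippets for hard-coded secrets.

Added example, not from the original talk. The sample snippets are
constructed here to mirror the three clear-text patterns on the slide;
the key-name list and the entropy threshold are assumptions.
"""
import math
import re
from typing import List, Tuple

# Constructed sample files: a DevOps script, a config file and a source file
# with secrets embedded in clear text, plus ordinary settings that must not
# be reported.
SAMPLES = {
    "myScript.sh": 'DB_password = "T0pSecr3t"\nAPI_Key_AWS = "Cl3aRt3xt$!"\nLOG_LEVEL = "debug"\n',
    "myconfig.xml": '<App Access_Token="T0pSecr3t" API_Key_GCP="Cl3aRt3xt$!" Region="eu-west-1" />\n',
    "myCode.cs": 'void myCode() {\n  var Encryption_Key = "aKey43!t";\n'
                 '  var API_Key_Azure = "Cl3a3xt$!";\n  var Timeout = "30";\n}\n',
}

# Key names that usually carry a credential (case-insensitive).
SECRET_KEY = re.compile(
    r"(password|passwd|secret|api[_-]?key|access[_-]?token|token|encryption[_-]?key|private[_-]?key)",
    re.IGNORECASE,
)
# key = "value" or key="value", accepting straight or curly quotes.
ASSIGNMENT = re.compile(r'([A-Za-z_][A-Za-z0-9_\-]*)\s*=\s*["“]([^"”]+)["”]')


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking credentials score high."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def find_hardcoded_secrets(text: str, min_entropy: float = 2.5) -> List[Tuple[str, str]]:
    """Return (key, value) pairs that look like clear-text secrets.

    A finding needs a credential-like key name AND a value that is not a
    plain low-entropy setting ("debug", "30"), which keeps ordinary
    configuration out of the report.
    """
    findings = []
    for key, value in ASSIGNMENT.findall(text):
        if SECRET_KEY.search(key) and shannon_entropy(value) >= min_entropy:
            findings.append((key, value))
    return findings


def scan_files(files: dict) -> dict:
    """Map each file name to its findings, with values masked for the report."""
    report = {}
    for name, text in files.items():
        hits = find_hardcoded_secrets(text)
        if hits:
            report[name] = [(k, v[:2] + "*" * (len(v) - 2)) for k, v in hits]
    return report


if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLES).items():
        for key, masked in hits:
            print(f"{fname}: {key} = {masked}  <- move to a secrets store")
```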
Report: "Managing Machine Identities, Secrets, Keys and Certificates"
Published: 24 August 2020. Analyst: Erik Wahlstrom
Source:
Akeyless is mentioned in this Gartner report, p. 16, under “secrets management solutions”.
Secrets Management
Fetch Secrets from any platform, script or application via API / SDK / CLI / Plugins.
[Diagram: Encrypted Secrets Store serving Applications (Customer Application, Customer Database, 3rd-party Service, API; e.g. Password = “Pass12#”) and Humans (DevOps, IT, Developers)]
First: Integrate with everything
• Authentication via LDAP, SAML, OpenID, and direct channels
• Human authentication and Machine authentication
• Platform Plugins (examples shown on slide)
World-wide availability
• Scalability
• Multi-region / multi cloud
• Disaster Recovery: Replication, Backup
• Highly Available
Consider: Self-deployment vs. SaaS
Existing solutions vary
[Diagram, built up over four slides: HSM as Root of trust; KMS, PAM, SSH Mng., Certificate Mng. and SM as separate, overlapping tools]
Unified Secrets Management Platform
Thank you.
Questions?
Further questions & thoughts you’d like to share?
You are most welcome to drop an email to Oded@akeyless.io
Building secure Cloud architecture
Moshe Ferber, CCSK, CCSP, CCAK
"When the winds of change blow, some people build walls and others build windmills."
- Chinese Proverb
About myself
 Information security professional for over 20 years
 Founder, partner and investor at various cyber initiatives and startups
 Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
 Co-hosting the Silverlining podcast – security engineering
 Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification
 Member of the board at Macshava Tova – Narrowing societal gaps
 Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
About the Cloud Security Alliance
 Global, not-for-profit organization
 Building security best practices for next generation IT
 Research and Educational Programs
 Cloud providers & security professionals Certifications
 Awareness and Marketing
 The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance
within Cloud Computing, and provide education on the uses of Cloud
Computing to help secure all other forms of computing”
CSA Israel: Community of security professionals promoting responsible cloud adoption.
Architecting for availability: Regions vs. Availability Zones
[Diagram: three regions (US WEST, Singapore, Mumbai), each with availability zones AZ1–AZ4]
Architecting for availability: Redundancy in one region
[Diagram: Internet → Load Balancer → web servers (WWW) and DB replicas spread across Mumbai AZ-1, AZ-2 and AZ-3]
Architecting for availability: Redundancy in multiple regions/clouds
[Diagram: External CDN in front of web servers (WWW) and DBs in US-EAST1, US-EAST2 and a 2nd provider]
Architecting for availability
• External CDN providers can add resiliency, flexibility & redundancy
• Look for vendors who can add functionality:
  • DDOS protection
  • Web application firewall
  • Load Balancing
  • DNS management
Architecting for application protection: Web Application Firewall options
• 3rd party as a service
• 3rd party as proxy
• Provider service
• WAF client on web instances
Architecting for application separation
Source: Cloud Security Alliance CCSK certification
Limiting blast Radius
[Diagram: Organizations / Subscriptions split into OU A, OU B and OU C; each has its own Root Account with separate IAM Admin, Security Auditor, Billing Admin, Super Admin, Service 1 Admin and Service 2 Admin roles]
Architecting for data security: Understanding storage options

Volume Storage
• Attached to a single instance
• Not shared, accessible only from the instance
• Useful for storing the instance OS environment, application binaries, DB files and anything instances need to operate

Object Storage
• Provider managed
• Files are placed in buckets
• Versioning & metadata kept for all objects
• Files are accessible by API or HTTP
• Independent of AZ or instance dependencies
• Useful for storing static application data, backups, source code and config files

Database service
• Provider managed
• Files are accessible by DB API
• Varies between different services (structured, unstructured and more)
• Usually, the customer has no access to the underlying DB infrastructure

CDN
• Cloud provider proprietary service or external 3rd-party services
• Provide flexibility and resiliency
• Useful for serving static content at low latency
• Usually accompanied by additional services: WAF, DDOS protection, Load balancer…
Architecting for data security: Encryption
[Diagram: encryption layers on a virtual instance, from Application down through DB (TDE), Storage (Storage Encryption) and OS (Volume Encryption); KEYS held in a Shared KMS or a Dedicated HSM]
Architecting for CI/CD
Source: Cloud Security Alliance Guidelines
Monitoring Toolset

CWPP - Cloud Workload Protection Platform
• Protect workloads (VMs, containers, serverless)
• Traditional end-point security (AV, VA)
• Additional features for containers and serverless

CSPM - Cloud Security Posture Management
• Protect the management dashboard
• Monitor for compliance breaks, misconfiguration, identity permissions

CASB - Cloud Access Security Broker
• Designed for SaaS
• Detect threats
• eDiscovery + DLP
• Shadow IT detection

Cloud Native Application Protection Platform (CNAPP)
[Diagram: Security Center fed by Logs, Posture & configuration, Workload vulnerabilities, Threat intelligence and Identity data]
Architecting for Log Management
• Portal Logs: cover API & GUI access
• Traffic Logs: network traffic inside the VPC
• Instance Logs: extracted just like traditional OS logs
• Unique logs: K8s logs, ELB logs, Object storage logs
[Diagram (AWS example): CloudTrail → S3 → SIEM agent; CloudWatch (Rules & Alerts) → SNS (notifications); VPC Flow Logs]
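An added example of the "Rules & Alerts" step in the diagram, not from the talk: three illustrative rules evaluated over constructed CloudTrail-style records, producing the alert messages SNS would carry. The record values and the choice of rules are assumptions; in production CloudWatch evaluates the rules and SNS delivers the notifications, both simulated in-process here.

```python
"""Evaluate alert rules over CloudTrail records (the 'Rules & Alerts' step).

Added example, not from the talk. The records are constructed to look like
CloudTrail JSON (real field names, made-up values); the three rules are
illustrative choices, not an AWS or vendor rule set.
"""
import json
from typing import Callable, Dict, List

# Constructed sample log: one JSON record per line, as an agent would ship them.
SAMPLE_LOG = r"""
{"eventTime":"2021-06-24T08:01:12Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2021-06-24T08:03:40Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2021-06-24T08:05:02Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}}
{"eventTime":"2021-06-24T08:06:30Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app/i-0abc"},"sourceIPAddress":"10.0.1.5"}
"""

Rule = Callable[[dict], bool]

RULES: Dict[str, Rule] = {
    # The root account should only be used for the few tasks that require it.
    "root-account-activity": lambda e: e.get("userIdentity", {}).get("type") == "Root",
    # A successful console login that did not present MFA.
    "console-login-without-mfa": lambda e: (
        e.get("eventName") == "ConsoleLogin"
        and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    ),
    # Tampering with the audit trail itself.
    "cloudtrail-tampering": lambda e: (
        e.get("eventSource") == "cloudtrail.amazonaws.com"
        and e.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
    ),
}


def parse_records(raw: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def evaluate(records: List[dict], rules: Dict[str, Rule] = RULES) -> List[dict]:
    """Return one alert per (record, matching rule), shaped like an SNS message body."""
    alerts = []
    for event in records:
        for name, matches in rules.items():
            if matches(event):
                alerts.append({
                    "rule": name,
                    "eventTime": event.get("eventTime"),
                    "eventName": event.get("eventName"),
                    "principal": event.get("userIdentity", {}).get("arn"),
                    "sourceIPAddress": event.get("sourceIPAddress"),
                })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```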
KEEP IN TOUCH
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
Questions?
Event Tracking In Microservices
Observability, security, and anything in between
Naor Penso, Sr. Director – Product Security @ FICO

About Naor Penso
• Previous positions: Cybersecurity CTO, Chief Information Security Officer
• ~20 years in cybersecurity
• Today, leading product security and security services development @FICO
• Investing, mentoring and advising multiple start-ups in the cyber domain
Observability?
Observability is the process of understanding the internal application states from external outputs, tracking software behaviours across different datapoints and different services, to provide a holistic view of the application ecosystem.
To reach Observability you need to monitor different application outputs, including Metrics, Traces and Logs.
Monoliths vs. Modern Applications
https://medium.com/hengky-sanjaya-blog/monolith-vs-microservices-b3953650dfd
Observability Challenges in modern applications
• A business transaction is now built from event snippets spanning across 1-10,000 services
• Stateless services can serve any number of customers without “understanding” who they are serving
• There is no one pattern of work; the same service can be used for n use cases
• In some cases, services are ephemeral, servicing one request and disappearing (e.g., Serverless Functions)
[Diagram, modern use case as a highly abstract process: Process Invoice → File Transfer → OCR → ETL → Currency Conversion → Data Enrichment → ETL → Database, each step a microservice]
Observability Solution / Glossary
• Metric: records a data point, either raw measurements or a predefined aggregation, as a timeseries with Metadata
• Span: a single operation that is logged (usually the output of one microservice)
• Trace: a group of spans (usually representing a transaction)
• Log / Log Record: typically, the record includes a timestamp indicating when the Event happened as well as other data that describes what happened, where it happened,
[Diagram, based on OpenTelemetry: one trace made of the spans emitted by File Transfer, OCR, ETL, Currency Conversion, Data Enrichment, ETL and Database]
Security & Observability
Due to the highly distributed nature of modern applications, understanding the business context of events and generating the basics of an audit becomes significantly harder than in monoliths.
Examples:
• A currency conversion service may convert currency, not knowing who the conversion is for
• A business transaction can be the encapsulation of interaction between 15 different services
• Some services may fail, some may succeed in a single transaction
• Time of event is broken into many small timestamps representing different services
Who is not known to all, What is 15 different “what’s”, When & Where are single points and Success / Fail is ambiguous
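Added example, not the speaker's code: reconstructing one audit record (Who, What, When, Where and outcome) from the spans of a single trace, the problem the four bullets above describe. Span fields follow OpenTelemetry naming (trace_id, span_id, parent_span_id, status); the service names, the enduser.id attribute and the sample values are constructed to mirror the invoice flow on the slides.

```python
"""Rebuild a single audit record from the spans of one trace.

Added example, not from the talk. Spans are modelled after OpenTelemetry
(trace_id, span_id, parent_span_id, status); service names, the
'enduser.id' attribute and all values are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Span:
    trace_id: str
    span_id: str
    parent_span_id: Optional[str]
    service: str
    operation: str
    start_ms: int
    end_ms: int
    status: str                                   # "OK" or "ERROR"
    attributes: Dict[str, str] = field(default_factory=dict)


# Constructed trace: only the entry span knows the user; the currency
# conversion fails, every other step succeeds.
TRACE = [
    Span("t1", "s1", None, "process-invoice", "POST /invoices", 1000, 1900, "OK",
         {"enduser.id": "alice@example.com"}),
    Span("t1", "s2", "s1", "file-transfer", "fetch", 1010, 1200, "OK"),
    Span("t1", "s3", "s1", "ocr", "extract-text", 1210, 1500, "OK"),
    Span("t1", "s4", "s1", "etl", "normalize", 1510, 1600, "OK"),
    Span("t1", "s5", "s4", "currency-conversion", "convert", 1520, 1580, "ERROR", {"currency": "ILS"}),
    Span("t1", "s6", "s1", "data-enrichment", "enrich", 1610, 1800, "OK"),
    Span("t1", "s7", "s6", "database", "INSERT invoices", 1700, 1790, "OK"),
]


def root_span(spans: List[Span]) -> Span:
    """The entry span has no parent; exactly one is expected per trace."""
    roots = [s for s in spans if s.parent_span_id is None]
    if len(roots) != 1:
        raise ValueError(f"expected one root span, found {len(roots)}")
    return roots[0]


def audit_record(spans: List[Span]) -> dict:
    """Collapse Who/What/When/Where and the outcome of a whole transaction.

    Who is taken from the entry span and applied to the whole transaction,
    since downstream services (e.g. currency conversion) never see the user.
    Success is judged per span and rolled up: any ERROR span makes the
    transaction a partial failure unless the entry span itself failed.
    """
    if not spans:
        raise ValueError("no spans")
    trace_ids = {s.trace_id for s in spans}
    if len(trace_ids) != 1:
        raise ValueError(f"spans from several traces: {sorted(trace_ids)}")
    root = root_span(spans)
    failed = [f"{s.service}:{s.operation}" for s in spans if s.status == "ERROR"]
    if root.status == "ERROR":
        outcome = "failure"
    elif failed:
        outcome = "partial-failure"
    else:
        outcome = "success"
    ordered = sorted(spans, key=lambda s: s.start_ms)
    return {
        "trace_id": root.trace_id,
        "who": root.attributes.get("enduser.id", "unknown"),
        "what": [f"{s.service}:{s.operation}" for s in ordered],
        "when": {"start_ms": min(s.start_ms for s in spans), "end_ms": max(s.end_ms for s in spans)},
        "where": sorted({s.service for s in spans}),
        "outcome": outcome,
        "failed_steps": failed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_record(TRACE), indent=2))
```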
What is Cornerstone?
Cornerstone is a unified and expandable specification of events, supporting the need for tracking of activities and changes in a complex technological environment.
• 150+ Fields
• 19 Contexts
• Expandable & logic driven
• Unlimited use cases

Agenda: 01 Ground Rules, 02 Context Driven Structure, 03 Usage Logic, 04 Fundamentals

Ground Rules
• Cornerstone does not define what events the product teams should log. The what is a subject of the business of the application which cannot be anticipated, hence Cornerstone provides an extendible framework to cover and solve for new business needs.
• Cornerstone does not define how events will be logged. Events will continue being logged exactly as they have been in the past.
• Cornerstone does define the structure of the event, from basic fields (who, what, when, where) to extended fields needed for context (who initiated, what was impacted).
The Structure: Event Specification
• Core Event
• User Context: Permission Context, Role Context
• Runtime Context: Cloud Context, Host Context, K8s Context, Container Context, Process Context, Serverless Context
• Data Context: Data Classification, Data Security Context, File Context, Database Context, Data Import / Export Context, Information Context
• Network Context: Web Context, Network Traffic, API Context
• Event Core – example
[Table not captured: the example lists the core fields with their requirement level (Mandatory, Optional or Conditional)]
• User Context / example
[Table not captured: fields marked Mandatory in context or Optional]
• Data Import / Example:
[Table not captured]
Field Types
• String
• String (Options)
• Integer
• Boolean
• Array

Field Requirements
• Mandatory
• Conditional
• Optional
• Mandatory (If Applicable)

Example fields: Multitenant (Boolean), Customer UUID (String), Environment UUID (String), with requirement levels Mandatory, Conditional and Optional; example value shown: True
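Added example, not the Cornerstone specification and not the speaker's code: a validator that applies the field types (String, String (Options), Integer, Boolean, Array) and requirement levels (Mandatory, Conditional, Optional) listed above to a constructed event. The concrete field names, the "core" and "user" contexts and the rule that Customer UUID is required when Multitenant is True are this example's assumptions.

```python
"""Validate an event against a Cornerstone-style field specification.

Added example; not the Cornerstone specification itself. Field types and
requirement levels come from the slides; the field names, the two contexts
and the Multitenant -> Customer UUID condition are assumptions.
"""
from typing import Any, Dict, List


class FieldSpec:
    def __init__(self, ftype, requirement, options=None, condition=None):
        self.ftype = ftype                # String | String (Options) | Integer | Boolean | Array
        self.requirement = requirement    # Mandatory | Conditional | Optional
        self.options = options or []      # allowed values for String (Options)
        self.condition = condition        # event -> bool, decides a Conditional field


TYPE_CHECKS = {
    "String": lambda v: isinstance(v, str),
    "String (Options)": lambda v: isinstance(v, str),
    "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "Boolean": lambda v: isinstance(v, bool),
    "Array": lambda v: isinstance(v, list),
}

# Assumed specification: a core event carrying what/when/where plus an
# optional 'user' context (who) whose own fields apply once it is present.
SPEC = {
    "core": {
        "event_id": FieldSpec("String", "Mandatory"),
        "timestamp": FieldSpec("String", "Mandatory"),                  # when
        "action": FieldSpec("String", "Mandatory"),                     # what
        "outcome": FieldSpec("String (Options)", "Mandatory", options=["success", "failure", "partial"]),
        "service": FieldSpec("String", "Mandatory"),                    # where
        "multitenant": FieldSpec("Boolean", "Mandatory"),
        "customer_uuid": FieldSpec("String", "Conditional",
                                   condition=lambda e: e.get("core", {}).get("multitenant") is True),
        "environment_uuid": FieldSpec("String", "Optional"),
        "tags": FieldSpec("Array", "Optional"),
    },
    "user": {                                                            # who
        "user_id": FieldSpec("String", "Mandatory"),
        "roles": FieldSpec("Array", "Optional"),
        "session_age_s": FieldSpec("Integer", "Optional"),
    },
}


def validate(event: Dict[str, Any], spec=SPEC) -> List[str]:
    """Return a list of violations; an empty list means the event conforms."""
    errors = []
    for ctx_name, fields in spec.items():
        ctx = event.get(ctx_name)
        if ctx is None:
            if ctx_name == "core":
                errors.append("core: context missing")
            continue                              # other contexts are optional as a whole
        for name, fs in fields.items():
            present = name in ctx
            required = fs.requirement == "Mandatory" or (
                fs.requirement == "Conditional" and fs.condition is not None and fs.condition(event))
            if required and not present:
                errors.append(f"{ctx_name}.{name}: required ({fs.requirement}) but missing")
            if present:
                value = ctx[name]
                if not TYPE_CHECKS[fs.ftype](value):
                    errors.append(f"{ctx_name}.{name}: expected {fs.ftype}")
                elif fs.ftype == "String (Options)" and value not in fs.options:
                    errors.append(f"{ctx_name}.{name}: {value!r} not in {fs.options}")
        for name in ctx:
            if name not in fields:
                errors.append(f"{ctx_name}.{name}: not in specification")
    return errors


# Constructed events: one conforming, one with three violations
# (bad outcome option, missing conditional customer_uuid, wrong user_id type).
GOOD_EVENT = {
    "core": {"event_id": "evt-1", "timestamp": "2021-06-24T08:03:40Z", "action": "invoice.convert",
             "outcome": "failure", "service": "currency-conversion", "multitenant": True,
             "customer_uuid": "c-42"},
    "user": {"user_id": "alice@example.com", "roles": ["finance"]},
}
BAD_EVENT = {
    "core": {"event_id": "evt-2", "timestamp": "2021-06-24T08:05:02Z", "action": "invoice.convert",
             "outcome": "unknown", "service": "currency-conversion", "multitenant": True},
    "user": {"user_id": 7},
}

if __name__ == "__main__":
    print("good:", validate(GOOD_EVENT))
    print("bad:", *validate(BAD_EVENT), sep="\n  ")
```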
Unified Framework
[Diagram: many microservices feeding one Unified Logic, which yields Better RCA, Detection, Uniformity, Metering and Product Support]
Cornerstone Outlook

Monoliths vs. Modern Applications
• Business logic: Monoliths – confined to a single place for all the business logic; Microservices – spread across multiple services
• Interaction Model: Monoliths – internal by design (e.g., calling internal functions); Microservices – external by design (e.g., using REST API)
• Runtime Model: Monoliths – must have all pieces together to run; Microservices – every piece can run on its own
• Usability: Monoliths – reuse is done at the code level; Microservices – reuse is done at the service level
• State Management (generally): Monoliths – stateful; Microservices – stateless
Questions?
Kubernetes Secrets
Securing Your Production Environment
Ori Mankali, VP R&D, Akeyless
What are secrets and why are they important?
● Tokens, API keys, Encryption Keys, Passwords, etc.
● Needed for most types of applications and services to authenticate to various
resources
● Main concern: Protection
○ Hacking
● Secondary concern: Management and Traceability
○ Revocation
○ Audit logs
Problem #1: Kubernetes Secrets
How does K8s store secrets?
● K8s is one of the most popular container orchestration tools
● It’s becoming the backbone of modern infrastructure
● Many applications still store secrets as plain text
● Built-in secret store, not much better
So, how can I make my production env. safer?
● Strong encryption algorithm
● Encryption key storage may lead to the Secret-Zero problem
● What about application-rich clusters?
Problem #2: Segregation of pods & namespaces
Secret secured, almost
● Need to ensure different applications within a cluster can’t access secrets of other applications
● Segregate to apply Least Privilege Access
● But who can access my cluster?
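Added example, not from the talk: an audit over RBAC objects that flags rules letting a principal read Secrets beyond a named set, which is the least-privilege segregation the bullets above call for. The manifests are constructed (as JSON, so no YAML library is needed) and follow the real rbac.authorization.k8s.io/v1 schema; the severity labels and the "get on named Secrets only" heuristic are this example's own choices.

```python
"""Audit RBAC rules for over-broad read access to Kubernetes Secrets.

Added example, not from the talk. Manifests are constructed; they use the
real rbac.authorization.k8s.io/v1 fields, but the severity labels and the
least-privilege heuristic are this example's own.
"""
import json
from typing import List

# Constructed manifests: a least-privilege Role, a broad namespace Role and
# a ClusterRole that can read every Secret in the cluster.
MANIFESTS = json.loads(r"""
[
 {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role",
  "metadata":{"name":"billing-reader","namespace":"billing"},
  "rules":[{"apiGroups":[""],"resources":["secrets"],"resourceNames":["billing-db-creds"],"verbs":["get"]}]},
 {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role",
  "metadata":{"name":"dev-helper","namespace":"billing"},
  "rules":[{"apiGroups":[""],"resources":["secrets","configmaps"],"verbs":["get","list","watch"]}]},
 {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole",
  "metadata":{"name":"ops-everything"},
  "rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]}
]
""")

READ_VERBS = {"get", "list", "watch", "*"}


def rule_touches_secrets(rule: dict) -> bool:
    """True if the rule covers core-group 'secrets' (or a wildcard that includes them)."""
    groups = set(rule.get("apiGroups", [""]))
    resources = set(rule.get("resources", []))
    in_core = "" in groups or "*" in groups
    return in_core and bool(resources & {"secrets", "*"})


def audit_secret_access(manifests: List[dict]) -> List[dict]:
    """Return findings for rules that expose Secrets beyond 'get' on named Secrets.

    Heuristic: a workload normally needs to read only its own Secret(s), so
    the acceptable shape is verbs ["get"] plus resourceNames. Anything wider
    (no resourceNames, list/watch, or wildcards) is reported; write verbs
    without a read verb are out of scope here.
    """
    findings = []
    for obj in manifests:
        scope = obj["metadata"].get("namespace", "<cluster>")
        for idx, rule in enumerate(obj.get("rules", [])):
            if not rule_touches_secrets(rule):
                continue
            verbs = set(rule.get("verbs", []))
            if not (verbs & READ_VERBS):
                continue
            named = bool(rule.get("resourceNames"))
            if named and verbs <= {"get"}:
                continue                              # get on named Secrets: least privilege
            severity = "high" if obj["kind"] == "ClusterRole" else "medium"
            if "*" in verbs or "*" in rule.get("resources", []):
                reason = "wildcard verbs/resources"
            elif named:
                reason = "list/watch broader than get on named Secrets"
            else:
                reason = "no resourceNames restriction"
            findings.append({"kind": obj["kind"], "name": obj["metadata"]["name"],
                             "scope": scope, "rule": idx, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_secret_access(MANIFESTS):
        print(f"[{f['severity']}] {f['kind']}/{f['name']} ({f['scope']}) rule {f['rule']}: {f['reason']}")
```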
Problem #3: Cluster Access Management
Just-in-Time K8s access
● Short-lived PKI certificates or short-lived temporary Service Account tokens
● You will also get: Traceability, Governance and management
● Access Revocation to quickly respond to security incidents
The Solution
● A Secret Management Platform that protects your secrets (decryption at application level) and allows controlled access to your cluster
● Trusted Machine Identity (Cloud IAM, Akeyless Universal Identity, Service Accounts) - to address the Secret Zero Problem
● Using either:
  ○ Self Deployed Solutions
  ○ SaaS Platforms
Demo Time
Thanks everyone
Q&A
Thank You!
Questions?
To be continued…

Developing An App To Navigate The Roads of Brazil
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Application security meetup - cloud security best practices 24062021

• 7. Step #4: Root-of-Trust
• An encryption key encrypts secrets and data; a signing key signs TLS/SSH certificates, and those certificates are identities
• Where to place the key?
• Configuration: bad practice
• Local store: not secure enough
• KMS: a good start
• HSM (Hardware Security Module): considered the most secure
• Secret-zero: if accessing the key itself requires a secret, where does that secret live? The chicken and the egg...
• 8. Step #5: Interconnectivity and overlap
• Diagram: HSM as root of trust, KMS, PAM, SSH management, certificate management
• 9. Trends that encourage the massive use of secrets
1. Containerization
2. Hybrid and multi-cloud
3. DevOps, CI/CD, automation
4. Zero-Trust
• Secret types: passwords, certificates, API keys, SQL credentials, AES encryption keys, RSA signing keys, SSH keys
• And then came the cloud.
• 10. IAM has never been easier
• Ephemeral resources + automation + IaC
• Perimeter-less world: data is everywhere
• Root-of-trust in a non-trusted, distributed architecture
• Privileged access (remote work, WFH, COVID-19)
• 11. Secrets sprawl: clear-text, unprotected
• Secrets end up in source code, DevOps scripts and configuration files:
  myScript {                // App.Config
    DB password = "T0pSecr3t"
    API_Key_AWS = "Cl3aRt3xt$!"
  }
  <myconfig                 // App.Config
    Access_Token = "T0pSecr3t"
    API_Key_GCP = "Cl3aRt3xt$!"
  />
  void myCode( ) {          // App.Config
    Encryption_Key = "aKey43!t"
    API_Key_Azure = "Cl3a3xt$!"
  }
• Secrets are also used within workload management platforms
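The sprawl on the slide is exactly what a pre-commit hook or CI step should catch. The following scanner is an added example for this page, not Akeyless code; the sample files are constructed to mirror the slide's snippets, and the key-name patterns and placeholder rules are assumptions that a real deployment would tune. It matches on the identifier (password, token, API key, ...) rather than on the value alone, reports Shannon entropy as a secondary signal, skips values that merely reference a vault or environment variable, and never prints the secret it found.

```python
import math
import re

# Constructed sample files mirroring the slide's clear-text secrets; the values
# are invented for this example and are not real credentials.
SAMPLE_FILES = {
    "myScript.sh": 'DB_password="T0pSecr3t"\nexport API_KEY_AWS="Cl3aRt3xt$!"\n',
    "App.config": '<add key="Access_Token" value="T0pSecr3t" />\n'
                  '<add key="API_Key_GCP" value="Cl3aRt3xt$!" />\n',
    "MyCode.java": 'String ENCRYPTION_KEY = "aKey43!t";\n'
                   'String API_KEY_AZURE = "Cl3a3xt$!";\n'
                   'String LOG_LEVEL = "debug";\n',
    # Reference to a vault/environment variable, not a literal: must not be flagged.
    "README.md": 'Set DB_PASSWORD from your vault, e.g. DB_PASSWORD=${DB_PASSWORD}\n',
}

# An identifier containing a credential-like word, an assignment (=, : or XML
# value=), then the value. The optional quote after the key handles the
# key="Access_Token" value="..." style of configuration files.
SECRET_ASSIGNMENT = re.compile(
    r'(?P<key>[A-Za-z_]*(?:password|passwd|secret|token|api[_-]?key|encryption[_-]?key)[A-Za-z_]*)'
    r'["\']?\s*(?:=|:|value=)\s*["\']?(?P<value>[^"\'\s<>]+)',
    re.IGNORECASE,
)
# Values that point at a vault, an environment variable or a template are not leaks.
PLACEHOLDER = re.compile(r'^(\$\{|\$\(|\{\{|<|xxx|changeme|your[_-])', re.IGNORECASE)


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking credentials score higher than words."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def mask(value: str) -> str:
    """Never echo the secret itself into the scanner's own output or logs."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(name: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_ASSIGNMENT.finditer(line):
            value = match.group("value").rstrip(";,")
            if PLACEHOLDER.match(value):
                continue
            findings.append({
                "file": name, "line": line_no, "key": match.group("key"),
                "value": mask(value), "entropy": round(shannon_entropy(value), 2),
            })
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. built from a git tree or a CI checkout."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['key']} = {f['value']}  "
              f"(entropy {f['entropy']} bits/char)")
```

Note that entropy alone would miss two of the slide's values (short strings with repeated characters score under 3 bits per character), which is why the identifier match is the primary signal and entropy only helps rank findings.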
• 12. Gartner report "Managing Machine Identities, Secrets, Keys and Certificates", published 24 August 2020, analyst Erik Wahlstrom. Akeyless is mentioned on p. 16, under "secrets management solutions".
• 13. Secrets Management: fetch secrets from any platform, script or application
• Applications (customer application, customer database, 3rd-party service API) fetch secrets through an API / SDK / CLI / plugins instead of embedding Password = "Pass12#"
• Secrets live in an encrypted secrets store, managed by humans (DevOps, IT, developers)
• 14. First: integrate with everything
• Human authentication via LDAP, SAML, OpenID
• Machine authentication via direct channels, platforms and plugins (examples on the slide)
• 15. World-wide availability
• Scalability
• Multi-region / multi-cloud
• Disaster recovery: replication, backup
• Highly available
• Consider: self-deployment vs. SaaS
• 16-18. Existing solutions vary (build-up slides): HSM as root of trust, KMS, PAM, SSH management, certificate management, secrets management (SM)
• 19. Existing solutions vary: the same pieces brought together as a unified secrets management platform
• 20. Thank you. Questions? Further questions and thoughts you'd like to share? You are most welcome to drop an email to Oded@akeyless.io
• 21. Building secure cloud architecture. Moshe Ferber, CCSK, CCSP, CCAK. "When the winds of change blow, some people build walls and others build windmills." (Chinese proverb)
• 22. About myself
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker and lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
• Co-host of the Silverlining podcast on security engineering
• Founding committee member for the ISC2 CCSP and CSA CCSK, CCAK certifications
• Member of the board at Macshava Tova, narrowing societal gaps
• Chairman of the board, Cloud Security Alliance, Israeli chapter
• Cloud security course schedule: http://www.onlinecloudsec.com/course-schedule
• 23. About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next-generation IT
• Research and educational programs
• Certifications for cloud providers and security professionals
• Awareness and marketing
• The globally authoritative source for trust in the cloud
• "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing"
• CSA Israel: a community of security professionals promoting responsible cloud adoption
• 24. Architecting for availability: regions vs. availability zones (diagram: regions US West, Singapore and Mumbai, each with AZ1 to AZ4)
• 25. Architecting for availability: redundancy in one region (diagram: Internet → load balancer → web servers and databases spread across Mumbai AZ-1, AZ-2 and AZ-3)
• 26. Architecting for availability: redundancy in multiple regions/clouds (diagram: external CDN → web and DB tiers in US-EAST1 and US-EAST2, plus a 2nd provider)
• 27. Architecting for availability
• External CDN providers can add resiliency, flexibility and redundancy
• Look for vendors who can add functionality: DDoS protection, web application firewall, load balancing, DNS management
• 28. Architecting for application protection: web application firewall options
• 3rd party as a service
• 3rd party as a proxy
• Provider service
• WAF client on the web instances
• 29. Architecting for application separation (diagram; source: Cloud Security Alliance CCSK certification)
• 30. Limiting blast radius with organizations / subscriptions
• Diagram: organizational units OU A, OU B and OU C, each with its own root account and its own IAM admin, security auditor, billing admin, super admin, service 1 admin and service 2 admin roles
• 31. Architecting for data security: understanding storage options
• Volume storage: attached to a single instance; not shared, accessible only from the instance; useful for the instance OS environment, application binaries, DB files and anything instances need to operate
• Object storage: provider managed; files are placed in buckets; versioning and metadata kept for all objects; files are accessible by API or HTTP; independent of AZ or instance dependencies; useful for static application data, backups, source code and config files
• Database service: provider managed; accessible through the DB API; varies between services (structured, unstructured and more); usually the customer has no access to the underlying DB infrastructure
• CDN: cloud-provider proprietary service or external 3rd-party service; provides flexibility and resiliency; useful for serving static content at low latency; usually accompanied by additional services: WAF, DDoS protection, load balancer...
• 32. Architecting for data security: encryption
• Diagram: encryption can be applied at each layer of a virtual instance: application encryption layer, database (TDE), storage encryption, volume encryption
• Keys come from a shared KMS or a dedicated HSM
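Slide 7 asks where the root-of-trust key should live and raises secret-zero; this slide places the KMS or HSM underneath every encryption layer. The example below is added for this page (it is not Akeyless, CSA or any cloud provider's code) and shows how the two fit together: a simulated KMS generates the key-encryption key (KEK) internally and never returns it, each secret is encrypted under its own data key (DEK), and only the wrapped DEK is stored next to the ciphertext. The KMS authorises callers by identity rather than by a stored password, which is what removes the secret-zero loop. The cipher is a stand-in built from HMAC-SHA256 so the block runs on the standard library; the ARN-like principal names and the `GenerateDataKey`/`Decrypt` operation names follow the common cloud KMS pattern but are assumptions here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


# --- Stand-in authenticated cipher ------------------------------------------
# HMAC-SHA256 in counter mode plus an HMAC tag (encrypt-then-MAC), used so the
# example runs on the standard library alone. A real KMS/HSM or library would
# use AES-GCM; the key handling around it is the point, not the cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- Simulated KMS: the root of trust ----------------------------------------
class AccessDenied(PermissionError):
    pass


class SimulatedKms:
    """The key-encryption key (KEK) is generated inside and never handed out.

    Callers are authorised by identity (a cloud IAM role, a workload identity),
    not by a password they would have to store somewhere: that is how the
    secret-zero loop is broken. Every call is written to an audit log.
    """

    def __init__(self, allowed_principals):
        self._kek = os.urandom(32)            # stays inside the KMS/HSM boundary
        self._allowed = set(allowed_principals)
        self.audit = []                        # (principal, operation, allowed)

    def _authorise(self, principal: str, operation: str) -> None:
        allowed = principal in self._allowed
        self.audit.append((principal, operation, allowed))
        if not allowed:
            raise AccessDenied(f"{principal} may not call {operation}")

    def generate_data_key(self, principal: str):
        """Return (plaintext DEK, DEK wrapped under the KEK), like GenerateDataKey."""
        self._authorise(principal, "GenerateDataKey")
        dek = os.urandom(32)
        return dek, seal(self._kek, dek)

    def decrypt_data_key(self, principal: str, wrapped_dek: bytes) -> bytes:
        self._authorise(principal, "Decrypt")
        return unseal(self._kek, wrapped_dek)


# --- Application side: envelope encryption of a secret ----------------------
@dataclass
class EncryptedSecret:
    wrapped_dek: bytes   # useless without the KMS: only the KEK unwraps it
    blob: bytes          # the secret, sealed under the DEK


def store_secret(kms: SimulatedKms, principal: str, secret: bytes) -> EncryptedSecret:
    dek, wrapped = kms.generate_data_key(principal)
    record = EncryptedSecret(wrapped, seal(dek, secret))
    del dek                                    # the plaintext DEK lives only for this call
    return record


def read_secret(kms: SimulatedKms, principal: str, record: EncryptedSecret) -> bytes:
    dek = kms.decrypt_data_key(principal, record.wrapped_dek)   # the KMS checks identity
    return unseal(dek, record.blob)


def try_read(kms: SimulatedKms, principal: str, record: EncryptedSecret):
    """Plaintext on success; None when the KMS refuses the caller or the record was tampered with."""
    try:
        return read_secret(kms, principal, record)
    except (AccessDenied, ValueError):
        return None


if __name__ == "__main__":
    app = "arn:aws:iam::111122223333:role/payments-app"        # made-up principal
    kms = SimulatedKms({app})
    record = store_secret(kms, app, b"db: T0pSecr3t")
    print("app reads:    ", try_read(kms, app, record))
    print("stolen record:", try_read(kms, "arn:aws:iam::111122223333:role/attacker", record))
    print("audit log:    ", kms.audit)
```

The stored record (wrapped DEK plus ciphertext) can sit in a database, a config store or object storage: whoever steals it still has to convince the KMS that they are an allowed principal, and every attempt lands in the KMS audit log. In the HSM variant the `_kek` field is the part that moves into hardware; the rest of the structure stays the same.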
• 33. Architecting for CI/CD (diagram; source: Cloud Security Alliance guidelines)
• 34. Monitoring toolset
• CWPP, Cloud Workload Protection Platform: protects workloads (VMs, containers, serverless); traditional endpoint security (AV, VA); additional features for containers and serverless
• CSPM, Cloud Security Posture Management: protects the management dashboard; monitors for compliance breaks, misconfiguration and identity permissions
• CASB, Cloud Access Security Broker: designed for SaaS; detects threats; eDiscovery + DLP; shadow IT detection
• Cloud-native application protection platform (CNAPP)
• 36. Architecting for log management
• Portal logs: cover API and GUI access
• Traffic logs: network traffic inside the VPC
• Instance logs: extracted just like on a traditional OS
• Unique logs: K8s logs, ELB logs, object storage logs
• 37. Architecting for log management (diagram)
• Sources: OS logs (collected by an agent), CloudTrail, VPC flow logs
• Collection and alerting: S3, CloudWatch (rules and alerts), SNS (notifications)
• Destination: SIEM
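Shipping CloudTrail and VPC flow logs to a SIEM is only useful with rules on top. The following is an added example for this page, not code from the speaker or from AWS: four CloudTrail rules (root activity, console login without MFA, trail tampering, IAM privilege changes) and two flow-log rules (an internet source probing many rejected ports, and an admin port actually accepted from the internet). The records are constructed; they follow the CloudTrail event shape and the default VPC Flow Logs field order, but the account ID, ARNs, IPs and event list are made up, and the severities and thresholds are assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed records shaped like CloudTrail events (account ID, ARNs and IPs
# are made up; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2021-06-24T08:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-06-24T08:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2021-06-24T08:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2021-06-24T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/monitor/i-0abc"}},
]

# Constructed lines in the default VPC Flow Logs format (version 2).
VPC_FLOW_SAMPLE = """\
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.15 45123 22 6 6 360 1624521600 1624521660 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.15 45124 3389 6 4 240 1624521600 1624521660 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.15 45125 445 6 4 240 1624521600 1624521660 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.15 45126 8080 6 4 240 1624521600 1624521660 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.15 45127 22 6 12 1800 1624521700 1624521760 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 51000 5432 6 20 4000 1624521700 1624521760 ACCEPT OK
"""
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_PRIVILEGE_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                         "PutRolePolicy", "CreateAccessKey", "CreateUser", "UpdateAssumeRolePolicy"}
ADMIN_PORTS = {22, 3389}
VPC_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def actor(event: dict) -> str:
    who = event.get("userIdentity", {})
    return who.get("userName") or who.get("arn") or who.get("type", "unknown")


def cloudtrail_alerts(events: list) -> list:
    """Rules a CloudWatch metric filter or a SIEM would run over CloudTrail."""
    alerts = []
    for e in events:
        name, source = e.get("eventName"), e.get("eventSource")
        if e.get("userIdentity", {}).get("type") == "Root":
            alerts.append(("HIGH", "root account activity", f"{name} from {e.get('sourceIPAddress')}"))
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(("HIGH", "console login without MFA", actor(e)))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(("CRITICAL", "audit trail tampering", f"{actor(e)} called {name}"))
        if source == "iam.amazonaws.com" and name in IAM_PRIVILEGE_CHANGES:
            alerts.append(("MEDIUM", "IAM privilege change", f"{actor(e)} called {name}"))
    return alerts


def is_internal(address: str) -> bool:
    """RFC 1918 check; ipaddress.is_private would also treat the documentation ranges as private."""
    return any(ipaddress.ip_address(address) in net for net in VPC_RANGES)


def parse_flow_logs(text: str) -> list:
    return [dict(zip(FLOW_FIELDS, line.split())) for line in text.splitlines() if line.strip()]


def flow_alerts(records: list, scan_threshold: int = 4) -> list:
    """Flag internet sources that probe many ports or reach an admin port."""
    alerts, rejected_ports = [], defaultdict(set)
    for r in records:
        if is_internal(r["srcaddr"]):
            continue                     # east-west traffic: different rules apply
        port = int(r["dstport"])
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(port)
        elif r["action"] == "ACCEPT" and port in ADMIN_PORTS:
            alerts.append(("HIGH", "admin port reachable from the internet",
                           f"{r['srcaddr']} -> {r['dstaddr']}:{port}"))
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append(("MEDIUM", "port scan (rejected flows)", f"{src} probed {sorted(ports)}"))
    return alerts


if __name__ == "__main__":
    for a in cloudtrail_alerts(CLOUDTRAIL_SAMPLE) + flow_alerts(parse_flow_logs(VPC_FLOW_SAMPLE)):
        print(*a, sep=" | ")
```

The trail-tampering rule is the one to wire to a paging channel: a `StopLogging` call is the first thing an intruder does to blind exactly the pipeline drawn on the slide, and it is also the event that stops arriving in the SIEM afterwards.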
• 38. Keep in touch. The cloud security course schedule can be found at: http://www.onlinecloudsec.com/course-schedule
• 40. Event Tracking in Microservices: observability, security, and anything in between. Naor Penso, Sr. Director, Product Security @ FICO
• 41. Naor Penso, Sr. Director, Product Security @ FICO. Previous positions: cybersecurity CTO, chief information security officer
• ~20 years in cybersecurity
• Today, leading product security and security services development @FICO
• Investing in, mentoring and advising multiple start-ups in the cyber domain
• 42. Observability? Observability is the process of understanding the internal application states from external outputs, tracking software behaviours across different datapoints and different services, to provide a holistic view of the application ecosystem. To reach observability you need to monitor different application outputs, including metrics, traces and logs.
• 44. Observability challenges in modern applications
• A business transaction is now built from event snippets spanning 1 to 10,000 services
• Stateless services can serve any number of customers without "understanding" who they are serving
• There is no single pattern of work: the same service can be used for n use cases
• In some cases, services are ephemeral, servicing one request and disappearing (e.g., serverless functions)
• Modern use case, a highly abstract process: Process Invoice → File Transfer (microservice) → OCR (microservice) → ETL (microservice) → Currency Conversion (microservice) → Data Enrichment (microservice) → ETL (microservice) → Database
• 45. Observability solution / glossary (based on OpenTelemetry)
• Metric: records a data point, either a raw measurement or a predefined aggregation, as a time series with metadata
• Span: a single operation that is logged (usually the output of one microservice)
• Trace: a group of spans (usually representing a transaction)
• Log / log record: typically, the record includes a timestamp indicating when the event happened as well as other data that describes what happened, where it happened,
• Diagram: each microservice in the Process Invoice chain (File Transfer, OCR, ETL, Currency Conversion, Data Enrichment, ETL, Database) emits a span; together the spans form the trace
• 46. Security and observability. Due to the highly distributed nature of modern applications, understanding the business context of events and generating the basics of an audit trail becomes significantly harder than with monoliths.
• Examples: a currency conversion service may convert currency without knowing who the conversion is for; a business transaction can be the encapsulation of interactions between 15 different services; some services may fail and some may succeed within a single transaction; the time of the event is broken into many small timestamps representing different services
• So: Who is not known to all, What is 15 different "what"s, When and Where are single points, and Success / Fail is ambiguous
• 48. What is Cornerstone? Cornerstone is a unified and expandable specification of events, supporting the need for tracking activities and changes in a complex technological environment.
• 150+ fields
• 19 contexts
• Expandable and logic-driven
• Unlimited use cases
• 49. Fundamentals: ground rules
• Cornerstone does not define what events the product teams should log. The "what" is a matter of the application's business, which cannot be anticipated, hence Cornerstone provides an extensible framework to cover and solve new business needs.
• Cornerstone does not define how events will be logged. Events continue to be logged exactly as they have been in the past.
• Cornerstone does define the structure of the event, from basic fields (who, what, when, where) to the extended fields needed for context (who initiated, what was impacted).
• 50. The structure: event specification
• Core Event
• User Context, Permission Context, Role Context
• Runtime Context: Cloud Context, Host Context, K8s Context, Container Context, Process Context, Serverless Context
• Data Context: Data Classification, Data Security Context, File Context, Database Context, Data Import / Export Context, Information Context
• Network Context: Web Context, Network Traffic, API Context
• 52. The structure: Event Core example (the slide shows a field table with each field marked Mandatory, Optional or Conditional; the field names are not recoverable from the transcript)
• 53. The structure: User Context example (one field mandatory in context, the rest optional) and a Data Import example
• 54. The structure: field types and requirements
• Field types: String, String (Options), Integer, Boolean, Array
• Field requirements: Mandatory, Conditional, Optional, Mandatory (if applicable)
• Example:
  Field             Type     Requirement
  Multitenant       Boolean  Mandatory
  Customer UUID     String   Conditional
  Environment UUID  String   Optional
• 55. Usage logic: a unified framework
• Diagram: many microservices, each logging on its own, brought under one unified logic
• Benefits: better RCA, detection, uniformity, metering, product support
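Slides 46 and 54 together describe the mechanics: a field is Mandatory, Optional or Conditional (Customer UUID becomes mandatory once Multitenant is true), and the "who" is only known at the service that faced the user. The example below is added for this page and is not the Cornerstone specification itself: the schema is a deliberately small, hypothetical stand-in (the real 150+ fields are not on the slides, so every field name here is an assumption), the events are constructed for the invoice flow drawn on slide 44, and the trace join shows how a per-service log stream is turned back into the who / what / when / outcome that an audit needs.

```python
from dataclasses import dataclass
from typing import Callable, Optional

MANDATORY, CONDITIONAL, OPTIONAL = "mandatory", "conditional", "optional"


@dataclass
class FieldSpec:
    type: type                               # str, int, bool or list
    requirement: str
    options: Optional[set] = None            # for "String (Options)" fields
    condition: Optional[Callable] = None     # event -> bool; decides a CONDITIONAL field


# Hypothetical, deliberately small schema in the spirit of the Cornerstone core
# event plus a user and a runtime context. The real spec's 150+ fields are not
# on the slides, so the names below are assumptions for this example.
SCHEMA = {
    "event_id":         FieldSpec(str, MANDATORY),
    "timestamp":        FieldSpec(str, MANDATORY),
    "service":          FieldSpec(str, MANDATORY),
    "action":           FieldSpec(str, MANDATORY, options={"create", "read", "update", "delete", "login"}),
    "success":          FieldSpec(bool, MANDATORY),
    "trace_id":         FieldSpec(str, MANDATORY),
    "multitenant":      FieldSpec(bool, MANDATORY),
    "customer_uuid":    FieldSpec(str, CONDITIONAL, condition=lambda e: e.get("multitenant") is True),
    "environment_uuid": FieldSpec(str, OPTIONAL),
    "user_id":          FieldSpec(str, OPTIONAL),   # user context: known at the entry point only
    "tags":             FieldSpec(list, OPTIONAL),
}


def validate(event: dict) -> list:
    """Return the list of violations; empty means the event conforms.

    Fields outside the schema are allowed: the spec is meant to be extended.
    """
    problems = []
    for name, spec in SCHEMA.items():
        required = spec.requirement == MANDATORY or (
            spec.requirement == CONDITIONAL and spec.condition(event))
        if name not in event:
            if required:
                problems.append(f"missing {spec.requirement} field {name}")
        elif not isinstance(event[name], spec.type):
            problems.append(f"{name}: expected {spec.type.__name__}")
        elif spec.options and event[name] not in spec.options:
            problems.append(f"{name}: {event[name]!r} not in {sorted(spec.options)}")
    return problems


def audit_by_trace(events: list) -> dict:
    """Rebuild who / what / when / outcome per business transaction.

    Only the entry-point service logs the user; downstream services log the
    same trace_id, so the join recovers the actor for every step.
    """
    traces = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        t = traces.setdefault(e["trace_id"], {"who": None, "what": [], "first": e["timestamp"],
                                               "last": e["timestamp"], "success": True})
        if t["who"] is None and e.get("user_id"):
            t["who"] = e["user_id"]
        t["what"].append((e["service"], e["action"]))
        t["last"] = e["timestamp"]
        t["success"] = t["success"] and e["success"]
    return traces


def _event(event_id, ts, service, action, success, **extra):
    base = {"event_id": event_id, "timestamp": ts, "service": service, "action": action,
            "success": success, "trace_id": "t-100", "multitenant": True, "customer_uuid": "cust-7"}
    return {**base, **extra}


# Constructed events for one "process invoice" transaction: the gateway knows
# the user, the downstream microservices do not.
SAMPLE_EVENTS = [
    _event("e1", "2021-06-24T10:00:00Z", "api-gateway", "login", True, user_id="alice"),
    _event("e2", "2021-06-24T10:00:01Z", "ocr", "read", True),
    _event("e3", "2021-06-24T10:00:02Z", "currency-conversion", "read", True),
    _event("e4", "2021-06-24T10:00:03Z", "etl", "update", False),
]
# Multitenant but no customer, a wrong type, and an action outside the options.
BAD_EVENT = {"event_id": "e9", "timestamp": "2021-06-24T10:00:04Z", "service": "etl",
             "action": "convert", "success": "yes", "trace_id": "t-100", "multitenant": True}


if __name__ == "__main__":
    print("violations:", validate(BAD_EVENT))
    for trace_id, summary in audit_by_trace(SAMPLE_EVENTS).items():
        print(trace_id, summary)
```

Two points worth taking from it: the conditional rule is data-driven (a predicate on the event itself), so the same validator serves every context, and the trace join only works because `trace_id` is mandatory in the core event; make it optional and the currency conversion service goes back to not knowing who it served.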
• 58. Monoliths vs. modern applications
  Aspect             Monoliths                                             Microservices
  Business logic     Confined to a single place for all the business logic Spread across multiple services
  Interaction model  Internal by design (e.g., calling internal functions) External by design (e.g., using REST APIs)
  Runtime model      Must have all pieces together to run                  Every piece can run on its own
  Usability          Reuse is done at the code level                       Reuse is done at the service level
  State management   (Generally) stateful                                  Stateless
• 60. Kubernetes Secrets: securing your production environment. Ori Mankali, VP R&D, Akeyless
• 62. What are secrets and why are they important?
● Tokens, API keys, encryption keys, passwords, etc.
● Needed by most types of applications and services to authenticate to various resources
● Main concern: protection
○ Hacking
● Secondary concern: management and traceability
○ Revocation
○ Audit logs
• 64. How does K8s store secrets?
● K8s is one of the most popular container orchestration tools
● It is becoming the backbone of modern infrastructure
● Many applications still store secrets as plain text
● The built-in Secret store is not much better: values are only base64-encoded, and unless encryption at rest is configured they sit in etcd in the clear
• 65. So, how can I make my production environment safer?
● Use a strong encryption algorithm
● Storing the encryption key somewhere leads to the secret-zero problem
● What about application-rich clusters?
• 67. Secret secured, almost
● Ensure different applications within a cluster can't access each other's secrets
● Segregate to apply least-privilege access
● But who can access my cluster?
• 69. Just-in-time K8s access
● Short-lived PKI certificates or short-lived temporary service account tokens
● You also get traceability, governance and management
● Access revocation, to respond quickly to security incidents
• 70. The solution
● A secrets management platform that protects your secrets (decryption at the application level) and allows controlled access to your cluster
● Trusted machine identity (cloud IAM, Akeyless Universal Identity, service accounts) to address the secret-zero problem
● Delivered either as a self-deployed solution or as a SaaS platform
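Slides 64 to 69 make four checkable claims: built-in Secrets are only base64, applications in one cluster must not read each other's secrets, least privilege has to be applied to who can read them, and cluster access should be short-lived. The audit below is an added example for this page, not Akeyless code and not a Kubernetes tool; it runs those checks over a set of constructed manifests (names, namespaces and values are made up) in the JSON shape the API server returns, and flags an over-broad Role, a binding that hands that Role to every service account in the namespace, a Pod with a literal credential and an auto-mounted token, and a long-lived projected token. The severities and the one-hour token threshold are assumptions.

```python
import base64
import re

# Constructed manifests, as the API server returns them in JSON; names and
# values are made up for this example.
MANIFESTS = [
    {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
     "metadata": {"name": "db-creds", "namespace": "payments"},
     "data": {"password": base64.b64encode(b"T0pSecr3t").decode()}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "read-all-secrets", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "read-own-secret", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["db-creds"], "verbs": ["get"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "everyone-reads", "namespace": "payments"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "read-all-secrets"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:payments"}]},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "batch-job", "namespace": "payments"},
     "spec": {"serviceAccountName": "batch",
              "containers": [{"name": "job", "image": "batch:1.0",
                              "env": [{"name": "DB_PASSWORD", "value": "T0pSecr3t"}]}]}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api", "namespace": "payments"},
     "spec": {"serviceAccountName": "api", "automountServiceAccountToken": False,
              "containers": [{"name": "api", "image": "api:1.0",
                              "env": [{"name": "DB_PASSWORD", "valueFrom": {
                                  "secretKeyRef": {"name": "db-creds", "key": "password"}}}]}],
              "volumes": [{"name": "vault-token", "projected": {"sources": [
                  {"serviceAccountToken": {"audience": "vault", "expirationSeconds": 600}}]}}]}},
]

SECRET_LIKE = re.compile(r"password|passwd|secret|token|api[_-]?key", re.IGNORECASE)
MAX_TOKEN_TTL = 3600   # seconds; anything longer is no longer "short-lived" (assumed threshold)


def decode_secret(secret: dict) -> dict:
    """Secret.data is base64, so anyone allowed to get the object reads the value."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def reads_all_secrets(rule: dict) -> bool:
    """A read verb on secrets with no resourceNames pin means every Secret in scope."""
    resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
    return bool(resources & {"secrets", "*"}) and bool(verbs & {"get", "list", "watch", "*"}) \
        and not rule.get("resourceNames")


def audit(manifests: list) -> list:
    findings = []

    def add(obj, severity, message):
        findings.append({"object": f"{obj['kind']}/{obj['metadata']['name']}",
                         "severity": severity, "message": message})

    wide_roles = {m["metadata"]["name"] for m in manifests
                  if m["kind"] in ("Role", "ClusterRole") and any(map(reads_all_secrets, m.get("rules", [])))}
    for m in manifests:
        kind = m["kind"]
        if kind == "Secret" and m.get("data"):
            add(m, "INFO", f"{len(decode_secret(m))} value(s) are base64-encoded, not encrypted; "
                           "turn on encryption at rest for etcd and limit who can get Secrets")
        elif kind in ("Role", "ClusterRole") and m["metadata"]["name"] in wide_roles:
            add(m, "HIGH", "grants read on every Secret in scope; pin the rule with resourceNames")
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            for s in m.get("subjects", []):
                if s["kind"] == "Group" and s["name"].startswith("system:serviceaccounts"):
                    sev = "HIGH" if m["roleRef"]["name"] in wide_roles else "MEDIUM"
                    add(m, sev, f"binds {m['roleRef']['name']} to {s['name']}: every workload in the group gets it")
        elif kind == "Pod":
            spec = m["spec"]
            for c in spec.get("containers", []):
                for env in c.get("env", []):
                    if "value" in env and SECRET_LIKE.search(env["name"]):
                        add(m, "HIGH", f"env {env['name']} is a clear-text literal; use secretKeyRef or a vault sidecar")
            if spec.get("automountServiceAccountToken", True):
                add(m, "MEDIUM", "service account token auto-mounted; disable it unless the pod talks to the API")
            for v in spec.get("volumes", []):
                for src in v.get("projected", {}).get("sources", []):
                    ttl = src.get("serviceAccountToken", {}).get("expirationSeconds", 3600)  # API default: 1 hour
                    if ttl > MAX_TOKEN_TTL:
                        add(m, "MEDIUM", f"projected token in volume {v['name']} lives {ttl}s; keep it short")
    return findings


if __name__ == "__main__":
    for f in audit(MANIFESTS):
        print(f"{f['severity']:8} {f['object']:30} {f['message']}")
```

The `api` Pod is the shape the slides argue for: no literal credential, the secret referenced by `secretKeyRef`, the default token not mounted, and a ten-minute audience-bound token for the secrets platform. The `read-own-secret` Role passes for the same reason: `resourceNames` is what turns "read secrets" into "read this application's secret".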