"Cloud Security Best Practices" meetup, is about Secrets Management in the Cloud, Secure Cloud Architecture, Events Tracking in Microservices and How to Manage Secrets in K8S.
21. Building secure cloud architecture
Moshe Ferber
CCSK, CCSP, CCAK
When the winds of change blow, some people build walls and others build windmills.
- Chinese Proverb
22. About myself
Information security professional for over 20 years
Founder, partner and investor at various cyber initiatives and startups
Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
Co-hosting the Silverlining podcast – security engineering
Founding committee member for the ISC2 CCSP and CSA CCSK and CCAK certifications
Member of the board at Macshava Tova – Narrowing societal gaps
Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
23. About the Cloud Security Alliance
Global, not-for-profit organization
Building security best practices for next generation IT
Research and Educational Programs
Cloud providers & security professionals Certifications
Awareness and Marketing
The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance
within Cloud Computing, and provide education on the uses of Cloud
Computing to help secure all other forms of computing”
CSA Israel: a community of security professionals promoting responsible cloud adoption.
24. Architecting for availability
[Diagram: Regions vs. Availability Zones: each region (US West, Singapore, Mumbai) contains availability zones AZ1, AZ2, AZ3 and AZ4]
27. Architecting for availability
• External CDN providers can add resiliency, flexibility & redundancy
• Look for vendors who can add functionality:
○ DDoS protection
○ Web application firewall
○ Load balancing
○ DNS management
28. Web Application Firewall options
Architecting for application protection
[Diagram: four WAF deployment options: 3rd party as a service, 3rd party as proxy, provider service, WAF client on web instances]
30. Limiting blast radius
[Diagram: Organizations / Subscriptions split into OU A, OU B and OU C, each with its own root account and its own IAM roles: Admin, Security Auditor, Billing Admin, Super Admin, Service 1 Admin, Service 2 Admin]
31. Understanding storage options
Architecting for data security
Volume Storage
• Attached to a single instance
• Not shared, accessible only from the instance
• Useful for storing the instance OS environment, application binaries, DB files and anything instances need to operate
Object Storage
• Provider managed
• Files are placed in buckets
• Versioning & metadata kept for all objects
• Files are accessible by API or HTTP
• Independent of AZ or instance dependencies
• Useful for storing static application data, backups, source code and config files
Database service
• Provider managed
• Files are accessible by DB API
• Varies between different services (structured, unstructured and more)
• Usually, the customer has no access to the underlying DB infrastructure
CDN
• Cloud provider proprietary service or external 3rd party services
• Provides flexibility and resiliency
• Useful for serving static content at low latency
• Usually accompanied by additional services: WAF, DDoS protection, load balancer…
32. Encryption
Architecting for data security
[Diagram: tiers OS, Storage, DB and Application, each with its encryption layer (volume encryption, storage encryption, TDE); keys held in a shared KMS, a dedicated HSM or a virtual instance]
33. Architecting for CI/CD
Source: Cloud Security Alliance Guidelines
34. Monitoring Toolset
CWPP - Cloud Workload Protection Platform
• Protect workloads (VMs, containers, serverless)
• Traditional end-point security (AV, VA)
• Additional features for containers and serverless
CSPM - Cloud Security Posture Management
• Protect the management dashboard
• Monitor for compliance breaks, misconfiguration, identity permissions
CASB - Cloud Access Security Broker
• Designed for SaaS
• Detect threats
• eDiscovery + DLP
• Shadow IT detection
Cloud Native Application Protection Platform (CNAPP)
36. Architecting for Log Management
Portal Logs
• Cover API & GUI access
Traffic Logs
• Network traffic inside the VPC
Instance Logs
• Extracted just like traditional OS logs
Unique logs
• K8s logs
• ELB logs
• Object storage logs
37. OS Logs
Architecting for log management
[Diagram: AWS log pipeline components: CloudTrail, S3, SIEM, agent, CloudWatch (rules & alerts), SNS (notifications), VPC Flow Logs]
38. KEEP IN TOUCH
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
40. Event Tracking In Microservices
Observability, security, and anything in between
Naor Penso
Sr. Director – Product Security @ FICO
41. Naor Penso
Sr. Director – Product Security @ FICO
Previous positions: Cybersecurity CTO; Chief Information Security Officer
• ~20 years in cybersecurity
• Today, leading product security and security services development @FICO
• Investing, mentoring and advising to multiple start-ups in the cyber domain
42. Observability?
Observability is the process of understanding the internal states of an application from its external outputs, tracking software behaviour across different datapoints and different services to provide a holistic view of the application ecosystem.
To reach observability you need to monitor different application outputs, including metrics, traces and logs.
44. Observability challenges in modern applications
• A business transaction is now built from event snippets spanning 1-10,000 services
• Stateless services can serve any number of customers without “understanding” who they are serving
• There is no one pattern of work; the same service can be used for n use cases
• In some cases, services are ephemeral, servicing one request and disappearing (e.g., serverless functions)
[Diagram: modern use case, a highly abstract “Process Invoice” pipeline of microservices, in order: File Transfer, OCR, ETL, Currency Conversion, Data Enrichment, ETL, Database]
45. Observability solution / glossary
• Metric: records a data point, either raw measurements or a predefined aggregation, as a timeseries with metadata
• Span: a single operation that is logged (usually the output of one microservice)
• Trace: a group of spans (usually representing a transaction)
• Log / Log Record: typically, the record includes a timestamp indicating when the event happened as well as other data that describes what happened, where it happened,
[Diagram: the same “Process Invoice” pipeline (File Transfer, OCR, ETL, Currency Conversion, Data Enrichment, ETL, Database); each microservice emits a span and the spans together form one trace; based on OpenTelemetry]
46. Security & Observability
Due to the highly distributed nature of modern applications, understanding the business context of events and generating the basics of an audit becomes significantly harder than in monoliths.
Examples:
• A currency conversion service may convert currency without knowing who the conversion is for
• A business transaction can be the encapsulation of interactions between 15 different services
• Some services may fail and some may succeed within a single transaction
• The time of the event is broken into many small timestamps representing different services
In other words: Who is not known to all services, What is 15 different “what’s”, When & Where are single points, and Success / Fail is ambiguous
48. What is Cornerstone?
Cornerstone is a unified and expandable specification of events, supporting the need to track activities and changes in a complex technological environment.
• 150+ fields
• 19 contexts
• Expandable & logic driven
• Unlimited use cases
49. Fundamentals: Ground Rules
• Cornerstone does not define what events the product teams should log. The what is a subject of the business of the application, which cannot be anticipated; hence Cornerstone provides an extendible framework to cover and solve for new business needs.
• Cornerstone does not define how events will be logged. Events will continue being logged exactly as they have been in the past.
• Cornerstone does define the structure of the event, from basic fields (who, what, when, where) to extended fields needed for context (who initiated, what was impacted)
50. Fundamentals: The Structure
Event Specification
• Core Event
• User Context
○ Permission Context
○ Role Context
• Runtime Context
○ Cloud Context
○ Host Context
○ K8s Context
○ Container Context
○ Process Context
○ Serverless Context
• Data Context
○ Data Classification
○ Data Security Context
○ File Context
○ Database Context
○ Data Import / Export Context
○ Information Context
• Network Context
○ Web Context
○ Network Traffic
○ API Context
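The "Security & Observability" slide says the who, what, when, where and success/fail of a business transaction are scattered across services, and the Cornerstone slides say the fix is a fixed event structure with core fields plus contexts. The example below is added here and is not Cornerstone's own code or schema: it uses assumed field names (trace_id, actor, action, context) to merge the per-service span events of the deck's "Process Invoice" flow into one transaction-level audit record, flagging the cases the slide warns about (no service knows the user, one service failed).

```python
"""Added example: correlate per-service span events into one audit record.
Field names are assumptions, not Cornerstone's; sample data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SpanEvent:
    trace_id: str               # shared by every span of one business transaction
    service: str                # where: the microservice that emitted the span
    action: str                 # what: the operation it performed
    started: str                # when: ISO-8601 UTC timestamps
    ended: str
    success: bool
    actor: Optional[str] = None # who: usually known only to the entry service
    context: dict = field(default_factory=dict)  # extended context fields

def build_audit_record(spans):
    """Merge the spans of exactly one trace into a who/what/when/where record."""
    ids = {s.trace_id for s in spans}
    if len(ids) != 1:
        raise ValueError(f"expected spans from exactly one trace, got {ids}")
    ordered = sorted(spans, key=lambda s: s.started)
    actors = {s.actor for s in ordered if s.actor}
    if len(actors) > 1:  # two services disagree on who initiated the transaction
        raise ValueError(f"conflicting actors in trace: {actors}")
    failed = [s.service for s in ordered if not s.success]
    return {
        "trace_id": ordered[0].trace_id,
        "who": next(iter(actors), "unknown"),   # 'unknown' is itself a finding
        "what": [f"{s.service}:{s.action}" for s in ordered],
        "when": {"start": ordered[0].started, "end": max(s.ended for s in ordered)},
        "where": sorted({s.service for s in ordered}),
        "outcome": "success" if not failed else "partial_failure",
        "failed_services": failed,
        "contexts": {s.service: s.context for s in ordered if s.context},
    }

# Constructed sample: three steps of the deck's "Process Invoice" flow, one trace.
# Only the entry service knows the user; currency conversion fails.
SAMPLE = [
    SpanEvent("t-1", "file-transfer", "upload", "2024-01-01T10:00:00Z",
              "2024-01-01T10:00:02Z", True, actor="alice@example.com",
              context={"file": "invoice-42.pdf"}),
    SpanEvent("t-1", "ocr", "extract_text", "2024-01-01T10:00:02Z",
              "2024-01-01T10:00:05Z", True),
    SpanEvent("t-1", "currency-conversion", "convert", "2024-01-01T10:00:05Z",
              "2024-01-01T10:00:06Z", False, context={"from": "EUR", "to": "USD"}),
]

if __name__ == "__main__":
    print(build_audit_record(SAMPLE))
```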
58. Monoliths vs. Modern Applications
• Business logic: monoliths confine it to a single place; microservices spread it across multiple services
• Interaction model: monoliths are internal by design (e.g., calling internal functions); microservices are external by design (e.g., using REST APIs)
• Runtime model: a monolith must have all pieces together to run; in microservices every piece can run on its own
• Usability: in monoliths reuse is done at the code level; in microservices reuse is done at the service level
• State management (generally): monoliths are stateful; microservices are stateless
62. What are secrets and why are they important?
● Tokens, API keys, Encryption Keys, Passwords, etc.
● Needed for most types of applications and services to authenticate to various
resources
● Main concern: Protection
○ Hacking
● Secondary concern: Management and Traceability
○ Revocation
○ Audit logs
64. How does K8s store secrets?
● K8s is one of the most popular container orchestration tools
● It’s becoming the backbone of modern infrastructure
● Many applications still store secrets as plain text
● The built-in secret store is not much better
65. So, how can I make my production env. safer?
● Strong encryption algorithm
● Encryption key storage may lead to Secret-Zero
problem
● What about Application-rich clusters?
67. Secrets secured, almost
● Need to ensure different applications within a
cluster can’t access secrets of other applications
● Segregate to apply Least Privilege Access
● But who can access my cluster?
69. Just-in-Time K8s access
● Short-lived PKI certificates or short-lived
temporary Service Account tokens
● You will also get: Traceability, Governance and
management
● Access Revocation to quickly respond to
security incidents
70. The Solution
● A Secret Management Platform that protects your secrets (decryption at application level) and allows controlled access to your cluster
● Trusted Machine Identity (Cloud IAM, Akeyless Universal Identity, Service Accounts) to address the Secret Zero problem
● Using either:
○ Self Deployed Solutions
○ SaaS Platforms