Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protecting sensitive data in modern multi-compo...

vixentael
September 12, 2018

Protecting sensitive data in modern multi-component systems

💫 modern apps are multi-components, most data leaks are caused by poor architectural decisions,
💫 what is sensitive data life-cycle,
💫 how to build trust model for your app,
💫 what are typical trust patterns,
💫 how to select proper security controls based on real-world risks.

--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

We will take a deep look into the data lifecycle, risk, trust and how they affect security architecture, encryption, and key management techniques. We will illustrate typical SDL patterns: narrowing trust, monitoring intrusions, zero knowledge architectures, distributing trust. The goal of the talk is to give a general thinking framework and enough ideas about tools for senior engineers to plan their solutions securely, regarding sensitive data contained within.

vixentael

September 12, 2018
Tweet

More Decks by vixentael

Other Decks in Programming

Transcript

  1. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security consulting, training
  2. 1. Architectures and data leaks. 2. Sensitive data lifecycle. 3.

    SSDLC – defining trust, threats and risks to data. 4. Typical trust patterns. 5. Security controls: tips, tricks, tools @vixentael Plan
  3. @vixentael mln records 0 360 720 1,080 1,440 1,800 February

    April June August October December February https://www.itgovernance.co.uk/blog/category/cyber-security/ Million of records leaked per month 2018/2019
  4. @vixentael mln records 0 360 720 1,080 1,440 1,800 February

    April June August October December February https://www.itgovernance.co.uk/blog/category/cyber-security/ Million of records leaked per month 2018/2019
  5. @vixentael wrong assumptions and trust models no tests / penetration

    tests lack of understanding the data life cycle GTD / speed Why?
  6. @vixentael is any kind of data, that will break business

    objectives or prosperity of those who use data, if leaked. Sensitive data –
  7. @vixentael Sensitive data depends on business personally identifiable information (PII)

    device logs and application data medical & finance data likes & preferences … https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html
  8. @vixentael Secure development lifecycle methodology MS SDL OWASP S-SDLC www.microsoft.com/en-us/sdl

    www.owasp.org/index.php/ OWASP_Secure_Software_Development_ Lifecycle_Project Risk evaluation Risk assessment Threat model Security plan Secure coding Security verification Secure operations Incident response
  9. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics layout
  10. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics flow
  11. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics actions i i o o p i p s s input processing storage output p
  12. @vixentael Data classification more sensitive / less sensitive valued for

    users / for business regulated / non-regulated at rest / in motion available for users / admins / support
  13. @vixentael Data classification users PII users payments items description sales

    schedule financial reports users preferences orders history conversion analytics TLS certs AWS access staff accounts login history db access company accounts
  14. @vixentael Data classification users PII users payments items description sales

    schedule financial reports users preferences orders history conversion analytics TLS certs AWS access staff accounts login history db access company accounts u p $ t u’ i
  15. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics kinds of data i i o o p i p s s u u p $ $ $ p u t $ u u’ i u p
  16. @vixentael Can we protect everything everywhere? – No. – Risks

    impact – Trust and threats – Attack vectors prioritization
  17. @vixentael Trust model (per node) 1. What kind of data

    it operates? 2. Do we trust/control this node?
  18. @vixentael Trust model (per node) 1. What kind of data

    it operates? 2. Do we trust/control this node? 3. If needs sensitive plaintext, who stores the keys?
  19. @vixentael Trust model (per node) 1. What kind of data

    it operates? 2. Do we trust/control this node? 3. If needs sensitive plaintext, who stores the keys? 4. What are security controls?
  20. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics trust model ☠ ☠ ☠ ⚠ ❇ ⚠ ⚠ ⚠ ⚠ ⚠ ⚠
  21. @vixentael Security control – a practical implementation of risk prevention

    technique in your code and infrastructure. Reactive: 
 - detect incident
 - correct / limit damage Proactive: 
 - prevent risk
  22. @vixentael Reactive controls: detect Data security integrity checks, authenticated crypto

    Access security honeypots, access logging Node security IDS, monitoring
  23. @vixentael Reactive controls: limit damage Data security Access security Node

    security key management, backups credential management, jailbans infrastructural management
  24. @vixentael 1. Identify sensitive data, understand sensitive data lifecycle, classify

    data. 2. Identify risks to data. 3. Build trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high risk vectors (to prevent risks and to identify leaks). Infrastructural data protection 101
  25. @vixentael “Everyone Knows Everything” 1. Many components, everyone has access

    to database via same API. 2. API without auth (brute-force ID to get info about objects). 3. Storing plaintext data. 4. Transferring back and forth all data (aka large JSON). 5. Transfer data in plaintext inside infrastructure. 6. Storing all data in the same place. 7. Logging everything (including secrets). 8. No monitoring for non-legit access.
  26. @vixentael 4. Don’t store all data in one place. 5.

    Don’t send all data if only some piece needed. “Narrowing and controlling trust” % Limit data:
  27. @vixentael 1. Encrypt data for exact use-case (to be accessible

    by specific users/systems). 2. Store keys in trusted zone (KMS, Vault). 3. Proper key management: rotate, revoke, backup. “Narrowing and controlling trust” & Encrypt data:
  28. @vixentael 1. Separate API for each app. 2. Session handling,

    session expiration. 3. Encrypt transport inside network. “Narrowing and controlling trust” ' Protect transport: https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html
  29. @vixentael 1. Access to critical data. 2. Access to keys.

    3. Unusual behavior. 4. Honey pots / honey tokens. “Narrowing and controlling trust” ( Monitor everything:
  30. @vixentael “Narrowing and controlling trust” $ Limit trust. ( Monitor

    everything. ' Protect transport. % Limit data. & Encrypt data.
  31. @vixentael ZKA is a design principle that enables software to

    provide services over protected client data without having an unencrypted access to it. “Zero Knowledge Architecture”
  32. @vixentael % all operations on encrypted data: – CRUD –

    control access to data from different users – search (in encrypted data) “Zero Knowledge Architecture” $ E2EE clients
  33. @vixentael Control and monitor perimeter. Control and monitor intranet: between

    networks, between hosts. IDS & HIDS. Firewalls / IDS
  34. @vixentael SIEM Aggregate logs into single point for further analysis:

    Triggers on leaking assets. Triggers on typical attacks. Correlation analysis.
  35. @vixentael Audit logs On every access to sensitive data. Non-falsiable.

    Easy-to-analyze. https://cloud.google.com/logging/docs/audit/
  36. @vixentael Encryption libraries should ★ use strong & audited crypto

    ★ work everywhere ★ hide cryptographic details ★ be hard to mis-use ★ have integration with key storage
  37. @vixentael Data in motion protection / TLS private keys RSA-2048,

    ECDSA-256 obtain certificate from reliable CA TLS v1.3-v1.2 use secure cipher suites TLS_ECDHE_ECDSA_WITH_AES_2 56_GCM_SHA384 ✅ enable Forward Secrecy ✅ enable HSTS (web) github.com/ssllabs/research/wiki/SSL-and-TLS- Deployment-Best-Practices Rotate certificates often
  38. @vixentael Data in motion protection / protocols axolotl themis noise

    github.com/cossacklabs/themis noiseprotocol.org github.com/whispersystems/libsignal-protocol-c
  39. @vixentael Honey pots fake sensitive data records fake accounts vulnerable

    nodes with open ports fake API calls / API tokens / keys + triggers } https://hackernoon.com/poison-records-acra-eli5-d78250ef94f
  40. @vixentael https://www.owasp.org/index.php/Web_Application_Security_Guidance Web Application Security Guidance https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet Secure Coding Cheat

    Sheet https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices OWASP guidelines https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet Password Storage Cheat Sheet
  41. @vixentael 1. Identify sensitive data, understand sensitive data lifecycle, classify

    data. 2. Identify risks to data. 3. Build trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high risk vectors (to prevent risks and to identify leaks). Infrastructural data protection 101
  42. Home reading :) https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27 Security as a Product https://samnewman.io/talks/insecure-transit-microservice-security/ Insecure

    Transit - Microservice Security https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88 12 and 1 ideas how to enhance backend data security https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614 How to prevent database leaks and injections
  43. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security consulting, training