Protecting sensitive data in modern multi-component systems

Transcript

1. Protecting Sensitive Data in Modern Multi-Component Systems @vixentael

2. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

   Acra cryptographic tools, security consulting, training

3. Data protection tools to prevent leakage and comply with regulations.

4. @vixentael Cryptography and data protection

5. 1. Architectures and data leaks. 2. Sensitive data lifecycle. 3.

   SSDLC – defining trust, threats and risks to data. 4. Typical trust patterns. 5. Security controls: tips, tricks, tools @vixentael Plan

6. speakerdeck.com/vixentael/ protecting-sensitive-data-in- modern-multi-component-systems @vixentael

7. @vixentael Modern Applications are Multi-Component

8. @vixentael https://medium.com/airbnb-engineering/data-infrastructure-at-airbnb-8adfb34f169c AirBNB data infra

9. @vixentael LinkedIn 2011-2015 https://engineering.linkedin.com/architecture/brief-history-scaling-linkedin

10. @vixentael Netflix https://medium.com/refraction-tech-everything/how-netflix-works-the-hugely- simplified-complex-stuff-that-happens-every-time-you-hit-play-3a40c9be254b

11. @vixentael Modern Applications are Multi-Component Different. Complex. Use-case oriented.

12. – Operate sensitive data. @vixentael Modern Applications are Multi-Component Different.

    Complex. Use-case oriented.

13. @vixentael So what?

14. @vixentael https://en.wikipedia.org/wiki/2012_LinkedIn_hack

15. @vixentael https://blog.linkedin.com/2016/05/18/protecting-our-members

16. @vixentael

17. twitter.com/c_pellegrino/status/981409466242486272 @vixentael

18. twitter.com/c_pellegrino/status/981409466242486272 @vixentael

19. twitter.com/c_pellegrino/status/981409466242486272 @vixentael

20. https://www.itgovernance.co.uk/blog/quora-data-breach-affects-100-million-accounts @vixentael

21. @vixentael mln records 0 360 720 1,080 1,440 1,800 February

    April June August October December February https://www.itgovernance.co.uk/blog/category/cyber-security/ Million of records leaked per month 2018/2019

22. @vixentael mln records 0 360 720 1,080 1,440 1,800 February

    April June August October December February https://www.itgovernance.co.uk/blog/category/cyber-security/ Million of records leaked per month 2018/2019

23. @vixentael https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/

24. @vixentael https://www.wired.com/story/2018-worst-hacks-so-far/ credentials geo-locations health data financial data kids locations

    cars remote control sex toys remote control

25. @vixentael Most large leaks are caused by poor architectural decisions.

26. @vixentael wrong assumptions and trust models no tests / penetration

    tests lack of understanding the data life cycle GTD / speed Why?

27. @vixentael Sensitive Data Life Cycle

28. @vixentael is any kind of data, that will break business

    objectives or prosperity of those who use data, if leaked. Sensitive data –

29. @vixentael Sensitive data depends on business personally identifiable information (PII)

    device logs and application data medical & finance data likes & preferences … https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

30. @vixentael Secure development lifecycle methodology MS SDL OWASP S-SDLC www.microsoft.com/en-us/sdl

    www.owasp.org/index.php/ OWASP_Secure_Software_Development_ Lifecycle_Project Risk evaluation Risk assessment Threat model Security plan Secure coding Security verification Secure operations Incident response

31. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics layout

32. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics flow

33. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics actions i i o o p i p s s input processing storage output p

34. @vixentael Data classification more sensitive / less sensitive valued for

    users / for business regulated / non-regulated at rest / in motion available for users / admins / support

35. @vixentael data leakage, tampering, unauthorized access reputation risks legal responsibility

    financial damage Risks to data

36. @vixentael Data classification users PII users payments items description sales

    schedule financial reports users preferences orders history conversion analytics TLS certs AWS access staff accounts login history db access company accounts

37. @vixentael Data classification users PII users payments items description sales

    schedule financial reports users preferences orders history conversion analytics TLS certs AWS access staff accounts login history db access company accounts u p $ t u’ i

38. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics kinds of data i i o o p i p s s u u p $ $ $ p u t $ u u’ i u p

39. @vixentael Can we protect everything everywhere?

40. @vixentael – No. Can we protect everything everywhere?

41. @vixentael Can we protect everything everywhere? – No. – Risks

    impact – Trust and threats – Attack vectors prioritization

42. @vixentael Trust model (per node) 1. What kind of data

    it operates?

43. @vixentael Trust model (per node) 1. What kind of data

    it operates? 2. Do we trust/control this node?

44. @vixentael Trust model (per node) 1. What kind of data

    it operates? 2. Do we trust/control this node? 3. If needs sensitive plaintext, who stores the keys?

45. @vixentael Trust model (per node) 1. What kind of data

    it operates? 2. Do we trust/control this node? 3. If needs sensitive plaintext, who stores the keys? 4. What are security controls?

46. @vixentael web frontend users & orders mobile frontend web admin

    prediction service 3rd party analytics items payment service orders processing logistics API user actions analytics trust model ☠ ☠ ☠ ⚠ ❇ ⚠ ⚠ ⚠ ⚠ ⚠ ⚠

47. @vixentael Trust model helps to understand where to implement proper

    security controls that prevent risks.

48. @vixentael Security control – a practical implementation of risk prevention

    technique in your code and infrastructure. Reactive: 
 - detect incident
 - correct / limit damage Proactive: 
 - prevent risk

49. @vixentael Proactive controls Data security encryption Access security authentication, firewalls,

    OS Node security firewalls, compartmentalization, OS

50. @vixentael Reactive controls: detect Data security integrity checks, authenticated crypto

    Access security honeypots, access logging Node security IDS, monitoring

51. @vixentael Reactive controls: limit damage Data security Access security Node

    security key management, backups credential management, jailbans infrastructural management

52. @vixentael 1. Identify sensitive data, understand sensitive data lifecycle, classify

    data. 2. Identify risks to data. 3. Build trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high risk vectors (to prevent risks and to identify leaks). Infrastructural data protection 101

53. @vixentael Principle of least privilege (secure by default)

54. None

55. @vixentael Patterns

56. @vixentael “Everyone Knows Everything”

57. @vixentael “Everyone Knows Everything” 1. Many components, everyone has access

    to database via same API. 2. API without auth (brute-force ID to get info about objects). 3. Storing plaintext data. 4. Transferring back and forth all data (aka large JSON). 5. Transfer data in plaintext inside infrastructure. 6. Storing all data in the same place. 7. Logging everything (including secrets). 8. No monitoring for non-legit access.

58. @vixentael

59. @vixentael “Narrowing and controlling trust”

60. @vixentael “Narrowing and controlling trust” 1. Echelonization. 2. Compartmentalization. 3.

    Verify trust (PKI). $ Limit trust:

61. @vixentael 1. Pseudonymization. 2. Anonymization. 3. Minimize lifecycle and scope.

    “Narrowing and controlling trust” % Limit data:

62. @vixentael 4. Don’t store all data in one place. 5.

    Don’t send all data if only some piece needed. “Narrowing and controlling trust” % Limit data:

63. @vixentael 1. Encrypt data for exact use-case (to be accessible

    by specific users/systems). 2. Store keys in trusted zone (KMS, Vault). 3. Proper key management: rotate, revoke, backup. “Narrowing and controlling trust” & Encrypt data:

64. @vixentael 1. Separate API for each app. 2. Session handling,

    session expiration. 3. Encrypt transport inside network. “Narrowing and controlling trust” ' Protect transport: https://www.cossacklabs.com/avoid-ssl-for-your-next-app.html

65. @vixentael 1. Access to critical data. 2. Access to keys.

    3. Unusual behavior. 4. Honey pots / honey tokens. “Narrowing and controlling trust” ( Monitor everything:

66. @vixentael “Narrowing and controlling trust” $ Limit trust. ( Monitor

    everything. ' Protect transport. % Limit data. & Encrypt data.

67. @vixentael “Zero Knowledge / No Knowledge”

68. @vixentael ZKA is a design principle that enables software to

    provide services over protected client data without having an unencrypted access to it. “Zero Knowledge Architecture”

69. @vixentael $ E2EE clients “Zero Knowledge Architecture”

70. @vixentael % all operations on encrypted data: – CRUD –

    control access to data from different users – search (in encrypted data) “Zero Knowledge Architecture” $ E2EE clients

71. @vixentael authentication “Zero Knowledge Architecture” data collaboration messaging https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html

72. @vixentael Zero Knowledge Architecture Narrowing and Controlling Trust Everyone Knows

    Everything

73. @vixentael Tips, tricks, tools

74. @vixentael Cover maximum risks using minimum tools and processes. Add

    details when system evolves.

75. @vixentael Control and monitor perimeter. Control and monitor intranet: between

    networks, between hosts. IDS & HIDS. Firewalls / IDS

76. @vixentael WAF database firewalls SQL firewalls Data firewalls

77. @vixentael Acra https://github.com/cossacklabs/acra Green SQL https://github.com/larskanis/greensql-fw Hexatier http://www.hexatier.com/ Oracle database

    firewall / TDE http://www.oracle.com/ Data firewalls

78. @vixentael Acra – Oracle for Postgres/MySQL cossacklabs.com/acra/ github.com/cossacklabs/acra/ marketplace.digitalocean.com/apps/acra

79. @vixentael SIEM Aggregate logs into single point for further analysis:

    Triggers on leaking assets. Triggers on typical attacks. Correlation analysis.

80. @vixentael Audit logs On every access to sensitive data. Non-falsiable.

    Easy-to-analyze. https://cloud.google.com/logging/docs/audit/

81. @vixentael At rest encryption. Separated encryption and decryption. Use different

    keys for different clients. Data encryption

82. @vixentael Encryption libraries should ★ use strong & audited crypto

    ★ work everywhere ★ hide cryptographic details ★ be hard to mis-use ★ have integration with key storage

83. @vixentael Encryption libraries libsodium themis keyczar tink github.com/cossacklabs/themis github.com/jedisct1/libsodium github.com/google/tink

    github.com/google/keyczar

84. @vixentael Data in motion protection Well-configured TLS and suitable per-usecase

    protocols.

85. @vixentael Data in motion protection / TLS private keys RSA-2048,

    ECDSA-256 obtain certificate from reliable CA TLS v1.3-v1.2 use secure cipher suites TLS_ECDHE_ECDSA_WITH_AES_2 56_GCM_SHA384 ✅ enable Forward Secrecy ✅ enable HSTS (web) github.com/ssllabs/research/wiki/SSL-and-TLS- Deployment-Best-Practices Rotate certificates often

86. @vixentael Data in motion protection / protocols axolotl themis noise

    github.com/cossacklabs/themis noiseprotocol.org github.com/whispersystems/libsignal-protocol-c

87. @vixentael Hermes https://github.com/cossacklabs/hermes-core ZeroKit https://tresorit.com/zerokit E2EE for data collaboration

88. @vixentael Honey pots fake sensitive data records fake accounts vulnerable

    nodes with open ports fake API calls / API tokens / keys + triggers } https://hackernoon.com/poison-records-acra-eli5-d78250ef94f

89. @vixentael https://www.owasp.org/index.php/Web_Application_Security_Guidance Web Application Security Guidance https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet Secure Coding Cheat

    Sheet https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide Secure Coding Practices OWASP guidelines https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet Password Storage Cheat Sheet

90. @vixentael Summary

91. @vixentael 1. Identify sensitive data, understand sensitive data lifecycle, classify

    data. 2. Identify risks to data. 3. Build trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high risk vectors (to prevent risks and to identify leaks). Infrastructural data protection 101

92. @vixentael It is secure. It’s not broken yet.

93. Home reading :) https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27 Security as a Product https://samnewman.io/talks/insecure-transit-microservice-security/ Insecure

    Transit - Microservice Security https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88 12 and 1 ideas how to enhance backend data security https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614 How to prevent database leaks and injections

94. My other security slides github.com/vixentael/ my-talks

95. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security consulting, training

96. Image credits www.flaticon.com freepik, linector, switficons, pixelperfect, smashicons, icon pond,

    dinosoftlabs Authors: