securing the perimeter around your microservices
play

Securing the Perimeter around Your Microservices Wojciech Lesniak - PowerPoint PPT Presentation

Apr 01, 2024 •139 likes •1.02k views

Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module Overview Basic Certificates Tokens, JWT Oauth2, OpenID authentication Connect Identity provider Microservices API Gateway Challenges with Edge

  1. Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k

  2. Module Overview Basic Certificates Tokens, JWT Oauth2, OpenID authentication Connect

  3. Identity provider Microservices API Gateway

  4. Challenges with Edge Security

  5. External API consumers

  6. Type of API Consumer Human (User) Non-human (Service or system)

  7. Authentication / Authorization Authe uthenti nticati tion Autho uthoriza zati tion The process of identifying who the The process of identifying what the consumer is. consumer can do.

  8. Principal of Least Privilege Every user or service consumer has the bare minimum privileges which are essential to perform their tasks.

  9. Principal of Least Privilege Limits the blast radius of any compromise to your system.

  10. Type of API Consumer Human (User) Non-human (Service or system)

  11. Human Users Client Victoria Microservice /victoria

  12. Delegation Problem Can you trust that the client is in-fact acting on behalf of the user and has their consent to do so?

  13. User Clients Proprietary data User data

  14. Delegated Access Authenticate user (resource owner) Get their consent to authorize client access to their resources

  15. Delegated Authorization Victoria Withdraw Delegate Joe

  16. API Gateway: Exposing Your API Securely

  17. Transition to Microservices PORT : 80 PORT : 8080 PORT : 8081 REST HTML REST REST Portfolio Pricing Session Data Data Access Access in-process Support Portfolio PORT : 8082 Pricing Account REST Support Data Access Data Access

  18. Clients Microservices PORT : 8080 REST Portfolio Data PORT : 8081 Access REST Pricing Data Access PORT : 8082 REST Support Data Access

  19. Clients Microservices PORT : 8080 REST API Gateway Portfolio Data PORT : 8081 Access REST Pricing Data Access PORT : 8082 Audit logs REST QOS checks Support Throttling Data DOS prevention Access

  20. Development team can focus more on business requirements rather then non- functional security requirements.

  21. Single Responsibility Principal Each microservice should perform one function and do it well.

  22. Benefits of an API Gateway Avoids the need for shared libraries making our architecture polyglot.

  23. Defensive Structures

  24. Basic- username / password Static API key Client id and client secret OpenID connect SAML Fingerprinting Certificates

  25. Clients API Gateway Firewall API Gateway API Gateway API Gateway MITM

  26. Considering Basic Authentication

  27. Basic Authentication Base64 encoded username:password dXNlcm5hbWU6cGFzc3dvcmQK He Heade der na name me Va Value Authorization Basic dXNlcm5hbWU6cGFzc3dvcmQK

  28. Why Basic Is Not Suitable for Microservices Authentication is more complex then just a username and password, requiring 2 Factor or Multifactor. For persistent login the credentials would have to be stored on the client. In a distributed system, credentials are exposed to multiple services. Delegation can only be done by requesting the users credentials.

  29. Authenticating Clients with Certificates

  30. Clients Microservices PORT : 8080 REST Firewall Portfolio Data API Gateway PORT : 8081 Access REST Pricing Data Access PORT : 8082 REST Support Data Access MITM

  32. At minimum TLS 1.2 or higher

  33. Certificate Authority API Gateway Client mTLS Public / private key, signed by CA Public / private key, signed by CA

  34. Transport Layer Security (TLS) Certificate issuers by CA CA public key, verify server

  35. Challenges with mTLS Does not solve the delegated access or the confused deputy problem. You have to maintain a Public Key Infrastructure and your Certificate Authority. Key provisioning, bootstrapping, and rotation, and invalidating keys can be challenging as the number of clients and services increases.

  36. Introducing Tokens

  37. Clients STS Firewall Authenticate Microservices Portfolio Introspection Support API Gateway Pricing Get resource

  38. Opaque Tokens – by Reference Id:1234567 1234567 Name: Victoria Email: Identity Provider vic@email.com

  39. Bearer T oken A security token with the property that any party in possession of the token (a "bearer") can use the token in the same way that any other party with possession can.

  40. Benefits of Tokens Microservices are never exposed to the users or clients password. “Single responsibility Principal” your microservices development teams don’t need to focus on non-functional security requirements. Tokens can be used to provide delegated authorization.

  41. Identity Provider

  42. Subject – Entity Requesting Access Human Machine Software user like Victoria

  43. Subject Principals Username: victoriaN Username: victoriaN name: Victoria Smith dob: 15/05/1988 Email: vic@send.com Email: vic@send.com Address: 1 Bond st Address: 1 Bond st London London gender: Female gender: Female dob: 15/05/1988 name: Victoria Smith name: Victoria Smith Address: 1 Bond st London gender: Female dob: 15/05/1988

  44. Coupling Application and Identity data API Gateway REST REST Portfolio Support Data Access Data Access Get principal Get principal Get principal sync sync principal principal principal application application

  45. Micros oserv rvices (Ex (Except pt for the or the D Data ta) API Gateway REST REST App data App data Support Portfolio Data Access Data Access Get principal Get principal Get principal principal Monolithic data store

  46. Identity Provider A service that manages the creation, maintenance of identity information for principals.

  47. Authentication as a service (AaaS) Manage and provider single sign in for all users in your applications, systems, and networks centrally.

  48. Clients Identity provider STS Authz Server Firewall Authenticate Microservices Portfolio Verify Support API Gateway Pricing Get resource

  49. Identity Provider Client Victoria Microservices API Gateway /portfolio Portfolio 401 Unauthorized Support Pricing

  50. Relaying Party principal Identity provider LDAP Victoria Client Microservices API Gateway Portfolio /portfolio Support Pricing

  51. Identity Provider Can Become a Bottleneck Identity provider verify

  52. By-value Tokens

  53. By-value Token username: victoria name: Victoria Lesniak Derpartment: reserch

  54. Claims-based identity Claims define what the subject is and is not.

  55. By-value Token Identity provider principal username: victoria name: Victoria Lesniak derpartment: reserch LDAP Signed with providers private key

  56. A signed token without the expiration date is worse than a password.

  57. What format should your by-value token be?

  58. Answer A standard token format.

  59. Different Token Formats Introduce Complexity

  60. Evolution of Security Tokens 1990s 2015 Kerberos JWT Protocol agnostic Protocol specific 2002 SAML Protocol specific

  61. Evolution of Security Tokens 1990s 2015 Kerberos JWT Protocol agnostic Protocol specific 2002 SAML Protocol specific

  62. Evolution of Security Tokens 1990s 2015 Kerberos JWT Protocol agnostic Protocol specific 2002 SAML Protocol specific

  63. JSON Web Token (JWT)

  64. JWT Optional Standard Claims Cla laim im Desc scripti ption jti Unique token identifier iss Issuer – who issued the token sub Subject – Who the claims represent. aud Audience – The recipient the token was meant for. exp Expiration – Until when the token is valid iat Issued at – The time the token was issued.

  65. JWTs can also be encrypted to prevent the content being read by unwanted parties, using the JSON Web Encryption (JWE) specification.

  66. Javascript Object Signing and Encryption (JOSE) JSON Web Token (JWT) (JWS) JSON Web Signature (JWE) JSON Web Encryption (JWA) JSON Web Algorithm

  67. Delegated Authorization with OAuth2

  68. Open Authorization (OAuth2) OAuth2 is an open standard used to allow entities to grant limited access to their resources, without sharing their credentials.

  69. Actors in OAuth Authorization server Resource server Client Issues access token to client protects Resource Owner Protected resource owns

  70. OAuth2 Authorization Code Grant User Client 1. Sign-in Crypto Portfolio Victoria 2. Redirect to auth-server <client id> 7. Forward auth code https/ /auth-server-uri/ 11. /portfolio https/ / crypto-portfolio-redirect-uri /?code=123456&state=987654 Browser client id ?client_id=crypto-portfolio&scope=profile,portfolio&response_type=code secret http POST: &redirect_uri=crypto-portfolio-uri&state=987654 Crypto Portfolio code:123456 would like to access client_id: crypto-portfolio your profile and portfolio data. client_secret: secret Approve Resource Server Authorization server client id secret

  71. Other Grant Types Client credentials

  72. Sign-in with OAuth2

  73. The Reasons for OpenID Connect

  74. OAuth2 is for delegated authorization and not designed for authentication.

  75. User Clients Proprietary data User data

Recommend

Subtraction Starter: 1. 4573 - 1282 = 2. 7808 - 1921 = 3. Amy has saved 45.37 in her piggy

Subtraction Starter: 1. 4573 - 1282 = 2. 7808 - 1921 = 3. Amy has saved 45.37 in her piggy

Area and Perimeter.notebook May 13, 2020 Steps To Success: LO - To calculate the perimeter I can calculate the perimeter of a 2D shape by adding all of its sides together of a range of 2D shapes I can accurately measure the lengths of a 2D

1.18k views • 65 slides
WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We hired lots of engineers. They wrote lots of software. This causes lots of problems. Why use microservices at all? Easier releases? Ef fj ciency

709 views • 55 slides
Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL

Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL

Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL DEVELOPER / TECH LEAD @voit3k Microservices International Data Corporation (IDC) predicts that by: 2019 Q1 Microservices International Data

641 views • 39 slides
The perimeter and area of both a rhombus and a parallelogram can be found by applying the

The perimeter and area of both a rhombus and a parallelogram can be found by applying the

D AY 118 P ERIMETER AND AREA OF A RHOMBUS AND A PARALLELOGRAM ON XY - PLANE I NTRODUCTION The perimeter and area of rhombi and parallelograms have been dealt with in earlier lessons. Both the area and perimeter of these quadrilaterals can

437 views • 15 slides
KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for

KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for

KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for agility and scalability has driven Microservices adoption, but: 91% of Internet businesses are using or have plans to use microservices 86% expect

696 views • 53 slides
Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner Microservices Are Hyped So You Want To strangle The Almighty Monolith And Move Towards Microservices? Do Not Settle For Microliths Microlith Single

1.66k views • 127 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

7/17/2019 From HTTP to Kafka-based microservices FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa, FLYR Poland @wrzasa localhost:4567/index.html?print-pdf#/ 1/83 From HTTP to Kafka-based

1.15k views • 83 slides
Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How

Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How

Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How do I architect my app with microservices? What infrastructure do I need in place before I can benefit from microservices? datawire.io 2

770 views • 50 slides
Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
Microservices Smaller is Better? Eberhard Wolff Freelance consultant &amp; trainer

Microservices Smaller is Better? Eberhard Wolff Freelance consultant &amp; trainer

Microservices Smaller is Better? Eberhard Wolff Freelance consultant &amp; trainer http://ewolff.com Why Microservices? Eberhard Wolff - @ewolff Why Microservices? Strong modularization Sustainable Replaceability Development speed

1.25k views • 48 slides
DDD &amp; Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com

DDD &amp; Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com

DDD &amp; Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com Why do I like microservices? Autonomous teams with isolated implementation. Acknowledge the rough and tumble of enterprises. Cattle not

557 views • 37 slides
From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO

From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO

From Enterprise Perimeter to Distributed, Virtual Enterprise Security Ed Amoroso SVP, CSO AT&amp;T eamoroso@att.com Page 1 Sandbags Piled in Front of AT&amp;T Building 12/15/41 Page 2 Original Perimeter Objective (Circa 1995)

946 views • 61 slides
Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap

Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap

1 Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap 2 In the beginning 3 We Have Microservices 3 4 We Microservices 4 5 They need to communicate 5 I know! Ill use REST APIs 6

751 views • 64 slides
PERIMETER CENTER ZONING CITY OF DUNWOODY Welcome Project introduction Image

PERIMETER CENTER ZONING CITY OF DUNWOODY Welcome Project introduction Image

PERIMETER CENTER ZONING CITY OF DUNWOODY Welcome Project introduction Image preference exercise Next steps Agenda Craft new zoning/design standards Focus on unique character of perimeter center Implement

404 views • 14 slides
Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices

Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices

Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices microservices or Service? Free Lunch? - OSGi Services Services in the Apache Karaf ecosystem Showcase: https:/

690 views • 44 slides
Rufus King Park: Additional Entrances and Perimeter Fence Reconstruction Located located along

Rufus King Park: Additional Entrances and Perimeter Fence Reconstruction Located located along

Rufus King Park: Additional Entrances and Perimeter Fence Reconstruction Located located along Jamaica Avenue between 150th &amp; 153rd Streets, in the Borough of Queens. October 31, 2016 Parks Capital Design Grand Central Parkway Perimeter

615 views • 28 slides
Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol

Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol

Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol Microservices testing is hard Consumer driven contract testing About Me Independent Consultant specialising in microservices &amp; continuous delivery

1.54k views • 75 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
3rd Grade Shapes and Perimeter 2015-11-10 www.njctl.org Slide 3 / 102 Slide 4 / 102 Table of

3rd Grade Shapes and Perimeter 2015-11-10 www.njctl.org Slide 3 / 102 Slide 4 / 102 Table of

Slide 1 / 102 Slide 2 / 102 3rd Grade Shapes and Perimeter 2015-11-10 www.njctl.org Slide 3 / 102 Slide 4 / 102 Table of Contents Area Click on a topic to Perimeter go to that section Lines, Rays and Line Segments Angles Area

525 views • 25 slides
Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall

Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall

Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall (@smarthall) Daniel Hall (@smarthall) About Me About Me Systems Engineer at LIFX Making the 'Internet' in the Internet of Things About This Talk About

556 views • 18 slides
Test Driven Microservices System Confidence through Journeys, Traces &amp; Contracts

Test Driven Microservices System Confidence through Journeys, Traces &amp; Contracts

Test Driven Microservices System Confidence through Journeys, Traces &amp; Contracts @russmiles Biker me TBD Say Microservices one more time Reactive TBD A Definition The kingdom of heaven is like a mustard seed, which

1.04k views • 77 slides
Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses in Arizona Arizona L. William Staudenmaier One Arizona Center 400 East Van Buren Street, Suite 1900 Phoenix, Arizona 85004 2202 602.382.6000 |

574 views • 32 slides
Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure

Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure

Designing Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure you dont end up with Microliths Make sure you dont end up with Microliths We can do better than this Events First Domain Driven

1.68k views • 150 slides

More recommend