AWS re:Invent 2016: Microservices, Macro Security Needs: How Nike Uses a Multi-Layer, End-to-End...

Post on 06-Jan-2017


Transcript of AWS re:Invent 2016: Microservices, Macro Security Needs: How Nike Uses a Multi-Layer, End-to-End...

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.


HOW NIKE USES A MULTI-LAYER, END-TO-END SECURITY APPROACH TO PROTECT MICROSERVICE-BASED SOLUTIONS AT SCALE

MICROSERVICES, MACRO SECURITY NEEDS

NOVEMBER 29, 2016

ANDREW FLAVELL, NIKE INC

(SEC307)

WHAT YOU SHOULD LEARN FROM US.

KEY TAKEAWAYS

LAYERED SECURITY

COMMUNICATION MODELS

MANAGING SECRETS

NIKE DIGITAL MISSION

SERVE EVERY ATHLETE* PERSONALLY

*IF YOU HAVE A BODY, YOU’RE AN ATHLETE.


NIKE DIGITAL VISION

DELIVER THE MOST CONNECTED PORTFOLIO OF DIGITAL PRODUCTS AND SERVICES TO PERSONALLY SERVE ATHLETES* TO BE THEIR BEST

OUR WORK

NIKE RETAIL, NIKE.COM, SNKRS, NIKE+, N+RC, N+TC, LIVE EVENTS

PAST - PRESENT - FUTURE

PAST

DATACENTERS

MONOLITHS

BIG BANG RELEASES

TRUSTED NETWORK/PERIMETER SECURITY MODEL

PRESENT - FUTURE

CLOUD

MICROSERVICES

CI/CD/AGILE

ZERO TRUST SECURITY MODEL

PRINCIPLES

PRINCIPLE OF LEAST PRIVILEGE

ZERO-TRUST MODEL OVER PERIMETER MODEL

AUTOMATION

SELF-SERVICE

FOUNDATIONAL ELEMENTS

AUTHENTICATION, AUTHORIZATION, ENCRYPTION

LAYERED SECURITY

LAYERED SECURITY

PEOPLE/IAM

PHYSICAL SECURITY

NETWORK

AWS SERVICES

EC2 INSTANCES

LAYERED SECURITY: PHYSICAL SECURITY

EACH EMPLOYEE HAS A BADGE FOR AUTHENTICATION

NIKE FACILITIES REQUIRE BADGES FOR ENTRY

PHYSICAL MFA TOKEN DEVICES

LAYERED SECURITY: PEOPLE/IAM

AUTHENTICATION / AUTHORIZATION

[Diagram: Nike's SSO provider federates into AWS IAM (single sign-on / federation); a user signs on once at Nike and is mapped to IAM roles (Role 1, Role 2, Role 3) on the Amazon side]

LAYERED SECURITY: NETWORK

ROUTING

VPCS

VPC ACLS

SECURITY GROUPS

ONLY HAVE PUBLIC ENDPOINTS BE ROUTABLE

VPC EDGES LIMIT THE “BLAST RADIUS” OF COMPROMISE

LIMIT INGRESS USING PRINCIPLE OF LEAST PRIVILEGE

LIMIT COMMUNICATIONS BASED ON PRINCIPLE OF LEAST PRIVILEGE

LAYERED SECURITY: AWS SERVICES

IAM

[Diagram: Service 1 and Service 2 access an S3 bucket, an SNS topic and a DynamoDB table; every access is governed by IAM]
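The AWS-services layer above relies on each service having an IAM policy scoped to exactly the bucket, topic and table it uses. The block below is an added example, not code from the talk or from Nike: it builds such a policy and lints policies for the wildcards that quietly turn least privilege back into a perimeter model. The account id, region, resource names and the `lint_policy` rules are assumptions for illustration; the check is structural and makes no AWS calls.

```python
"""Added example (not from the slides): a per-service least-privilege IAM
policy for the S3 / SNS / DynamoDB access shown in the diagram, plus a linter
that rejects wildcard grants. ACCOUNT, REGION and resource names are
constructed placeholders."""
from typing import List

ACCOUNT = "123456789012"   # constructed
REGION = "us-west-2"       # constructed


def service_policy(bucket: str, topic: str, table: str) -> dict:
    """Policy for a service that reads/writes objects in one bucket,
    publishes to one topic and reads/writes items in one table.
    Note the split between object-level and bucket-level S3 actions:
    ListBucket applies to the bucket ARN, Get/PutObject to objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "BucketList", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "TopicPublish", "Effect": "Allow",
             "Action": ["sns:Publish"],
             "Resource": f"arn:aws:sns:{REGION}:{ACCOUNT}:{topic}"},
            {"Sid": "TableItems", "Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                        "dynamodb:UpdateItem", "dynamodb:Query"],
             "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{table}"},
        ],
    }


def lint_policy(policy: dict) -> List[str]:
    """Return one finding per least-privilege violation in Allow statements:
    wildcard actions (anything containing '*'), wildcard resources, and
    NotAction/NotResource, which grant everything except what is listed."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is legal JSON
        statements = [statements]
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"#{i}")
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource in an Allow statement")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if "*" in a:
                findings.append(f"{sid}: wildcard action {a}")
        for r in resources:
            if r == "*":
                findings.append(f"{sid}: wildcard resource")
    return findings


if __name__ == "__main__":
    print(lint_policy(service_policy("orders-bucket", "orders-events", "orders")))
```

Run the linter over every role policy in the account as part of CI; a service that genuinely needs a new resource should add a statement naming it, not widen an existing one.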

LAYERED SECURITY: EC2 INSTANCES

SECURITY GROUPS

MUST USE A SECURITY SUITE THAT INCLUDES AV, IDS, IPS, FIM

PATCHING

“IMMUTABLE” AMIS

SECURE CENTRAL CONFIGURATION MANAGEMENT

COMMUNICATION MODELS

COMMUNICATION MODELS

[Diagram: an API gateway in front of AWS; Nike consumers, Nike developers and Nike business users reach domain1.nikecloud.com and domain2.nikecloud.com, each domain having its own Amazon ELB, edge router, service discovery, services and data store]

CONSUMER AND INTERNAL BUSINESS USER

[Diagram: consumer -> api.nike.com (API gateway) -> domain1.nikecloud.com: Amazon ELB -> edge router -> services on EC2 -> data store, with service discovery; OAuth services issue the consumer's token]

REST + TLS + AUTH TOKEN (OAUTH, JWT)

INTER-DOMAIN APP-TO-APP

[Diagram: Service 1 in domain 1 calls Service 2 in domain 2 (domain2.nikecloud.com) over the public internet; each domain has its own Amazon ELB, edge router, service discovery and data store]

REST + TLS + AUTH TOKEN (OAUTH, JWT)
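Both the consumer/business-user model and the inter-domain app-to-app model above trust a bearer token (OAuth, JWT) carried over TLS, so the edge router or service must verify that token before acting on the request. The block below is an added example, not code from the talk or from Nike: it mints and verifies an HS256 JWT with only the standard library so it runs offline. The shared secret, issuer, audience and scope names are assumptions; a production deployment would normally verify an RS256/ES256 signature against the OAuth service's public key, and pin that algorithm the same way this code pins HS256.

```python
"""Added example (not from the slides): verifying the REST + TLS + auth
token at the edge. HS256 with a constructed shared secret; the checks
(structure, algorithm pinning, signature, exp/nbf, iss, aud, scope) are the
ones that matter regardless of algorithm."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret-do-not-use"   # constructed
EXPECTED_ISSUER = "https://oauth.example.test"           # hypothetical OAuth service
EXPECTED_AUDIENCE = "domain1.nikecloud.com"              # the domain this edge fronts


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT; stands in for the OAuth service."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> dict:
    """Return the claims if acceptable, else raise ValueError. The alg check
    runs before anything else so alg=none or a swapped algorithm never
    reaches the signature comparison."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this domain")
    return claims


def authorize_request(token: str, required_scope: str,
                      now: Optional[float] = None) -> bool:
    """Edge-router style decision: valid token AND the scope the route needs.
    Every failure collapses to False; the caller returns 401/403."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    t = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                    "exp": int(time.time()) + 300, "scope": "orders:read"})
    print(authorize_request(t, "orders:read"))
```

The audience check is what keeps a token issued for domain1.nikecloud.com from being replayed against domain2.nikecloud.com in the inter-domain model; the scope check is what turns authentication into authorization per route.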

INTRA-DOMAIN APP-TO-APP

[Diagram: Service 1, Service 2 and Service 3 in one domain on a private network, with service discovery; Service 2's security group carries the rule ALLOW FROM S1, i.e. ingress only from Service 1's security group]

REST + TLS + SG

DEVELOPER

[Diagram: a developer, authenticated against the corporate directory, reaches AWS via proxy.nike.com over Direct Connect and a NAT with an Elastic IP, then SSHes to EC2 in the domain; the Nike infrastructure security group rule is ALLOW NAT EIP]

SSH + DIRECTORY SERVICES + SG

INTRA-DOMAIN APP-TO-DATA STORE

[Diagram: Service A (Service A security group) in a domain with service discovery talks to the data store; the data store security group rule is ALLOW FROM SERVICE A]

DS PROTOCOL + PWDS + SGS + ENCRYPT
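The network layer, the intra-domain app-to-app model, the developer model and the app-to-data-store model above all express least privilege as security-group rules: public ingress only at the ELB, service and data-store ports reachable only by security-group reference, and SSH only from the NAT's Elastic IP. Those rules drift. The block below is an added example, not code from the talk or from Nike: an audit that compares a domain's security groups against the intended ingress and reports anything wider. Input is in the shape of EC2 `describe_security_groups` output so the same function can be fed boto3 results; the group ids, ports, addresses and the `POLICY` table are constructed.

```python
"""Added example (not from the slides): least-privilege audit of security
groups. Two deliberate drifts are planted in the constructed sample: a
service port opened to the whole VPC CIDR instead of the edge-router SG, and
an SSH rule widened from the NAT Elastic IP /32 to a /24."""
from ipaddress import ip_network
from typing import Dict, List, Set

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-elb", "GroupName": "domain1-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-svc1", "GroupName": "service-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,      # drift
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-ds", "GroupName": "datastore", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-svc1"}]}]},
    {"GroupId": "sg-infra", "GroupName": "nike-infrastructure", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # drift
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
]

# Intended ingress per group (constructed): allowed ports and allowed sources,
# where a source is either a security-group id or a CIDR. Anything else is a finding.
POLICY: Dict[str, Dict[str, Set[object]]] = {
    "sg-elb":   {"ports": {443},  "sources": {"0.0.0.0/0"}},        # the one public edge
    "sg-svc1":  {"ports": {8443}, "sources": {"sg-elb"}},           # only via edge router
    "sg-ds":    {"ports": {5432}, "sources": {"sg-svc1"}},          # only from Service 1
    "sg-infra": {"ports": {22},   "sources": {"203.0.113.10/32"}},  # only the NAT EIP
}


def _rule_sources(perm: dict) -> List[str]:
    """Flatten one IpPermission into its source identifiers."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    srcs += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return srcs


def _cidr_allowed(cidr: str, allowed: Set[object]) -> bool:
    """A CIDR source is acceptable only if it lies inside an allowed CIDR
    of the same IP version; a /24 is not inside a /32, so widening fails."""
    net = ip_network(cidr, strict=False)
    for a in allowed:
        if not isinstance(a, str) or a.startswith("sg-"):
            continue
        allowed_net = ip_network(a, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def audit_security_groups(groups: List[dict],
                          policy: Dict[str, Dict[str, Set[object]]]) -> List[str]:
    """Return one finding per rule that exceeds the intended ingress."""
    findings: List[str] = []
    for g in groups:
        gid = g["GroupId"]
        pol = policy.get(gid)
        if pol is None:
            findings.append(f"{gid}: no policy entry (unexpected group)")
            continue
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                findings.append(f"{gid}: all-protocols rule")
                continue
            ports = set(range(perm.get("FromPort", 0), perm.get("ToPort", 0) + 1))
            extra = ports - pol["ports"]
            if extra:
                findings.append(f"{gid}: ports {sorted(extra)} not in policy")
            for src in _rule_sources(perm):
                ok = src in pol["sources"] if src.startswith("sg-") \
                    else _cidr_allowed(src, pol["sources"])
                if not ok:
                    findings.append(
                        f"{gid}: ingress from {src} on {proto}/{perm.get('FromPort')} not in policy")
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS, POLICY):
        print(f)
```

Run it on a schedule or from a CloudTrail-triggered function; a non-empty result is an alert, and the "unexpected group" finding catches security groups created outside the self-service tooling.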

MANAGING SECRETS

SECRETS SOLUTIONS: CERBERUS

CERBERUS COMPONENTS

HASHICORP VAULT

CERBERUS MANAGEMENT SERVICE

CERBERUS MANAGEMENT DASHBOARD (ASSETS)

ROUTER {REST API}

CLIENTS: USER, CLOUD APPLICATION

WHAT CERBERUS ADDS TO VAULT

IAM ROLE BASED AUTHENTICATION

USER AUTHENTICATION VIA SSO PROVIDER

CLOUD NATIVE OPERATIONS/INFRASTRUCTURE

UI FOR MANAGING ACCESS CONTROL AND SECRETS

IAM ROLE AUTHENTICATION

PARTICIPANTS: APPLICATION, EC2 INSTANCE METADATA SERVICE, CERBERUS, AWS KMS

APPLICATION -> METADATA SERVICE: GET IAM ROLES

METADATA SERVICE -> APPLICATION: IAM ROLES

APPLICATION -> CERBERUS: AUTHENTICATE (IAM ROLE, REGION)

CERBERUS: GENERATE AUTHENTICATION TOKEN

CERBERUS -> AWS KMS: CREATE CMK (IAM ROLE, REGION)

AWS KMS -> CERBERUS: CMK ID

CERBERUS -> AWS KMS: ENCRYPT (AUTH TOKEN, CMK ID)

AWS KMS -> CERBERUS: ENCRYPTED AUTH TOKEN

CERBERUS -> APPLICATION: AUTH RESPONSE, INCLUDING ENCRYPTED AUTH TOKEN

APPLICATION -> AWS KMS: DECRYPT (REGION, CMK ID, ENCRYPTED AUTH TOKEN)

AWS KMS -> APPLICATION: DECRYPTED AUTH TOKEN

THE CMK CREATED FOR (IAM ROLE, REGION) HAS A KEY POLICY THAT PERMITS ONLY THAT IAM ROLE TO DECRYPT, SO THE FINAL DECRYPT SUCCEEDS ONLY FOR AN INSTANCE THAT ACTUALLY HOLDS THE ROLE IT CLAIMED
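The exchange above is easy to misread: the AUTHENTICATE call carries no credential, so anyone can claim any role. What makes it safe is that the response is only usable by a caller that can make KMS decrypt it, and the CMK's key policy names a single IAM role. The block below is an added simulation, not code from the talk or from the Cerberus project: a mock metadata service, a mock KMS that enforces a per-key decrypt principal, the Cerberus management service side, and the client side, including a client that lies about its role. Role ARNs, the token format and the placeholder XOR "encryption" inside the mock KMS are constructed stand-ins.

```python
"""Added example (not from the slides or the Cerberus code base): the IAM
role authentication exchange simulated end to end. The mock KMS's XOR is a
placeholder for KMS's real encryption; the property being demonstrated is
the key-policy check on Decrypt, not the cipher."""
import secrets
from typing import Dict, Optional, Tuple


class MetadataService:
    """Stand-in for the EC2 instance metadata service; returns the role the
    instance actually runs as."""
    def __init__(self, role_arn: str):
        self._role = role_arn

    def get_iam_role(self) -> str:
        return self._role


class MockKMS:
    """Mock KMS: each CMK records the one IAM role its key policy allows to
    call Decrypt. Encrypt is available to the key's creator (Cerberus)."""
    def __init__(self):
        self._keys: Dict[str, dict] = {}

    def create_key(self, decrypt_principal: str) -> str:
        key_id = f"cmk-{secrets.token_hex(4)}"
        self._keys[key_id] = {"principal": decrypt_principal,
                              "secret": secrets.token_bytes(32)}
        return key_id

    def key_count(self) -> int:
        return len(self._keys)

    def _xor(self, key_id: str, data: bytes) -> bytes:
        k = self._keys[key_id]["secret"]          # placeholder, not a real cipher
        return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        return self._xor(key_id, plaintext)

    def decrypt(self, caller_role: str, key_id: str, ciphertext: bytes) -> bytes:
        # Key policy evaluation: the caller's real identity, not a claim.
        if self._keys[key_id]["principal"] != caller_role:
            raise PermissionError(f"{caller_role} not permitted by key policy of {key_id}")
        return self._xor(key_id, ciphertext)


class CerberusCMS:
    """Cerberus management service side. It never verifies the caller; it
    makes sure the token it hands back can only be read by the claimed role."""
    def __init__(self, kms: MockKMS):
        self._kms = kms
        self._cmks: Dict[Tuple[str, str], str] = {}   # (role, region) -> CMK id
        self._issued: Dict[str, str] = {}              # token -> role

    def authenticate(self, iam_role: str, region: str) -> dict:
        token = secrets.token_urlsafe(24)               # GENERATE AUTHENTICATION TOKEN
        self._issued[token] = iam_role
        key = (iam_role, region)
        if key not in self._cmks:                        # CREATE CMK (IAM ROLE, REGION)
            self._cmks[key] = self._kms.create_key(decrypt_principal=iam_role)
        ciphertext = self._kms.encrypt(self._cmks[key], token.encode())
        return {"kms_key_id": self._cmks[key], "region": region, "auth_data": ciphertext}

    def role_for_token(self, token: str) -> Optional[str]:
        return self._issued.get(token)


def client_login(metadata: MetadataService, cms: CerberusCMS, kms: MockKMS,
                 region: str, claimed_role: Optional[str] = None) -> str:
    """Client side. claimed_role models a caller lying about its role; a
    legitimate client claims exactly what the metadata service returned."""
    actual_role = metadata.get_iam_role()                # GET IAM ROLES
    resp = cms.authenticate(claimed_role or actual_role, region)
    # DECRYPT runs under the instance's real credentials, so KMS evaluates
    # the key policy against actual_role regardless of what was claimed.
    token = kms.decrypt(actual_role, resp["kms_key_id"], resp["auth_data"])
    return token.decode()


def login_succeeds(metadata: MetadataService, cms: CerberusCMS, kms: MockKMS,
                   region: str, claimed_role: Optional[str] = None) -> bool:
    try:
        client_login(metadata, cms, kms, region, claimed_role)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    kms, cms = MockKMS(), CerberusCMS(MockKMS())
    cms = CerberusCMS(kms)
    md = MetadataService("arn:aws:iam::123456789012:role/service-1")
    print(login_succeeds(md, cms, kms, "us-west-2"))
    print(login_succeeds(md, cms, kms, "us-west-2",
                         claimed_role="arn:aws:iam::123456789012:role/payments"))
```

The impersonation attempt does leave a token registered in the management service under the payments role, but nobody can present it: the ciphertext it was returned in can only be opened by the payments role's own credentials. That is why the CMK per (role, region) is the control, and why its key policy, not the authenticate endpoint, is what to audit.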

HOW WE USE CERBERUS AT NIKE

MANAGE DATABASE PASSWORDS

MANAGE (STORE, RETRIEVE, ROTATE) API KEYS

STORE/RETRIEVE JWT TOKENS

GENERAL-PURPOSE RUN-TIME CONFIG STORE

DEMO

WHAT YOU LEARNT FROM US.

KEY TAKEAWAYS

LAYERED SECURITY

COMMUNICATION MODELS

MANAGING SECRETS

WHERE TO LEARN MORE

CHECK OUT CERBERUS

CERBERUS ON GITHUB: HTTPS://GITHUB.COM/NIKE-INC/CERBERUS

NIKE OSS

WINGTIPS

FASTBREAK

BACKSTOPPER

CERBERUS

NIKE GITHUB: HTTP://NIKE-INC.GITHUB.IO/

QUESTIONS?


Thank you!