Hardening Microservices Security: Building a Layered Defense Strategy
-
Upload
cloudflare -
Category
Technology
-
view
5.470 -
download
1
Transcript of Hardening Microservices Security: Building a Layered Defense Strategy
Securing MicroservicesThreat Modelling and Session Security
Presented by David Hoelzer (SANS) and Matt Silverlock (CloudFlare)
What is a "microservice"?
(and what security challenges do they bring?)
What is a microservice?
● Modular approach to building services.● Reinvention of the Service Orientated Architecture (SOA)
model.● Micro-services often declare API contracts, but
development & deployment are self-contained.
What is a microservice?
Benefits
● Less coupling: easier to reason about changes.● Apply the most appropriate technology to the problem at
hand● Better suits larger organizations with multiple teams.● Easier to test when self-contained: less infrastructure to
spin up when iterating.
What is a microservice?Challenges
● Multiple moving parts: more surface area to secure as services communicate to each other.
● Can add complexity into smaller organizations: more tech stacks to maintain, update and patch.
● The need to define formal API contracts so that services can reliably communicate to each other with different development cycles.
Threat Modelling
Understand what you're defending against.
Threat Modelling
● Stop thinking about what it’s supposed to do○ Stand back and try to think about how someone could abuse it○ Start where you have security mitigations○ Next, think about where you don’t and the assumptions made
Threat Modelling
Threat Modelling
Threat Modelling
What’s the Point?
● Organizations have many mitigations○ Firewalls, AV, IDS, etc.
● The threat is not clearly identified by any single activity○ It’s the behavior rather than a signature
What’s the Point for Microservices?
● Monolithic Web Applications○ Session issues are a very well known problem
● Microservices○ We still have sessions, but they are often far more stateless!○ How do we define an authenticated “session”?○ Are there behaviors that we can defend against?
Microservices Session Threat
Microservices Session Impersonation
Threat Modelling
● Everyone watches for repeated authentication failures○ Do you currently include anything in the session verification
process?
Threat Modelling
● API keys are a possible approach○ Issue public/private keypair○ All requests must be signed with public key
■ more computation, but not awful● How critical is it that the API keys are protected by end
users or apps?
Threat Modelling
● Session issues are not new○ Microservices changes the game since these are inherently
non-monolithic applications○ It is critical that the, “We do one thing well” philosophy include a
thoughtful analysis of potential threats and exposures● Requires threat-focused defensive coding
Layered Defenses
There are no silver bullets.
Layered Defenses
● Offload work to the network edge: validate traffic (firewall, reputation, rate limiting) before it reaches your services.
Layered Defenses
● Protect your resources: prevent outside attackers from consuming resources (spawning more containers may not be the solution)
Layered Defenses
● Protect your data: multiple discrete services now accessing shared datastores. Each service should only access what it needs, and no more.
Layered Defenses
● Secure containers: authenticate endpoints, support revocation, and keep images updated.
Layered Defenses
● Know what you're running: always pulling down the latest image from an image repository or from GitHub may not be a great idea.
Layered Defenses
● Manage secrets: do your microservices have access to the secrets they need, and only the secrets they need?
Questions & Answers