Securing PostgreSQL as a Service (slide deck transcript)
Confidential
Shashank Mohan Jain | Dinesh Kumar
© 2018 SAP SE or an SAP affiliate company. All rights reserved. Internal / Confidential
Agenda
Introduction
SAP Cloud Platform
o Architecture
o PostgreSQL-as-a-Service
Network Security
Isolating control plane and data plane
Infrastructure level security
Isolation among postgreSQL service instances
Isolation among processes in a service instance
Limiting access & resources to processes
SAP CLOUD PLATFORM
An open platform-as-a-service (PaaS) product
Securing PostgreSQL as a Service
SAP CLOUD PLATFORM
Open platform as a Service based on Cloud Foundry
Provides core backing services for building applications
Supports multiple IaaS providers: OpenStack, AWS, Azure and GCP
Multi-tenancy support
PostgreSQL as a Service
A service instance comprises 5 VMs
Different service plans
One Primary and one Standby
Three pgpool VMs for failover / HA
NETWORK SECURITY
Network Layout (diagram)
Region: Backing Services Virtual Network (VPC/VNet) with an Internet Gateway and a Router
Availability Zone 1, Availability Zone 2 and Availability Zone 3, each with its own subnet (Subnet-1, Subnet-2, Subnet-3)
Routing Tables / VPC Routing
ISOLATING CONTROL PLANE & DATA PLANE
Subnet Layout (diagram only)
INFRASTRUCTURE LEVEL SECURITY
Infrastructure Level Security
Firewall Rules
Security Groups
IP spoofing prevention at the IaaS level
ISOLATION
Between PostgreSQL instances and within an instance
Isolation between PostgreSQL instances
BOSH custom plugin: IPTables Manager
Applies iptables rules to each VM in a service instance
VMs in one instance cannot communicate with VMs in other instances
Communication within a service instance is allowed
ICMP-based attacks minimized by allowing only the required ICMP types
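As an added example of the kind of per-VM ruleset such a plugin pushes out, the C program below generates an iptables-restore file for one VM of a service instance. It is not the SAP IPTables Manager plugin's code; the peer addresses, the client CIDR, the database port 5432 and the rate-limited LOG rule are assumptions made for the demo. The ruleset admits the instance's own VMs, only the listed ICMP types and client traffic to the database port, and logs then drops everything else, so traffic from another instance's VMs is both blocked and visible in the kernel log. Because the rules are templated from deployment data, the generator refuses any peer or CIDR that is not a plain address, which keeps stray text out of the rule file.

```c
/* Added example, not the SAP IPTables Manager plugin's own code.
 * Builds an iptables-restore ruleset for one VM of a PostgreSQL service
 * instance: peers of the same instance may talk to it, only the ICMP types
 * the instance needs are admitted, clients reach the database port only,
 * everything else is logged (rate-limited) and dropped. Peer addresses,
 * the client CIDR and port 5432 are constructed assumptions. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Only a plain dotted-quad is accepted, so manifest data can never smuggle
 * extra rule text (e.g. "10.0.1.11 -j ACCEPT") into the generated ruleset. */
int is_ipv4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* "a.b.c.d" or "a.b.c.d/N" with 0 <= N <= 32. */
int is_ipv4_cidr(const char *s) {
    char addr[32];
    char *end;
    long prefix;
    const char *slash = strchr(s, '/');
    size_t n = slash ? (size_t)(slash - s) : strlen(s);
    if (n == 0 || n >= sizeof addr) return 0;
    memcpy(addr, s, n);
    addr[n] = '\0';
    if (!is_ipv4(addr)) return 0;
    if (!slash) return 1;
    if (slash[1] == '\0') return 0;
    prefix = strtol(slash + 1, &end, 10);
    return *end == '\0' && prefix >= 0 && prefix <= 32;
}

/* Append one line to the ruleset buffer; 0 means the buffer is full. */
static int emit(char *out, size_t cap, size_t *len, const char *line) {
    int n = snprintf(out + *len, cap - *len, "%s\n", line);
    if (n < 0 || (size_t)n >= cap - *len) return 0;
    *len += (size_t)n;
    return 1;
}

/* ICMP types the instance actually needs; everything else (redirects,
 * timestamp requests, ...) falls through to the final DROP. */
static const char *const required_icmp[] = {
    "echo-request", "echo-reply", "destination-unreachable", "time-exceeded",
};

/* Returns the ruleset length, or 0 on bad input or a too-small buffer. */
size_t build_instance_ruleset(const char *const peers[], size_t n_peers,
                              const char *client_cidr, char *out, size_t cap) {
    size_t len = 0, i;
    char line[160];
    if (cap == 0 || (client_cidr && !is_ipv4_cidr(client_cidr))) return 0;
    out[0] = '\0';
    if (!emit(out, cap, &len, "*filter") ||
        !emit(out, cap, &len, ":INPUT DROP [0:0]") ||        /* default deny */
        !emit(out, cap, &len, ":FORWARD DROP [0:0]") ||
        !emit(out, cap, &len, ":OUTPUT ACCEPT [0:0]") ||
        !emit(out, cap, &len, "-A INPUT -i lo -j ACCEPT") ||
        !emit(out, cap, &len, "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"))
        return 0;
    for (i = 0; i < n_peers; i++) {          /* primary, standby and pgpool VMs of this instance */
        if (!is_ipv4(peers[i])) return 0;
        snprintf(line, sizeof line, "-A INPUT -s %s -j ACCEPT", peers[i]);
        if (!emit(out, cap, &len, line)) return 0;
    }
    for (i = 0; i < sizeof required_icmp / sizeof required_icmp[0]; i++) {
        snprintf(line, sizeof line, "-A INPUT -p icmp --icmp-type %s -j ACCEPT", required_icmp[i]);
        if (!emit(out, cap, &len, line)) return 0;
    }
    if (client_cidr) {                        /* application clients: database port only */
        snprintf(line, sizeof line, "-A INPUT -s %s -p tcp --dport 5432 -j ACCEPT", client_cidr);
        if (!emit(out, cap, &len, line)) return 0;
    }
    /* VMs of other instances end up here: log a sample for detection, then drop. */
    if (!emit(out, cap, &len, "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"pg-instance-drop: \"") ||
        !emit(out, cap, &len, "-A INPUT -j DROP") ||
        !emit(out, cap, &len, "COMMIT"))
        return 0;
    return len;
}

/* Constructed demo instance: primary, standby and three pgpool VMs spread over
 * three subnets, plus an assumed application subnet. */
static char g_rules[2048];
size_t build_demo_ruleset(void) {
    static const char *const peers[] = {
        "10.0.1.11", "10.0.2.11", "10.0.1.21", "10.0.2.21", "10.0.3.21",
    };
    return build_instance_ruleset(peers, sizeof peers / sizeof peers[0],
                                  "10.0.16.0/20", g_rules, sizeof g_rules);
}

int main(void) {
    if (build_demo_ruleset() == 0) return 1;
    fputs(g_rules, stdout);   /* pipe into: iptables-restore */
    return 0;
}
```

The generated file is loaded with `iptables-restore`, which replaces the filter table atomically, so a VM is never left half-configured between the old and new rule sets. The explicit LOG rule in front of the final DROP is what turns cross-instance contact attempts into a kernel-log line that a host agent can forward.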
Isolation among processes in a service instance
Each VM runs supporting processes in addition to postgres
Postgres runs as a non-root user with access limited to the resources it requires (DAC)
Further isolation using MAC (SELinux)
Demo – Isolation
LIMITING ACCESS & RESOURCES TO PROCESSES
Limiting access & resources
Limit resource usage using the *__getrlimit()__* and *__setrlimit()__* functions
Processes in the VM are sandboxed using seccomp
Restricts the system calls available to a process to the bare minimum required
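The controls on this slide and the previous one (a non-root user with limited access, getrlimit()/setrlimit() caps, and a seccomp allow-list) fit together in one C program, added here as an example rather than taken from the SAP service. It assumes Linux on x86-64 or AArch64, uid/gid 65534 as the unprivileged identity, and an allow-list of nine syscalls for a minimal worker; a real postgres backend needs a much longer list, so the filter returns EPERM for anything outside it while the list is being worked out, and only switches to killing the process once the list is known to be complete.

```c
/* Added example, not from the SAP deck or its service code. Shows the three
 * controls in the order a hardened worker would apply them: cap resources with
 * getrlimit()/setrlimit(), drop to an unprivileged uid/gid (DAC), then lock the
 * process into a seccomp-BPF syscall allow-list. Linux only; the uid 65534
 * ("nobody") and the allow-list below are assumptions for the demo. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older UAPI headers only define SECCOMP_RET_KILL */
#endif
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_ARCH 0   /* unknown ABI: install_filter() refuses rather than kill every call */
#endif

/* 1. Resource limits: lower soft and hard limit to `cap`. An unprivileged
 *    process may lower its hard limit but never raise it, so clamp to it. */
int cap_limit(int resource, rlim_t cap) {
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && cap > rl.rlim_max) cap = rl.rlim_max;
    rl.rlim_cur = cap;
    rl.rlim_max = cap;
    return setrlimit(resource, &rl) == 0 ? 0 : -1;
}

/* Read the soft limit back so the caller can verify the cap took effect. */
rlim_t current_limit(int resource) {
    struct rlimit rl;
    return getrlimit(resource, &rl) == 0 ? rl.rlim_cur : (rlim_t)-1;
}

/* 2. DAC: drop privileges in the right order (supplementary groups, gid, uid)
 *    and prove root cannot be regained. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1;   /* only root may clear them */
    if (setgid(gid) != 0) return -2;
    if (setuid(uid) != 0) return -3;                           /* as root this sets all three uids */
    if (setuid(0) == 0 || geteuid() == 0) return -4;           /* must fail once dropped */
    return 0;
}

/* 3. seccomp: syscalls a minimal worker needs; anything else returns EPERM.
 *    Switch to SECCOMP_RET_KILL_PROCESS once the list is known to be complete. */
static const int allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_close, SYS_fstat, SYS_mmap, SYS_munmap, SYS_brk,
    SYS_rt_sigreturn, SYS_exit_group,
};
#define N_ALLOWED (sizeof allowed_syscalls / sizeof allowed_syscalls[0])
#define FILTER_CAP 64
static struct sock_filter g_filter[FILTER_CAP];

/* Fills g_filter; returns the instruction count (5 + 2 per allowed syscall). */
size_t build_filter(void) {
    size_t i = 0, k;
    if (5 + 2 * N_ALLOWED > FILTER_CAP) return 0;
    /* Check the ABI first: syscall numbers differ between architectures. */
    g_filter[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    g_filter[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);
    g_filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    g_filter[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (k = 0; k < N_ALLOWED; k++) {
        g_filter[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed_syscalls[k], 0, 1);
        g_filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    g_filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return i;
}

int install_filter(size_t len) {
    struct sock_fprog prog = { (unsigned short)len, g_filter };
    if (SECCOMP_ARCH == 0 || len == 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -2;   /* unprivileged seccomp needs this */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -3;
    return 0;
}

int main(void) {
    /* seccomp goes last: the privilege drop itself uses setuid/setgid, which the filter denies. */
    if (cap_limit(RLIMIT_CORE, 0) != 0 || cap_limit(RLIMIT_NOFILE, 256) != 0) return 1;
    if (getuid() == 0 && drop_privileges(65534, 65534) != 0) return 2;
    size_t n = build_filter();
    printf("core=%llu fds=%llu filter=%zu insns\n", (unsigned long long)current_limit(RLIMIT_CORE),
           (unsigned long long)current_limit(RLIMIT_NOFILE), n);
    if (install_filter(n) != 0) return 3;
    /* openat() is not on the allow-list, so this fails with EPERM instead of opening the file. */
    if (open("/etc/hostname", O_RDONLY) == -1 && errno == EPERM) {
        if (write(1, "open denied by seccomp\n", 23) < 0) return 4;
    }
    return 0;   /* exit_group is on the allow-list */
}
```

The order is the point: limits first (they survive exec and cannot be raised back), then the identity change, then seccomp, because the filter denies the very setuid/setgid calls the privilege drop needs. PR_SET_NO_NEW_PRIVS is set before the filter so that no later execve of a setuid binary can escape the sandbox, and the architecture check at the top of the filter prevents the allow-list from being bypassed through a different syscall ABI.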
Demo – Reverse shell vulnerability
Shashank Mohan Jain | Dinesh Kumar
Thank you
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.