Securing Apps in the Open-By-Default Cloud
Winston Howes and Michael Wozniak
Black Hat Briefings, BlackHat 2019 (slide transcript)
Who are we?
Michael Wozniak, Infrastructure Security
Winston Howes, Application Security
Welcome to the Cloud
GCE, GKE, App Engine, EC2, EKS
Open By Default
“After deploying the application, you need to expose it to the Internet so that users can access it.” - GKE Quickstart
Constraints
● Networking
○ Not possible to have one large internal-only network
○ Limited enforcement options provided by AWS/GCP
○ Services like App Engine must be exposed directly to the Internet
● Central Management
○ Lack of a central CI/CD pipeline
○ Wide variety of technologies
Development Lifecycle
● It’s unclear when security should review an app.
Pre-Launch:
○ New app created: “Hello 🌎”
○ Ready to launch: you’re encouraged to file a security review.
Post-Launch:
○ You’re on the internet 🎉
○ Going Steady: the app has a bunch of new features.
Considered Gating Approaches
1. Enabling Billing Post-Review (Restricts Feature Development)
2. Implement AuthN & AuthZ controls on individual services (Limited Scalability)
3. Firewalls (Limited Granularity)
4. Google’s Identity Aware Proxy (Not Automatable)
Goals
● Flexibility: Minimum opinions about development environments and cloud feature use*
● Scalability: No need for developer instrumentation
● Granularity: By default all services are gated with granular authN and authZ
● Automatability: Reduce operational costs
*if developers want high QPS or to receive user traffic, there will be necessary changes
Laying the Groundwork: Primitives
1. Network Control
2. Service Inventory
Solution: a central service that enables billing, gives the security team network management access, and inventories services.
Development Lifecycle
● It’s unclear when security should review an app.
UnManaged:
○ New app created: “Hello 🌎”
○ Ready to launch: you’re required to file a security review.
Managed:
○ You’re on the internet 🎉
○ Going Steady: the app has a bunch of new features.
UnManaged Services
1. New Services in Development
2. Internal Tools
Treated identically by Security
UnManaged Services: Primitives
1. Firewall Manager
2. Stateless AuthN/Z Proxy
Firewall Manager
1. Import every service from our central inventory
2. Set base-level firewall rules on every service
   a. App Engine: Only allow requests from our stateless proxy
   b. Other: Only allow requests from our SSH proxy
3. Revert non-Security-approved modifications to the firewall rules
Firewall Manager Architecture (diagram): the Service Inventory reports each New Service to the Firewall Manager, which is the Source of Truth for rules; the Firewall Manager synchronizes firewall rules with the Fleet and updates rules that have drifted.
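The three Firewall Manager steps above as a reconciliation loop, written here as an added example rather than the speakers' code. It assumes an inventory record carries a name and a platform, that a rule is the set of source CIDRs allowed to reach the service, and that Security-approved exceptions are keyed by service name; the proxy addresses are constructed placeholders.

```python
"""Firewall Manager reconciliation (added illustration, not the talk's code).

Assumptions not stated in the deck: inventory records have a name and a
platform ("app_engine" or "other"); a rule is the frozenset of source CIDRs
allowed in; Security-approved exceptions are keyed by service name.
"""
from dataclasses import dataclass

# Constructed placeholder addresses for the two proxies the deck names.
STATELESS_PROXY_CIDRS = frozenset({"10.0.1.0/24"})  # stateless AuthN/Z proxy
SSH_PROXY_CIDRS = frozenset({"10.0.2.0/24"})        # SSH proxy


@dataclass(frozen=True)
class Service:
    name: str
    platform: str  # "app_engine" or "other"


@dataclass
class Action:
    service: str
    kind: str           # "create" for a new service, "revert" for drift
    allowed: frozenset  # the rule the fleet should end up with
    reason: str


def base_rule(service: Service) -> frozenset:
    """Step 2: the base-level rule depends only on the platform."""
    if service.platform == "app_engine":
        return STATELESS_PROXY_CIDRS
    return SSH_PROXY_CIDRS


def desired_rules(inventory, approved_exceptions):
    """Step 1: every inventoried service gets its base rule, widened only by
    exceptions Security has approved."""
    desired = {}
    for svc in inventory:
        extra = approved_exceptions.get(svc.name, frozenset())
        desired[svc.name] = base_rule(svc) | extra
    return desired


def reconcile(inventory, approved_exceptions, fleet_rules):
    """Step 3: compare the source of truth with what the fleet reports and
    emit the actions that bring the fleet back in line."""
    desired = desired_rules(inventory, approved_exceptions)
    actions = []
    for name, want in sorted(desired.items()):
        have = fleet_rules.get(name)
        if have is None:
            actions.append(Action(name, "create", want, "new service from inventory"))
        elif have != want:
            widened = sorted(have - want)
            reason = ("unapproved sources added: " + ", ".join(widened)
                      if widened else "rule narrower than base rule")
            actions.append(Action(name, "revert", want, reason))
    return actions


# Constructed sample data: one App Engine app opened to the world by hand,
# one service with an approved exception, one service the fleet has not seen.
SAMPLE_INVENTORY = [
    Service("billing-ui", "app_engine"),
    Service("batch", "other"),
    Service("new-svc", "other"),
]
SAMPLE_EXCEPTIONS = {"batch": frozenset({"10.0.3.0/24"})}
SAMPLE_FLEET = {
    "billing-ui": frozenset({"10.0.1.0/24", "0.0.0.0/0"}),
    "batch": frozenset({"10.0.2.0/24", "10.0.3.0/24"}),
}


def demo():
    """One synchronization pass over the constructed sample."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_EXCEPTIONS, SAMPLE_FLEET)


if __name__ == "__main__":
    for act in demo():
        print(act.kind, act.service, sorted(act.allowed), "-", act.reason)
```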
Stateless AuthN/Z Proxy
● Support multiple forms of AuthN
○ Service-to-service
○ User-to-service
● Easy integration
○ App Engine: zero setup
○ Other: config change to stateless proxy
● Easily offboard users
○ Periodic syncs with ACL source of truth
● Reliable
Stateless AuthN/Z Proxy Architecture
1. Configuration
2. Authentication and Authorization
3. Proxying Requests
Stateless AuthN/Z Proxy Architecture: Configuration (diagram): a Rotator polls Source Control and the ACL Service every 10 minutes and uploads the configuration and the ACLs to GCS; the Proxy polls GCS every 10 minutes and updates its configuration from it.
Stateless AuthN/Z Proxy Architecture: AuthN/Z (participants: Browser, Proxy, IAP Jump Point)
1. User tries to access a service behind the proxy.
2. The proxy can’t authenticate the user and redirects to the Jump Point.
3. User reaches Google’s Identity Aware Proxy (IAP) and signs in.
4. The Jump Point creates a ticket with the user’s identity and redirects the user to the Proxy.
5. User forwards the ticket to the proxy, which compares the identity against its ACLs and proxies the request.
6. User’s request reaches the service.
IAP + Jump Point can be generalized as an SSO provider.
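Steps 4 and 5 above, the ticket the Jump Point issues and the stateless check the Proxy makes before proxying, as an added example rather than the talk's implementation. The deck does not specify the ticket format, so this assumes the Jump Point and Proxy share an HMAC key and a ticket of the form identity|expiry|signature; the ACL map stands in for the ACLs the proxy refreshes from GCS.

```python
"""Stateless ticket issue/verify plus ACL check (added illustration).

Assumptions not in the deck: a shared HMAC key between Jump Point and Proxy,
ticket format "identity|expiry|hex-signature", and ACLs as a map from the
requested host to the set of identities allowed to reach it.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"  # placeholder; a real deployment rotates this
TICKET_TTL = 300                      # seconds a ticket stays valid


def issue_ticket(identity: str, now: float, key: bytes = SHARED_KEY) -> str:
    """Jump Point side: bind the signed-in identity to an expiry and sign both,
    so the proxy needs no session store to trust the ticket later."""
    if "|" in identity:
        raise ValueError("identity must not contain the ticket separator")
    expiry = str(int(now) + TICKET_TTL)
    msg = f"{identity}|{expiry}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{identity}|{expiry}|{sig}"


def verify_ticket(ticket: str, now: float, key: bytes = SHARED_KEY):
    """Proxy side: returns the identity, or None when the ticket is malformed,
    forged or expired. Signature is checked before expiry so a tampered
    expiry field cannot extend a ticket's life."""
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    identity, expiry, sig = parts
    msg = f"{identity}|{expiry}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return identity


def authorize(ticket, host: str, acls: dict, now: float):
    """Whole decision for one inbound request.

    Returns (decision, identity) with decision one of:
      "redirect": no usable ticket, send the browser to the Jump Point (step 2)
      "deny":     authenticated but not in this host's ACL
      "proxy":    authenticated and allowed, forward to the service (step 6)
    `acls` is the copy the proxy last pulled from GCS, so offboarding a user
    takes effect on the next periodic sync without touching the proxy itself.
    """
    identity = verify_ticket(ticket, now) if ticket else None
    if identity is None:
        return ("redirect", None)
    if identity not in acls.get(host, set()):
        return ("deny", identity)
    return ("proxy", identity)


if __name__ == "__main__":
    now = 1_700_000_000.0
    acls = {"tool.internal.example": {"alice@example.com"}}  # constructed
    t = issue_ticket("alice@example.com", now)
    print(authorize(t, "tool.internal.example", acls, now + 10))
```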
Stateless AuthN/Z Proxy Architecture: Proxying (diagram): an Inbound Request reaches the Central Proxy, which forwards directly to an App Engine Service, or over VPC Peering to a Leaf Proxy that fronts Service A and Service B.
Stateless AuthN/Z Proxy Challenges
1. Higher latency, particularly for App Engine
2. Double billing: twice the egress
Managed Services
Managed Services: Goals
1. Low Latency
2. Cheap
3. Granular AuthN/Z
4. Visibility
Managed Services: Components
1. API Gateway
2. Service Mesh
3. Configuration Controller
4. Service Sidecar
Managed Services: API Gateway
1. Envoy as a front-proxy
2. Single entry point for external traffic
3. Set of audited AuthN filters
4. Centrally managed
(diagram: API Gateway in front of Service A, Service B and Service C)
Managed Services: Service Mesh
1. Centrally managed and visible routing
2. Envoy provides
   a. Authentication
   b. Encryption
   c. Metrics
3. Not routable from the Internet except via the API Gateway
(diagram: the API Gateway and a Config Server connect to Service 1 and Service 2; each service is shown as Auth, Metrics and Application components)
Managed Services: Configuration Controller
1. Central component to manage routes
2. Routes need to be approved by owners
3. Authentication included automatically based on configuration state
Managed Services: Service Sidecar
1. Envoy as a sidecar
2. Connects to the CA to establish identity
3. Fetches config from the central configuration service
4. Authenticates all incoming traffic
5. Exposes a port locally for service egress
(diagram: Service 1 shown as Auth, Metrics and Application components)
Managed Services: Challenges
1. Onboarding: configuration changes require approval
2. Noisy Neighbors: a single account/VPC means that cloud quotas are shared by all services
3. Central Point of Failure
What about the non-migrated services?
Introspection
Introspection Library
● Easy to integrate
○ Single line of code
○ Supports all service frameworks
● Gathers security-critical information
○ Routes
○ Auth Controls (Filters, decorators, annotations, etc.)
○ Packages
○ Service Metadata
● Runs on instance startup
● Triggers high-signal alerts
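What the single startup call of such a library collects, and the kind of high-signal alert it can raise, as an added example that is not the speakers' library. It assumes a minimal stand-in App with a route registry and a requires_auth decorator that stamps a marker on handlers; a real integration would read the framework's own route table, and the package list and metadata here are constructed.

```python
"""Introspection hook (added illustration, not the talk's library).

Assumptions: a constructed App stand-in with a route registry, and a
requires_auth decorator that marks handlers so the introspector can see the
auth control. Package and metadata values are constructed sample data.
"""
import functools


def requires_auth(*roles):
    """An auth control the introspector can detect: marks the wrapped handler."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            return fn(*args, **kwargs)
        wrapper.__auth_controls__ = {"decorator": "requires_auth", "roles": sorted(roles)}
        return wrapper
    return deco


class App:
    """Stand-in for a web framework's route registry (constructed)."""
    def __init__(self, name):
        self.name = name
        self.routes = []

    def route(self, path, methods=("GET",)):
        def deco(fn):
            self.routes.append((path, tuple(methods), fn))
            return fn
        return deco


def introspect(app, packages, metadata):
    """The one call made at instance startup: routes with their auth controls,
    installed packages and service metadata, as a plain dict for the bucket."""
    routes = []
    for path, methods, fn in app.routes:
        routes.append({
            "path": path,
            "methods": sorted(methods),
            "handler": fn.__name__,
            "auth": getattr(fn, "__auth_controls__", None),
        })
    return {"service": dict(metadata), "packages": dict(packages),
            "routes": sorted(routes, key=lambda r: r["path"])}


def alerts(report, previous=None):
    """High-signal alerts: routes with no auth control, and, when an earlier
    report exists, routes that appeared or lost their auth control since it."""
    found = []
    prev_routes = {r["path"]: r for r in (previous or {}).get("routes", [])}
    for r in report["routes"]:
        if r["auth"] is None:
            found.append(("unauthenticated_route", r["path"]))
        before = prev_routes.get(r["path"])
        if previous is not None and before is None:
            found.append(("new_route", r["path"]))
        elif before is not None and before["auth"] is not None and r["auth"] is None:
            found.append(("auth_removed", r["path"]))
    return found


def demo():
    """Constructed service: one open health route, one gated admin route, and a
    newly added export route that nobody put an auth control on."""
    app = App("service-a")

    @app.route("/healthz")
    def healthz():
        return "ok"

    @app.route("/admin/users", methods=("GET", "POST"))
    @requires_auth("admin")
    def users():
        return []

    @app.route("/export", methods=("POST",))
    def export():
        return "..."

    meta = {"name": "service-a", "owner": "team-a"}          # constructed
    pkgs = {"example-lib": "1.0.0"}                          # constructed
    prev = {"routes": [                                      # last aggregated report
        {"path": "/healthz", "auth": None},
        {"path": "/admin/users", "auth": {"decorator": "requires_auth", "roles": ["admin"]}},
    ]}
    report = introspect(app, pkgs, meta)
    return report, alerts(report, prev)
```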
Introspection Architecture (diagram: Billing Enabler, GCS/S3, Introspection backend, Alert Platform, Service A)
1. The billing service pings the Introspection service about new Service A
2. Provision a bucket for Service A
3. Service A writes data to the bucket on instance startup
4. Periodically aggregate bucket data
5. Trigger any alerts
Core Infrastructure
● Firewall Manager: Gate services by default
● Stateless Proxy: Allow authenticated access to services
● API Gateway & Service Mesh: Production environment to run services with controls
● Introspection: Understand service state
Revisiting Goals
● Flexibility: Minimum opinions about development environments and cloud feature use*
● Scalability: No need for developer instrumentation
● Granularity: By default all services are gated with granular authN and authZ
● Automatability: Reduce operational costs
*if developers want high QPS or to receive user traffic, there will be necessary changes
Order of Operations
Step 1: Lay the Foundation
● Create a central hook that provides ways to make future changes
● Inventory all new services
Step 2: Start Simple
● Gate services in development to just corporate IPs
● Build Firewall Manager
Step 3: Add Granularity
● Transition from IP-based auth to service identities
● Build Stateless AuthN/Z Proxy
● As things transition to production, perform manual review
Step 4: Understand Production
● Learn how your services change over time
● Build out an Introspection library
Step 5: Provide Robust Controls in Production
● Build out a central gateway and service mesh
● Migrate existing services
Lessons Learned
Security is Engineering
Gain a central hook into your fleet early
Visibility before enforcement
Make your security posture something you can reason about: no black boxes
Offer other engineering teams a carrot