https://crocs.fi.muni.cz @CRoCS_MUNI
PA193 - Secure coding principles and practices
Cloud programming security
Lumir Honus
PA193 | Lesson | Cloud programming security

Agenda
• Introduction
• Evolution of enterprise architecture
• Storing secrets in the Key Vault
• Application authorization: how to pass a secret to the app
• Cloud infrastructure security

What I did after I graduated:
• Founded a software development startup company … and failed.
• Joined AT&T as a Tier 2 engineer … for a temporary job ☺
• Networking is interesting: passed the CCIE certification, became a network architect
• Designed complex enterprise datacenters for large financial institutions
• Founded the AT&T Software Defined Datacenter offering

Classical concept of enterprise security
• N-tier application design
• Attackers are outside
• Premises-based firewalls split security zones
• Workload is relatively static and must have a “static” IP address so that it can be named in firewall policies

Cisco Enterprise reference network design (2015)

Google BeyondCorp (2014)
• Access to services must not be determined by the network from which you connect
• Access to services is granted based on contextual factors from the user and their device
• Access to services must be authenticated, authorized, and encrypted

Covid19 – and home office
• It works just fine, right?
• Thought: if half of your workload is in the cloud and the majority of people work from home, where is your perimeter?

SASE – Secure Access Service Edge
First described by Gartner. Convergence of:
• WAN
• Network security services
• Zero Trust environment
into a cloud-delivered service model.

Everything I knew about network architecture is dead!
• The world has changed
• Technologies change, but basic principles remain valid
• Cryptography is critical -- yet surprisingly few people understand it

Scenario we will be focusing on during this session and lab

VAULTs

What is Azure Key Vault
• Cloud service that provides a secure store for secrets: keys, passwords, certificates, and other secrets.
• Provides an API accessible via REST + OAuth 2.0
• Granular role-based access control
• Strong focus on audit – who can define and who can see the password

Azure Key Vault roles
Built-in role: Description
Key Vault Administrator: Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.
Key Vault Certificates Officer: Perform any action on the certificates of a key vault, except manage permissions.
Key Vault Crypto Officer: Perform any action on the keys of a key vault, except manage permissions.
Key Vault Crypto Service Encryption User: Read metadata of keys and perform wrap/unwrap operations.
Key Vault Crypto User: Perform cryptographic operations using keys.
Key Vault Reader: Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material.
Key Vault Secrets Officer: Perform any action on the secrets of a key vault, except manage permissions.
Key Vault Secrets User: Read secret contents.
All of these roles only work for key vaults that use the 'Azure role-based access control' permission model.
Apply the principle of least privilege: an application that only needs to read a secret gets Key Vault Secrets User on that vault, not Key Vault Administrator.

Key Vault for certificate management
(1) The application requests a certificate; internally Key Vault begins by creating a key in your key vault.
(2) Key Vault sends a TLS/SSL certificate signing request to the CA.
(3) The application polls Key Vault in a loop, waiting for the certificate to complete. Creation is complete when Key Vault receives the CA's response with the X.509 certificate.
(4) The CA responds to Key Vault's certificate request with an X.509 TLS/SSL certificate.
(5) The new certificate is complete when Key Vault merges the X.509 certificate returned by the CA with the key it created in step (1).

What are the architecture decisions?
Many vault offerings:
• Venafi
• Azure
• AWS
• HashiCorp
• Spring Vault

Selecting a vault solution – architecture decisions:
• What are the regulatory requirements? Do you need an HSM?
• How many vaults do you need? One per company, per environment, per application?
• What do you need to integrate with?
• Buy or build (cloud service or self-managed)?
• What are the cost implications?

Azure cost implications:

AAA
Authentication + Authorization + Accounting

Application
• Needs to authenticate and authorize clients/users (not our primary focus in this seminar)
• Needs to authenticate itself against various backend APIs and resources (Key Vault, DB, etc.)
• How?
Client credentials grant
• Client ID + client secret
• Client ID + certificate

OAuth 2.0 + OpenID Connect
• Adopted by all major cloud service providers
• OpenID Connect extends OAuth 2.0 by providing user authentication and single sign-on
• Study:
  – https://oauth.net/2/

How to pass secrets to the application?
1) Hardcode it in the code / image ☺
2) Hardcode it in the code / image, but encrypt it with some “secret algorithm” ☺
3) Store it on disk and inject it into the application runtime
   – Is your disk encrypted in all your runtime environments? Can you pass a PCI DSS compliance audit?
4) Pass it via ENV variables
   – Better, especially if you can limit it to the application process
5) Use a “managed identity” solution

Never store secrets in Git repositories
• Seems obvious, but no matter how many times I say it, people still do it
• Update your .gitignore files to keep secrets out of the Git repository
• Use automated SAST scanning to detect it
• Bounty hunters look for exactly this

Store secrets in a Docker image
Dockerfile:
   ENV secret=pass1435
   COPY app.jar /
   CMD ["java", "-jar", "app.jar"]
Problem: the ENV value becomes part of the image configuration, so anyone who can pull the image can read it with docker inspect or docker history.
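The two slides above (secrets in Git, secrets in a Docker image) come down to one check that a pre-commit hook or a CI SAST step can run: does the committed content contain a literal credential where a reference to a vault or to a mounted secret should be? Below is an added example of that check in Python, written for this page and not code from the course or from any SAST product. It scans constructed sample files (the Dockerfile from the slide, a Spring application.properties, a Java class and a key file) for fixed-format credentials, for secret-named assignments with literal values, and for high-entropy strings; the regex list, the entropy threshold and the sample content are assumptions for illustration, not a complete rule set.

```python
"""Minimal secret scanner of the kind a pre-commit hook or CI SAST step runs over a diff.
Two strategies: fixed-format credentials matched by regex, and secret-looking assignments
or high-entropy literals that should have been a reference to a vault or mounted secret."""
import math
import re
import sys

# Credential formats that are public and fixed (constructed list, not exhaustive).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# "<something named like a secret> = <literal>" in source, Dockerfile or .properties syntax.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[\w.-]*(?:secret|password|passwd|token|api[_-]?key)[\w.-]*)"
    r"\s*[=:]\s*['\"]?(?P<value>[^\s'\";,]{6,})")
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
PLACEHOLDERS = {"changeme", "password", "secret", "example", "redacted", "xxxxxx"}


def shannon_entropy(s):
    """Bits per character: random 32-char API keys score above 4, English words around 3."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def is_reference(value):
    """A pointer to a secret store is what we want to see in the repository, not a secret."""
    return value.startswith(("$", "vault:", "/run/secrets", "secretKeyRef"))


def scan_text(text, path="<memory>"):
    """Return findings as (path, line_no, kind, stripped_line)."""
    findings = []
    dockerfile = path.rsplit("/", 1)[-1].startswith("Dockerfile")
    for n, line in enumerate(text.splitlines(), 1):
        kinds = [k for k, pat in KNOWN_PATTERNS.items() if pat.search(line)]
        m = ASSIGNMENT.search(line)
        if m and not is_reference(m.group("value")) and m.group("value").lower() not in PLACEHOLDERS:
            # ENV/ARG in a Dockerfile are baked into the image config and readable with
            # `docker inspect` / `docker history`, so they get their own category.
            is_env = dockerfile and line.lstrip().upper().startswith(("ENV ", "ARG "))
            kinds.append("dockerfile_env_secret" if is_env else "hardcoded_secret")
        if not kinds:
            for tok in HIGH_ENTROPY_TOKEN.findall(line):
                if shannon_entropy(tok) >= 4.0:
                    kinds.append("high_entropy_string")
                    break
        findings.extend((path, n, k, line.strip()) for k in kinds)
    return findings


def scan_files(paths):
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as f:
            findings.extend(scan_text(f.read(), p))
    return findings


# Constructed sample repository content used for the demonstration below.
SAMPLE_REPO = {
    "Dockerfile": 'FROM eclipse-temurin:17\nENV secret=pass1435\nCOPY app.jar /\nCMD ["java", "-jar", "app.jar"]\n',
    "src/main/resources/application.properties":
        "spring.datasource.password=${DB_PASSWORD}\napi.token=CAESIJ0123456789abcdefghijklmnopqrstuvwxyz\n",
    "src/main/java/Config.java": 'String apiKey = "changeme";\nString dbPassword = "Tr0ub4dor&3!";\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n",
}


def scan_sample():
    return [f for path, text in SAMPLE_REPO.items() for f in scan_text(text, path)]


if __name__ == "__main__":
    # As a pre-commit hook: python scan_secrets.py $(git diff --cached --name-only)
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_sample()
    for path, n, kind, line in hits:
        print(f"{path}:{n}: {kind}: {line}")
    sys.exit(1 if hits else 0)
```

Run with no arguments it reports the four planted findings in the sample; run over the staged file list it exits non-zero and blocks the commit. Values such as ${DB_PASSWORD} or changeme are deliberately not reported, which is what the slide's advice amounts to: the repository should carry the name of a secret, never its value.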
Encrypt cipher
• Create a library “encrypt.jar”
• Cipher.decrypt(…)
Problem:
-- the library can be reverse engineered (decompiled)
-- the library is published in Maven

Mount secrets as a volume
The volume has the content of the secret (the Kubernetes Secret is mounted as a file).

Pass secrets as ENV variables
The environment variable's value is read from the secret (valueFrom: secretKeyRef).

Secrets encryption:
• Kubernetes Secrets are by default stored unencrypted in etcd (the Kubernetes API server database); their base64 encoding is not encryption
PCI DSS: “The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key-encrypting key may grant access to many data-encrypting keys, the key-encrypting keys require strong protection measures.”

Azure managed identity
• Developers don't need to manage credentials (the credentials are not even accessible to users)
• System-assigned – for example Kubernetes (AKS)
• User-assigned – a standalone Azure resource

Managed identity -- How it works

Infrastructure security in cloud

Cloud brings new security challenges
• Cloud has powerful tools to enforce security
• But you need to know what you are doing – you are one “wrong click” from being
exposed on the Internet
• Build automated patterns / playbooks
• Use the defense in depth principle
• Use audit and compliance tools to validate that the deployment is compliant with the intended architecture

Design exercise
Let's assume that the application is an internal HR system. What can be improved?

Private Link

Typical design

Challenges with Kubernetes
• Kubernetes workload is often short-lived and has dynamic IP addresses
• By default, Kubernetes has an open policy – any pod can communicate with any other pod (even across namespaces)
• Many approaches to solve it:
  – Ingress
  – Network policy (CNI)
  – Service mesh

Cloud adoption in enterprises

Cloud transformation
92% of organizations' total IT environment is at least somewhat in the cloud today
54% mostly on-premises with some cloud
9% cloud only
Source: IDC Cloud Computing Study
If cloud is so cool, why isn't everybody using it?

Cloud Repatriation (analysis by Andreessen Horowitz)
• Dropbox detailed in its S-1 a whopping $75M in cumulative savings over the two years prior to IPO due to their infrastructure optimization overhaul, the majority of which entailed repatriating workloads from public cloud.
• Thomas Dullien, former Google engineer and co-founder of cloud computing optimization company Optimyze, estimates that repatriating $100M of annual public cloud spend can translate to roughly less than half that amount in all-in annual total cost of ownership (TCO) — from server racks, real estate, and cooling to network and engineering costs.
• Extending this analysis to the broader universe of scale public companies that stands to benefit from related savings, we estimate that the total impact is potentially greater than $500B.
• If you’re operating at scale, the cost of cloud can at least double your infrastructure bill.
Source: The Cost of Cloud, a Trillion Dollar Paradox, https://a16z.com/2021/05/27/cost-of-cloud-paradox-market-cap-cloud-lifecycle-scale-growth-repatriation-optimization/

LABS
Make sure that you have a personal account in Azure.
Use your education license or register via https://azure.microsoft.com/en-us/free (200$ free credit).
During preparation for the course, I spent 0.26 EUR on compute ☺
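As an added example for the lab (written for this page, not code from the course or from Microsoft's SDKs), the following Python script ties together the client credentials grant, the managed identity slides and the list of ways to pass a secret to the application. It resolves a secret from Azure Key Vault using a token from the instance metadata endpoint at 169.254.169.254, which is the mechanism behind managed identity; it falls back to a client ID + client secret grant only when those are explicitly supplied; and for local development, where there is no vault, it reads a mounted secret file or an environment variable. Only the standard library is used. The vault name kv-demo, the secret name db-password, the /run/secrets mount point, the environment variable names AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET and the sample JSON responses are assumptions; the identity calling the vault is assumed to hold the Key Vault Secrets User role.

```python
"""Resolve an application secret in a cloud runtime without baking it into the image.
Order of preference: Key Vault (managed identity, or client credentials if explicitly
configured), then a mounted secret file, then an environment variable for local dev."""
import json
import os
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEYVAULT_RESOURCE = "https://vault.azure.net"
SECRETS_DIR = "/run/secrets"  # assumed mount point of the secret volume (Docker's default)


def imds_request(resource=KEYVAULT_RESOURCE):
    """Managed identity: the platform issues tokens on the instance metadata endpoint, so no
    credential lives in the image, the environment or on disk. IMDS rejects requests without
    the 'Metadata: true' header, which stops requests that arrived through a redirect."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def client_credentials_request(tenant_id, client_id, client_secret, scope=KEYVAULT_RESOURCE + "/.default"):
    """OAuth 2.0 client credentials grant (RFC 6749 section 4.4) against the Entra ID v2
    token endpoint. Needs a client secret, which then has to reach the app somehow."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope}).encode()
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw, now=None):
    """Both endpoints answer with JSON carrying access_token and expires_in (IMDS sends the
    number as a string). Returns (token, refresh_deadline); refuses non-bearer answers."""
    doc = json.loads(raw)
    if "access_token" not in doc or doc.get("token_type", "").lower() != "bearer":
        raise ValueError(f"token request failed: {doc.get('error_description', doc.get('error'))}")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc["expires_in"]) - 60  # refresh a minute early


def keyvault_secret_request(vault_name, secret_name, token):
    """GET /secrets/{name} on the vault's data plane. The calling identity needs the
    'Key Vault Secrets User' role: read secret contents and nothing more."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version=7.4")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def parse_secret_response(raw):
    doc = json.loads(raw)
    if "value" not in doc:
        raise ValueError(f"Key Vault error: {doc.get('error')}")
    return doc["value"]


def _http(req):
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_from_vault(vault_name, secret_name, environ, http=_http):
    """Prefer managed identity; use client credentials only if the app was explicitly given
    AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET (assumed variable names)."""
    if all(k in environ for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")):
        req = client_credentials_request(environ["AZURE_TENANT_ID"], environ["AZURE_CLIENT_ID"],
                                         environ.pop("AZURE_CLIENT_SECRET"))
    else:
        req = imds_request()
    token, _ = parse_token_response(http(req))
    return parse_secret_response(http(keyvault_secret_request(vault_name, secret_name, token)))


def resolve_secret(name, vault_name=None, environ=None, secrets_dir=SECRETS_DIR, http=_http):
    """Resolution chain: Key Vault when a vault is configured (production), otherwise a
    mounted secret file, otherwise an environment variable (local development only)."""
    environ = os.environ if environ is None else environ
    if vault_name:
        return fetch_from_vault(vault_name, name, environ, http)
    path = os.path.join(secrets_dir, name)
    if os.path.isfile(path):
        with open(path) as f:
            return f.read().strip()
    if name in environ:
        # Remove it after the first read so child processes do not inherit it. On Linux,
        # /proc/<pid>/environ still shows the initial environment block of this process.
        return environ.pop(name)
    raise LookupError(f"secret {name!r} not found in vault, {secrets_dir} or environment")


if __name__ == "__main__":
    value = resolve_secret("db-password", vault_name=os.environ.get("KEYVAULT_NAME"))
    print(f"resolved db-password ({len(value)} bytes)")  # never log the value itself
```

Request construction and response parsing are kept apart from the transport so the exchange can be checked without network access. In production the file and environment branches should be unreachable: set only the vault name, grant the workload's managed identity Key Vault Secrets User on that vault, and there is no credential left to leak from the image, the environment or etcd.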