https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI PV286 - Secure coding principles and practices Cloud programming security Lumir Honus PV286 | Lesson | Cloud programming security1 https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Agenda • Introduction • Evolution of enterprise architecture • Cloud fundamentals • Storing secrets in the Keyvault • Application authorization, how to pass secret to the app 2 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI What I did after I graduated: • Founded a software development startup company … and failed. • Joined AT&T as Tier2 engineer … for a temporary job ☺ • Networking is interesting, passed CCIE certification, became network architect • Designed complex enterprise datacenters for large financial institutions • Founded AT&T Software Defined Datacenter offering • Software Defined Datacenter evolved into Software Defined IT Infrastructure 3 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Classical concept of enterprise security • N-Tier application design • Attackers are outside • Premise based firewalls split security zones • Workload is relatively static, must have “static” IP address to be defined in firewall policies 4 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Cisco Enterprise reference network design (2015) 5 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Google BeyondCorp (2014) • Access to services must not be determined by the network from which you connect • Access to services is granted based on contextual factors from the user and their device • Access to services must be authenticated, authorized, and encrypted 6 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Covid19 – and home office • It works just fine, right ? Thought: • If half of your workload is in the cloud and majority of people works from home, where is your perimeter ? 7 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI SASE – Secure access service edge 8 PV286 | Lesson | Cloud programming security First described by Gartner Convergence of: • WAN • Network security services • Zero Trust environment Into • Cloud-delivered service model https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Zero trust • Verify explicitly - Always authenticate and authorize based on all available data points. • Use least privilege access - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. • Assume breach - Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. 9 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Everything I knew about network architecture is dead ! • The world has changed • Technologies changes, but basic principles remains • Cryptography is critical -- yet surprisingly few people understands it 10 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI11 PV286 | Lesson | Cloud programming security Scenario what we will be focusing on during this session and lab https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI (Azure) cloud fundamentals 12 PV286 | Lesson | Cloud programming security Virtual Network (VNET) - “Virtual routing domain” - A logical isolation of the cloud dedicated to your subscription - Contains one or more subnets Subnet - IP subnet - range of IP addresses in the virtual network - Has routing table + network security group Network security group - Applied typically on VNIC / VM level - Works on layer4 only Azure Firewall - Works on Layer4 + Layer7 - Centralized policy, usually used as “north-south” security perimeter https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Cloud brings new security challenges • Cloud has powerful tools to enforce security • But you need to know what you are doing – you are one “wrong click” from being exposed on Internet • Build automated patterns / playbooks • Use defense in depth principle • Use audit and compliance tools to validate that deployment is compliant with intended architecture 13 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Azure Segmentation patterns 14 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Hub and spoke pattern 15 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI16 PV286 | Lesson | Cloud programming security Fabric Service MS Azure AWS Data Centre HA Region Pairs Availability Zone Tenant Resource Group EC Instance Subnets Subnets Private/Public Net VLAN Subnet Private/Public Net Routing Domain Virtual Network VPC Load Balancing Network Load Balancer Elastic LB Firewall Azure Firewall Web App FW DNS DNS Amazon Route 53 Cloud Connection Azure ExpressRoute AWS Direct Connect Private VLAN ASG Security Group Access Control List NSG Security Group Rule Outbound ACL Outbound Rule Outbound Rule Inbound ACL Inbound Rule Inbound Rule Cloud comparison https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI VAULTs 17 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI What is Azure Keyvault 18 PV286 | Lesson | Cloud programming security Cloud service that provides a secure store for secrets. Securely store keys, passwords, certificates, and other secrets. Provides API accessible via REST + OAUTH2 Granular Role Based Access control Strong focus on audit – who can define and see the password https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Microsoft vault types – same API: • Azure Key Vault (Standard Tier): A FIPS 140-2 Level 1 • Azure Key Vault (Premium Tier): A FIPS 140-2 Level 2 • Azure Managed HSM: A FIPS 140-2 Level 3 • Azure Dedicated HSM: A FIPS 140-2 Level 3 • Azure Payments HSM: A FIPS 140-2 Level 3, PCI HSM v3 19 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Azure Keyvault roles 20 PV286 | Lesson | Cloud programming security Built-in role Description Key Vault Administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. Key Vault Certificates Officer Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Key Vault Crypto Officer Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Key Vault Crypto Service Encryption User Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. Key Vault Crypto User Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. Key Vault Reader Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. Key Vault Secrets Officer Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Key Vault Secrets User Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. Apply principle of least privillege https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Keyvault for certificate management 21 PV286 | Lesson | Cloud programming security (1) - Application is creating a certificate which internally begins by creating a key in your key vault. (2) - Key Vault sends an TLS/SSL Certificate Request to the CA. (3) - Your application polls, in a loop and wait process, for your Key Vault for certificate completion. The certificate creation is complete when Key Vault receives the CA’s response with x509 certificate. (4) - The CA responds to Key Vault's TLS/SSL Certificate Request with an X509 TLS/SSL Certificate. (5) - Your new certificate creation completes with the merger of the X509 Certificate for the CA. https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI What are the architecture decisions ? Many Vault offerings: • Venafi • Azure • AWS • Hashicorp • Spring vault 22 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNI Lecturer notes https://crocs.fi.muni.cz @CRoCS_MUNI Selecting Vault solution – architecture decisions: • What are the regulatory requirements ? Do you need HSM ? • How many vaults do you need ? One per company, per environment, per application ? • What do you need to integrate with ? • Buy or build (Cloud service or self-managed) ? • What are the cost implications ? 23 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Azure cost implications: 24 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI AAA Authentication + Authorization + Accounting 25 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Application • Need to authenticate and authorize clients/users (not our primary focus in this seminar) • Need to authenticate itself to against various backend APIs and resources (Keyvault, DB, etc…) • How ? 26 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Client credentials grant 27 PV286 | Lesson | Cloud programming security • ClientID + Client secret • Client ID + certificate https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI OAUTH2 + OpenID Connect • Adopted by all major cloud service providers • OpenID Connect extends OAuth 2.0 by providing user authentication and single sign-on • Study: – https://oauth.net/2/ 28 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI How to pass secrets to the application ? 1) Hardcode it in the code / image ☺ 2) Hardcode it in the code / image, but encrypt by some “secret algorithm” ☺ 3) Store it on the disk and inject into the application runtime – Is your disk encrypted in all your runtime environments ? Can you pass PCI DSS compliance audit ? 4) Pass it via ENV variables – Better – especially if you can limit it to the application process 5) Use “managed identity” solution 29 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Never store secrets in GIT repositories • Seems obvious but • No matter how many times I say it, people still do it • Update your .gitignore files to prevent secrets in the GIT repository • Use automated SAST scanning to detect it • Bounty hunters 30 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Store secrets in docker image Dockerfile ENV secret=pass1435 COPY app.jar / CMD [“java app.jar”] 31 PV286 | Lesson | Cloud programming security Problem Docker info…. https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Encrypt cipher • Create library “encrypt.jar” • Cipher.decrypt(…) 32 PV286 | Lesson | Cloud programming security Problem: -- library can be reverted -- library is published in MAVEN https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Mount secrets as a volume 33 PV286 | Lesson | Cloud programming security Volume has a content of the secret https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Pass secrets as ENV variables 34 PV286 | Lesson | Cloud programming security Env variable value read from secret https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Secrets encryption: • Kubernetes Secrets are by default stored unencrypted in ETCD (Kubernetes API server database) 35 PV286 | Lesson | Cloud programming security PCI DSS: “The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and keyencrypting keys. Because one key-encrypting key may grant access to many data-encrypting keys, the keyencrypting keys require strong protection measures.” https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Azure managed identity • Developers don’t need to manage credentials (credentials are not even accessible by users) • System-assigned – For example Kubernetes (AKS) • User-assigned – Standalone Azure resource 36 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Managed identity -- How it works 37 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Workload identity 38 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Infrastructure security in cloud 39 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Design exercise 40 PV286 | Lesson | Cloud programming security Let’s assume that application is an internal HR system What can be improved https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Private link 41 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI42 PV286 | Lesson | Cloud programming security Typical design https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Challenges with Kubernetes • Kubernetes workload is often short-lived and has dynamic IP addresses • By default, Kubernetes has open policy – any POD can communicate with any other PODs (even across namespaces) • Many approaches how to solve it: – Ingress – Network policy (CNI) – Service Mesh 43 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Cloud adoption in enterprises 44 PV286 | Lesson | Cloud programming security https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Cloud transformation 45 PV286 | Lesson | Cloud programming security Of organization’s total IT environment is at least somewhat in the cloud today 92% Mostly on-premise with some cloud 54% Cloud only 9% Source: IDC Cloud Computing Study If cloud is so cool, why not everybody is using it ? https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI Cloud Repatriation (analysis by Andreessen Horowitz) • Dropbox detailed in its S-1 a whopping $75M in cumulative savings over the two years prior to IPO due to their infrastructure optimization overhaul, the majority of which entailed repatriating workloads from public cloud. • Thomas Dullien, former Google engineer and co-founder of cloud computing optimization company Optimyze, estimates that repatriating $100M of annual public cloud spend can translate to roughly less than half that amount in all-in annual total cost of ownership (TCO) — from server racks, real estate, and cooling to network and engineering costs. • Extending this analysis to the broader universe of scale public companies that stands to benefit from related savings, we estimate that the total impact is potentially greater than $500B. • If you’re operating at scale, the cost of cloud can at least double your infrastructure bill. 46 PV286 | Lesson | Cloud programming security https://a16z.com/2021/05/27/cost-of-cloud-paradox-market-cap-cloud-lifecycle-scale-growth-repatriation-optimization/?utm_source=thenewstack&utm_medium=website&utm_campaign=platform The Cost of Cloud, a Trillion Dollar Paradox https://crocs.fi.muni.cz @CRoCS_MUNIhttps://crocs.fi.muni.cz @CRoCS_MUNI LABS Make sure that you have personal account in the Azure Use your education license or register via https://azure.microsoft.com/enus/free (200$ free credit) During preparation for the course, I spent 0.26 Eur for compute ☺ 47 PV286 | Lesson | Cloud programming security