conjur - aws boston meetup 2014 - defense in depth

Kevin Gilpin, Jason Calvert. February 2014. Defend your Infrastructure with Robot Identity and Authorization

Uploaded by: kevin-gilpin

Posted on: 13-Jun-2015


DESCRIPTION

Defend Your Infrastructure With Robot Identity and Authorization

Consolidated end-user identity management and coarse-grained web application access control have improved both security and enterprise agility. Managing access control for a multiplicity of backend services and data assets is the next challenge for IT and software development teams. Centralized management, tracking, and analysis of infrastructure identity and access controls is the next phase of evolution for security and compliance. A unified approach to infrastructure access control across the application tier improves organizational agility and transparency, improves development team productivity, and sets up a well-defined collaboration between developers and devops.

This presentation will highlight the following best practices, in the context of a recently developed real-world cloud-based data processing platform:

• Management of "robot" and user identity for purposes of infrastructure management, with discussion of Amazon IAM strengths and weaknesses
• Management and distribution of keys, credentials, and other secrets
• Dynamic and robust authorization of service-to-service and service-to-data requests
• Access control as a functionality to satisfy regulatory and compliance requirements
• The importance of an audit trail to optimize operational architecture and detect suspicious behavior

TRANSCRIPT

Page 1: Conjur - AWS Boston Meetup 2014 - Defense in Depth

Kevin Gilpin, Jason Calvert
February 2014

Defend your Infrastructure with Robot Identity and Authorization

Page 2

Problems Frequently Seen in the Cloud

Operational
• Lost credentials - BIG PROBLEM: access to source code, admin box, other credentials/data
• Overly permissive controls - especially for internal IT users
• Poor auditing - very few companies can recreate what happened for a breach; keep logs for a long time on separate systems

Credentials are the BIGGEST problem with AWS

Source: Alex Stamos, AWS re:Invent, "Building Security from Scratch in AWS" (http://www.everytalk.tv/talks/…-Amazon-Web-Services-re-Invent-SEC-…-Building-Security-from-Scratch-in-AWS)

Page 3

Problems Frequently Seen in the Cloud

Infrastructure
• Insecure control plane - USE SSL EVERYWHERE
• Attacks from inside the Corporate Network

Application
• Too loose bindings - hack the web services directory → REST interface → do whatever
• Web API Vulnerabilities
• Poor use of cryptography

Source: Alex Stamos, AWS re:Invent, "Building Security from Scratch in AWS" (see previous slide)

Page 4

We Have Failed You, Lord Vader

• External vendors exposed as the weak link in enterprise security
• Trivial privilege levels exploited and escalated to gain access to the most critical data

Page 5

Right Script, Wrong Environment

• AWS maintenance script deletes Elastic Load Balancer DB records used for self-management
• Kaboom! Netflix et al.

Nation is unable to watch "A Christmas Carol" and live the true meaning of Christmas

Page 6

Solution: Keep Track of Things

Be organized, and maintain control of:

• Passwords
• Policies
• Access rules
• Groups and roles
• Secure communication

Page 7

Closing the "Compliance Gap"

AWS provides:
• Physical security
• Software defined network
• Reliable AMIs
• Ways to strongly partition info (eg, accounts)
• Durability
• IaaS backplane

AWS does not provide:
• Management of AWS credentials
• Passwords
• AWS policies
• Encryption keys and other secrets
• Application tier audit

Page 8

Snowflakes

• Lots of options in AWS
• Manual administration of too many options produces "snowflakes"
• "Snowflakes soon become hard to understand and modify"
• Applies to servers, policies, authz, architecture, etc.

Therefore: automate, test, and verify

Page 9

Don't Shortcut Your Way into Trouble

Manual hacking is not a shortcut

Page 10

Be Reproducible

• Same packages
• Same configuration

…and…

• Same privileges

Page 11

Common Problem - Authorization

• Defend in depth
• Single perimeter defense is not sufficient
• Apply the most extensive protection to the most valuable assets

Reference: http://www.csoonline.com/article/…/information-security-defense-in-depth-lessons-from-a-bronze-age-fort

Page 12

Your Authz Fortress

(Diagram: Client Terminal, Secure Message Queue, VM / Service)

• All cloud credentials and IAM policies auto-generated and managed programmatically
• All interactions defined and reportable by authz policies
• All interactions checked by authz
• All secrets distributed programmatically
  ◦ Cloud keys, key pairs, passwords, etc. fetched via human or robot identity
  ◦ Automated key/password rotation
• Signed queue messages
• Encryption in transit
• Every interaction recorded to IaaS and application audit

Page 13

Amazon IAM - Automate It

Strengths:
• Very detailed, granular
• Easy to propagate privileges to VMs via IAM Roles for EC2
• Gives a way to propagate privileges from users to VMs
• Can bootstrap to other privileges
• IAM actions are captured in CloudTrail (AWS audit)

Weaknesses:
• Hard to use fine-grained permissions for development
• Trial and error
• No high-level reporting on permissions

Page 14

"Wiring": Connecting Systems Together

Each key establishes a connection between two application components

A component without keys is "orphaned" and harmless / non-functional

Page 15

Secrets: the Snowflake Problem

• Manual copying → snowflakes, loss
• Manual policies → privilege creep

Manual → entropy → failure

Page 16

Configuration Management is not Key Management

Configuration management may FEEL like a good way to distribute secrets…

…but this is just a case of wielding a hammer and treating everything as a nail.

Configuration management doesn't handle secrets, authz, or audit very well.

Page 17

Configuration Management is Confusing People About Secrets

Configuration Management is not Key Management

Two orthogonal concerns:
1. Install packages and establish configuration settings
2. "Wire up" the system with identity and secrets

System "wiring" should not be in the domain of configuration management

Page 18

Example: Chef

Encrypted data bags: "The chef-client uses shared secret encryption"

• How is the shared secret distributed?
• You still need a secrets API, host identity and permissions system

Page 19

So Again

Configuration != Secrets

Page 20

Secrets is its Own Problem

It is not a sub-category of Configuration Management BECAUSE it is all about identity and authorization (separation of roles and concerns)

"Least privilege", "separation of duties", "audit" → these are the key requirements

Page 21

Automate All Secrets

1. Assign identity to host
2. Grant privileges to host
3. Fetch secrets via command line or configuration management helper
4. Better yet, fetch and use secrets on demand and keep them off machines

Command line (the `secrets` command on the slide stands for whatever secrets CLI is in use):

    # Establish identity of the host
    secrets login -u hostid
    # Obtain secret
    secrets fetch stage/mysql/password > /etc/mysql_password

Configuration management helper (a Chef recipe that fetches the secret at converge time instead of storing it in a data bag):

    pwd = secrets.fetch "stage/mysql/password"
    template "/etc/mysql.conf" do
      source "mysql.conf.erb"
      variables password: pwd
    end
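The four steps above, as an added example that is not Conjur's code or the deck's: a small in-memory secrets service in Ruby (the language of the Chef helper on the slide). The class name SecretsService, the role "stage/webservers", the host and secret ids, and the sample password values are assumptions made for illustration. It covers identity assignment (only a digest of the host's API key is stored), role-based grants, an authorization check plus an audit entry on every fetch including denials, token expiry, and an on-demand accessor that hands the value to a block instead of writing it to a file.

```ruby
require "securerandom"
require "digest"
require "time"

# Added example (not Conjur's code): an in-memory model of the four steps on
# this slide. The class name, the "stage/webservers" role and the secret ids
# are assumptions made for illustration.
class SecretsService
  Token = Struct.new(:value, :host_id, :expires_at)

  attr_reader :audit

  def initialize(token_ttl: 600)
    @host_keys = {}                              # host id => SHA-256 of its API key, never the key
    @members   = Hash.new { |h, k| h[k] = [] }   # role => host ids holding that role
    @grants    = Hash.new { |h, k| h[k] = [] }   # secret id => roles allowed to read it
    @secrets   = {}
    @tokens    = {}
    @audit     = []
    @token_ttl = token_ttl
  end

  # Step 1: assign identity. The API key is returned once; only its digest is
  # kept, so a dump of the service's own store does not leak host credentials.
  def add_host(host_id)
    api_key = SecureRandom.hex(32)
    @host_keys[host_id] = Digest::SHA256.hexdigest(api_key)
    api_key
  end

  def add_secret(secret_id, value)
    @secrets[secret_id] = value
  end

  # Step 2: grant privileges. Privileges attach to roles and hosts are made
  # members of roles, which keeps grants reusable across hosts of one kind.
  def add_member(role, host_id)
    @members[role] << host_id
  end

  def grant(role, secret_id)
    @grants[secret_id] << role
  end

  # The host proves identity with host id plus secret and receives a short-lived token.
  def login(host_id, api_key, now: Time.now)
    stored = @host_keys[host_id]
    ok = !stored.nil? && constant_time_equal?(stored, Digest::SHA256.hexdigest(api_key))
    record(host_id, "login", nil, ok, now)
    raise "authentication failed for #{host_id}" unless ok
    token = Token.new(SecureRandom.hex(16), host_id, now + @token_ttl)
    @tokens[token.value] = token
    token.value
  end

  # Step 3: fetch. Every read is authorized against the grants and written to
  # the audit trail, denials included, so a breach can be reconstructed later.
  def fetch(token_value, secret_id, now: Time.now)
    token = @tokens[token_value]
    raise "invalid or expired token" unless token && now < token.expires_at
    allowed = @secrets.key?(secret_id) &&
              (@grants[secret_id] & roles_of(token.host_id)).any?
    record(token.host_id, "fetch", secret_id, allowed, now)
    raise "#{token.host_id} is not permitted to read #{secret_id}" unless allowed
    @secrets[secret_id]
  end

  # Step 4: use on demand. The value is yielded to the caller (e.g. to open a
  # DB connection) and this helper never writes it to disk.
  def with_secret(token_value, secret_id, now: Time.now)
    yield fetch(token_value, secret_id, now: now)
  end

  private

  def roles_of(host_id)
    @members.select { |_role, hosts| hosts.include?(host_id) }.keys
  end

  def record(host, action, secret, allowed, at)
    @audit << { at: at.utc.iso8601, host: host, action: action, secret: secret, allowed: allowed }
  end

  def constant_time_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk-through: a stage web server may read the stage MySQL password and nothing in prod.
def secrets_demo
  svc = SecretsService.new
  svc.add_secret("stage/mysql/password", "s3cr3t-stage")   # constructed sample values
  svc.add_secret("prod/mysql/password", "s3cr3t-prod")
  api_key = svc.add_host("stage/webserver-1")
  svc.add_member("stage/webservers", "stage/webserver-1")
  svc.grant("stage/webservers", "stage/mysql/password")

  token = svc.login("stage/webserver-1", api_key)
  dsn = svc.with_secret(token, "stage/mysql/password") { |pw| "mysql://app:#{pw}@db.stage/app" }
  denied = begin
    svc.fetch(token, "prod/mysql/password")
    nil
  rescue RuntimeError => e
    e.message
  end
  [dsn, denied, svc.audit]
end
```

Running `p secrets_demo` prints the stage connection string, the denial message for the prod secret, and three audit entries. Recording the denial is the part that matters for the "very few companies can recreate what happened" problem from slide 2: a host probing for secrets it was never granted shows up in the trail before anything is lost.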

Page 22

Identity is the Foundation of Permissions

• Identity is the means to an end
  ◦ Control and certainty
• The end is granting roles which have privileges
• Role grants must flow from a higher authority

Page 23

Host Identity

• AWS provides trusted source IP

Strengthen with:
• Credentials → Host Id plus Secret
• SSL mutual authentication
  a. Derive certificates from master trusted cert

Page 24

Identity via Authority

• Identity flows from a central authority
• Trust in the authority must be built in

Page 25

An Authority for AWS

• A web service
  ◦ Like everything else
• In a dedicated AWS account
  ◦ So that there is no way to accidentally "leak" privilege to access the authority box
• Issues expiring auth tokens
• Holds a certificate which is trusted by the rest of the system

Page 26

Establish Trust With a Certificate

• Create a "simple" CA
• Build AMI with the embedded CA cert
• All your VMs will trust this cert

Page 27: Conjur - AWS Boston Meetup 2014 - Defense in Depth

3OXV�SURSDJDWLQJ�LGHQWLW\�RI�RULJLQDO�UHTXHVWHU

3OXV�DQ�LGHQWLW\�EDVHG�DXWK]�JDWHNHHSHU

3OXV�D�VKDUHG�VHFUHW

6HUYLFH�WR�6HUYLFH�$XWK]

$�0DWXULW\�0RGHO�IRU�$SSV�DQG�&RQWURO�3ODQH

7UXVW�HYHU\WKLQJ��UHVWULFW�WUDIILF�YLD�VHFXULW\�JURXSV 6HFXULW\�JURXS�VHWWLQJV�

FDQ�EH�PRGLILHG

Page 28

AWS IAM Bad Behavior Example

• Launch a VM from AWS Marketplace
• VM requests an "administrator" level credential
• Push back to vendor yields the actual policy that the VM needs

Reference: http://forum.xda-developers.com/showthread.php?t=…

Page 29

AWS IAM Better Behavior

Better Solution:
• VM setup script requests an admin credential
• VM creates and saves its own identity and minimal policy
• VM "forgets" the admin credential

Page 30

AWS IAM Best Behavior

Best Solution:
• Vendor provides policy
• Admin creates IAM role and applies policy
• Admin grants the IAM role to the VM

→ No storage of credentials on disk
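Added example, not the deck's code: the policy documents behind these three slides, and a small linter of the kind IAM did not offer at the time (slide 13, "no high-level reporting on permissions"). The bucket name vendor-appliance-updates, the vend­or's two policies and the action list in ESCALATION_ACTIONS are constructed for illustration; the trust-policy shape with an ec2.amazonaws.com principal and sts:AssumeRole is the standard one for an EC2 instance role.

```ruby
require "json"

# Added example, not the deck's code. The bucket, the vendor policies and the
# escalation list are constructed for illustration.

# Slide 28: what the Marketplace VM asked for, an "administrator" credential.
VENDOR_ADMIN_POLICY = <<~JSON
  { "Version": "2012-10-17",
    "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
JSON

# Slide 30: the policy the vendor actually needs once pushed back on.
VENDOR_MINIMAL_POLICY = <<~JSON
  { "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::vendor-appliance-updates",
                     "arn:aws:s3:::vendor-appliance-updates/*"] },
      { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*" } ] }
JSON

# Trust policy of the IAM role the admin attaches to the instance. EC2 assumes
# the role and hands the VM temporary credentials through the instance metadata
# service, which is why nothing has to be written to disk.
EC2_TRUST_POLICY = <<~JSON
  { "Version": "2012-10-17",
    "Statement": [ { "Effect": "Allow",
                     "Principal": { "Service": "ec2.amazonaws.com" },
                     "Action": "sts:AssumeRole" } ] }
JSON

# Actions that let a principal widen its own privileges; any of these in a
# third-party policy deserves a question back to the vendor.
ESCALATION_ACTIONS = /\A(iam:\*|iam:passrole|iam:create\w+|iam:attach\w+|iam:put\w+policy|sts:assumerole)\z/

# Returns human-readable findings for overbroad Allow statements; empty means clean.
def policy_findings(policy_json)
  doc = JSON.parse(policy_json)
  Array(doc["Statement"]).each_with_index.flat_map do |st, i|
    next [] unless st["Effect"] == "Allow"
    actions   = Array(st["Action"]).map(&:downcase)
    resources = Array(st["Resource"])
    findings  = []
    findings << "statement #{i}: Allow with NotAction grants everything not listed" if st.key?("NotAction")
    findings << "statement #{i}: wildcard Action '*'" if actions.include?("*")
    actions.grep(ESCALATION_ACTIONS) { |a| findings << "statement #{i}: '#{a}' allows privilege escalation" }
    # Resource "*" is normal for actions that are not resource-scoped (e.g.
    # cloudwatch:PutMetricData), so flag it only next to service-wide actions.
    broad = actions.any? { |a| a == "*" || a.end_with?(":*") }
    findings << "statement #{i}: wildcard Resource combined with broad actions" if broad && resources.include?("*")
    findings
  end
end

# The check an admin makes before putting a role into an instance profile.
def ec2_assumable?(trust_policy_json)
  Array(JSON.parse(trust_policy_json)["Statement"]).any? do |st|
    st["Effect"] == "Allow" &&
      Array(st["Action"]).include?("sts:AssumeRole") &&
      Array(st.dig("Principal", "Service")).include?("ec2.amazonaws.com")
  end
end
```

The "best" flow of slide 30 then reads: run `policy_findings` on the document the vendor sends, create the role with `EC2_TRUST_POLICY`, attach the clean policy, and assign the role's instance profile to the VM. The linter is deliberately narrow; it reports the two things that turned the vendor's "administrator" request into a conversation (wildcard action and resource) and the IAM/STS actions that let a VM grant itself more later.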

Page 31

Secure the Control Plane

• Invest in SSL for your control plane services
• Robust authn + authz for admin access to boxes
  ◦ PRIVATE KEYS ISSUED BY EC2 ARE FOR EMERGENCY ACCESS ONLY
  ◦ 2-factor auth
  ◦ Authorization (e.g. LDAP) which is separate from and additional to authentication makes de-provisioning much easier

Page 32

Identity Propagation - Stronger than Service Identity

(Diagram) Privileged User (Identity) → Service A → User Identity Propagated to Service B → Next Service…
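Added example, not the deck's code: the diagram above together with the upper three rungs of the slide 27 maturity model, side by side in Ruby. Service A relays a user's request to Service B and B's gatekeeper decides. The users alice and bob, the service names, the report data and the keys are constructed for illustration, and an HMAC key held only by the authority and the gatekeeper stands in for the authority's signing certificate to keep the example short. What it shows is the gap the slide title refers to: with service identity alone, B cannot tell whether alice or bob is behind A's request, so A's privilege is the ceiling; with the user's own authority-issued token propagated, a compromised A gains nothing its callers did not already have.

```ruby
require "openssl"
require "json"
require "base64"

# Added example, not the deck's code. Users, services, reports and keys are
# constructed; the HMAC key stands in for the authority's certificate.
AUTHORITY_KEY   = "authority-signing-key-example"       # held by the authority and B's gatekeeper
A_SHARED_SECRET = "service-a-shared-secret-example"     # level 2: a secret A presents to B
REPORTS = { "alice" => "alice's payroll report", "bob" => "bob's payroll report" }
SERVICES_ALLOWED_TO_CALL_B = ["service-a"]

def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Run by the authority only: tokens for services and for users come from the same place.
def authority_issue(subject)
  body = Base64.strict_encode64(JSON.generate("sub" => subject))
  "#{body}.#{OpenSSL::HMAC.hexdigest('SHA256', AUTHORITY_KEY, body)}"
end

# Returns the claims if the token was signed under `key`, else nil.
def verify_claims(key, token)
  body, mac = token.to_s.split(".", 2)
  return nil unless body && mac
  return nil unless constant_time_equal?(mac, OpenSSL::HMAC.hexdigest("SHA256", key, body))
  JSON.parse(Base64.strict_decode64(body))
rescue ArgumentError, JSON::ParserError
  nil
end

# Level 2: whoever presents the shared secret reads any report.
def gatekeeper_level2(shared_secret, owner)
  return :denied unless constant_time_equal?(shared_secret.to_s, A_SHARED_SECRET)
  REPORTS.fetch(owner, :denied)
end

# Level 3: B knows which service is calling but nothing about the end user, so
# a request A relays for bob can still read alice's report (the confused deputy).
def gatekeeper_level3(service_token, owner)
  svc = verify_claims(AUTHORITY_KEY, service_token)
  return :denied unless svc && SERVICES_ALLOWED_TO_CALL_B.include?(svc["sub"])
  REPORTS.fetch(owner, :denied)
end

# Level 4: A forwards the user's authority-issued token next to its own. B
# checks both and authorizes on the user. A cannot mint a user token because
# it does not hold AUTHORITY_KEY.
def gatekeeper_level4(service_token, user_token, owner)
  svc  = verify_claims(AUTHORITY_KEY, service_token)
  user = verify_claims(AUTHORITY_KEY, user_token)
  return :denied unless svc && SERVICES_ALLOWED_TO_CALL_B.include?(svc["sub"])
  return :denied unless user && user["sub"] == owner
  REPORTS.fetch(owner, :denied)
end

# Service A as the diagram draws it: it adds its own token and passes the
# caller's token through untouched.
def service_a_relay(a_token, caller_token, owner)
  gatekeeper_level4(a_token, caller_token, owner)
end
```

The assertion to notice is the level-3 one: `gatekeeper_level3(a_token, "alice")` succeeds regardless of who asked A, which is exactly what propagating the original requester's identity is meant to close. In a real deployment the HMAC key would be replaced by signature verification against the authority's certificate (slide 26), so that B holds no secret capable of minting tokens either.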

Page 33

Recap - Groundwork

1. Use a separate AWS account for security purposes
2. Build an AMI to trust this authority
   a. Wire up logging, monitoring, etc. while you are at it
3. Issue identity from this service

Page 34

Recap - IAM

1. Automate the generation of IAM users, roles, and policies
   a. Combine this logic into testable, reusable, secure modules
2. Use IAM roles to bootstrap VMs into other privileges
   a. e.g. a 'dev-webserver' IAM role, granted to the 'developers' user group, grants access to secrets appropriate to the web servers

Page 35

Recap - Secrets

1. Treat management of Secrets as its own problem
   a. Don't distribute them by hand
2. Use EC2 RAM and ephemeral storage to store secrets
   a. Won't be captured in backups

Page 36

Thank you!

@kegilpin @ConjurInc

www.linkedin.com/in/jasoncalvert