![Page 1: Hardening Microservices Security: Building a Layered Defense Strategy](https://reader031.vdocuments.mx/reader031/viewer/2022022414/58767ea71a28ab1b158b54d7/html5/thumbnails/1.jpg)
Securing Microservices: Threat Modelling and Session Security
Presented by David Hoelzer (SANS) and Matt Silverlock (CloudFlare)
What is a "microservice"?
(and what security challenges do they bring?)
What is a microservice?
● Modular approach to building services.
● Reinvention of the Service Oriented Architecture (SOA) model.
● Microservices often declare API contracts, but development & deployment are self-contained.
What is a microservice?
Benefits
● Less coupling: easier to reason about changes.
● Apply the most appropriate technology to the problem at hand.
● Better suits larger organizations with multiple teams.
● Easier to test when self-contained: less infrastructure to spin up when iterating.
What is a microservice?
Challenges
● Multiple moving parts: more surface area to secure as services communicate with each other.
● Can add complexity in smaller organizations: more tech stacks to maintain, update and patch.
● The need to define formal API contracts so that services with different development cycles can reliably communicate with each other.
Threat Modelling
Understand what you're defending against.
Threat Modelling
● Stop thinking about what it’s supposed to do
  ○ Stand back and try to think about how someone could abuse it
  ○ Start where you have security mitigations
  ○ Next, think about where you don’t and the assumptions made
Threat Modelling (diagram slides)
What’s the Point?
● Organizations have many mitigations
  ○ Firewalls, AV, IDS, etc.
● The threat is not clearly identified by any single activity
  ○ It’s the behavior rather than a signature
What’s the Point for Microservices?
● Monolithic Web Applications
  ○ Session issues are a very well known problem
● Microservices
  ○ We still have sessions, but they are often far more stateless!
  ○ How do we define an authenticated “session”?
  ○ Are there behaviors that we can defend against?
Microservices Session Threat (diagram slide)
Microservices Session Impersonation (diagram slide)
Threat Modelling
● Everyone watches for repeated authentication failures
  ○ Do you currently include anything in the session verification process?
Threat Modelling
● API keys are a possible approach
  ○ Issue public/private keypair
  ○ All requests must be signed with public key
    ■ more computation, but not awful
● How critical is it that the API keys are protected by end users or apps?
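An added illustration of the signed-request approach on this slide, written for this write-up rather than taken from the talk: the client signs each request with its private key and the service verifies it with the public key it has on file (signing is always done with the private half; the public half only verifies), and the verifier keeps a per-key failure count so that repeated bad signatures can be watched the way the earlier slide says everyone already watches repeated login failures. The key id, the canonical string, the timestamp skew window and the sample request are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)
// Request is a constructed wire format: the signature covers method, path, body and a
// timestamp, so a captured request can be neither altered nor replayed much later.
type Request struct {
	KeyID, Method, Path string
	Body, Signature     []byte
	Timestamp           int64 // unix seconds
}
// canonical is the exact byte string both client and service sign and verify.
func canonical(r Request) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%s", r.Method, r.Path, r.Timestamp, r.Body))
}
// Sign is the client side: the private key never leaves the caller.
func Sign(keyID string, priv ed25519.PrivateKey, method, path string, body []byte, ts int64) Request {
	r := Request{KeyID: keyID, Method: method, Path: path, Body: body, Timestamp: ts}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r
}
// Verifier is the service side: it holds only public keys, plus a per-key failure
// count so repeated bad requests feed the same alerting as repeated login failures.
type Verifier struct {
	Keys     map[string]ed25519.PublicKey
	Failures map[string]int
	MaxSkew  int64 // seconds a request timestamp may differ from the server clock
}
func (v *Verifier) Verify(r Request, now int64) (err error) {
	defer func() { if err != nil { v.Failures[r.KeyID]++ } }() // the count is the behaviour signal
	pub, ok := v.Keys[r.KeyID]
	switch {
	case !ok:
		return fmt.Errorf("unknown key id %q", r.KeyID)
	case r.Timestamp < now-v.MaxSkew || r.Timestamp > now+v.MaxSkew:
		return fmt.Errorf("timestamp outside allowed skew")
	case !ed25519.Verify(pub, canonical(r), r.Signature):
		return fmt.Errorf("bad signature for key %q", r.KeyID)
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed keypair; a real deployment issues one per client
	v := &Verifier{Keys: map[string]ed25519.PublicKey{"svc-a": pub}, Failures: map[string]int{}, MaxSkew: 300}
	req := Sign("svc-a", priv, "POST", "/orders", []byte(`{"sku":1}`), time.Now().Unix())
	fmt.Println("valid:", v.Verify(req, time.Now().Unix()), "failures so far:", v.Failures["svc-a"])
}
```

The failure map is the hook for the "behavior rather than a signature" point: a threshold or rate on it per key is what turns individual rejected requests into something you can alert on.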
Threat Modelling
● Session issues are not new
  ○ Microservices change the game, since these are inherently non-monolithic applications
  ○ It is critical that the “we do one thing well” philosophy includes a thoughtful analysis of potential threats and exposures
● Requires threat-focused defensive coding
Layered Defenses
There are no silver bullets.
Layered Defenses
● Offload work to the network edge: validate traffic (firewall, reputation, rate limiting) before it reaches your services.
Layered Defenses
● Protect your resources: prevent outside attackers from consuming resources (spawning more containers may not be the solution)
Layered Defenses
● Protect your data: multiple discrete services now accessing shared datastores. Each service should only access what it needs, and no more.
Layered Defenses
● Secure containers: authenticate endpoints, support revocation, and keep images updated.
Layered Defenses
● Know what you're running: always pulling down the latest image from an image repository or from GitHub may not be a great idea.
Layered Defenses
● Manage secrets: do your microservices have access to the secrets they need, and only the secrets they need?
Questions & Answers