Security recipes for the new digital era
RSA Conference, Session ID: CSV-R04
Tomás Herranz, Head of Engineering & SecDevOps, Security Architecture, BBVA (@tomasherranz)

Uploaded by hahuong, 17-Feb-2018

TRANSCRIPT

Introduction: current situation

- +135k employees company
- +20 different innovation teams
- +50 different innovation projects
- Agile methodologies
- +100 different technologies ... and growing!

Introduction

Bad news: and they all require security! (Picture: poor security guy)

Good news: change of paradigm

Introduction: security skills revisited

- Prepare to code (again)
- Flexible
- Keep updated (self-learner)
- Become a transformation enabler, not a stopper

Introduction: from tailor-made to generic solutions

FROM (tailor-made solutions)        TO (generic solutions)
Months to develop + deploy          Minutes to deploy
Hard to administrate & monitor      Central point of administration & monitoring
Monolithic architecture             Modular architecture
Expensive $$$                       Almost 'free'

Introduction: build vs buy

BUILD                    BUY
Competitive advantage    Commodity
Innovation               Mature
Flexible                 Business as usual

Security cook book

Recipe: a set of ingredients plus a set of instructions
Based on: what we learnt, what worked for us

Recipe #1: One proxy to rule them all

- Single entry point
- Technology agnostic, just HTTP services
- Standard & homogeneous solutions

Ingredients:
- WAF: ModSecurity + OWASP Core Rule Set
- Web server: Apache/Nginx
- Spring Security, MongoDB, Redis
- AV: ClamAV (optional)

Instructions: one proxy to rule them all

Recipe #1: One proxy to rule them all: AuthN + AuthZ

(Diagram: a single entry point, the security reverse proxy, in front of Backend 1, Backend 2 and Backend 3.)

AuthN:
- Basic auth
- Biometrics
- Delegated auth (SAML, OAuth)
- Second factor

AuthZ:
- Local AuthZ
- Delegated AuthZ

Recipe #1: One proxy to rule them all: features

- Modular
- Hot protection
- Easy to deploy
- Ready 4 Cloud
- WAF + AV
- Standard
- Open source
- API-fied
- Monitored

Recipe #1: One proxy to rule them all: what we used

- Spring Security: powerful and highly customizable authentication and access-control framework (with Redis, MongoDB and Logstash).
- Standards: OAuth2 + JWT, SAMLv2.
- ModSecurity: open source Layer 7 application firewall with the OWASP Core Rule Set.
- ClamAV: open source antivirus.
- Docker and Ansible (Docker container, Ansible playbook): open platform for developers and sysadmins to build, ship, and run distributed applications.
- ELK Stack (ElasticSearch + Logstash + Kibana): collect, parse, and store logs for later use.

Recipe #1: One proxy to rule them all: introducing the proxy's services

AuthN: local AuthN, delegated AuthN, SSO, second factors
AuthZ: local AuthZ, delegated AuthZ
User lifecycle: user CRUD, password reset
Security services: data transit encryption, secure credential vault
Monitoring: health services
Logging: standard logging, audit logging
Admin frontend

Recipe #1: One proxy to rule them all: frontend screenshots

(Screenshots of the admin frontend; not reproduced in the transcript.)

Recipe #2: Policy enforcement

- Segregate access decision from point of use
- Use standards

Ingredients:
- WSO2 Identity Server (PDP)
- Security proxy (PEP)
- External apps info (PIP)
- XACML 3.0 (JSON support)

Instructions: policy enforcement

Recipe #2: Policy enforcement: XACML components

PEP: policy enforcement point
PDP: policy decision point
PAP: policy administration point
PIP: policy information point
PRP: policy retrieval point

Recipe #2: Policy enforcement: architecture

(Diagram: the security reverse proxy acts as PEP and single entry point in front of Backend 1, Backend 2 and Backend 3; it consults the PDP, which is backed by the PIP, PAP and PRP.)

PRP: code repository (e.g. Git)
- Versionable
- 'Human readable'

Recipe #2: Policy enforcement: sample policies

PRP contents: security policy, business policy.
If you want to go further: historical data, behavior analysis, scoring system (policy chain).

Policy 1:
  Allow access to resource Accounts with attribute CustomerID=x
    if Subject match AccountOwner
    and action is read
  with obligation
    on Permit: doLog_Inform(CustomerID, Subject, time)
    on Deny:   doLog_UnauthorizedLogin(CustomerID, Subject, time)

Policy 2:
  Allow access to resource Accounts with attribute CustomerID=x
    if SourceIP match KnownIPList
    and action is write
  with obligation
    on Permit: doLog_Inform(CustomerID, Subject, time)
    on Deny:   doLog_UnauthorizedLogin(CustomerID, Subject, time)
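The two sample policies, worked through as a small PDP/PEP model. This is an added example, not code from the talk or from WSO2: the request shape is a simplified stand-in for an XACML 3.0 JSON request, and the account-owner table and known-IP list are constructed PIP data.

```python
from dataclasses import dataclass

# Constructed PIP data, standing in for the "external apps info" the slide's PIP
# would supply: CustomerID -> AccountOwner, and the KnownIPList.
ACCOUNT_OWNER = {"c-1001": "alice", "c-1002": "bob"}
KNOWN_IP_LIST = {"10.0.0.5", "10.0.0.6"}

@dataclass(frozen=True)
class Request:
    """Simplified stand-in for an XACML 3.0 JSON request (not WSO2's actual format)."""
    subject: str       # who is asking
    customer_id: str   # attribute CustomerID of resource Accounts
    action: str        # read / write / ...
    source_ip: str
    time: str

def owner_may_read(req: Request) -> bool:
    # Policy 1: "if Subject match AccountOwner and action is read"
    return req.action == "read" and ACCOUNT_OWNER.get(req.customer_id) == req.subject

def known_ip_may_write(req: Request) -> bool:
    # Policy 2: "if SourceIP match KnownIPList and action is write"
    return req.action == "write" and req.source_ip in KNOWN_IP_LIST

# Permit rules for resource Accounts; a request matching none of them is denied,
# which is what fires the slide's "on Deny" obligation.
PERMIT_RULES = [owner_may_read, known_ip_may_write]

def pdp_evaluate(req: Request):
    """PDP: returns (decision, obligations) for the PEP to act on."""
    args = (req.customer_id, req.subject, req.time)
    if any(rule(req) for rule in PERMIT_RULES):
        return "Permit", [("doLog_Inform",) + args]
    return "Deny", [("doLog_UnauthorizedLogin",) + args]

KNOWN_OBLIGATIONS = {"doLog_Inform", "doLog_UnauthorizedLogin"}

def pep_enforce(req: Request, obligation_log: list) -> bool:
    """PEP (the security reverse proxy): grant only on Permit, and only after every
    obligation has been discharged; an obligation it cannot honour fails closed."""
    decision, obligations = pdp_evaluate(req)
    if any(ob[0] not in KNOWN_OBLIGATIONS for ob in obligations):
        return False
    obligation_log.extend(obligations)   # discharge: here, write the audit entries
    return decision == "Permit"
```

Note that Policy 2, as written on the slide, permits a write from any address in the known-IP list regardless of who the subject is; the model reproduces that so the gap is visible when you run it.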

Recipe #3: Speedy surf board: automating security deployments

Eat, sleep, AUTOMATE, repeat.

- Easily deploy security
- Technology agnostic
- Fast
- Repeatable

Ingredients:
- Ansible
- Terraform

Instructions: speedy surf board: automating security deployments

The wave has come ... and you need a speedy surfboard to ride it. Automation becomes a MUST.

Recipe #3: Speedy surf board: Chimera

(Diagram: Chimera deploys recipes from the recipe catalog into Project 1, Project 2 and Project 3.)

Recipe catalog:
- Security proxy
- IDS
- IPS
- IdP
- Second factor gateway

Recipe #3: Speedy surf board: under the hood

(Diagram labels: recipe repository, Chimera, API, SSH.)

Benefits:
- Central control, monitor & audit
- Cloud agnostic
- Seconds to deploy
- Completely API-fied

What we achieved

One proxy to rule them all
  Business impact: new technologies enabled in a secure manner; security development cost reduced
  Metric: time to protect, 20+ days -> 3 days

Policy enforcement
  Business impact: human interaction reduced (less prone to errors); centralized policies repository (better control)
  Metric: time to enforce, 2 days -> 0 (instant!)

Speedy surf board: automating security deployments
  Business impact: security deployment costs reduced; reduced bureaucracy
  Metric: time to deploy, 3 days -> 1 minute

Top ten tips

1) Anticipate to be able to run with business
2) Adopt, take advantage of new ways of doing things
3) Change of attitude: less 'No' and more 'Not that way'
4) Keep transparent
5) Agile and flexible
6) Be standard
7) Read, read and read ...
8) Segregation of duties
9) Automate as much as you can
10) Keep calm... and just ride the wave ...

Thanks!!!

References

- WSO2 Identity Server
- ELK stack explained
- How to install ELK stack
- IETF XACML 3.0
- AAA authorization framework
- Ansible
- Terraform

* All the pictures used in this presentation are under the 'Creative Commons CC0' license.