The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
0 likes59 views
The document discusses cloud security vulnerabilities, focusing on exposed cloud instances and the risks of sensitive data leakage due to poor access controls and compromised credentials. It emphasizes the importance of automating data security, outlining a framework for DataSecOps that integrates continuous security practices within data operations. The presentation highlights the need for strong authentication measures and just-in-time access provisioning to enhance data security while facilitating productivity.
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
- 2. Trending Actual Cloud Attacks - Eliminate the noise Alex Geleg
- 6. Attack Flow Attacker’s Machine Vulnerable Cloud Hosted Website Cloud Instance/Pod Internal Infrastructure Roles and Permissions
- 7. Impact • Reputation • Disruption of Service • Leakage of sensitive data • Regulatory fines
- 8. Mitigation Access to internal services Restrict Continuously for web and infrastructure vulnerabilities Scan Privileges and Roles Control
- 10. Attack Flow Attacker’s Machine Organization GitHub Cloud accounts and resources S3 buckets and Blobs Website Source Code API-Keys And Secret keys
- 11. Impact • Financial damage from key abuse • Infrastructure access and takeover • Sensitive data leakage
- 12. Mitigation Git, Web Applications and Exposed Storage Scan Developers not to store cleartext keys Train Control Privileges Control
- 15. Impact • Lack of detection • Long time organization assets abuse • Cloud Account takeover
- 16. Mitigation a strong and long Password Policy Maintain Multi Factor Authentication (MFA) Enable Inactive Identities and empty groups Delete Access Keys Rotate
- 18. Reducing Operational Costs by Automating Data Security Ben Herzberg
- 19. January 2023 © 2023 Satori Inc. All rights reserved. Reducing Operational Costs by Automating Data Security
- 20. 20 About Me @KernelXSS https://www.linkedin.com/in/sysadmin ben@satoricyber.com ● Co-author of “Snowflake Security” (Apress) ● A DataSecOps Guy ● Chief Scientist, Satori ● Now also VPM :) ● Formerly: ○ Head of Research (Imperva) ○ CTO (Cynet)
- 21. 21 Agenda ● Data & Data Security ● DataSecOps ● Why Automate? And Why Now? ● What & How Do You Automate? ● Examples ● Q&A
- 22. Intro: Data and Data Security
- 23. 23 *Source: Statista, 7 June 2021 .
- 24. 24 Default To Know Need To Know Need To Share
- 29. DataSecOps
- 31. 31 DevOops DevOps as a team, not as a mindset Misconfigurations and Change Management Cost of security-as-a-patch can be high Security has to be bolted into the process!
- 32. 32 From DevOps to DevSecOps ● Shift-left ● Incremental changes ● Automation ● Security is embedded into the process Source: https://meming.world
- 33. 33 So… What’s DataSecOps? An agile, holistic, security-embedded approach to coordination of the ever-changing data and its users, aimed at delivering quick data-to-value, while keeping data private, safe and well-governed.
- 34. 34 DataSecOps Principles ● Security as continuous part of their data operations, not an afterthought ● Ad-hoc continuous ● Separation of environments, testing & automation ● Prioritization is key - mostly sensitive data ● Data is clearly owned ● Simplified & deterministic data access
- 36. 36 Would you do Manual DevSecOps?
- 37. Why Automate?
- 38. We are a billion dollar company but anyone can run a SQL query and get a million email addresses. VP Data Engineering, SaaS Company ״ I have an army of people creating users, roles and views. By the time they are done, it's already outdated. CDO, Financial Services Company ״ Security vs. Productivity
- 39. We all know… 29% loss of revenue due to Data Breach.
- 40. But this is AS IMPORTANT… Between 60% and 85% of data projects fail. DevOps + Data engineering teams experience 20%-30% loss of productivity.
- 41. Or looking at it from another perspective… 62% says security & compliance slows down data projects 71%-79% Of Data Leaders Deal with PII
- 42. Automated Compliance Always know where data is, who has access to it, what are they doing with it Tight Security User can only access data they need when they need it Productivity Central governance, distributed operations with no restrictions on data architecture Key benefits of Just-in-Time Automated Access
- 45. What & How To Automate
- 46. 46 What To Automate? ● Whatever: ○ has the most effect on security & compliance ○ is taking its toll ● Meaning: ○ Log processing ○ Data access (Authentication & Authorization) ○ Security policies
- 47. 47 The Challenge ● Security teams are in charge of security ● Data is (usually) a black box
- 48. 48 The Journey to Access Automation Level 1 Level 2 Level 3 Data Access Model Ad-hoc Access Basic Access Management Just-in-Time Access Provisioning Employees get access upfront when they join or ad-hoc when requested. Basic RBAC framework. Employees get access Just-in-Time based on business needs. Permissions Persistence 100% High 90% Based on business needs (~20%) Automation Fully manual Role provisioning Some policies Fully automated Typical Time 1-3 months 6-9 months 12-18 months
- 49. 49 How? ● DIY ● Orchestration ● Data Security Platform 😸
- 51. 51 DevOps: Access To Production ● Productivity was NOT top concern. ● 25% of DevOps time was spent on granting/revoking permissions, etc. ● Moving to JIT → several headcounts are now working on MEANINGFUL things. ● Factors: # data users, grant time, revoke time, monitoring time, pager duties
- 52. 52 Data Engineers: DWH ● Project initiated by the data team (DIY) ● Tale chasing: ○ Masking, RLS ○ Managing RBAC, ABAC ○ Moving targets ● # data users, time to set policies which gets longer, roles management/explosion
- 53. Conclusion
- 54. 54 Takeaways ● It’s 2023 ● Got data? users? congrats, you need to automate. ● Choose how!
- 55. 55 Thanks! (+Questions) @KernelXSS https://www.linkedin.com/in/sysadmin ben@satoricyber.com Keep in touch! Read More satoricyber.com blog.satoricyber.com
- 56. Keep your BigQuery data encrypted Ran Tibi
- 57. Keep your BigQuery data encrypted Ran Tibi
- 58. 58
- 62. 62 {"id": "1", "email": "ran@example.com"} {"id": "2", "email": "rose@example.com"} {"id": "3", "email": "fox@example.com"} {"id": "4", "email": "pilot@example.com"} users.json
- 63. 63
- 65. 65 Application BigQuery GCS PubSub Dataflow Encryption in transit SSL SSL SSL SSL SSL SSL SSL
- 66. 66 Application BigQuery GCS PubSub Dataflow Encryption in transit Encryption at rest SSL SSL SSL SSL SSL SSL SSL
- 67. 67
- 68. 68 Application BigQuery GCS PubSub Dataflow Encryption in transit Encryption at rest Application layer encryption SSL SSL SSL SSL SSL SSL SSL
- 69. 69
- 70. SELECT email, DECRYPT(email) decrypted_email FROM `app.users_encrypted` 70
- 71. AEAD Functions Authenticated Encryption with Associated Data ● Encrypt ● Decrypt ● Create keyset ● … 71
- 72. 72 DECLARE keyset BYTES; set keyset = from_base64('CKeEwo...MOqyAB'); select email, DETERMINISTIC_DECRYPT_STRING(keyset, email, "") AS decrypted_email FROM `aead-poc.app.users_encrypted`;
- 73. 73 DECLARE keyset BYTES; set keyset = from_base64('CKeEwo...MOqyAB'); select email, DETERMINISTIC_DECRYPT_STRING(keyset, email, "") AS decrypted_email FROM `aead-poc.app.users_encrypted`;
- 74. 74 But… DECLARE keyset BYTES; set keyset = from_base64('CKeEwo...MOqyAB'); select email, DETERMINISTIC_DECRYPT_STRING(keyset, email, "") AS decrypted_email FROM `aead-poc.app.users_encrypted`;
- 75. 75 DEK Data Encryption Key KEK Key Encryption Key Symmetric Encryption Wrapper Encrypted DEK
- 76. Data encryption / decryption process 76 76 DEK KEK Symmetric Decryption Wrapper Encryption Algorithm Sensitive message Encrypted message Encryption Decryption
- 77. Google KMS ✔ Create key ✔ Encrypt / Decrypt ✘ Export key 77
- 79. Runtime encryption process using KMS 79 79 DEK KEK Application Wrapper Encryption Algorithm Sensitive message Encrypted message Encryption Decryption Google KMS decrypt
- 80. 80 gcloud kms keyrings create poc-keyring --location us-central1 gcloud kms keys create kek --keyring poc-keyring --location us-central1 --purpose "encryption" Create KEK in KMS
- 81. 81 SET kms_resource_name = 'gcp-kms://projects/aead- poc/locations/us-central1/keyRings/poc- keyring/cryptoKeys/kek'; SELECT KEYS.NEW_WRAPPED_KEYSET( kms_resource_name, 'DETERMINISTIC_AEAD_AES_SIV_CMAC_256') Generate wrapper
- 83. On-demand decrypt in BigQuery 83 SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead- poc/locations/us-central1/keyRings/poc- keyring/cryptoKeys/kek'; SET WRAPPER = FROM_BASE64("CiQA14LE......................brY9fZ3U="); SELECT email, DETERMINISTIC_DECRYPT_STRING( KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER), email, "") decrypted_email FROM `aead-poc.app.users_encrypted`
- 84. On-demand decrypt in BigQuery 84 SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead- poc/locations/us-central1/keyRings/poc- keyring/cryptoKeys/kek'; SET WRAPPER = FROM_BASE64("CiQA14LE......................brY9fZ3U="); SELECT email, DETERMINISTIC_DECRYPT_STRING( KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER), email, "") decrypted_email FROM `aead-poc.app.users_encrypted`
- 85. On-demand decrypt in BigQuery 85 CREATE OR REPLACE FUNCTION `aead-poc.app.decrypt`(encodedText bytes) RETURNS STRING AS ( DETERMINISTIC_DECRYPT_STRING( KEYS.KEYSET_CHAIN('gcp-kms://projects/aead- poc/locations/us-central1/keyRings/poc- keyring/cryptoKeys/kek', b'004324........003'), encodedText, "") );
- 86. SELECT email, `aead-poc.app.decrypt`(email) decrypted_email FROM `app.users_encrypted` 86
- 89. No one except for the application runtime has access to the DEK 89
- 90. Use Tink for encryption in application side 90 import tink daead.register() keyset_handle = tink.KeysetHandle.read( tink.JsonKeysetReader('{"encryptedKeyset":"Ci..g=",...}'), gcpkms.GcpKmsClient('',gcp_credential_path) .get_aead('gcp-kms://projects/…/kek')) cipher = keyset_handle.primitive(daead.DeterministicAead) ciphertext = cipher.encrypt_deterministically(b'plaintext', b'') plaintext = cipher.decrypt_deterministically(ciphertext, b'') Decrypt the wrapper Wrapper KEK URI Create Cipher object Encrypt / Decrypt using the DEK
- 91. On-demand encrypt in BigQuery 91 SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead- poc/locations/us-central1/keyRings/poc- keyring/cryptoKeys/kek'; SET WRAPPER = FROM_BASE64("CiQA14LE......................brY9fZ3U="); CREATE TABLE `aead-poc.app.users_encrypted` as SELECT DETERMINISTIC_ENCRYPT( KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER), email, "") email FROM `aead-poc.app.users`
- 92. 92 Application BigQuery GCS PubSub Dataflow Encryption in transit Encryption at rest Application layer encryption SSL SSL SSL SSL SSL SSL SSL
- 94. Performance 94 100M Records 64 Bytes Plain text Decrypt first Elapsed time Slot time Elapsed time Slot time Substring + group by 14 sec 10 min 15 sec 18 min Select distinct 21 sec 23 min 22 sec 35 min ~50-80% Almost the same
- 95. Pricing 95 SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead- poc/locations/us-central1/keyRings/poc- keyring/cryptoKeys/kek'; SET WRAPPER = FROM_BASE64("CiQA14LE......................brY9fZ3U="); SELECT DETERMINISTIC_DECRYPT_STRING( KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER), email, "") decrypted_email FROM `aead-poc.app.users_encrypted`
- 96. Pricing 96 Storage overhead 21 Bytes per encrypted field
- 97. Limitations ● Key per tenant - not supported 97 select email, DETERMINISTIC_DECRYPT_STRING( KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, tp.wrapper), email, "") AS decrypted_email FROM `aead-poc.app.users_encrypted` JOIN `aead-poc.app.tenants_wrappers` tw USING (tenant_id)
- 98. Keep it in mind 98
- 100. Q & A 100
- 101. Thank You! Questions? To be continued… https://www.linkedin.com/company/application-security-virtual-meetups