Zero trusted networks: Why permiterer security is dead
0 likes299 views
The document discusses the inadequacies of perimeter security in protecting sensitive data stored in Elasticsearch, particularly given the rise in insider threats and remote access. It argues for a paradigm shift towards zero trust security, where no traffic is assumed to be safe, and emphasizes the need for strict access controls and monitoring. The author suggests implementing security measures directly where the data resides and adopting a least privilege strategy.
Zero trusted networks: Why permiterer security is dead
- 1. SEARCH GUARD ZERO TRUSTED NETWORKS © 2018 floragunn GmbH - All Rights Reserved OR: WHY PERIMETER SECURITY IS DEAD
- 2. © 2018 floragunn GmbH - All Rights Reserved ABOUT ME Jochen Kressin, Co-Founder & CTO of floragunn GmbH Makers of Search Guard Enterprise Security Suite for Elasticsearch Founded 2012 Main office: Berlin, Germany Partner offices: Seattle, New York, Miami, Bordeaux Meet us at booth #15 01.
- 3. © 2018 floragunn GmbH - All Rights Reserved WHY THIS TOPIC? I talk a lot to customers that are using Elasticsearch Most of them store sensitive data inside Elasticsearch Personally identifiable information: User- or customer data Financial information: Transaction data Healthcare information: Patient data Elasticsearch does not offer security out-of-the-box Natural question: How do you secure Elasticsearch? Answers are scary … 02.
- 4. © 2018 floragunn GmbH - All Rights Reserved ANSWERS 03. Evil Internet Sensitive Data Elasticsearch “It’s unprotected” Elasticsearch “Firewall” Elasticsearch “VPN and Firewall”
- 5. © 2018 floragunn GmbH - All Rights Reserved PERIMETER SECURITY 04. Elasticsearch Evil Internet Firewall Loadbalancer Data Lake HTTPS HTTPS HTTPS HTTP “Untrusted” “Trusted Perimeter”
- 6. © 2018 floragunn GmbH - All Rights Reserved ASSUMPTIONS Traffic from the outside cannot be trusted Traffic inside the perimeter can be trusted Access to the perimeter can be controlled Consequences VPNs, firewalls and loadbalancers are sufficient At any point in time, we know who has access to the data Traffic inside the VPN does not need to be encrypted end-to-end Performance is more important than encryption Security breaches will be detected 05.
- 7. © 2018 floragunn GmbH - All Rights Reserved REALITY CHECK Does perimeter security work? If it works, why do we still suffer from security breaches and data loss? Data breach @ Exactis Close to 340 million personal records leaked Phone number, home address Number, age and gender of children Elasticsearch cluster publicly accessible I don’t think this was on purpose, but a human mistake 06.
- 8. © 2018 floragunn GmbH - All Rights Reserved WHAT HAS CHANGED? Access control Partners, freelancers, part-time contractors etc. These are all potential inside threats Locations Remote offices Remote workers Devices Laptops, smartphone, tablets Bring your own device 07.
- 9. © 2018 floragunn GmbH - All Rights Reserved WHAT HAS CHANGED? Cloud computing Cloud storage Microservices SaaS / PaaS / IaaS Containerization Docker, Kubernetes etc. How to apply IP-based security? Decentralized systems / clusters Internet of things 08.
- 10. © 2018 floragunn GmbH - All Rights Reserved WHERE IS THE PERIMETER NOW? 09. Office Internet Aynwhere Cloud Storage SaaS Cloud Storage Elasticsearch Datacenter
- 11. © 2018 floragunn GmbH - All Rights Reserved PERIMETER SECURITY REVISITED 10. Elasticsearch Evil Internet Firewall Loadbalancer Data Lake HTTPS HTTPS HTTPS HTTP “Untrusted” “Trusted Perimeter”
- 12. © 2018 floragunn GmbH - All Rights Reserved ZERO TRUSTED NETWORK 11. Office Internet Elasticsearch Aynwhere Datacenter Cloud Storage SaaS Cloud Storage “Untrusted”
- 13. © 2018 floragunn GmbH - All Rights Reserved FACT CHECK Companies do not have full control anymore Explosion of devices and locations Data and services are moving to the cloud Internet of Things Inside attacks are ever increasing 60% of attacks originated from the inside (IBM study 2016) Attacks via social engineering Lines between inside and outside are blurry at best 12.
- 14. © 2018 floragunn GmbH - All Rights Reserved PARADIGM SHIFT No traffic can be trusted Regardless where it originates Regardless from which device No IP / port / application can be trusted Cloud, containers, IoT Traditional firewall approach flawed No user can be trusted Beware of inside attacks Outside personell 13.
- 15. © 2018 floragunn GmbH - All Rights Reserved PARADIGM SHIFT Move security to where the data lives No unsecured services Not even in a VPN No unencrypted traffic, anywhere Not even in a VPN Assume attackers are already in your network Never trust, always verify Apply least privilege strategies Inspect and log all traffic 14.
- 16. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE: ELASTICSEARCH 15. Search Guard Search Guard Search Guard Search Guard Node Node TLS Secured TLS Secured RESTTRANSPORT TLS Secured https://example.com:
- 17. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE: ELASTICSEARCH 16. Any location Any device HTTPS Validate certificates Hostname verification DNS Lookups Authentication Certificate revocation TLS Role-based access control Least privilege approach No defaults RBAC Document-level Field-level Filtering Anonymization Data Audit Logs Track access Monitor anomalies Alerting Data Lake Elasticsearch
- 18. © 2018 floragunn GmbH - All Rights Reserved OPEN SOURCE / OPEN CODE Complete Search Guard code has always been publicly accessible Code has been audited several times By the community By security experts and auditors of customers Verified by Veracode Download, inspect, audit, compile https://github.com/floragunncom/search-guard https://github.com/floragunncom/search-guard-enterprise-modules 17.
- 19. © 2018 floragunn GmbH - All Rights Reserved RESOURCES Search Guard website https://search-guard.com/ Documentation https://docs.search-guard.com Community Forum https://groups.google.com/d/forum/search-guard GitHub https://github.com/floragunncom 18.
- 20. SEARCH GUARD info@search-guard.com © 2018 floragunn GmbH - All Rights Reserved send us a message: 20
- 21. © 2018 floragunn GmbH - All Rights Reserved floragunn GmbH Tempelhofer Ufer 16 D-10963 Berlin, Germany E-Mail: info@search-guard.com Web: search-guard.com Managing Directors: Claudia Kressin, Jochen Kressin Registergericht: Amtsgericht Charlottenburg Registernummer: HRB 147010 B E-Mail: info@floragunn.com Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.