Topics:
• RepoKid
Netflix’s Open-source Strategy to Rightsizing Cloud Permissions at Scale
• BetterTLS
A test suite for HTTPS clients implementing verification of the Name Constraints certificate extension
• Authorization at Netflix
Netflix’s architecture for implementing Authorization at scale
• Open Policy Agent
An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. (www.openpolicyagent.org)
• Introducing PADME (Policy Access Decision Management Engine)
A modern policy management for distributed heterogenous systems. (www.padme.io)
Demo Stations:
• Stethoscope
Personalized, user-focused recommendations for employee information security.
• HubCommander
Slack bot for GitHub organization management -- and other things too!
• Open Policy Agent
An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
5. Set Builder: (Me)
● Name: Patrick Kelley @monkeysecurity
● ~ 5 years @ Netflix
● Decent trampoline jumper
● OSS Fan
○ SecurityMonkey
○ CloudAux
○ PolicyUniverse
○ Aardvark
○ Repokid
○ SWAG
6. You are Entitled to Nothing
Permissions granted to new apps:
● Permissions are automatically granted to applications on deploy.
● Apps start with a small base-set of permissions.
● Manual interaction with the security team is limited.
Eventually:
● Default permission set is empty. We peek inside your AMI to build policies.
● Library owners define required permissions.*
7. Remove Unused
PermissionsRepokid gathers data from multiple plugins and
determines which permissions may be removed.
After sending notifications, repokid will “repo”
unused permissions. If something goes wrong,
repokid allows for easy rollback.
https://github.com/Netflix/repokid
https://github.com/Netflix-Skunkworks/aardvark
14. Responsibility, Risk, and Transparency
bankof
america
.com
ACME
Root CA
17.59.228.350
ACME
Root CA
bankofamerica.com
15. We want to apply authorization
rules to CAs.
Is ACME Root CA authorized to
create a certificate for
bankofamerica.com?
16. The Name Constraints X509 Extension
● RFC 5280 (May 2008)
● Applies only to CA certificates. Specifies:
○ Type of name to which it applies (DNS, IP, etc)
○ Subtree (DNS prefix or IP range)
○ Whitelisted or blacklisted
● Constraints on CA hierarchy can be nested!
Implementations should “intersect” the constraints.
○ The ACME Root CA can be whitelisted for *.internal
○ The ACME Test Environment CA can be blacklisted
for *.prod.internal
17. How Name Constraints Works
ACME Root
CA
ACME
Internal CA
NC: *.internal
passwordreset
.acme.internal
✓
ACME Root
CA
ACME
Internal CA
NC: *.internal
bankofamerica
.com
×
24. Let’s Test! Thoroughly!
● Put the server name in both CN and SAN
● Use both DNS names and IP names
○ Use both valid and invalid names
● Use both NC whitelisting and blacklisting
○ Use both passing and non-passing
whitelists/blacklists
● Mix and match all of these
○ Computers are really good at brute forcing all
combinations of things
● Let’s contact vendors about any issues we find
● And let’s make it public!
26. Making TLS Better
● Chrome now has 100% pass on Windows and Linux
○ Chrome on OSX still has some blacklist failures
because of unfixed bugs in Apple’s proprietary TLS
implementation. :(
● Go found a bug in their NC verification
○ They’ve fixed it and included a bettertls certificate in
their own test suite!
● Java has fixed bugs in their NC verification
○ Release including the fix is pending
27. What Should I Do?
● If you use TLS in your project, consider utilizing the
bettertls.com test suite.
● Contribute!
○ Help us extend BetterTLS with other (e.g. more
specific) Name Constraints tests
○ Submit additional client test results
○ Invent another TLS extension suite (HPKP, HSTS, …)
● If you manage any sort of CA, use name constraints to
reduce risk to your users, to reduce your own liability, and
to increase transparency!
30. Background - Definitions
Transfer $1000 from Account X to Account Y
Me My Bank
1. Verify the Identity of the Requester (Authentication or AuthN)
2. Verify that the Requestor is authorized to perform
the requested operation (Authorization or AuthZ)
These 2 steps do not need to be tied together !!
32. AuthZ Problem
A way to define and enforce rules that read
Identity I
can/cannot perform
Operation O
on
Resource R
For ALL combinations of I, O, and R in the ecosystem.
33. Design Considerations
● Resource types
● Identity types
● Underlying Protocols
● Implementation Languages
● Latency
● Flexibility of Rules
● Company Culture
● Capture Intent
35. Zooming In
AuthZ Agent
API Stager
Open Policy Agent Engine
Updater
Periodic updates on policies
and associated data
36. Did it work?
Resource types REST, SSH, Keys, Kafka Topics
Identity types VM/Container Services, Batch Jobs, FTEs, Contractors
Underlying Protocols HTTP, gRPC, Kafka Protocol
Implementation Languages Java, Node JS, Ruby, Python
Latency < 0.5 ms for basic policies
Flexibility of Rules OPA Policy Engine
Company Culture Policy Portal
Capture Intent Policy Portal UI hides Policy text for most use cases
37. Take Away
● AuthZ is a fundamental security problem
● Seek comprehensive solution for better Control and Visibility
● Get there faster with Open Source Tools (e.g. OPA)
● Get involved in communities (e.g. PADME)
44. The Policy Problem
ratings
details
commentslanding_page
master
nodes nodes
instance-976
elb-east
bucket-acme
lambda-xyz
keypair-foo
Which cluster should this
workload be deployed on?
Which resources are not
tagged correctly?
Can user X do operation Y
on resource Z?
Application Platform Infrastructure
49. OPA: Unified, Declarative, Context-aware
Application: “Employees can access
their own salary data. Managers can
access their subordinates salary
data.”
Platform: “Workloads that require
EU jurisdiction must be deployed on
clusters in European zones.”
Infrastructure: “Allow plans without
deletes unless the number of new
resources exceeds 100.” Data
(JSON)
Policy
(Rego)
Service
Policy
Query
Policy
Decision
50. OPA: Unified, Declarative, Context-aware
“Employees can access their own salary data. Managers
can access their subordinates salary data.”
allow {
input.path = [“salary”, employee_id]
input.user = employee_id
}
allow {
input.path = [“salary”, employee_id]
input.user = data.manager_of[employee_id]
}
51. OPA: Unified, Declarative, Context-aware
“Employees can access their own salary data. Managers
can access their subordinates salary data.”
allow {
input.path = [“salary”, employee_id]
input.user = employee_id
}
allow {
input.path = [“salary”, employee_id]
input.user = data.manager_of[employee_id]
}
Context
Pattern Matching
52. OPA: Unified, Declarative, Context-aware
“Workloads that require EU jurisdiction must be deployed on
clusters in European zones.”
placement[cluster.name] {
input.metadata.labels[“requires-eu-jurisdiction”]
cluster = data.clusters[_]
startswith(cluster.status.region, “eu-”)
}
53. OPA: Unified, Declarative, Context-aware
“Workloads that require EU jurisdiction must be deployed on
clusters in European zones.”
placement[cluster.name] {
input.metadata.labels[“requires-eu-jurisdiction”]
cluster = data.clusters[_]
startswith(cluster.status.region, “eu-”)
}
References Search
54. OPA: Unified, Declarative, Context-aware
“Allow plans without deletes unless the number of new
resources exceeds 100.”
deny { score > 100 }
weights = {“create”: 1, “modify”: 0, “delete”: 1000}
score = s {
sum([weights[op] | input.plan[_] = [op, _]], s)
}
AggregationComposition
55. The Open Policy Agent Project
● Declarative Language
● Document-oriented
● Daemon, Library
● Policy, Query, Data APIs
● Tooling (REPL, Tracing, Testing)
● Apache License 2.0
Data
(JSON)
Policy
(Rego)
58. Goals
• Provable, Composable, Security
• Simplicity (ease of use)
• Well Defined Behavior in a Distributed Environment
59. The Problem
Configuring Access Policies is Hard
• Every component is different (heterogeneity)
• Web servers, networking gear, etc
• Services evolve, and policies need to change with them (temporality)
• Policies don’t understand the CAP Theorem (temporality)