
Securing MicroServices - ConFoo 2017


Here are the slides for the talk, "Securing MicroService".

Published in: Software


  1. SECURING MICRO-SERVICES
  2. Majid Fatemian, Red Ventures, @majidfn
  3. TECHNOLOGY-DRIVEN CUSTOMER ACQUISITION, SALES & MARKETING
  4. Services: TRACKING, ANALYTICS, BILLING, ORDERING, CHAT. Properties: FINE-GRAINED; TECHNOLOGY / PROTOCOL AGNOSTIC; ELASTIC, RESILIENT
  5. (service map diagram) TRACKING, GEO ROUTING, DATA SCIENCE, RULES ENGINE, INTERACTIVE VOICE RESPONSE, ORDER, BILLING, SERVICEABILITY, CHAT, COMPLIANCE, ANALYTICS, PHONE NUMBER ASSIGNMENT
  6. (diagram) REDVENTURES, with ✔ / ✘ marks on the service-to-service links
  7. AUTHENTICATION VS. AUTHORIZATION
  8. AUTHENTICATION: verifying the identity of a user / process. AUTHORIZATION: permitting access / action to resources.
  9. AUTHENTICATION
  10. REUSE VS. BUILD
  11. AUTHENTICATION: 1. ACTIVE DIRECTORY
  12. (diagram) ACTIVE DIRECTORY, Application
  13. (diagram) Application: External / Internal
  14. AUTHENTICATION: 1. ACTIVE DIRECTORY 2. OKTA
  15. (diagram) ACTIVE DIRECTORY, SAML, Application: External / Internal
  16. SAML - SECURITY ASSERTION MARKUP LANGUAGE. Parties: USER, SERVICE PROVIDER, IDENTITY PROVIDER. Flow: the user requests a resource from the service provider; the service provider redirects to SSO with a SAML request; the identity provider identifies the user and returns a SAML response; the service provider responds with the requested resource.
  17. Sample SAML AuthnRequest (service provider → identity provider):
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test"
          IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php"
          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
        <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF…3socPqAi2Qf97E=</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQQ…BpspRYT+kAGiFomHop1nErV6Q==</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </ds:Signature>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
        <samlp:RequestedAuthnContext Comparison="exact">
          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
      </samlp:AuthnRequest>
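As an added example (not the talk's own code, nor Red Ventures' or Okta's), here is the receiving side of a request like the one above: a Go function that parses a SAML 2.0 AuthnRequest and applies the checks an identity provider should make before issuing a response. The XML signature itself is assumed to be verified by a SAML library before any of these fields are trusted; only the link between the signature's Reference and the request ID is checked here. The registered service-provider list, the IdP URL and the freshness window are constructed assumptions. Note that the sample above signs with rsa-sha1 and SHA-1 digests; a current deployment should require SHA-256.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// AuthnRequest is a minimal view of a SAML 2.0 <samlp:AuthnRequest>: only the
// fields an IdP inspects before acting on the request. Namespaces are matched
// explicitly so a same-named element in another namespace is not accepted.
type AuthnRequest struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID           string   `xml:"ID,attr"`
	Version      string   `xml:"Version,attr"`
	IssueInstant string   `xml:"IssueInstant,attr"`
	Destination  string   `xml:"Destination,attr"`
	ACSURL       string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer       string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Signature    struct {
		SignedInfo struct {
			Reference struct {
				URI string `xml:"URI,attr"`
			} `xml:"Reference"`
		} `xml:"SignedInfo"`
	} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
}

// registeredSPs maps an SP's Issuer to the ACS URLs it registered out of band
// (constructed sample; the names match the request on the slide).
var registeredSPs = map[string][]string{
	"http://sp.example.com/demo1/metadata.php": {"http://sp.example.com/demo1/index.php?acs"},
}

// ValidateAuthnRequest parses raw and applies the checks an IdP must make
// before issuing a SAML Response. Cryptographic signature verification is
// assumed to be done by a SAML library; here we only confirm that the
// signature's Reference points at this request's own ID.
func ValidateAuthnRequest(raw []byte, idpSSOURL string, now time.Time, maxAge time.Duration) (*AuthnRequest, error) {
	var req AuthnRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if req.Version != "2.0" {
		return nil, errors.New("unsupported SAML version")
	}
	// Destination must be this IdP's SSO endpoint, not some other relying party.
	if req.Destination != idpSSOURL {
		return nil, errors.New("destination does not match IdP SSO URL")
	}
	acsURLs, known := registeredSPs[req.Issuer]
	if !known {
		return nil, errors.New("unknown issuer")
	}
	// The ACS URL is where the signed assertion will be POSTed; honouring an
	// unregistered one would hand the assertion to an attacker-chosen endpoint.
	if !contains(acsURLs, req.ACSURL) {
		return nil, errors.New("AssertionConsumerServiceURL not registered for issuer")
	}
	if req.Signature.SignedInfo.Reference.URI != "#"+req.ID {
		return nil, errors.New("signature reference does not cover this request")
	}
	issued, err := time.Parse(time.RFC3339, req.IssueInstant)
	if err != nil {
		return nil, fmt.Errorf("IssueInstant: %w", err)
	}
	if issued.After(now.Add(maxAge)) || now.Sub(issued) > maxAge {
		return nil, errors.New("request is stale or from the future")
	}
	return &req, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// SampleRequest is a constructed AuthnRequest shaped like the one on the slide,
// with the signature value and certificate elided.
const SampleRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test"
    IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3"/>
    </ds:SignedInfo>
    <ds:SignatureValue>elided</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>`

func main() {
	now := time.Date(2014, 7, 16, 23, 53, 0, 0, time.UTC)
	req, err := ValidateAuthnRequest([]byte(SampleRequest), "http://idp.example.com/SSOService.php", now, 5*time.Minute)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("accepted request", req.ID, "from", req.Issuer)
}
```

The ACS check is the one that matters most: the IdP is about to mint a signed assertion for this user, and the request itself tells it where to POST that assertion, so the URL must come from the SP's registered metadata rather than be trusted from the wire.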
  18. (diagram) ACTIVE DIRECTORY, SAML, SERVICE 1, SERVICE 2, SERVICE 3, SAML
  19. AUTHENTICATION: 1. ACTIVE DIRECTORY 2. OKTA 3. JWT (JSON WEB TOKEN)
  20. (diagram) ACTIVE DIRECTORY, SAML + JWT, JWT, SERVICE 1, SERVICE 2, SERVICE 3
  21. (diagram) JWT: Identity Provider, SERVICE, Public/Private key + JWT
  22. JWT: eyJXAiiJKV1Qi.eyJ1c2VySWQi4ZjItOGZhYi1jZWYzOTAjYwYQ.-xHVTCMdoHrcZxH (Header . Payload . Signature)
  23. JWT - PAYLOAD
      {
        "email": "mfatemian@redventures.com",
        "userName": "mfatemian",
        "firstName": "Majid",
        "lastName": "Fatemian",
        "employeeID": "11520",
        "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
        "iat": 1487910598,
        "exp": 1487953798
      }
  24. AUTHORIZATION
  25. Read
  26. AUTHORIZATION: CAN USER READ FROM AT&T IN ANALYTICS? CAN USER READ FROM VERIZON IN ANALYTICS? (✔ / ✘)
  27. THE PROBLEM: AD GROUPS / CUSTOM / AD GROUPS / CUSTOM
  28. ▸ Scattered ▸ Inconsistent ▸ No Monitoring ▸ No Centralized control
  29. DESIRED SOLUTION: ▸ Centralized ▸ Simple ▸ Scalable ▸ Monitoring ▸ Easily Manageable
  30. EXISTING AUTHZ SOLUTIONS: (diagram) SERVICE 1, SERVICE 2, SERVICE 3, SERVICE 4, SERVICE 5, SERVICE 6, AUTHORIZATION
  31. EXISTING AUTHZ SOLUTIONS: (diagram) + JWT, SERVICE 1 … SERVICE 6, AUTHORIZATION; 1 ROUND TRIP / ACTION
  32. ▸ Round-trips ▸ Roles, Groups, etc. ▸ Complex
  34. SIMPLIFIED AUTHORIZATION
  35. Read
  36. (diagram) AREA 1, AREA 2, AREA 3, Action
  37. SERVICE / AREA / ACTION: analytics / verizon / write
  38. SERVICE / AREA / ACTION: analytics / global / write
  39. (diagram) Action, GLOBAL
  40. (diagram) AREA 1, AREA 2, AREA 3, Action, GLOBAL
  41. Permissions
      {
        "analytics": {
          "write": ["verizon", "att"],
          "read": ["global"]
        },
        "data_science": {
          "report": ["att"]
        }
      }
  42. JWT - PAYLOAD
      {
        "email": "mfatemian@redventures.com",
        "userName": "mfatemian",
        "firstName": "Majid",
        "lastName": "Fatemian",
        "employeeID": "11520",
        "permissions": {
          "analytics": {"write": ["verizon", "att"], "read": ["global"]},
          "data_science": {"report": ["att"]}
        },
        "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
        "iat": 1487910598,
        "exp": 1487953798
      }
  44. HTTP 413 - REQUEST ENTITY TOO LARGE: default header limit 8K
  45. gzip | base64
  46. JWT - PAYLOAD
      {
        "email": "mfatemian@redventures.com",
        "userName": "mfatemian",
        "firstName": "Majid",
        "lastName": "Fatemian",
        "employeeID": "11520",
        "permissions": "H4sIAAmrs1gAAx3L…qAIBRF0XnLeGN",
        "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
        "iat": 1487910598,
        "exp": 1487953798
      }
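Added example (not the talk's own code): the gzip | base64 step from slide 45 applied to the permissions claim in Go, the reverse step bounded so a token cannot inflate into a decompression bomb, and a check against the 8K default header buffer from slide 44. The 64 KB inflate cap and the sample permissions sets are assumptions; standard base64 is used so the packed string starts with "H4sI", as on the slide.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Permissions uses the slide's shape: service -> action -> list of areas.
type Permissions map[string]map[string][]string

const (
	headerLimit    = 8 * 1024  // default request-header buffer from the slide
	maxInflatedLen = 64 * 1024 // cap on the decompressed claim; an assumption, not from the slides
)

// gzipBase64 is the slide's "gzip | base64" pipeline applied to raw bytes.
func gzipBase64(raw []byte) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(raw); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// PackPermissions serialises the permissions map and compresses it so it
// travels in the "permissions" claim as a single string.
func PackPermissions(p Permissions) (string, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return gzipBase64(raw)
}

// UnpackPermissions reverses PackPermissions. The inflated size is bounded so
// a hostile but syntactically valid claim cannot act as a decompression bomb.
// Callers must have verified the JWT signature before trusting the result.
func UnpackPermissions(s string) (Permissions, error) {
	comp, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(comp))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	raw, err := io.ReadAll(io.LimitReader(zr, maxInflatedLen+1))
	if err != nil {
		return nil, err
	}
	if len(raw) > maxInflatedLen {
		return nil, errors.New("permissions claim inflates beyond limit")
	}
	var p Permissions
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	return p, nil
}

// FitsHeaderBudget reports whether a token of tokenLen bytes leaves room in
// the default header buffer once sent as "Authorization: Bearer <token>".
func FitsHeaderBudget(tokenLen int) bool {
	return len("Authorization: Bearer ")+tokenLen < headerLimit
}

// ManyAreas builds a constructed permissions set with n write areas, standing
// in for a user who can act on hundreds of partners.
func ManyAreas(n int) Permissions {
	areas := make([]string, n)
	for i := range areas {
		areas[i] = fmt.Sprintf("partner-%03d", i)
	}
	return Permissions{"analytics": {"write": areas, "read": {"global"}}}
}

func main() {
	slide := Permissions{
		"analytics":    {"write": {"verizon", "att"}, "read": {"global"}},
		"data_science": {"report": {"att"}},
	}
	for _, p := range []Permissions{slide, ManyAreas(500)} {
		raw, _ := json.Marshal(p)
		packed, _ := PackPermissions(p)
		fmt.Printf("json=%d bytes packed=%d bytes fits=%v\n", len(raw), len(packed), FitsHeaderBudget(len(packed)))
	}
}
```

Running main shows the trade-off the slides leave implicit: for the small permissions set on the slide the packed string is not shorter than the raw JSON (gzip adds a header and trailer, base64 adds a third), and the saving only appears once the list of areas grows. The packed claim still sits inside the signed payload, so compression does not weaken the signature, but every service that unpacks it needs the size cap above.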
  48. (diagram) SAML, JWT, SERVICE 1, SERVICE 2, SERVICE 3, + JWT
  49. (diagram) SAML + JWT + PERMISSIONS, JWT, SERVICE 1, SERVICE 2, SERVICE 3, AUTHORIZATION, PERMISSIONS
  50. (diagram) + JWT: DATA SCIENCE, AT&T, READ → Y / N
  51. ▸ Centralized ▸ Simple ▸ Scalable ▸ Monitoring ▸ Easily Manageable
  53. (diagram) SAML + JWT + PERMISSIONS, JWT, SERVICE 1, SERVICE 2, SERVICE 3, AUTHORIZATION, PERMISSIONS MANAGEMENT
  54. AUTHORIZATION SERVICE AUTHORIZES ITSELF: (diagram) + JWT, AUTHORIZATION, DATA SCIENCE, ADD USER → Y / N
  55. INTEGRATION
  56. THE PROBLEM: AD GROUPS / CUSTOM / AD GROUPS / CUSTOM
  57. CLIENT LIBS: golang, C#, JavaScript, PHP
  58. IsAuthorized(JWT, "data_science", "verizon", "read") → True | False
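Added example, not code from the talk's client libraries: the full token path in Go, with the identity provider minting an RS256 JWT that carries the permissions claim (slide 42) and a service verifying it offline with only the public key, then answering the IsAuthorized(JWT, service, area, action) question above without a round trip to the authorization service. Permissions are carried as a plain JSON object here, not compressed. The generated key, the claim values and the reading of the slides' "global" area as matching every area for that action are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Permissions uses the slide's shape: service -> action -> list of areas.
type Permissions map[string]map[string][]string

// Claims is the slide's JWT payload with the permissions embedded.
type Claims struct {
	Email       string      `json:"email"`
	Permissions Permissions `json:"permissions"`
	IAT         int64       `json:"iat"`
	EXP         int64       `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Mint is the identity-provider side: sign header.payload with the private key (RS256).
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the service side: only the public key is needed. The algorithm is
// pinned rather than read from the token, so "alg":"none" or an HMAC token
// keyed with the public key is rejected before any claim is used.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("malformed token")
		}
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.EXP {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// IsAuthorized mirrors the client-library call on the slide: the area is
// granted if it is listed for service/action, or if "global" is (assumption).
func IsAuthorized(pub *rsa.PublicKey, token, service, area, action string, now time.Time) bool {
	c, err := Verify(pub, token, now)
	if err != nil {
		return false
	}
	for _, a := range c.Permissions[service][action] {
		if a == "global" || a == area {
			return true
		}
	}
	return false
}

// DemoKeyAndClaims returns a fresh key pair (the real one lives in the IdP)
// and constructed claims shaped like the slide's payload, valid for 12 hours
// as the slide's iat/exp pair is.
func DemoKeyAndClaims(now time.Time) (*rsa.PrivateKey, Claims) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv, Claims{
		Email: "user@example.com",
		Permissions: Permissions{
			"analytics":    {"write": {"verizon", "att"}, "read": {"global"}},
			"data_science": {"report": {"att"}},
		},
		IAT: now.Unix(),
		EXP: now.Add(12 * time.Hour).Unix(),
	}
}
```

A production Verify would also check iss and aud and fetch the public key from the identity provider's published key set so it can rotate. Because the permissions ride inside the signed token, a change made in the authorization service only takes effect when a new token is minted, which for the 12-hour exp on the slide means up to 12 hours of stale permissions; that delay is the price of removing the per-action round trip from slide 31.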
  59. (diagram) TRACKING, ANALYSIS, BILLING, ORDERING, SERVICEABILITY, GEO, CHAT, DATA SCIENCE, REDVENTURES
  61. MONITORING & ALERTING: (diagram) TRACKING, ANALYSIS, BILLING, ORDERING, SERVICEABILITY, DATA SCIENCE; MONITORING, ALERTING, LOGGING
  62. ▸ Centralized ▸ Simple ▸ Scalable ▸ Monitoring ▸ Easily Manageable
  63. FUTURE WORK: ▸ Open source ▸ Okta dependency
  64. 1. REUSE > BUILD 2. TOKEN BASED AUTH 3. SIMPLE ≠ INSECURE
  65. THANK YOU! QUESTIONS?
