Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Securing MicroServices - ConFoo 2017

400 Aufrufe

Veröffentlicht am

Here are the slides for the talk, "Securing MicroService".

Veröffentlicht in: Software
  • Als Erste(r) kommentieren

Securing MicroServices - ConFoo 2017

  1. 1. SECURINGMICRO-SERVICES
  2. 2. Majid Fatemian R E D V E N T U R E S @majidfn
  3. 3. TECHNOLOGY-DRIVEN CUSTOMER ACQUISITION SALES & MARKETING
  4. 4. TRACKING ANALYTICS BILLING ORDERING CHAT FINE-GRAINED TECHNOLOGY / PROTOCOL AGNOSTIC ELASTIC, RESILIENT
  5. 5. TRACKING GEO ROUTING DATA
 SCIENCE RULES
 ENGINE INTERACTIVE
 VOICE
 RESPONSE ORDER BILLING SERVICE
 ABILITY CHAT COMPLIANCE ANALYTICS PHONE 
 NUMBER
 ASSIGNMENT
  6. 6. 01011 REDVENTURES ✔ ✔ ✘✔ ✘ ✘
  7. 7. VS. AUTHORIZATION AUTHENTICATION
  8. 8. AUTHORIZATION VERIFYING THE IDENTITY OF A USER / PROCESS PERMITTING ACCESS / ACTION TO RESOURCES AUTHENTICATION
  9. 9. AUTHENTICATION
  10. 10. REUSE VS. BUILD
  11. 11. AUTHENTICATION 1 ACTIVE DIRECTORY
  12. 12. ACTIVE DIRECTORY Application
  13. 13. Application External Internal
  14. 14. AUTHENTICATION OKTA 1 2 ACTIVE DIRECTORY
  15. 15. ACTIVE DIRECTORY SAM L Application External Internal
  16. 16. SAML - SECURITY ASSERTION MARKUP LANGUAGE SERVICE PROVIDER USER IDENTITY PROVIDER Request resource Redirects to SSO Identify User SAML Respond with requested Resource SAML
  17. 17. <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22- e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/ SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/ index.php?acs"> <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF…3socPqAi2Qf97E=</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQQ…….BpspRYT+kAGiFomHop1nErV6Q==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/> <samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest>
  18. 18. ACTIVE DIRECTORY SAM L SERVICE
 1 SERVICE
 2 SERVICE
 3 SAML
  19. 19. AUTHENTICATION OKTA 1 2 3 JWT (JSON WEB TOKEN) ACTIVE DIRECTORY
  20. 20. ACTIVE DIRECTORY SAM L + JWT JWT SERVICE
 1 SERVICE
 2 SERVICE
 3
  21. 21. JWT
 Identity
 Provider SERVICE PublicPrivate + JWT
  22. 22. JWT eyJXAiiJKV1Qi.eyJ1c2VySWQi4ZjItOGZhYi1jZWYzOTAjYwYQ.-xHVTCMdoHrcZxH Header Payload Signature
  23. 23. JWT - PAYLOAD { "email": "mfatemian@redventures.com",
 "userName": "mfatemian",
 "firstName": "Majid",
 "lastName": "Fatemian",
 "employeeID": "11520",
 "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
 "iat": 1487910598,
 "exp": 1487953798
 }
  24. 24. AUTHORIZATION
  25. 25. Read
  26. 26. AUTHORIZATION CAN USER READ FROM ATT&T IN ANALYTICS? CAN USER READ FROM VERIZON IN ANALYTICS? ✔ ✘
  27. 27. THE PROBLEM AD GROUPS CUSTOM AD GROUPS CUSTOM
  28. 28. ▸Scattered ▸Inconsistent ▸No Monitoring ▸No Centralized control
  29. 29. DESIRED SOLUTION ▸ Centralized ▸ Simple ▸ Scalable ▸ Monitoring ▸ Easily Manageable
  30. 30. EXISTING AUTHZ SOLUTIONS SERVICE
 1 SERVICE
 2 SERVICE
 3 SERVICE
 4 SERVICE
 5 SERVICE
 6 AUTHORIZATION
  31. 31. + JWT SERVICE
 1 SERVICE
 2 SERVICE
 3 SERVICE
 4 SERVICE
 5 SERVICE
 6 AUTHORIZATION 1 ROUND TRIP / ACTION EXISTING AUTHZ SOLUTIONS
  32. 32. ▸ Round-trips ▸ Roles, Groups, etc ▸ Complex
  33. 33. ▸ Round-trips ▸ Roles, Groups, etc ▸ Complex
  34. 34. SIMPLIFIED
 AUTHORIZATION
  35. 35. Read
  36. 36. AREA 1 AREA 2 AREA 3 Action
  37. 37. AREASERVICE ACTION analytics verizon write
  38. 38. SERVICE ACTIONGLOBAL analytics writeglobal
  39. 39. Action GLOBAL
  40. 40. AREA 1 AREA 2 AREA 3 Action GLOBAL
  41. 41. { 
 "analytics": {
 "write": ["verizon", "att"],
 "read": ["global"]
 },
 "data_science": {
 "report": ["att"]
 }
 }
  42. 42. JWT - PAYLOAD { "email": "mfatemian@redventures.com",
 "userName": "mfatemian",
 "firstName": "Majid",
 "lastName": "Fatemian",
 "employeeID": "11520",
 "permissions":{"analytics": {"write":
 ["verizon","att"],"read": ["global"]},"data_science":
 {"report": ["att"]}},
 "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
 "iat": 1487910598,
 "exp": 1487953798
 }
  43. 43. JWT - PAYLOAD { "email": "mfatemian@redventures.com",
 "userName": "mfatemian",
 "firstName": "Majid",
 "lastName": "Fatemian",
 "employeeID": "11520",
 "permissions":{"analytics": {"write":
 ["verizon","att"],"read": ["global"]},"data_science":
 {"report": ["att"]}},
 "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
 "iat": 1487910598,
 "exp": 1487953798
 }
  44. 44. HTTP 413 - REQUEST ENTITY TOO LARGE Default
 Header
 8K
  45. 45. gzip | base64
  46. 46. JWT - PAYLOAD { "email": "mfatemian@redventures.com",
 "userName": "mfatemian",
 "firstName": "Majid",
 "lastName": "Fatemian",
 "employeeID": "11520",
 "permissions": "H4sIAAmrs1gAAx3L…qAIBRF0XnLeGN",
 "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
 "iat": 1487910598,
 "exp": 1487953798
 }
  47. 47. JWT - PAYLOAD { "email": "mfatemian@redventures.com",
 "userName": "mfatemian",
 "firstName": "Majid",
 "lastName": "Fatemian",
 "employeeID": "11520",
 "permissions": "H4sIAAmrs1gAAx3L…qAIBRF0XnLeGN",
 "jti": "7bc4561ab-b6c8e2-76b1-31a3-a9bb90fb67c",
 "iat": 1487910598,
 "exp": 1487953798
 }
  48. 48. SAML JWT SERVICE
 1 SERVICE
 2 SERVICE
 3 + JWT
  49. 49. SAML + JWT
 +
 PERMISSIONS JWT SERVICE
 1 SERVICE
 2 SERVICE
 3 AUTHORIZATION PERMISSIONS
  50. 50. + JWT DATASCIENCE
 ATT&T READ Y / N {
  51. 51. ▸ Centralized ▸ Simple ▸ Scalable ▸ Monitoring ▸ Easily Manageable
  52. 52. SAML + JWT
 +
 PERMISSIONS JWT SERVICE
 1 SERVICE
 2 SERVICE
 3 AUTHORIZATION PERMISSIONS
  53. 53. SAML + JWT
 +
 PERMISSIONS JWT SERVICE
 1 SERVICE
 2 SERVICE
 3 AUTHORIZATION PERMISSIONS MANAGEMENT
  54. 54. AUTHORIZATION SERVICE, AUTHORIZES ITSELF + JWT AUTHORIZATION
 DATA SCIENCE ADD USER Y / N {
  55. 55. INTEGRATION
  56. 56. THE PROBLEM AD GROUPS CUSTOM AD GROUPS CUSTOM
  57. 57. CLIENT LIBS }golang C# JavaScript PHP
  58. 58. IsAuthorized(JWT, "data_science", "verizon", "read") True | False
  59. 59. TRACKING ANALYSIS BILLING ORDERING SERVICE
 ABILITY GEO CHAT 01011 R E D V E N T U R E S DATA
 SCIENCE
  60. 60. TRACKING ANALYSIS BILLING ORDERING SERVICE
 ABILITY GEO CHAT 01011 R E D V E N T U R E S DATA
 SCIENCE
  61. 61. MONITORING & ALERTING TRACKING ANALYSIS BILLING ORDERING SERVICE
 ABILITY MONITORING ALERTING DATA
 SCIENCE LOGGING
  62. 62. ▸ Centralized ▸ Simple ▸ Scalable ▸ Monitoring ▸ Easily Manageable
  63. 63. ▸ Open source ▸ Okta dependency FUTURE WORK
  64. 64. REUSE BUILD1 2 TOKEN BASED AUTH 3 SIMPLE ≠ INSECURE >
  65. 65. THANK YOU! QUESTIONS?

×