Hardening Microservices Security: Building a Layered Defense Strategy

•

2 likes•13,605 views

Microservices architecture is forcing developers to not only rethink how they design and develop applications, but also common security assumptions and practices. With the decomposition of traditional applications, each microservice instance represents a unique network endpoint, creating a distributed attack surface that is no longer limited to a few isolated servers or IP addresses. In this presention, we will review: -How microservices differ from SOA or monolithic architectures -Best practices for adopting and deploying secure microservices for production use -Avoiding continuous delivery of new vulnerabilities -Limiting attack vectors on a growing number of API endpoints -Protecting Internet-facing services from resource exhaustion

Technology

Securing Microservices
Threat Modelling and Session Security
Presented by David Hoelzer (SANS) and Matt Silverlock (CloudFlare)

What is a "microservice"?
(and what security challenges do they bring?)

What is a microservice?
● Modular approach to building services.
● Reinvention of the Service Orientated Architecture (SOA)
model.
● Micro-services often declare API contracts, but
development & deployment are self-contained.

What is a microservice?
Benefits
● Less coupling: easier to reason about changes.
● Apply the most appropriate technology to the problem at
hand
● Better suits larger organizations with multiple teams.
● Easier to test when self-contained: less infrastructure to
spin up when iterating.

What is a microservice?
Challenges
● Multiple moving parts: more surface area to secure as
services communicate to each other.
● Can add complexity into smaller organizations: more tech
stacks to maintain, update and patch.
● The need to define formal API contracts so that services
can reliably communicate to each other with different
development cycles.

Threat Modelling
Understand what you're defending against.

Threat Modelling
● Stop thinking about what it’s supposed to do
○ Stand back and try to think about how someone could abuse it
○ Start where you have security mitigations
○ Next, think about where you don’t and the assumptions made

What’s the Point?
● Organizations have many mitigations
○ Firewalls, AV, IDS, etc.
● The threat is not clearly identified by any single activity
○ It’s the behavior rather than a signature

What’s the Point for Microservices?
● Monolithic Web Applications
○ Session issues are a very well known problem
● Microservices
○ We still have sessions, but they are often far more stateless!
○ How do we define an authenticated “session”?
○ Are there behaviors that we can defend against?

Threat Modelling
● Everyone watches for repeated authentication failures
○ Do you currently include anything in the session verification
process?

Threat Modelling
● API keys are a possible approach
○ Issue public/private keypair
○ All requests must be signed with public key
■ more computation, but not awful
● How critical is it that the API keys are protected by end
users or apps?

Threat Modelling
● Session issues are not new
○ Microservices changes the game since these are inherently
non-monolithic applications
○ It is critical that the, “We do one thing well” philosophy include a
thoughtful analysis of potential threats and exposures
● Requires threat-focused defensive coding

Layered Defenses
There are no silver bullets.

Layered Defenses
● Offload work to the network edge: validate traffic
(firewall, reputation, rate limiting) before it reaches your
services.

Layered Defenses
● Protect your resources: prevent outside attackers from
consuming resources (spawning more containers may not
be the solution)

Layered Defenses
● Protect your data: multiple discrete services now
accessing shared datastores. Each service should only
access what it needs, and no more.

Layered Defenses
● Secure containers: authenticate endpoints, support
revocation, and keep images updated.

Layered Defenses
● Know what you're running: always pulling down the latest
image from an image repository or from GitHub may not
be a great idea.

Layered Defenses
● Manage secrets: do your microservices have access to the
secrets they need, and only the secrets they need?

Cyber-attacks on financial institutions of all sizes are on the rise, and community and regional banks face an overproportional cost burden to meet the comprehensive cybersecurity requirements set by the Federal Financial Institutions Examination Council (FFIEC). View this presentation to learn how to keep banks safe and compliant in the face of continuously evolving cyber attacks. We'll cover: -DDoS attacks bringing banks like yours offline -FFIEC regulations posing burdens on community and regional banks -Montecito Bank's story of cost-effectively achieving cybersecurity compliance -Practical ways to mitigate DDoS attacks on your bank and meet FFIEC regulations

Unexpected Impacts of DDoS Attacks and How to Stop Them

Caitlin Magat

With the launch of Cloudflare Rate Limiting, web security expert Troy Hunt, Microsoft Regional Director and Founder of HaveIBeenPwned.com, joins Cloudflare in this security webinar. Webinar topics include evolving global DDoS attack trends, how Have I Been Pwned prevents excessive API requests using DDoS Protection and Rate Limiting, and a quick how-to on enabling Rate limiting in the Cloudflare dashboard.

Latest Trends in Web Application Security

Cloudflare

Hear the talk on YouTube: https://www.youtube.com/watch?v=lp4dQTSH130 Web Application Firewall security is evolving. Join John Graham-Cumming, CTO of CloudFlare, as he shares the latest trends and changes in Web Application Security. This talk will give details of the big trends in web application security seen in 2015, and how to defend against these threats and talk about the evolving web application security landscape.

CloudFlare - The Heartbleed Bug - Webinar

Cloudflare

An encryption flaw, called the Heartbleed bug, is already referred to as one of the biggest security threats on the Internet. The flaw, announced on April 7th, allows an attacker to pull bits of data from a server and potentially access sensitive information. How did the Heartbleed bug happen? How does it affect your website? What can you do protect yourself? CloudFlare security engineer Nick Sullivan answers these and more questions on this CloudFlare webinar. At the last portion of the webinar we have Ben Murphy (one of the winners of the CloudFlare Heartbleed challenge) on a Q&A session. For more information on Heartbleed and the CloudFlare challenge, go to: http://bit.ly/1lVKy4O For more information on CloudFlare, visit www.cloudflare.com or dial 888-99-FLARE.

Overview of SSL: choose the option that's right for you

Cloudflare

Keeping communication between your visitors and your website secure and confidential has never been more important. Data can be vulnerable to theft as it’s transferred to and from your website. One simple solution to this security threat is to encrypt your traffic with SSL (Secure Sockets Layer). SSL encryption ensures the data transferred between your visitors and your site is safe from data theft, and having SSL enabled can also boost your Google search rankings. CloudFlare has made it simple and easy to add SSL to your site: you don’t have to purchase a separate certificate or install anything. In this webinar CloudFlare’s solution engineer Peter Griffin explains the key features of SSL, and walks you through the simple process of getting SSL running on your site.

Application layer attack trends through the lens of Cloudflare data

Cloudflare

The past few months have seen significant changes in how attackers target the application layer—through injection attacks, malicious bots, DDoS, API vulnerability exploits, and more. We can observe these changes by analyzing traffic from Cloudflare’s global network, which blocks an average of 45 billion threats per day for over 27 million Internet properties. Watch this webinar to explore data on: Which attack vectors have become more and less common How those changes vary by region and industry The business and societal trends behind these attacks Strategies for addressing these latest attack tactics

Managing Traffic Spikes This Holiday Season

Cloudflare

The holiday season is just around the corner, and for many websites—especially online retailers—this means huge spikes in web traffic. For many sites, a sudden surge in visitors can overwhelm servers, taking your site offline. Having your site offline during peak season not only affects the business bottom line, but also the brand's reputation. CloudFlare offers a host of services that will keep your site online, and lightning fast, throughout the holiday season no matter the size of the traffic. CloudFlare’s programer John Graham-Cumming explains how to fine tune CloudFlare to make sure your website is ready for traffic spikes this holiday season. For more information, please visit: www.cloudflare.com/overview www.cloudflare.com/support

SSL for SaaS Providers

Cloudflare

Cloudflare’s SSL for SaaS offering provides SaaS providers the opportunity to extend the security, performance, and encryption benefits of Cloudflare’s network to their end customers. This includes management of the entire SSL certificate lifecycle for custom vanity domains. View the slides to learn: -The performance, security, and encryption benefits of Cloudflare for SaaS providers and their end customers. -How SSL for SaaS manages the entire SSL certificate lifecycle for SaaS providers and their end customers, from purchase to renewal. -The hurdles of building and managing an in-house SSL solution for custom domains. -How SSL for SaaS seamlessly delivers encryption to custom domains.

The past few months have seen significant changes in global DDoS tactics. We can observe these changes in detail by analyzing traffic patterns from Cloudflare’s global network, which protects more than 27 million Internet properties and blocks 45 billion cyber threats every day. What approaches are DDoS attackers using right now, and what are forward-thinking organizations doing in response? Cloudflare DDoS product experts Omer Yoachimik, and Vivek Ganti will explore new data on DDoS trends and discuss ways to counter these tactics.

Botconf ppt

Cloudflare

Fadi Abdulwahab

MRA AMA Part 6: Service Mesh Models

NGINX, Inc.

On-demand recording: https://www.nginx.com/resources/webinars/mra-ama-part-6-service-mesh-models/ Speakers: Charles Pretzer Technical Architect NGINX, Inc. Floyd Smith Director of Content Marketing NGINX, Inc. About the webinar: In this webinar, two models of the NGINX Microservices Reference Architecture, the Router Mesh Model and the Fabric Model, are shown as successively more capable implementations of a service mesh architecture. We compare the MRA models to Istio, linkerd, and other service mesh architectures, and show how the NGINX Kubernetes Ingress Controller allows direct use of these other architectures. Attendees of the live webinar will have the opportunity to ask questions. Service mesh models are an emerging standard for microservices development and deployment. Popular architectures such as Istio and linkerd use a service mesh approach, including attributes such as load balancing capability, support for authorization and authentication, and use of the circuit breaker model for resiliency. Watch this webinar to learn: - Key problems solved by using a service mesh model for microservices _ How different service mesh architectures compare to each other - How to use NGINX service mesh models - the Router Mesh Model and Fabric Model of the MRA - How the Kubernetes Ingress Controller enables the use of NGINX in Istio, linkerd, and other service mesh models

Node JS reverse shell

Madhu Akula

Sullivan heartbleed-defcon22 2014

Cloudflare

MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App

NGINX, Inc.

On-demand Link: https://www.nginx.com/resources/webinars/microservices-ingenious-journey-service-mesh-demo-app/ In this webinar, we discuss how Ingenious is (mostly) the same, but also the differences in its code, features, and runtime behavior, as it’s implemented in various architectural models. You then get a chance to ask us, well, anything about microservices, the MRA, and service mesh architectures. Join this webinar to learn" - The reasons for choosing one architecture over others for your app icon - How apps can maximize architecture-independence, giving you maximum flexibility in development and deployment icon - How the features, performance, stability, and reliability of the Ingenious demo app benefit from various microservices architectures icon How to secure the Ingenious app, and your own apps, across different architectures

Microservices Security: dos and don'ts

Minded Security

More and more enterprises are restructuring their development teams to replicate the agility and innovation of startups. In the last few years, microservices have gained popularity for their ability to provide modularity, scalability, high availability, as well as make it easier for smaller development teams to develop in an agile way. But how do they deal with security? what about security contexts? This talk will give insights about the most interesting issues found in the last years while testing the security of multilayered microservices solutions and how they were fixed.

Secure Your Apps with NGINX Plus and the ModSecurity WAF

NGINX, Inc.

On-demand recording: https://nginx.webex.com/nginx/lsr.php?RCID=e62ece89fb21133d312f02af7be8e2c0 The NGINX Plus with ModSecurity WAF (web application firewall) protects your applications from a wide variety of threats, including DDoS and Layer 7 attacks. Improve application uptime, block malicious users, and log crucial data about suspicious transactions with this new offering from NGINX. The NGINX Plus with ModSecurity WAF is built on a new architecture, offered first to NGINX Plus customers. Our new WAF will help you protect your site against top threats and comply with PCI-DSS Requirement 6.6. Join us in this webinar to learn: * The top security attacks against websites * How much attacks are increasing and why * How a WAF adds to your site's security protection * How NGINX Plus with ModSecurity WAF works, in a live demo

Behind the scene of malware operators. Insights and countermeasures. CONFiden...

Marco Balduzzi

Modern cybercrime operates highly-sophisticated campaigns that challenge, or even evade, the state-of-art in defense and protection. On a daily basis, users worldwide are fooled by new techniques and threats that went under the radar, like new 0-days or attack vectors. We passively monitored how these attacks are conducted on real installations, and unveiled the modus operandi of malware operators. In this presentation, we share with the audience our recent findings and trends that we observed in-the-wild from the analysis we conducted on 3 million software downloads, involving hundreds of thousands of Internet connected machines. During the talk, we provide insights on our investigation like the effect of code signing abuse, the compromise of cloud providers' operations, the use of domains generated automatically via social engineering, and the business model behind modern malware campaigns. We also discuss the problem of "unknown threats", showing how the Internet's threats landscape is still largely unexplored and how it badly impacts on million of users. We conclude with a proof-of-concept system that we designed and that uses machine-learning to generate human-readable rules for detection. Our system represents a potential mitigation to the problem of "unknown threats" and an assistance tool for analysts globally.

Network Security in 2016

Qrator Labs

AWS - Como llevar un banco a la nube?

Mauricio Ferreyra

Securing Internal Applications with Cloudflare Access

Cloudflare

Securing internal applications for remote employees and contractors is cumbersome to deploy and maintain, missing granular access controls, and slow for users on mobile devices. Join this live webinar to learn how Cloudflare Access protects internal resources by securing, authenticating and monitoring access per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are able to access specific resources behind the Cloudflare edge. Support for existing identity providers such as GSuite and Okta ensures the right users have easy and instant access regardless of physical location. By enforcing access rules at the edge, Cloudflare reduces latency for users.

Security in microservices architectures

inovia

Running a Robust DNS Infrastructure with CloudFlare Virtual DNS

Cloudflare

Windows Azure Security & Compliance

Nuno Godinho

What You Should Know Before The Next DDoS Attack

Cloudflare

Last month, the world’s largest-ever distributed denial of service (DDOS) attack — 1.35 Tbps — hit GitHub and raised the stakes for every commercial website. These increasingly larger and more distributed attacks challenge security practitioners to better anticipate potential attacks on their own applications and infrastructure. In this live webinar, Cloudflare security experts will discuss the new DDoS landscape and mitigation techniques.

Attacking VPN's

n|u - The Open Security Community

CSA Presentation - Software Defined Perimeter

Vishwas Manral

Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare

Cloudflare

Getting Started With SlideShare

SlideShare

What's hot

What's New at Cloudflare

Cloudflare

Recent DDoS attack trends, and how you should respond

Cloudflare

Botconf ppt

Cloudflare

Fadi Abdulwahab

MRA AMA Part 6: Service Mesh Models

NGINX, Inc.

Node JS reverse shell

Madhu Akula

Sullivan heartbleed-defcon22 2014

Cloudflare

MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App

NGINX, Inc.

Microservices Security: dos and don'ts

Minded Security

Secure Your Apps with NGINX Plus and the ModSecurity WAF

NGINX, Inc.

Behind the scene of malware operators. Insights and countermeasures. CONFiden...

Marco Balduzzi

Network Security in 2016

Qrator Labs

AWS - Como llevar un banco a la nube?

Mauricio Ferreyra

Securing Internal Applications with Cloudflare Access

Cloudflare

Security in microservices architectures

inovia

Running a Robust DNS Infrastructure with CloudFlare Virtual DNS

Cloudflare

Windows Azure Security & Compliance

Nuno Godinho

What You Should Know Before The Next DDoS Attack

Cloudflare

Attacking VPN's

n|u - The Open Security Community

CSA Presentation - Software Defined Perimeter

Vishwas Manral

What's hot (20)

What's New at Cloudflare

Recent DDoS attack trends, and how you should respond

Botconf ppt

Cloudflare

MRA AMA Part 6: Service Mesh Models

Node JS reverse shell

Sullivan heartbleed-defcon22 2014

MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App

Microservices Security: dos and don'ts

Secure Your Apps with NGINX Plus and the ModSecurity WAF

Behind the scene of malware operators. Insights and countermeasures. CONFiden...

Network Security in 2016

AWS - Como llevar un banco a la nube?

Securing Internal Applications with Cloudflare Access

Security in microservices architectures

Running a Robust DNS Infrastructure with CloudFlare Virtual DNS

Windows Azure Security & Compliance

What You Should Know Before The Next DDoS Attack

Attacking VPN's

CSA Presentation - Software Defined Perimeter

Viewers also liked

Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare

Cloudflare

Getting Started With SlideShare

SlideShare

2015 Upload Campaigns Calendar - SlideShare

SlideShare

What to Upload to SlideShare

SlideShare

Go Containers

Cloudflare

Running Secure Server Software on Insecure Hardware Without Parachute

Cloudflare

In today’s world, you may not know if the hardware you are running software on is secure or not. How can you ensure that, regardless of the hardware security, the software stays protected? CloudFlare’s systems engineer, Nick Sullivan shares advanced techniques on how to protect your server software. These techniques include anti-reverse engineering methods, secure key management and designing a system for renewal.

Sullivan red october-oscon-2014

Cloudflare

This talk is about the creation of a new security tool, Red October. Red October can be used to enforce the two-person rule for access to critical data, helping keep company data protected from insider threats. The security industry tends to be less open about the details of how their software works than other parts of the software industry. This project was created to tackle the practical challenges of traditional security compliance, but inspired by an open source mentality. By taking a vague set of regulatory requirements we devised a user-friendly tool that solves a broader problem that is an issue for many small organizations. This talk will teach people about cryptography and division of responsibility in key management, a very important consideration when moving a business to the cloud. It will also help show where to draw the line between using existing cryptographic and security mechanisms, and building your own.

Secure 2013 PolandCloudflare

SortaSQL

Cloudflare

WordPress London Meetup January 2012Cloudflare

A Channel Compendium

Cloudflare

Go Profiling - John Graham-Cumming Cloudflare

Sullivan randomness-infiltrate 2014

Cloudflare

Many information security systems rely on cryptographic schemes that need truly random numbers be secure. In recent months there have been several high profile news stories about weaknesses or potential compromises in both software and hardware random number generators. A compromised random number generator is difficult to catch because it can output random looking data that is predictable to an attacker only. In this talk I describe how to go from knowledge of a weakness in a random number generator to a full security compromise. We will look at examples including how to fully decrypt a TLS stream, how to compromise a bitcoin wallet by looking at the ECDSA signatures on the public block chain, how to factor improperly generated RSA keys, and more. There will be live demos and discussions of interesting ways to pull off these attacks.

A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...SlideShare

How to Make Awesome SlideShares: Tips & Tricks

SlideShare

Virus Bulletin 2012Cloudflare

Secure Your APIs with Amazon API Gateway

Mohammed Badran

Viewers also liked (17)

Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare

Getting Started With SlideShare

2015 Upload Campaigns Calendar - SlideShare

What to Upload to SlideShare

Go Containers

Running Secure Server Software on Insecure Hardware Without Parachute

Sullivan red october-oscon-2014

Secure 2013 Poland

SortaSQL

WordPress London Meetup January 2012

A Channel Compendium

Go Profiling - John Graham-Cumming

Sullivan randomness-infiltrate 2014

A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ...

How to Make Awesome SlideShares: Tips & Tricks

Virus Bulletin 2012

Secure Your APIs with Amazon API Gateway

Similar to Hardening Microservices Security: Building a Layered Defense Strategy

Protecting microservices using secure design patterns 1.0

Trupti Shiralkar, CISSP

Presentation copy

Adel Zalok

Zerotrusting serverless applications protecting microservices using secure d...

Trupti Shiralkar, CISSP

Security overview of cloud computing.pptx

NeyaShree1

Security in cloud computing kashyap kunalKashyap Kunal

SC-900 Concepts of Security, Compliance, and Identity

FredBrandonAuthorMCP

Microservices: Where do they fit within a rapidly evolving integration archit...

Kim Clark

Do microservices force us to look differently at the way we lay down and evolve our integration architecture, or are they purely about how we build applications? Are microservices a new concept, or an evolution of the many ideas that came before them? What is the relationship between microservices and other key initiatives such as APIs, SOA, and Agile. In this session, we will unpick what microservices really are, and indeed what they are not. We will consider whether there is something unique about this particular point time in technology that has enables microservice concepts to take hold. Finally, we will look at if, when, where and how an enterprise can take on the benefits of microservices, and what products and technologies are applicable for that journey.

Surviving microservices

Francesco Degrassi

With microservices gone mainstream a few years ago, many organizations have now adopted them; even though all are paying the price in terms of training, solution complexity and operational costs, few are reaping the promised benefits. Lower velocity, quality and performance issues, along with an overall lack of visibility are what we hear about most often. In this session, working from our experience as advisors to software development teams, we’ll walk you through some of the symptoms you might experience, their possible causes and some potential solutions.

Single Sign-on Authentication Model for Cloud Computing using Kerberos

Deepak Bagga

ABSTRACT In today’s organizations need for several new resources and storage requirements for terabytes of data is generated every day. Cloud computing provides solution for this in a cost effective and efficient manner. Cloud computing provides on demand resources as services to clients. Cloud is highly scalable and flexible. Although it is benefiting the clients in several ways but as data is stored remotely it has many security loopholes like attacks, data lose, other security and authentication issues. In this paper we are proposing an authentication model for cloud computing based on the Kerberos protocol to provide single sign-on and to prevent against DDOS attacks. This model can benefit by filtering against unauthorized access and to reduce the burden, computation and memory usage of cloud against authentication checks for each client. It acts as a third party between cloud servers and clients to allow secure access to cloud services. In this paper we will see some of the related work for cloud security issues and attacks. Then in next section we will discuss the proposed architecture, its working and sequential process of message transmission. Next we will see how it can prevent against DDOS attacks, some benefits and how it provides single sign-on.

Blackhat 2014 Conference and Defcon 22

dandb-technology

اساليب البرمجيات الحديثة Modern Software Development

Mohamed Galal

في الفيديوهات دي بيتم توضيح بعض التطورات اللي حصلت في صناعة البرمجيات من حيث ال Software Life Cycle و ال Architecture الجديد زي ال Micro-services و طرق تخزين البيانات الجديدة و طرق ال Deployment الجديدة وكمان المهام الذكية اللي بقت بتطلب من الSoftware. يمكنكم متابعة مقالاتي التقنية على الرابط التالي http://galaldev.blogspot.com.eg/ ويمكنكم متابعتي على Facebook على الرابط التالي https://www.facebook.com/galaldev رابط فيديو المحاضرة https://www.youtube.com/playlist?list=PLLFqEKhpE3ZVDzWCiJzmfiBmeB-ZnaAyX

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Mark Simos

APIs from the Edge to the Mesh

Nordic APIs

For a long time APIs have largely been an exercise at the edge of complexity. They provide an engaging interface to attract developers, perhaps an underlying platform to monitor their consumption, and a means for those interested in whatever drives our backend to manage that success. That type interaction demands a certain type of interaction. But what happens in a backend world of microservices? Do we really have the same API needs and flexibility concerns at the mesh that we do at the edge and how might we best address these two worlds going forward? I will present the case for edge, the case for the mesh and try to bridge whatever space we have between them: chasm or ditch.

Azure Fundamentals Part 3

CCG

Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...

Priyanka Aash

Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity occurring inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is, that barrier has meant that a large number of organizations haven't dedicated those resources to this problem and therefore operate without sufficient detection and response capabilities that monitor their cloud accounts for compromise. Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting crypto-currency mining to identifying bot-infected systems to alerting on suspicious cloud credential usage to triggering on cloud-specific methods of data exfiltration, these new services aim to make these kinds of detections much easier and simpler to centrally manage. But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization? Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.

[배포용_최종] CISSP협회 제72회 정보보호리더십세미나_Cybersecurity Mesh, Identity First_v1.0.pdf

james yoo

CWIN17 Utrecht / cg u services - frank van der wal

Capgemini

Multilevel Security and Authentication System

paperpublications3

Abstract: In an online security, authentication plays a crucial role in shielding resources against unauthorized and illegal use of information. Authentication processes may differ from simple password based authentication system to complex, costly and computation strengthened authentication systems. In recent days, increasing security has always been an important issue since Internet and Web Development came into actuality. Text based password is not enough to counter such problems, which is also an obsolete approach now. Consequently, this demands the need for something more secure along with being more user-friendly. Therefore, we have strained to rise the security by involving a multiple level security tactic, involving Text based using Cryptography, Grid Authentication and Image Based Password. The cryptography technique is very essential for the text based password while encrypting it with the principle of substitution method like Caesar Cipher. Session passwords are also necessary for eliminating the time factor attacks such as Brute Force attack. Grid Authentication makes the system more dynamic due ever changing nature. Image based authentication makes the system more user friendly, reliable and secure.Keywords: Cryptography, Grid Authentication, Image Based Password, Shoulder Attack. Title: Multilevel Security and Authentication System Author: Pratik Anap, Sanjay Gholap, Prasad Anpat, Abhijit Bhapkar International Journal of Recent Research in Mathematics Computer Science and Information Technology ISSN 2350-1022 Paper Publications

SSL VPN Evaluation Guide

Array Networks

Remote connectivity is crucial for enterprise productivity and SSL has gained fast popularity as a remote access tool. In fact, SSL VPNs as a technology have shown promise in eliminating many of the client side issues associated with IPSec, and other forms of remote access. Furthermore, SSL VPNs offer a smooth migration to a more costeffective, easier to deploy remote access solution than IPSec. SSL VPN’s combination of flexibility and functionality makes it competitive with IPSec even when deployed for enterprise’s “power users.” In today’s crowded SSL VPN market, it’s easy to become overwhelmed by the wide range of solutions available. Obviously, there are many factors to consider when purchasing an SSL VPN product, and you want to make the best choice possible. This SSL VPN Evaluation Guide serves as an important resource in identifying, describing, and prioritizing the criteria you should consider when selecting an SSL VPN provider that best fits the needs of your organization. Selection Criteria In coming up with a selection criteria, the functions offered by SSL VPNs have to be evaluated against two key aspects: security and user experience. A truly successful deployment of a secure access solution cannot be achieved without taking both aspects into consideration. Look for an SSL VPN that can also serve the organization’s longterm needs, integrates seamlessly with the network architecture, and provides powerful management tools. The optimal provider will exceed in these key areas: n Performance and scalability n Security n Ease of use n Company reputation n Technology leadership

A Gentle introduction to microservices

Gianluca Padovani

Cosa sono i microservizi? Perché li devo usare? Sono una moda? In alcuni dicono che siano una soluzione "standard", altri dicono che non si dovrebbero usare, altri ne negano l'esistenza... Ma chi sviluppa software e deve portare a casa un po' di software che funziona... cosa deve fare? Proviamo a vedere e a capire da dove arrivano, cosa sono e quali caratteristiche hanno, in modo da fare in ogni contesto una scelta una consapevole.

Similar to Hardening Microservices Security: Building a Layered Defense Strategy (20)

Protecting microservices using secure design patterns 1.0

Presentation copy

Zerotrusting serverless applications protecting microservices using secure d...

Security overview of cloud computing.pptx

Security in cloud computing kashyap kunal

SC-900 Concepts of Security, Compliance, and Identity

Microservices: Where do they fit within a rapidly evolving integration archit...

Surviving microservices

Single Sign-on Authentication Model for Cloud Computing using Kerberos

Blackhat 2014 Conference and Defcon 22

اساليب البرمجيات الحديثة Modern Software Development

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

APIs from the Edge to the Mesh

Azure Fundamentals Part 3

Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...

[배포용_최종] CISSP협회 제72회 정보보호리더십세미나_Cybersecurity Mesh, Identity First_v1.0.pdf

CWIN17 Utrecht / cg u services - frank van der wal

Multilevel Security and Authentication System

SSL VPN Evaluation Guide

A Gentle introduction to microservices

More from Cloudflare

Succeeding with Secure Access Service Edge (SASE)

Cloudflare

With the emergence of the Secure Access Service Edge (SASE), network and security professionals are struggling to build a migration plan for this new platform that adapts to the distributed nature of users and data. SASE promises to reduce complexity and cost, improve performance, increase accessibility and enhance security. The question is: How do you gain these benefits as you work towards implementing a SASE architecture? View to learn: -Why SASE should be less complicated than many vendors are making it -What to look for when evaluating a migration to a SASE platform -A 3 month, 6 month, and 12 month roadmap for implementation -How Cloudflare One, a purpose-built SASE platform, delivers on these promised benefits

Close your security gaps and get 100% of your traffic protected with Cloudflare

Cloudflare

The Gaming & Gambling industry has been the target of increasingly sophisticated cyber attacks in recent years, ranging from automated bots carrying out credential stuffing and intellectual property scraping to Layer 3 DDoS attacks, which can result in reduced network speed and performance, and in some cases loss of business when such incidents occur. View this presentation from Cloudflare security experts Stephane Nouvellon, Principal Solutions Engineer and Philip Björkman, Strategic Vertical Account Executive (EMEA Gaming & Gambling) to learn about: -How you can protect your business and improve the performance and reliability of your infrastructure, globally -Solutions to secure your organization's online traffic (all OSI layers) against bots and cyber attacks whilst improving the performance of your applications.

Why you should replace your d do s hardware appliance

Cloudflare

Don't Let Bots Ruin Your Holiday Business - Snackable Webinar

Cloudflare

Why Zero Trust Architecture Will Become the New Normal in 2021

Cloudflare

The COVID-19 pandemic brought changes no IT team was ready for: employees were sent home, customer interaction models changed, and cloud transformation efforts abruptly accelerated. Cloudflare recently commissioned Forrester Consulting to explore the impact of 2020 disruptions on security strategy and operations among companies of all sizes. To do so, they surveyed 317 global security decision makers from around the world. Join our guest Forrester VP, Principal Analyst, Chase Cunningham, and Cloudflare Go-To-Market Leader, Brian Parks, for an in-depth discussion of the survey results, followed by practical guidance for next year’s planning.

HARTMANN and Cloudflare Learn how healthcare providers can build resilient in...

Cloudflare

Zero trust for everybody: 3 ways to get there fast

Cloudflare

The COVID-19 pandemic has exposed the weaknesses of the traditional ‘castle-and-moat’ security model. Remote work has expanded attack surfaces infinitely outwards, and more than ever, organizations need to start from the assumption that their ‘castle’ is already compromised. Zero Trust has emerged as a compelling security framework to address the failures of existing perimeter-based security approaches. It’s aspirational, but not unachievable. At Cloudflare, we’re making complicated security challenges easier to solve. Since 2018, Cloudflare Access has helped thousands of organizations big and small take their first steps toward Zero Trust. In this presentation, Cloudflare will share their perspective on what the most successful organizations do first on their journey to Zero Trust. We’ll cover: -The Zero Trust framework, and our recommended ZT security model -How 3 organizations of differing size and security maturity have implemented Zero Trust access -Cloudflare’s Zero Trust implementation and lessons learned

LendingTree and Cloudflare: Ensuring zero trade-off between security and cust...

Cloudflare

Maintaining the right balance between security and customer experience is always challenging for online businesses. This challenge becomes even more relevant during this crisis as businesses face unprecedented levels of traffic and attacks. Tune in to learn how LendingTree leverages Cloudflare to strengthen their security posture while ensuring a superior online experience for their customers. Listen to security experts from LendingTree and Cloudflare as they discuss: Emerging attack vectors and tactics impacting online platforms Best practices for online businesses to overcome these threats How LendingTree leverages Cloudflare to maintain the right balance between security and business objectives

Network Transformation: What it is, and how it’s helping companies stay secur...

Cloudflare

Scaling service provider business with DDoS-mitigation-as-a-service

Cloudflare

Cybersecurity 2020 threat landscape and its implications (AMER)

Cloudflare

Cybersecurity decisions have direct implications to individuals, enterprises and organizations but also have broader societal implications than ever before. In 2020 and beyond, technology promises to change our own experience and enhance our way of life, and those of our customers, significantly. This reliance and targeting have been magnified during COVID19, where the cybercriminals have sunk to new lows at the same time as that reliance on tech has increased. This session will explore how these technologies are going to change the experiences of our lives for the better and for the worse. It will explore the most recent cybersecurity breaches, predict the key security issues for 2020 and discuss current security priorities.

Strengthening security posture for modern-age SaaS providers

Cloudflare

Businesses become more resilient in times of crises. This is especially true for SaaS businesses that are facing unprecedented challenges in this environment. While some are catering to a surge in traffic, others are figuring out innovative solutions to retain their customers. In addition, increasing malicious attacks are straining the resources of these SaaS businesses. Now more than ever, it is important for SaaS providers to deliver an uninterrupted experience. One that is fast, secure, and reliable to their customers in a cost effective manner. Join this webcast to learn more about how ActiveCampaign leverages Cloudflare to deliver meaningful services to their end users.

Kentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks

Cloudflare

Stopping DDoS Attacks in North America

Cloudflare

In this webinar, learn from Cloudflare’s DDoS Protection Product Manager, Omer Yoachimik, about the recent attacks (both large and small) and how Cloudflare is uniquely positioned to help protect Internet properties on its network from DDoS attacks and cyber threats. In this webinar, you will learn: - DDoS attack trends to watch out for in 2020 - How Cloudflare detects & mitigates DDoS attacks - How can you protect your website and networks against DDoS attacks

It’s 9AM... Do you know what’s happening on your network?

Cloudflare

If you manage a corporate network, you’re responsible for protecting users from risky and malicious content online. Doing that well requires insight into the requests on your network, and the power to block risky content before it impacts your users. Legacy solutions have addressed this challenge by forcing the Internet through hardware onsite. Cloudflare has a better way. The all-new Cloudflare Gateway (part of the Cloudflare for Teams family), provides secure, intelligent DNS powered by the world’s fastest public DNS resolver. With Gateway, you can visualize your Internet traffic in one place. And with 100+ security and content filters at your fingertips, you can apply comprehensive Internet intelligence to protect global office networks in a matter of minutes. Join Irtefa, Product Manager for Cloudflare Gateway and AJ Gerstenhaber, Go to Market for Cloudflare for Teams, to discover a new way to protect your offices and teams from malware - no legacy firewalls required.

Cyber security fundamentals (simplified chinese)

Cloudflare

Bring speed and security to the intranet with cloudflare for teams

Cloudflare

Cloudflare was started to solve one half of every IT organization's challenge: how do you ensure the resources and infrastructure that you expose to the Internet are safe from attack, fast, and reliable? To deliver that, we built one of the world's largest networks. Today our network spans more than 200 cities worldwide and is within milliseconds of nearly everyone connected to the Intranet. Cloudflare for Teams is a new platform designed to solve the other half of every IT organization's challenge: ensuring the people and teams within an organization can safely access the tools they need to do their job. Now you can extend Cloudflare’s speed, reliability and protection to everything your team does on the Intranet. In this webinar, you’ll learn: - Common challenges of scaling security for your growing business - How to extend Zero Trust security principles to your internally managed applications - How to make Intranet access faster and safer for your employees

Accelerate your digital transformation

Cloudflare

In a highly competitive digital culture, businesses are intensifying their digital transformation efforts to expand their hybrid and multi-cloud cloud initiatives. As dependencies on legacy point solutions and architectures begin to diminish, developers are becoming increasingly influential in newly digitally transformed organizations. The need for increased agility, and speed is paramount. While CDNs have been a key fixture for many enterprise businesses to remediate global network latencies, new challenges have arisen with these solutions that are inhibiting agile workstyles. Join this webinar to learn the following: - The foundations of improving web performance - How the web performance market is evolving and the challenges faced by CDN providers - How Cloudflare supports your digital transformation

Cyber security fundamentals (Cantonese)

Cloudflare

Cloudflareのソリューションを使用して悪意のあるBot対策

Cloudflare

クラウドフレアはより良いインターネットの構築をミッションとした、ウェブパフォーマンス及びセキュリティのリーディングカンパニーです。現在、クラウドフレアでは約2,200万以上のWebサイト、API、SaaSサービスなどの高速化サービスおよび様々な脅威な攻撃をネットワークのエッジで防御を行っています。クラウドフレアのネットワークでは毎月10兆件以上のインターネットリクエストが送信され、その数は全世界28億人以上のインターネットリクエストのほぼ10%を占めています。このセッションでは、世界最大規模のネットワークを運用するクラウドフレアだからこそ可能な、パフォーマンスに影響ないDDoS攻撃防御、アプリケーションセキュリティ、ゼロトラスト・セキュリティをご紹介いたします。 - クラウドフレアのサービス概要 - 多重セキュリティによるレイヤー７攻撃の対策 - Bot managementの導入方法及び導入事例 - ダッシュボードデモ - Q&Aセッション

More from Cloudflare (20)

Succeeding with Secure Access Service Edge (SASE)

Close your security gaps and get 100% of your traffic protected with Cloudflare

Why you should replace your d do s hardware appliance

Don't Let Bots Ruin Your Holiday Business - Snackable Webinar

Why Zero Trust Architecture Will Become the New Normal in 2021

HARTMANN and Cloudflare Learn how healthcare providers can build resilient in...

Zero trust for everybody: 3 ways to get there fast

LendingTree and Cloudflare: Ensuring zero trade-off between security and cust...

Network Transformation: What it is, and how it’s helping companies stay secur...

Scaling service provider business with DDoS-mitigation-as-a-service

Cybersecurity 2020 threat landscape and its implications (AMER)

Strengthening security posture for modern-age SaaS providers

Kentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks

Stopping DDoS Attacks in North America

It’s 9AM... Do you know what’s happening on your network?

Cyber security fundamentals (simplified chinese)

Bring speed and security to the intranet with cloudflare for teams

Accelerate your digital transformation

Cyber security fundamentals (Cantonese)

Cloudflareのソリューションを使用して悪意のあるBot対策

Recently uploaded

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

The Future of Platform Engineering

Jemma Hussein Allen

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Free Complete Python - A step towards Data Science

RinaMondal9

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

Quantum Computing: Current Landscape and the Future Role of APIs

Vlad Stirbu

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

The Metaverse and AI: how can decision-makers harness the Metaverse for their...

Jen Stirrup

The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives? How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.

Recently uploaded (20)

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Video Streaming: Then, Now, and in the Future

Climate Impact of Software Testing at Nordic Testing Days

By Design, not by Accident - Agile Venture Bolzano 2024

Elevating Tactical DDD Patterns Through Object Calisthenics

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

The Future of Platform Engineering

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Free Complete Python - A step towards Data Science

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Quantum Computing: Current Landscape and the Future Role of APIs

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

GraphRAG is All You need? LLM & Knowledge Graph

The Art of the Pitch: WordPress Relationships and Sales

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

The Metaverse and AI: how can decision-makers harness the Metaverse for their...

Hardening Microservices Security: Building a Layered Defense Strategy

1. Securing Microservices Threat Modelling and Session Security Presented by David Hoelzer (SANS) and Matt Silverlock (CloudFlare)

2. What is a "microservice"? (and what security challenges do they bring?)

3. What is a microservice? ● Modular approach to building services. ● Reinvention of the Service Orientated Architecture (SOA) model. ● Micro-services often declare API contracts, but development & deployment are self-contained.

4. What is a microservice? Benefits ● Less coupling: easier to reason about changes. ● Apply the most appropriate technology to the problem at hand ● Better suits larger organizations with multiple teams. ● Easier to test when self-contained: less infrastructure to spin up when iterating.

5. What is a microservice? Challenges ● Multiple moving parts: more surface area to secure as services communicate to each other. ● Can add complexity into smaller organizations: more tech stacks to maintain, update and patch. ● The need to define formal API contracts so that services can reliably communicate to each other with different development cycles.

6. Threat Modelling Understand what you're defending against.

7. Threat Modelling ● Stop thinking about what it’s supposed to do ○ Stand back and try to think about how someone could abuse it ○ Start where you have security mitigations ○ Next, think about where you don’t and the assumptions made

8. Threat Modelling

9. Threat Modelling

10. Threat Modelling

11. What’s the Point? ● Organizations have many mitigations ○ Firewalls, AV, IDS, etc. ● The threat is not clearly identified by any single activity ○ It’s the behavior rather than a signature

12. What’s the Point for Microservices? ● Monolithic Web Applications ○ Session issues are a very well known problem ● Microservices ○ We still have sessions, but they are often far more stateless! ○ How do we define an authenticated “session”? ○ Are there behaviors that we can defend against?

13. Microservices Session Threat

14. Microservices Session Impersonation

15. Threat Modelling ● Everyone watches for repeated authentication failures ○ Do you currently include anything in the session verification process?

16. Threat Modelling ● API keys are a possible approach ○ Issue public/private keypair ○ All requests must be signed with public key ■ more computation, but not awful ● How critical is it that the API keys are protected by end users or apps?

17. Threat Modelling ● Session issues are not new ○ Microservices changes the game since these are inherently non-monolithic applications ○ It is critical that the, “We do one thing well” philosophy include a thoughtful analysis of potential threats and exposures ● Requires threat-focused defensive coding

18. Layered Defenses There are no silver bullets.

19. Layered Defenses ● Offload work to the network edge: validate traffic (firewall, reputation, rate limiting) before it reaches your services.

20. Layered Defenses ● Protect your resources: prevent outside attackers from consuming resources (spawning more containers may not be the solution)

21. Layered Defenses ● Protect your data: multiple discrete services now accessing shared datastores. Each service should only access what it needs, and no more.

22. Layered Defenses ● Secure containers: authenticate endpoints, support revocation, and keep images updated.

23. Layered Defenses ● Know what you're running: always pulling down the latest image from an image repository or from GitHub may not be a great idea.

24. Layered Defenses ● Manage secrets: do your microservices have access to the secrets they need, and only the secrets they need?

25. Questions & Answers

Hardening Microservices Security: Building a Layered Defense Strategy

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (17)

Similar to Hardening Microservices Security: Building a Layered Defense Strategy

Similar to Hardening Microservices Security: Building a Layered Defense Strategy (20)

More from Cloudflare

More from Cloudflare (20)

Recently uploaded

Recently uploaded (20)

Hardening Microservices Security: Building a Layered Defense Strategy