Data Protection in the Cloud with Spring Cloud Vault

25.4.2018

Presentation and demos: https://github.com/andifalk/jax-2018-spring-vault

Andreas Falk (@andifalk)

NovaTec Consulting GmbH (Stuttgart/Germany)

EU General Data Protection Regulation

(DSGVO / GDPR)

Applicable law from 25 May 2018!


Source: GDPR’s Missing Link Report (senzing.com/gdpr)

Article 32

(Security of processing)

“ Taking into account the state of the art, ... the controller ... shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; these measures shall include, inter alia: (a) the pseudonymisation and encryption of personal data ... ”

Source: eur-lex.europa.eu

A3: Sensitive Data Exposure

https://github.com/OWASP/Top10

Typical Sensitive Data

Passwords

Service credentials (DB, Messaging, ...)

OAuth2 client secrets

Encryption keys

Credit card numbers

Personal data

application.yaml

Database access credentials


    spring:
        datasource:
            url: jdbc:postgresql://localhost/test
            username: root
            password: mysupersecretpassword
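The application.yaml above is the anti-pattern the rest of the talk addresses: a database password committed in plain text beside the connection URL. A cheap first check is to scan configuration files for secret-looking keys whose values are literals rather than placeholders resolved at start-up (from Vault, the Config Server or the environment). The following scanner is an added example, not code from the talk or from Spring; the key patterns, the placeholder convention `${...}` and the two sample configurations are constructed for the demo.

```python
import re

# Keys whose values are likely credentials (constructed list; extend for your project).
# Matched against the last component of a dotted or nested key.
SECRET_KEY_PATTERN = re.compile(
    r"(password|passwd|secret|token|credential|api[-_]?key|private[-_]?key)$",
    re.IGNORECASE,
)
# Values that reference an external source instead of containing the secret:
# ${PLACEHOLDER} (Spring property / environment), <fill-me-in>, or an empty value.
PLACEHOLDER_PATTERN = re.compile(r"^\$\{[^}]+\}$|^<[^>]+>$|^$")
# One YAML "key: value" line or one .properties "key=value" line.
LINE_PATTERN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[:=]\s*(.*?)\s*$")

# Constructed sample: the application.yaml from the slide.
SAMPLE_CONFIG = """\
spring:
  datasource:
    url: jdbc:postgresql://localhost/test
    username: root
    password: mysupersecretpassword
"""

# Constructed sample: one externalised value, two hard-coded ones.
SAMPLE_PROPERTIES = """\
# externalised: the value is injected from Vault / the environment at start-up
spring.datasource.password=${DB_PASSWORD}
my.oauth2.client-secret=abc123
spring.cloud.config.token = YourVaultToken
"""


def find_plaintext_secrets(text):
    """Return (line_number, key, value) for every config line that hard-codes a secret.

    Comment lines are skipped. A value is treated as externalised (and not reported)
    when it is empty or a ${...} / <...> placeholder.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        match = LINE_PATTERN.match(line)
        if not match:
            continue
        key, value = match.groups()
        leaf = key.rsplit(".", 1)[-1]          # "spring.datasource.password" -> "password"
        value = value.strip("\"'")             # tolerate quoted values
        if SECRET_KEY_PATTERN.search(leaf) and not PLACEHOLDER_PATTERN.match(value):
            findings.append((number, key, value))
    return findings


if __name__ == "__main__":
    for name, text in (("application.yaml", SAMPLE_CONFIG), ("application.properties", SAMPLE_PROPERTIES)):
        for number, key, _ in find_plaintext_secrets(text):
            print(f"{name}:{number}: hard-coded secret in '{key}'")
```

Wire a check like this into the CI pipeline or a pre-commit hook; once the datasource password is served from Vault and only `${...}` placeholders remain in the repository, the scan comes back empty.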

Key Management

How to protect the key encrypting key?

“There is no alien technology
to mitigate all the risks”

Justin Smith (CSO @ Pivotal)

https://youtu.be/MvPIthr4kXA

Key Management

Authentication

Data Security Evolution

Introduction

https://www.vaultproject.io

“A Security Swiss Army Knife”

Jeff Mitchell, Vault Lead, HashiCorp

A Tool for Managing Secrets like...

  • Tokens
  • Passwords
  • MFA
  • X.509 Certificates
  • API keys
  • DB credentials

Key Features

Secure Secret Storage

Dynamic Secrets

Data Encryption (AES cipher)

Leasing, Renewal & Revocation

Operational Features

Authentication

Authorization (ACL)

Audit Logs

High Availability Mode (HA)

Web UI (since v0.10)

Authorization (ACL)

my-policy.json

    path "secret/*" {
      capabilities = [
        "create", "read", "update",
        "delete", "list"
      ]
    }

    path "secret/super-secret" {
      capabilities = ["deny"]
    }

    $ vault write sys/policy/my-policy policy=@my-policy.json

    $ vault token create -policy=my-policy ...

Architecture I

Architecture II

Key Shares


https://www.cs.tau.ac.il/~bchor/Shamir.html
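Vault's unseal process splits the master key into key shares with Shamir's secret sharing (by default 5 shares with a threshold of 3), so that no single operator holds the key and any 3 holders together can reconstruct it. The implementation below is an added example of the scheme itself, not Vault's code: Vault works byte-wise in GF(2^8), whereas this version uses arithmetic modulo a large prime for readability. The secret, the share count and the threshold are constructed demo values.

```python
import secrets

# All arithmetic is done in the prime field GF(PRIME); secrets must be < PRIME.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, shares, threshold, rng=secrets.randbelow):
    """Split secret into `shares` points of which any `threshold` recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, p(i)). Fewer than `threshold` points leave the
    constant term completely undetermined.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit into the field")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares):
    """Recover p(0) from at least `threshold` distinct points by Lagrange interpolation."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        numerator, denominator = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                numerator = numerator * (-xj) % PRIME
                denominator = denominator * (xi - xj) % PRIME
        secret = (secret + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    return secret


# Constructed demo key; Vault's defaults are 5 shares with a threshold of 3.
DEMO_KEY = int.from_bytes(b"demo-master-key", "big")
DEMO_SHARES, DEMO_THRESHOLD = 5, 3


def unseal_demo():
    """Distribute the demo key and recover it from an arbitrary threshold-sized subset."""
    shares = split_secret(DEMO_KEY, DEMO_SHARES, DEMO_THRESHOLD)
    recovered = combine_shares([shares[0], shares[2], shares[4]])
    return recovered == DEMO_KEY


if __name__ == "__main__":
    print("unseal with 3 of 5 shares succeeded:", unseal_demo())
```

Because the polynomial coefficients are fresh random field elements, the reconstruction succeeds for every subset of the threshold size and fails for smaller ones; the test below checks both.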

Spring Vault

https://projects.spring.io/spring-vault

Encryption as a service

Spring Cloud Vault

https://cloud.spring.io/spring-cloud-vault

Secret vault mapping

bootstrap.properties


    spring.cloud.vault.generic.application-name = application1,additional/keys
    #spring.cloud.vault.application-name = ...
    #spring.application.name = ...

Mapped secret paths in vault


    /secret/application1
    /secret/application1/myprofile
    /secret/additional/keys
    /secret/application
    /secret/application/myprofile

Spring Cloud Config Vault Environment Repository

application.properties (Config Server)


    spring.profiles.active=git,vault
    spring.cloud.config.server.vault.host=127.0.0.1
    spring.cloud.config.server.vault.port=8200
    spring.cloud.config.server.vault.scheme=https

bootstrap.properties (Client)


    spring.cloud.config.token = YourVaultToken

Alternatives

Azure Key Vault

CredHub (Pivotal)

Hardware Security Modules (HSM)

But HSM...

...not Cloud Friendly or...

...quite expensive (AWS ~ 18000 $/year)

...and not 100% secure (“Confused Deputy”)

No Silver Bullets!!

Q&A

http://blog.novatec-gmbh.de

andreas.falk@novatec-gmbh.de

@andifalk


@Spring I/O (Barcelona)
24.5.2018
Spring Security 5.0 Hands-On Workshop

References

All images used are from Pixabay and are published under the Creative Commons CC0 license.

All logos used are trademarks of their respective companies.