Date posted: 06-Jan-2017
Category: Technology
Uploaded by: amazon-web-services
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
HOW NIKE USES A MULTI-LAYER, END-TO-END SECURITY APPROACH TO PROTECT MICROSERVICE-BASED SOLUTIONS AT SCALE
MICROSERVICES, MACRO SECURITY NEEDS
NOVEMBER 29, 2016
ANDREW FLAVELL, NIKE INC
(SEC307)
WHAT YOU SHOULD LEARN FROM US.
KEY TAKEAWAYS
LAYERED SECURITY
COMMUNICATION MODELS
MANAGING SECRETS
SERVE EVERY ATHLETE* PERSONALLY
NIKE DIGITAL MISSION
*IF YOU HAVE A BODY, YOU’RE AN ATHLETE.
DELIVER THE MOST CONNECTED
PORTFOLIO OF DIGITAL PRODUCTS AND
SERVICES TO PERSONALLY SERVE
ATHLETES* TO BE THEIR BEST
NIKE DIGITAL VISION
NIKE RETAIL, NIKE.COM, SNKRS, NIKE+, N+RC, N+TC, LIVE EVENTS
OUR WORK
PAST - PRESENT - FUTURE
PAST
DATACENTERS
MONOLITHS
BIG BANG RELEASES
TRUSTED NETWORK/PERIMETER SECURITY MODEL
PRESENT - FUTURE
CLOUD
MICROSERVICES
CI/CD/AGILE
ZERO TRUST SECURITY MODEL
PRINCIPLE OF LEAST PRIVILEGE
ZERO-TRUST MODEL OVER PERIMETER MODEL
AUTOMATION
SELF-SERVICE
PRINCIPLES
FOUNDATIONAL ELEMENTS
AUTHENTICATION, AUTHORIZATION, ENCRYPTION
LAYERED SECURITY
LAYERED SECURITY
PEOPLE/IAM
PHYSICAL SECURITY
NETWORK
AWS SERVICES
EC2 INSTANCES
LAYERED SECURITY: PHYSICAL SECURITY
EACH EMPLOYEE HAS A BADGE FOR AUTHENTICATION
NIKE FACILITIES REQUIRE BADGES FOR ENTRY
PHYSICAL MFA TOKEN DEVICES
LAYERED SECURITY: PEOPLE/IAM
AUTHENTICATION, AUTHORIZATION
[Diagram: on the NIKE side, users authenticate to the SSO PROVIDER; SINGLE SIGN ON/FEDERATION maps them into AWS IAM roles (ROLE 1, ROLE 2, ROLE 3) on the AMAZON side]
LAYERED SECURITY: NETWORK
ROUTING
VPCS
VPC ACLS
SECURITY GROUPS
ONLY HAVE PUBLIC ENDPOINTS BE ROUTABLE
VPC EDGES LIMIT THE “BLAST RADIUS” OF COMPROMISE
LIMIT INGRESS USING PRINCIPLE OF LEAST PRIVILEGE
LIMIT COMMUNICATIONS BASED ON PRINCIPLE OF LEAST PRIVILEGE
LAYERED SECURITY: AWS SERVICES
[Diagram: SERVICE 1 and SERVICE 2 reach the S3 BUCKET, SNS TOPIC and DYNAMO DB only through IAM]
LAYERED SECURITY: EC2 INSTANCES
SECURITY GROUPS
MUST USE A SECURITY SUITE THAT INCLUDES AV, IDS, IPS, FIM
PATCHING
“IMMUTABLE” AMIS
SECURE CENTRAL CONFIGURATION MANAGEMENT
COMMUNICATION MODELS
COMMUNICATION MODELS
[Diagram: NIKE DEVELOPER, CONSUMER and NIKE BUSINESS USER enter AWS through the API GATEWAY; each domain (DOMAIN1.NIKECLOUD.COM, DOMAIN2.NIKECLOUD.COM) has SERVICE DISCOVERY, an AMAZON ELB, an EDGE ROUTER, SERVICES and a DATA STORE]
CONSUMER AND INTERNAL BUSINESS USER
[Diagram: CONSUMER -> API.NIKE.COM (API GATEWAY, OAUTH SERVICES) -> DOMAIN1.NIKECLOUD.COM (AMAZON ELB -> EDGE ROUTER -> SERVICES on EC2 -> DATA STORE, located via SERVICE DISCOVERY)]
REST + TLS + AUTH TOKEN (OAUTH, JWT)
INTER-DOMAIN APP-TO-APP
[Diagram: DOMAIN 1 (SERVICE DISCOVERY, AMAZON ELB, EDGE ROUTER, SERVICE 1, DATA STORE) calls DOMAIN 2 (DOMAIN2.NIKECLOUD.COM: SERVICE DISCOVERY, AMAZON ELB, EDGE ROUTER, SERVICE 2, DATA STORE) over the PUBLIC INTERNET]
REST + TLS + AUTH TOKEN (OAUTH, JWT)
INTRA-DOMAIN APP-TO-APP
[Diagram: SERVICE 1, SERVICE 2 and SERVICE 3 inside one DOMAIN on the PRIVATE NETWORK, found via SERVICE DISCOVERY; SERVICE 1 SECURITY GROUP and SERVICE 2 SECURITY GROUP, with the rule on SERVICE 2: ALLOW FROM S1]
REST + TLS + SG
DEVELOPER
[Diagram: the DEVELOPER, authenticated against the CORPORATE DIRECTORY, reaches AWS over DIRECT CONNECT and SSH through PROXY.NIKE.COM (an EC2 instance with an EIP) and a NAT into the DOMAIN; NIKE INFRASTRUCTURE SECURITY GROUP RULE: ALLOW NAT EIP]
SSH + DIRECTORY SERVICES + SG
INTRA-DOMAIN APP-TO-DATA STORE
[Diagram: SERVICE A (SERVICE A SECURITY GROUP) reaches the DATA STORE (DATA STORE SECURITY GROUP, RULE: ALLOW FROM SERVICE A) inside the DOMAIN via SERVICE DISCOVERY]
DS PROTOCOL + PWDS + SGS + ENCRYPT
MANAGING SECRETS
CERBERUS
SECRETS SOLUTIONS: CERBERUS
CERBERUS COMPONENTS
HASHICORP VAULT
CERBERUS MANAGEMENT SERVICE
CLOUD APPLICATION
CERBERUS MANAGEMENT DASHBOARD ASSETS
ROUTER {REST API}
USER
IAM ROLE BASED AUTHENTICATION
USER AUTHENTICATION VIA SSO PROVIDER
CLOUD NATIVE OPERATIONS/INFRASTRUCTURE
UI FOR MANAGING ACCESS CONTROL AND SECRETS
WHAT CERBERUS ADDS TO VAULT
IAM ROLE AUTHENTICATION
[Sequence diagram, built up across several slides; participants: APPLICATION, EC2 INSTANCE METADATA SERVICE, CERBERUS, AWS KMS]
1. APPLICATION -> EC2 INSTANCE METADATA SERVICE: GET IAM ROLES
2. EC2 INSTANCE METADATA SERVICE -> APPLICATION: IAM ROLES
3. APPLICATION -> CERBERUS: AUTHENTICATE (IAM ROLE, REGION)
4. CERBERUS: GENERATE AUTHENTICATION TOKEN
5. CERBERUS -> AWS KMS: CREATE CMK (IAM ROLE, REGION)
6. AWS KMS -> CERBERUS: CMK ID
7. CERBERUS -> AWS KMS: ENCRYPT (AUTH TOKEN, CMK ID)
8. AWS KMS -> CERBERUS: ENCRYPTED AUTH TOKEN
9. CERBERUS -> APPLICATION: AUTH RESPONSE, INCLUDING ENCRYPTED AUTH TOKEN
10. APPLICATION -> AWS KMS: DECRYPT (REGION, CMK ID, ENCRYPTED AUTH TOKEN)
11. AWS KMS -> APPLICATION: DECRYPTED AUTH TOKEN
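The sequence above as an added simulation, not Cerberus's own code: MockKms, Cerberus, app_login and the sample role ARNs are constructed stand-ins. It shows why handing back the token only encrypted under a CMK whose key policy names the caller's IAM role makes the KMS Decrypt call itself the proof of identity: a holder of a different role, or the same role in another region, cannot recover the token from the auth response.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class MockKms:
    """Constructed stand-in for AWS KMS. Each CMK carries a key policy naming the one
    IAM role (and region) allowed to Decrypt with it. Real KMS derives the caller from
    the request signature; the mock takes it as an explicit argument."""
    policies: dict = field(default_factory=dict)  # cmk_id -> (iam_role, region)
    blobs: dict = field(default_factory=dict)     # ciphertext handle -> (cmk_id, plaintext)

    def create_cmk(self, iam_role, region):       # CREATE CMK (IAM ROLE, REGION) -> CMK ID
        cmk_id = "cmk-" + secrets.token_hex(4)
        self.policies[cmk_id] = (iam_role, region)
        return cmk_id

    def encrypt(self, cmk_id, plaintext):         # ENCRYPT (AUTH TOKEN, CMK ID) -> ENCRYPTED AUTH TOKEN
        handle = secrets.token_hex(8)             # opaque to callers; the mock keeps plaintext server-side
        self.blobs[handle] = (cmk_id, plaintext)
        return handle

    def decrypt(self, caller_role, region, cmk_id, handle):  # DECRYPT (REGION, CMK ID, ENCRYPTED AUTH TOKEN)
        if self.policies.get(cmk_id) != (caller_role, region):
            raise PermissionError(f"{caller_role} is not allowed to decrypt with {cmk_id}")
        key_used, plaintext = self.blobs[handle]
        if key_used != cmk_id:
            raise ValueError("ciphertext was not produced under this CMK")
        return plaintext


class Cerberus:
    """Cerberus Management Service side: issues a token but returns it only encrypted
    under the CMK bound to the IAM role the caller claims."""
    def __init__(self, kms):
        self.kms, self.cmks, self.issued_to = kms, {}, {}

    def authenticate(self, iam_role, region):     # AUTHENTICATE (IAM ROLE, REGION) -> AUTH RESPONSE
        token = secrets.token_urlsafe(16)         # GENERATE AUTHENTICATION TOKEN
        self.issued_to[token] = iam_role
        if (iam_role, region) not in self.cmks:   # one CMK per (role, region), created on first use
            self.cmks[(iam_role, region)] = self.kms.create_cmk(iam_role, region)
        cmk_id = self.cmks[(iam_role, region)]
        return {"region": region, "cmk_id": cmk_id, "encrypted_token": self.kms.encrypt(cmk_id, token)}


def app_login(kms, cerberus, imds_role, region):
    """Application side. imds_role stands in for the answer to GET IAM ROLES from the EC2
    instance metadata service; holding that role is what lets the KMS Decrypt succeed."""
    resp = cerberus.authenticate(imds_role, region)
    return kms.decrypt(imds_role, resp["region"], resp["cmk_id"], resp["encrypted_token"])
```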
MANAGE DATABASE PASSWORDS
MANAGE (STORE, RETRIEVE, ROTATE) API KEYS
STORE/RETRIEVE JWT TOKENS
GENERAL-PURPOSE RUN-TIME CONFIG STORE
HOW WE USE CERBERUS AT NIKE
DEMO
WHAT YOU LEARNT FROM US.
KEY TAKEAWAYS
LAYERED SECURITY
COMMUNICATION MODELS
MANAGING SECRETS
CHECK OUT
WHERE TO LEARN MORE
CERBERUS
CERBERUS ON GITHUB: HTTPS://GITHUB.COM/NIKE-INC/CERBERUS
NIKE OSS
WINGTIPS
FASTBREAK
BACKSTOPPER
CERBERUS
NIKE GITHUB: HTTP://NIKE-INC.GITHUB.IO/
QUESTIONS?
Thank you!