AWS re:Invent 2016: Microservices, Macro Security Needs: How Nike Uses a Multi-Layer, End-to-End...


Upload: amazon-web-services

Post on 06-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: AWS re:Invent 2016: Microservices, Macro Security Needs: How Nike Uses a Multi-Layer, End-to-End Security Approach to Protect Microservice-Based Solutions at Scale (SEC307)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

HOW NIKE USES A MULTI-LAYER, END-TO-END SECURITY APPROACH TO PROTECT MICROSERVICE-BASED SOLUTIONS AT SCALE

MICROSERVICES, MACRO SECURITY NEEDS

NOVEMBER 29, 2016

ANDREW FLAVELL, NIKE INC

(SEC307)

Page 2

Page 3: KEY TAKEAWAYS

WHAT YOU SHOULD LEARN FROM US.

LAYERED SECURITY

COMMUNICATION MODELS

MANAGING SECRETS

Page 4: NIKE DIGITAL MISSION

SERVE EVERY ATHLETE* PERSONALLY

*IF YOU HAVE A BODY, YOU’RE AN ATHLETE.

Page 5: NIKE DIGITAL VISION

DELIVER THE MOST CONNECTED PORTFOLIO OF DIGITAL PRODUCTS AND SERVICES TO PERSONALLY SERVE ATHLETES* TO BE THEIR BEST

Page 6: OUR WORK

NIKE RETAIL, NIKE.COM, SNKRS, NIKE+, N+RC, N+TC, LIVE EVENTS

Page 7: PAST - PRESENT - FUTURE

PAST:

DATACENTERS

MONOLITHS

BIG BANG RELEASES

TRUSTED NETWORK/PERIMETER SECURITY MODEL

PRESENT - FUTURE:

CLOUD

MICROSERVICES

CI/CD/AGILE

ZERO TRUST SECURITY MODEL

Page 8: PRINCIPLES

PRINCIPLE OF LEAST PRIVILEGE

ZERO-TRUST MODEL OVER PERIMETER MODEL

AUTOMATION

SELF-SERVICE

Page 9: FOUNDATIONAL ELEMENTS

AUTHENTICATION

AUTHORIZATION

ENCRYPTION

Page 10: LAYERED SECURITY

Page 11: LAYERED SECURITY

LAYERS: PEOPLE/IAM, PHYSICAL SECURITY, NETWORK, AWS SERVICES, EC2 INSTANCES

Page 12: LAYERED SECURITY: PHYSICAL SECURITY

EACH EMPLOYEE HAS A BADGE FOR AUTHENTICATION

NIKE FACILITIES REQUIRE BADGES FOR ENTRY

PHYSICAL MFA TOKEN DEVICES

Page 13: LAYERED SECURITY: PEOPLE/IAM

DIAGRAM: NIKE (AUTHENTICATION): SSO PROVIDER -> SINGLE SIGN ON/FEDERATION -> AMAZON (AUTHORIZATION): IAM -> ROLE 1, ROLE 2, ROLE 3

Page 14: LAYERED SECURITY: NETWORK

ROUTING: ONLY HAVE PUBLIC ENDPOINTS BE ROUTABLE

VPCS: VPC EDGES LIMIT THE “BLAST RADIUS” OF COMPROMISE

VPC ACLS: LIMIT INGRESS USING PRINCIPLE OF LEAST PRIVILEGE

SECURITY GROUPS: LIMIT COMMUNICATIONS BASED ON PRINCIPLE OF LEAST PRIVILEGE

Page 15: LAYERED SECURITY: AWS SERVICES

DIAGRAM LABELS: SERVICE 1, SERVICE 2, S3 BUCKET, SNS TOPIC, DYNAMO DB, IAM

Page 16: LAYERED SECURITY: EC2 INSTANCES

SECURITY GROUPS

MUST USE A SECURITY SUITE THAT INCLUDES AV, IDS, IPS, FIM

PATCHING

“IMMUTABLE” AMIS

SECURE CENTRAL CONFIGURATION MANAGEMENT

Page 17: COMMUNICATION MODELS

Page 18: COMMUNICATION MODELS

ACTORS: NIKE DEVELOPER, CONSUMER, NIKE BUSINESS USER

API GATEWAY

AWS:

DOMAIN1.NIKECLOUD.COM: SERVICE DISCOVERY, AMAZON ELB, EDGE ROUTER, SERVICES, DATA STORE

DOMAIN2.NIKECLOUD.COM: SERVICE DISCOVERY, AMAZON ELB, EDGE ROUTER, SERVICES, DATA STORE

Page 19: CONSUMER AND INTERNAL BUSINESS USER

REST + TLS + AUTH TOKEN (OAUTH, JWT)

DIAGRAM: CONSUMER -> API.NIKE.COM (API GATEWAY, OAUTH SERVICES) -> DOMAIN1.NIKECLOUD.COM (AMAZON ELB -> EDGE ROUTER -> SERVICES (EC2) -> DATA STORE; SERVICE DISCOVERY)

domain.nikecloud.com: EDGE ROUTER -> SERVICES EC2, SERVICES EC2

Page 20: INTER-DOMAIN APP-TO-APP

REST + TLS + AUTH TOKEN (OAUTH, JWT)

DOMAIN 1: SERVICE DISCOVERY, AMAZON ELB, EDGE ROUTER, SERVICE 1, DATA STORE

<-- PUBLIC INTERNET -->

DOMAIN 2 (DOMAIN2.NIKECLOUD.COM): SERVICE DISCOVERY, AMAZON ELB, EDGE ROUTER, SERVICE 2, DATA STORE

Page 21: INTRA-DOMAIN APP-TO-APP

REST + TLS + SG

PRIVATE NETWORK WITHIN ONE DOMAIN (SERVICE DISCOVERY; SERVICE 1, SERVICE 2, SERVICE 3)

SERVICE 1 SECURITY GROUP -> SERVICE 2 SECURITY GROUP, RULE: ALLOW FROM S1

Page 22: DEVELOPER

SSH + DIRECTORY SERVICES + SG

DIAGRAM LABELS: DEVELOPER, DIRECT CONNECT, NAT, PROXY (PROXY.NIKE.COM, EIP, EC2), DOMAIN, AWS, CORPORATE DIRECTORY, SSH

NIKE INFRASTRUCTURE SECURITY GROUP, RULE: ALLOW NAT EIP

Page 23: INTRA-DOMAIN APP-TO-DATA STORE

DS PROTOCOL + PWDS + SGS + ENCRYPT

DOMAIN (SERVICE DISCOVERY): SERVICE A (SERVICE A SECURITY GROUP) -> DATA STORE (DATA STORE SECURITY GROUP, RULE: ALLOW FROM SERVICE A)

Page 24: MANAGING SECRETS

CERBERUS

Page 25: SECRETS SOLUTIONS: CERBERUS

Page 26: CERBERUS COMPONENTS

HASHICORP VAULT

CERBERUS MANAGEMENT SERVICE

CERBERUS MANAGEMENT DASHBOARD ASSETS

ROUTER {REST API}

CLOUD APPLICATION

USER

Page 27: WHAT CERBERUS ADDS TO VAULT

IAM ROLE BASED AUTHENTICATION

USER AUTHENTICATION VIA SSO PROVIDER

CLOUD NATIVE OPERATIONS/INFRASTRUCTURE

UI FOR MANAGING ACCESS CONTROL AND SECRETS

Pages 28-35: IAM ROLE AUTHENTICATION

(Pages 28 to 34 build up the sequence diagram one step at a time; page 35 shows the complete exchange, reproduced once here.)

PARTICIPANTS: APPLICATION, EC2 INSTANCE METADATA SERVICE, CERBERUS, AWS KMS

1. APPLICATION -> EC2 INSTANCE METADATA SERVICE: GET IAM ROLES

2. EC2 INSTANCE METADATA SERVICE -> APPLICATION: IAM ROLES

3. APPLICATION -> CERBERUS: AUTHENTICATE (IAM ROLE, REGION)

4. CERBERUS: GENERATE AUTHENTICATION TOKEN

5. CERBERUS -> AWS KMS: CREATE CMK (IAM ROLE, REGION)

6. AWS KMS -> CERBERUS: CMK ID

7. CERBERUS -> AWS KMS: ENCRYPT (AUTH TOKEN, CMK ID)

8. AWS KMS -> CERBERUS: ENCRYPTED AUTH TOKEN

9. CERBERUS -> APPLICATION: AUTH RESPONSE, INCLUDING ENCRYPTED AUTH TOKEN

10. APPLICATION -> AWS KMS: DECRYPT (REGION, CMK ID, ENCRYPTED AUTH TOKEN)

11. AWS KMS -> APPLICATION: DECRYPTED AUTH TOKEN
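
The following is an added Python simulation of the exchange on pages 28 to 35; it is not Cerberus's own code (the real client and server are at the GitHub link on page 39). A stand-in MockKms enforces the one property the protocol rests on: the CMK created for (IAM role, region) carries a key policy that lets only that role call Decrypt, so Cerberus can return an encrypted token to anyone who merely claims the role, and only a caller actually running under that role can recover it. The toy stream cipher, the role ARNs, the key ids and the token format are constructed for the example, and the instance metadata service is stubbed with a fixed role list.

```python
"""Simulation of the Cerberus IAM-role authentication exchange (pages 28-35).

Added example, not Cerberus's own code.  AWS KMS is replaced by MockKms, which
enforces a per-CMK key policy the way a real key policy does: only the one
principal named on the key may call Decrypt with it.  The toy cipher, role
ARNs, key ids and token format are all constructed for this example."""
import hashlib
import secrets
from dataclasses import dataclass, field


class KmsAccessDenied(Exception):
    """Stands in for the AccessDeniedException real KMS returns."""


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream (SHA-256 over key||nonce||counter) standing in for
    # KMS's real AES-GCM envelope.  XOR is symmetric, so it also decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class MockKms:
    # cmk_id -> (key material, region, the single principal allowed to decrypt)
    keys: dict = field(default_factory=dict)

    def create_cmk(self, iam_role_arn: str, region: str) -> str:
        # The key policy is fixed at creation: exactly one IAM role may decrypt.
        cmk_id = f"cmk-{secrets.token_hex(4)}"
        self.keys[cmk_id] = (secrets.token_bytes(32), region, iam_role_arn)
        return cmk_id

    def encrypt(self, cmk_id: str, plaintext: bytes) -> bytes:
        key, _, _ = self.keys[cmk_id]
        nonce = secrets.token_bytes(12)
        return nonce + keystream_xor(key, nonce, plaintext)

    def decrypt(self, caller: str, region: str, cmk_id: str, ciphertext: bytes) -> bytes:
        # The access check the whole scheme rests on: the caller's real IAM
        # identity (the credentials that signed the call, not a claimed value)
        # must match the key policy, and the key must live in this region.
        key, key_region, allowed = self.keys.get(cmk_id, (None, None, None))
        if key is None or key_region != region or caller != allowed:
            raise KmsAccessDenied(f"{caller} may not decrypt with {cmk_id} in {region}")
        return keystream_xor(key, ciphertext[:12], ciphertext[12:])


class Cerberus:
    """Server side.  The plaintext token is never sent to the caller."""

    def __init__(self, kms: MockKms):
        self.kms = kms
        self.cmk_for = {}       # (iam_role_arn, region) -> cmk_id, created once then reused
        self.token_owner = {}   # auth token -> IAM role it was issued for

    def authenticate(self, iam_role_arn: str, region: str) -> dict:
        token = secrets.token_urlsafe(32)                        # GENERATE AUTHENTICATION TOKEN
        self.token_owner[token] = iam_role_arn
        if (iam_role_arn, region) not in self.cmk_for:           # CREATE CMK (IAM ROLE, REGION)
            self.cmk_for[(iam_role_arn, region)] = self.kms.create_cmk(iam_role_arn, region)
        cmk_id = self.cmk_for[(iam_role_arn, region)]
        encrypted = self.kms.encrypt(cmk_id, token.encode())     # ENCRYPT (AUTH TOKEN, CMK ID)
        return {"region": region, "cmk_id": cmk_id, "encrypted_auth_token": encrypted}

    def role_for_token(self, token: str):
        """What a later Cerberus API call checks before releasing a secret."""
        return self.token_owner.get(token)


def get_instance_roles() -> list:
    # Stand-in for the EC2 instance metadata service; constructed role ARN.
    return ["arn:aws:iam::123456789012:role/example-app-role"]


def application_login(cerberus: Cerberus, kms: MockKms, running_as: str, region: str) -> str:
    """Client side.  `running_as` is the IAM identity KMS actually sees on the
    Decrypt call; the role *claimed* to Cerberus comes from instance metadata."""
    claimed_role = get_instance_roles()[0]                       # GET IAM ROLES
    resp = cerberus.authenticate(claimed_role, region)           # AUTHENTICATE (IAM ROLE, REGION)
    plaintext = kms.decrypt(running_as, resp["region"], resp["cmk_id"], resp["encrypted_auth_token"])
    return plaintext.decode()                                    # DECRYPTED AUTH TOKEN


if __name__ == "__main__":
    kms = MockKms()
    cerberus = Cerberus(kms)
    token = application_login(cerberus, kms, get_instance_roles()[0], "us-west-2")
    print("token issued for:", cerberus.role_for_token(token))
    try:
        application_login(cerberus, kms, "arn:aws:iam::123456789012:role/other-role", "us-west-2")
    except KmsAccessDenied as err:
        print("impostor rejected:", err)
```

Two details are worth noting when reading the simulation against the slides. First, an impostor that claims the application's role does receive an auth response (Cerberus cannot tell claims apart), but the token inside it is useless to anyone KMS will not decrypt for, which is why the authenticate call needs no shared secret. Second, the simulation creates the CMK once per (role, region) and reuses it; the slides draw the create step on every authentication, and in a real deployment the token would also carry a TTL, which is omitted here.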

Page 36: HOW WE USE CERBERUS AT NIKE

MANAGE DATABASE PASSWORDS

MANAGE (STORE, RETRIEVE, ROTATE) API KEYS

STORE/RETRIEVE JWT TOKENS

GENERAL-PURPOSE RUN-TIME CONFIG STORE

Page 37: DEMO

Page 38: KEY TAKEAWAYS

WHAT YOU LEARNT FROM US.

LAYERED SECURITY

COMMUNICATION MODELS

MANAGING SECRETS

Page 39: WHERE TO LEARN MORE

CHECK OUT CERBERUS

CERBERUS ON GITHUB: HTTPS://GITHUB.COM/NIKE-INC/CERBERUS

Page 40: NIKE OSS

WINGTIPS, FASTBREAK, BACKSTOPPER, CERBERUS

NIKE GITHUB: HTTP://NIKE-INC.GITHUB.IO/

Page 41: QUESTIONS?

Page 42

Page 43

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Thank you!