Bridging Security Infrastructure Between the Data Center and AWS Lambda

Presented at Black Hat USA 2021, Aug. 4, 2021, 3:20 p.m. (40 minutes).

<div><span>While serverless is all the rage, creating secure infrastructure that integrates serverless technology with existing Data Center (DC) services remains a challenge. Square's DC uses a microservice architecture. Services communicate over an envoy service mesh with short-lived mTLS certificates using SPIFFE identity for zero-trust based authentication. To achieve higher flexibility and scalability we have been migrating to the cloud, a gradual process that is still in progress.</span></div><div><span><br></span></div><div><span>Why bother? Workloads have different characteristics, while a payment system might be required to be available all the time and have predictable traffic, other applications might have unpredictable bursts of use but otherwise receive no traffic. This flexibility draws developers to Lambda. Applications can scale up immediately, but also scale down when demand is low. However, these characteristics also make security engineering challenging. In this talk we will explain what challenges we were confronted with and how we solved them, bridging security properties we require in the DC to be compatible with AWS Lambda.</span></div><div><span><br></span></div><div><span>How is this challenging? Complications with AWS Lambda fall broadly into two categories. One, operational requirements for Lambda that make developers choose it in the first place, such as near immediate response time. Two, providing parity with our DC security infrastructure so developers can engineer in a fashion they are used to while observing security best practices. Simply reimplementing the systems we use in the DC was not possible, but using native cloud functionality alone wasn't possible either.</span></div><div><span><br></span></div><div><span>How did we solve this? This talk will cover how we architected workload identity in AWS Lambda, sharing identity between DC and the cloud. We built a custom certificate issuance on top of AWS Private CA that is compatible with the SPIFFE standard, but issues certificates ahead of time to not block Lambda startup. To offer application secrets, we built a syncing system that integrates with Keywhiz while using cloud native functionality to accelerate secret access.</span></div><div><span><br></span></div><div><span>Why is this secure? We architected in a way to use the strengths of both our DC and cloud native functionality. We will discuss pros and cons of multiple approaches we considered and explain why we picked the ones we ended up with.</span></div><div><span><br></span></div><div><span>Was this successful? Our CA architecture has subsequently influenced a SPIRE proposal for serverless issuance which will mirror ours, becoming a standard for serverless SPIRE certificate issuance. Both our certificate issuance and Lambda secrets are in use for our production systems, including Square Financial Services, a bank that is a subsidiary of Square.</span></div>

Presenters:

  • Michael Weissbacher - Security Engineer, Square, Inc.
    Michael Weissbacher is a Senior Security Engineer at Square where he develops infrastructure software that makes the business operate more securely. His focus is on providing secrets and identity to workloads in the cloud. He has a PhD from Northeastern University where he was working at the Secure Systems Lab. His main area of research was web security, he also worked on fuzzing for algorithmic slowdowns and integrating humans with automated program exploitation. His work was published in venues such as USENIX Security, ACM CCS, NDSS, and others. He has presented work on detecting privacy invasions of browser extensions at the FTC, which has been covered by various news outlets, such as Le Figaro and Heise. .You can follow Michael on Twitter @MWeissbacher

Links:

Similar Presentations: