37
Powering Flexible Payments in the Cloud with Kubernetes

Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

  • Upload
    others

  • View
    12

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Powering Flexible Payments in the Cloud with Kubernetes

Page 2: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s
Page 3: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

whoami

3

Ana Calin

Systems Engineer @Paybase

Twitter: @AnaMariaCalin

Page 4: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Table of Contents

01 whoami

02 About Paybase

03 Things we’ve achieved so far

04 Our tech stack

05 Anatomy of a compromise

06 A few notes on security and resilience

07 Challenges we’ve encountered

08 Challenges we’ve circumvented

09 Summary

4

Page 5: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

> API driven Payments Provider Platform

> B2B - marketplace, gig/sharing economies, cryptocurrency

> We make regulation easier for our customers

Page 6: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Things we’ve achieved so far

✓ We are ~ 2 years old

✓ Built our own processing platform from scratch

✓ We are currently onboarding our first 7 clients

✓ FCA authorised

✓ We have an EMI license

✓ Innovate UK grant worth £700k

✓ PCI DSS (The Payment Card Industry Data Security Standard) Level 1

compliant

6

Page 7: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Some of our tech stack

7

Page 8: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Anatomy of a compromise

8

Page 9: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Details about the compromise

✓ in the scope of an internal infrastructure penetration test

✓ in our production cluster

✓ pen tester had access to a privileged container

9

Page 10: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

The weak link : GKE

● Compute engine scope ● Compute engine

default service account

● Legacy metadata endpoints

10

Page 11: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Metadata endpoints

11

Page 12: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Mitigations

12

OR

Page 13: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Result

13

Page 14: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

The weak link : Tiller

● comes with mTLS disabled

● is able to create any K8S API resource in a cluster

● performs no authentication by default

14

Page 15: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Tiller

15

Page 16: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Mitigations

16

RESULTS IN

Page 17: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Security and resilience

17

Page 18: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

A secure K8S cluster should● use a dedicated SA with minimal permissions● use minimal scopes - least privilege principle● use Network Policies or Istio with authorization rules set up● use Pod Security Policies● use scanned images● have RBAC enabled

18

Page 19: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

A resilient Kubernetes cluster should● be architected with failure and elasticity in mind by default● have a stable observability stack● be tested with a tool such as Chaos Engineering

19

Page 20: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenges we’ve encountered on our road to

compliance

20

Page 21: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenge 1: The What

As a PCI compliant PSP with many types of dbs, I am want to be able to query data-sets in a secure and db agnostic manner so that engineers and customers can use it easily and we are not prone to injections.(req. 6.5.1)

21

Page 22: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Meet PQL

01 Inspired by SQL02 Injection resistant03 Used for querying data-sets04 Database agnostic05 Adheres to logical operator precedence

Challenge 1: The How

22

Page 23: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

01 Lexical analysis (tokenize input)02 Syntactical analysis (parse tokenized input to AST)

03 Abstract Syntax Tree to specific database query

Challenge 1: The How

23

Page 24: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenge 2: The What

As a PCI compliant PSP, I am required to implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server.(req. 2.2.1)

24

Page 25: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

01 Server = Deployable Unit02 Network Policies03 Pod Security Policies04 Only using trusted and approved images

Challenge 2: The How

25

Page 26: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenges we’ve circumvented on our road to

compliance

26

Page 27: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenge 3: The What

As a PCI compliant PSP, I am required to remove all test data and accounts from system components before the system becomes active/goes into production (req.6.4.4)

27

Page 28: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

28

VPC A

PAYBASE PJT

GCR - IMAGE REPO

GCS - TF STATE

CDE

PAYBASE GCP ORGANIZATION

PROD NS QA NS

Common way of splitting environments

GKE

STAGING NS

GCS - BACKUPS

Page 29: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

29

GKE

VPC A

PROD PJT

GKE

VPC B

QA PJT

GKE

VPC C

STAGING PJT

GCR

VPC D VPC E

GCS

IMAGE REPO PJT TF STATE PJT

CDE

PAYBASE GCP ORGANIZATION

Paybase’s way of splitting environments

VPC F

GCS

BACKUPS PJT

Page 30: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

01 Security

02 Separation of concerns

03 Reduction of PCI DSS scope

04 Easier to organize RBAC

Challenge 3: Benefit

30

Page 31: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenge 3: The What

As a PCI compliant PSP, I am required to remove all test data and accounts from system components before the system becomes active/goes into production (req.6.4.4)

31

Page 32: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenge 4: The What

As a PCI compliant PSP, I am required to perform quarterly internal vulnerability scans,address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.(req.11.2.1)

32

Page 33: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Challenge 4: The How

Image scanning

33

Page 34: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Here’s a diagram

34

Page 35: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Summary

● security is not a point in time but an ongoing journey

● you can use OSS and achieve a good level of security

● we need to challenge the PCI DSS status quo

35

Page 37: Powering Flexible Payments in the Cloud with Kubernetes · GKE VPC B QA PJT GKE VPC C STAGING PJT GCR VPC D VPC E GCS IMAGE REPO PJT TF STATE PJT CDE PAYBASE GCP ORGANIZATION Paybase’s

Thank you<call to action here>