So, how do we think about security when building Canary?
We’re acutely aware that customers are trusting our code in their networks. We go to great lengths to ensure that a Canary does not introduce additional risk to our customers. The obvious solution here is to make it “more secure” (i.e. a harder target to compromise than other hosts on the network). But that’s not sufficient: a harder target is not an impossible target given enough time.
So the second part of “not introducing additional risk” is to ensure that there’s nothing of value on the Canaries themselves that attackers might want.
tl;dr: Canaries should be harder to compromise than other targets and should leave an attacker no better off for compromising them.
What follows are some examples of our thinking. We’ve left out some bits (where prudent), but we (strongly) feel that customers should be asking vendors how they reduce their threat profile, and figure we should demonstrate it ourselves.
During their initial setup, Canaries create and exchange crypto keys with your console. From that point on, all communication between the Canary and your console is encrypted using these keys.
Our birds are remotely updated to make sure they stay current, and that’s a common subject of questions from potential customers. To maintain the integrity of our updates, your Canary will only accept an update that’s been signed by our offline signing infrastructure. Each update file is then additionally signed (and encrypted) by your Console, so your bird won’t accept an update from another Console (even if it’s a legitimate one). Lastly, the update is delivered via our custom DNS transport overlay, which is also encrypted. An attacker wishing to push code to your Canary would need to compromise both your cloud Console and the physical offline update-signing infrastructure.
Your Console is a dedicated instance running on EC2. This simple architectural decision means that even if one customer-console was breached, there’s no other customer data present. This single-tenant model also removes the risk of web-app bugs yielding data from other customers.
[Figure: Password “masked” in email alert]
[Figure: CS access to a Canary Console]
So, is Canary an impossible target? Of course not; that’s why we wrote “safer designs” above, not “safe designs”.