🛡️ Beyond Zero Trust: How ING Achieves Zero Breaches with Zero Privilege Architecture

Imagine a world where production environments run autonomously, human error is designed out of the system, and security breaches simply don’t happen. For the team at ING, this isn’t a pipe dream—it is their daily reality.

In a recent deep dive, Thijs Ebbers (Architect) and Tadeo Sanchez (Lead Engineer) shared the secrets behind their container hosting platform’s success. The numbers speak for themselves: zero security breaches and 100% uptime. 🚀

How do they do it? By moving beyond standard security to a Zero Privilege Architecture.


📊 The Proof is in the Numbers

Before diving into the “how,” let’s look at the “what.” ING manages a massive namespace-as-a-service offering with impressive reliability metrics:

  • 0 security breaches.
  • 100% uptime.
  • 0 to 30 days: The age range of container images in their non-production clusters; most images are no older than 30 days, which keeps the environment constantly sanitized.
  • 9.6: The internal CVSS rating they assigned to the Node Proxy vulnerability, which their architecture neutralized by design.

🤖 What is Zero Privilege?

Thijs Ebbers draws a powerful analogy from the automotive industry: no natural persons on the production floor during production runs. In modern car manufacturing, robots handle the assembly with surgical precision, leading to consistent quality and zero human injuries. 🦾

ING applies this same logic to IT. They define Zero Privilege through two outcome-based principles:

  1. Controlled Process (Desired State): Any change to the system must result from a controlled, automated process. No single natural person can manually alter the state. 🎯
  2. Immutable & Ephemeral: Every component runs in an immutable state. If a component deviates from the desired state, the system kills it and redeploys it via the controlled process. 🔄

As Thijs puts it: Security is achieved not when there is nothing more to add, but when there is no credential left to take away.


🗺️ Mapping the Defense: Real-World Battle Tests

To prove the effectiveness of Zero Privilege, Tadeo Sanchez plotted their defenses against the Top Level Cyber Threat Clusters (TLC). Here is how they handled the biggest threats of the last few years:

🔓 1. Ransomware and Overprivileged Access

Ransomware thrives on elevated user access. At ING, they’ve effectively removed the “user” from the equation.

  • The Strategy: Mutating permissions (create, update, delete) for natural users—even admins—are set to zero.
  • The Impact: All mutations happen via a peer-reviewed pipeline that complies with strict risk and security standards. 🛡️

🧊 2. Citrix Bleed & React4Shell (Zero-Day Vulnerabilities)

Many companies fail because they don’t patch fast enough.

  • The Strategy: Instead of traditional “patching rounds,” ING enforces regular redeployments.
  • The Tooling: Using OpenShift and Kubernetes, they ensure the environment stays sanitized by constantly cycling workloads. 💾

❌ 3. The CrowdStrike Incident

The 2024 Windows outage affected 8.5 million machines due to a faulty update.

  • The Strategy: ING warns against overprivileged software. They use a GitOps approach where every version is pinned.
  • The Impact: They do not connect to upstream automated triggers. They decide and enforce the exact behavior of their platform, preventing “magic” updates from breaking the system. 📡
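The "every version is pinned" rule can be checked mechanically before a manifest is merged. The following is an added example, not ING's code: it parses container image references the way a GitOps pipeline might and flags anything that can change underneath you (no digest, a floating tag such as latest, or an implicit registry). The image references are constructed placeholders, not real registries or images.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample references, as they might appear in a GitOps manifest.
# Registry and image names are placeholders, not ING's.
SAMPLE_IMAGES = [
    "registry.example.internal/platform/api-gateway:1.4.2@sha256:" + "a" * 64,
    "registry.example.internal/platform/worker:latest",
    "nginx",
    "ghcr.io/example/tool:2.0.0",
]

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


class ImageRef(NamedTuple):
    registry: Optional[str]
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split an OCI image reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
    # The tag is whatever follows the last ':' only if that ':' sits after the
    # last '/', otherwise the ':' belongs to a registry port (e.g. localhost:5000).
    tag = None
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    # The first path component is a registry if it looks like a host (dot, port or localhost).
    registry = None
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        registry, ref = ref.split("/", 1)
    return ImageRef(registry, ref, tag, digest)


def pinning_findings(ref: str):
    """Return the reasons a reference is not pinned well enough for GitOps."""
    img = parse_image(ref)
    findings = []
    if img.digest is None:
        findings.append("no digest: the image can change under the same tag")
    elif not DIGEST_RE.match(img.digest):
        findings.append("malformed digest")
    if img.tag in (None, "latest"):
        findings.append("floating tag: 'latest' or untagged")
    if img.registry is None:
        findings.append("no explicit registry: resolves to the default public registry")
    return findings


def non_compliant(refs):
    """Sorted list of references that would be rejected by a pinning gate."""
    return sorted(ref for ref in refs if pinning_findings(ref))


if __name__ == "__main__":
    for ref in SAMPLE_IMAGES:
        print(ref, "->", pinning_findings(ref) or "pinned")
```

Only the first reference passes: a fixed tag for humans to read, a digest for the runtime to enforce, and an explicit registry. A gate like this is what makes "no automated upstream triggers" enforceable rather than aspirational.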

🔑 4. Token Theft (Salesloft & NPM)

Supply chain attacks often target tokens.

  • The Strategy: ING mandates short-lived tokens and utilizes anomaly detection engines.
  • The Tooling: They use Falco to monitor runtime and check for connection attempts to non-reputable domains. If a bot behaves strangely, the system kills it immediately. 👾

🕸️ 5. Misconfigured Software (n8n & Webhooks)

Misconfigured webhooks can lead to unauthorized file access.

  • The Strategy: They use Security Context Constraints (SCC) to ensure no high-privilege pods run on the platform.
  • The Tradeoff: They implement default-deny network policies. If a connection isn’t explicitly required, it doesn’t exist. This increases initial configuration effort but drastically reduces the attack surface. 🌐
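Both controls above are auditable from the API objects alone. The following is an added example, not ING's code: it takes NetworkPolicy and Pod objects in the shape kubectl returns as JSON, reports which namespaces lack a default-deny policy for ingress or egress, and lists the host-access settings that a restrictive SCC would refuse. The namespaces, policies and pods are constructed sample data.

```python
# Constructed sample namespaces, NetworkPolicies and Pods (placeholders, not ING's).
SAMPLE_NAMESPACES = ["team-a", "team-b", "team-c", "team-d"]

SAMPLE_NETPOLS = [
    # Correct default-deny: empty podSelector (all pods), both types declared, no rules.
    {"metadata": {"namespace": "team-a", "name": "default-deny-all"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # Allows DNS egress; it is an allow rule, and it says nothing about ingress.
    {"metadata": {"namespace": "team-b", "name": "allow-dns-egress"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"ports": [{"port": 53, "protocol": "UDP"}]}]}},
    # Denies ingress but leaves egress unrestricted.
    {"metadata": {"namespace": "team-c", "name": "deny-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]

SAMPLE_PODS = [
    {"metadata": {"namespace": "team-a", "name": "api-7f9c"},
     "spec": {"containers": [{"name": "api", "securityContext": {"runAsNonRoot": True}}]}},
    {"metadata": {"namespace": "team-d", "name": "debug-tool"},
     "spec": {"hostPID": True,
              "containers": [{"name": "shell", "securityContext": {"privileged": True}}],
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
]


def effective_policy_types(spec):
    """Apply the API default: Ingress is always implied; Egress only if egress rules exist."""
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return types


def is_default_deny(policy, direction):
    """True if the policy covers every pod in its namespace and allows nothing in `direction`."""
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False  # only some pods are selected
    if direction not in effective_policy_types(spec):
        return False  # the policy is silent about this direction
    # A declared policy type with no allow rules denies all traffic in that direction.
    return not spec.get(direction.lower())


def namespaces_missing_default_deny(namespaces, policies):
    """Map each namespace to the directions that have no default-deny policy."""
    covered = {ns: set() for ns in namespaces}
    for pol in policies:
        ns = pol["metadata"]["namespace"]
        for direction in ("Ingress", "Egress"):
            if ns in covered and is_default_deny(pol, direction):
                covered[ns].add(direction)
    return {ns: [d for d in ("Ingress", "Egress") if d not in covered[ns]]
            for ns in namespaces if covered[ns] != {"Ingress", "Egress"}}


def pod_privilege_findings(pod):
    """List the settings a restrictive SCC would reject for this pod."""
    spec = pod["spec"]
    findings = [k for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: privileged")
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & {"ALL", "SYS_ADMIN"}:
            findings.append(f"container {c['name']}: dangerous capabilities")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"volume {v['name']}: hostPath {v['hostPath'].get('path')}")
    return findings


def privileged_pods(pods):
    """Map namespace/name of every offending pod to its findings."""
    result = {}
    for p in pods:
        findings = pod_privilege_findings(p)
        if findings:
            result[f"{p['metadata']['namespace']}/{p['metadata']['name']}"] = findings
    return result


if __name__ == "__main__":
    print(namespaces_missing_default_deny(SAMPLE_NAMESPACES, SAMPLE_NETPOLS))
    print(privileged_pods(SAMPLE_PODS))
```

The policy-types default is the part people get wrong: a policy with only egress rules and no explicit policyTypes restricts ingress as well, while a policy with explicit policyTypes restricts exactly what it declares. The audit honours that rule, so it reports team-c as missing egress deny rather than treating "has a NetworkPolicy" as good enough.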

🛠️ The “Nightmare” Case: Node Proxy

The most recent challenge was the Node Proxy case. Because some consider it intended behavior, it doesn't always receive a CVE, which means many scanning tools miss it.

  • The Challenge: An attacker with nodes/proxy permissions could compromise a cluster by executing code in other pods.
  • The Solution:
    1. Permission Removal: No user on the platform is granted the get verb on the nodes/proxy resource.
    2. Layered Defense: They introduced an Admin Network Policy to block the specific Kubelet API port that the attack relies on. 🎯
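Permission removal is only verifiable if you can enumerate who actually holds the permission, and because "nodes/proxy" is a subresource, a naive search for the string "nodes" misses rules that grant it through wildcards. The following is an added example, not ING's code: it scans ClusterRole and ClusterRoleBinding objects in the standard rbac.authorization.k8s.io/v1 shape and lists every subject that can get nodes/proxy, whether directly or via a wildcard rule. The roles, bindings and subject names are constructed sample data; the Admin Network Policy layer is configuration and is not covered here.

```python
# Constructed sample RBAC objects (placeholder names, not ING's).
SAMPLE_CLUSTER_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "node-debugger"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
]

SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-team"},
     "roleRef": {"kind": "ClusterRole", "name": "node-debugger"},
     "subjects": [{"kind": "Group", "name": "platform-debuggers"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "legacy-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "wide-open"},
     "subjects": [{"kind": "User", "name": "alice@example.invalid"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "everyone"}]},
]


def rule_grants_nodes_proxy(rule, verb="get"):
    """True if one RBAC rule allows `verb` on the nodes/proxy subresource.

    Nodes live in the core API group (""), so the rule must name "" or "*".
    RBAC resource matching accepts the exact subresource, the global wildcard "*",
    or the "*/proxy" form that matches the proxy subresource of any resource.
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    group_ok = "" in groups or "*" in groups
    resource_ok = any(r in ("nodes/proxy", "*", "*/proxy") for r in resources)
    verb_ok = verb in verbs or "*" in verbs
    return group_ok and resource_ok and verb_ok


def roles_granting_nodes_proxy(cluster_roles):
    """Names of ClusterRoles that contain at least one granting rule."""
    return {cr["metadata"]["name"] for cr in cluster_roles
            if any(rule_grants_nodes_proxy(r) for r in cr.get("rules", []))}


def subjects_with_nodes_proxy(cluster_roles, bindings):
    """(kind, name, role) for every subject bound cluster-wide to a granting role.

    Only ClusterRoleBindings matter: nodes are cluster-scoped, so a namespaced
    RoleBinding to the same ClusterRole does not grant access to them.
    """
    risky = roles_granting_nodes_proxy(cluster_roles)
    out = []
    for b in bindings:
        ref = b["roleRef"]
        if b["kind"] == "ClusterRoleBinding" and ref["kind"] == "ClusterRole" and ref["name"] in risky:
            for s in b.get("subjects", []):
                out.append((s["kind"], s["name"], ref["name"]))
    return sorted(out)


if __name__ == "__main__":
    for kind, name, role in subjects_with_nodes_proxy(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{kind} {name} can get nodes/proxy via ClusterRole {role}")
```

In the sample, the "node-viewer" role is correctly ignored (get on nodes is not get on nodes/proxy), while "wide-open" is caught even though it never mentions nodes at all. Running the same scan over real objects, with the expectation that the result is empty, is the check behind "no user is allowed the permission".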

💡 Lessons for the Industry

The journey to Zero Privilege isn’t just about installing a tool; it’s about a fundamental shift in mindset.

  • Stop managing servers; manage processes.
  • Remove the human element from production.
  • Embrace ephemerality.

Thijs and Tadeo concluded their session by encouraging the community to look beyond their own walls. While ING uses a private cloud setup to mitigate risks from external providers like AWS, Azure, or Cloudflare, they emphasize that the tech community must work together to improve open-source security.


❓ Q&A Insights

While a technical glitch cut the live Q&A short, the speakers left the audience with a final thought: Perfection in security is about subtraction. If you can remove a credential, remove it. If you can automate a manual task, automate it.

Are you ready to move toward a Zero Privilege future? 🚀🌐✨
