#RSAC
Transforming Security: Containers, Virtualization and the Softwarization of Controls
Session ID: ASD-W03
Dennis R Moreau
Senior Engineering Architect, VMware Office of the CTSO
@DoctorMoreau

The Security Problem
Security breach rates and losses continue to outpace security spend in “the year of the breach”.
[Chart: IT spend, security spend and security breaches over time]

Complexity: Complex Attack Behavior
[Figure: attack behavior spanning the HW & FW, OS and Application layers of IaaS and SaaS stacks, with recon & lateral movement between them. Examples shown: MMUs, SMM, UEFI, controllers, supply chain; overflows, insertion, malformation; dll injection, SVC vulns, ROP.]

Complexity: Many Required Security Controls
Source: SANS 20 Critical Cyber Controls – Fall 2014
https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf

Complexity: Many Security Control Standards
NIST 800-53, ISO 27002, NSA Top 10, GCHQ 10 Steps, PCI DSS, HIPAA, NERC, CSA, FISMA, ITIL KPIs, …
Source: https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

Complexity: The Balkanization of Security
Security Controls, by dimension:
Rules, Lang & Logic: SNORT, FW 5-tuples, OWASP, YARA, XACML…
Control Boundary: End Point, Network, VLAN, Domain, Process, OU…
Object Type: User, Application, Data Class, Service, DB…
Consoles: Logs, Alerts, Rules, Workflow…
Agents / Placement Constraints: DB, App, OS, NAT, LB, L4, L3…

Complexity: No Finish Line
Change! Drivers of continuous change:
• Evolving Standards
• Control Technology
• Growth / Scale
• Agility++
• New Bus. Need
• New Regulation
• New Threats
• New Governance

Complexity: IT Architecture
• Highly Connected
• Complex Service Protocols
• EP controls with weak isolation
• NW controls with weak context
• EP <-> NW mismatch
[Figure: many VMs hosting App1–App4 behind a single perimeter FW and IPS]

Complexity is the Problem!
Misconfiguration is very common (Gartner: 95%* of FW breaches attributable to misconfiguration).
* Gartner, Inc. “One Brand of Firewall Is a Best Practice for Most Enterprises”. November 28, 2012.
* Gartner, Inc. “…75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration”. http://www.gartner.com/newsroom/id/2846017
We need architecturally simplified security provisioning, operation, response and analytics.

Virtualization and the Softwarization of Security Controls: Enabling Policy Simplification

Visibility: Micro-segmentation and SW
• Understand Traffic
• Here, > 80% is East-West
• Largely uninspected and unprotected
• Ops: Clearly not optimized
Source: Networking data from Arkin.net deployments

Containment & Protection
[Figure: two racks of VMs hosting App1–App4, each behind a perimeter FW and IPS]
Enabled by: Network Virtualization

Network Virtualization
[Figure: guest VMs attached to a vSwitch; compute isolation and network isolation are both enforced below the guest]
V Server Ctrl: Provisioning, Protection, Introspection …
V Network Ctrl: IP Address Space, Routing, Firewall …

Network Virtualization: Overlays
[Figure: Tenant B and Tenant C each have their own L2 segments of VMs; the segments are carried over a shared transport network as overlays managed by a controller]
Tenant frame: L2 | IP | Payload
On the transport network: L2 | IP | UDP | VXLAN | L2 | IP | Payload
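An added example (not from the slides or from VMware) that builds and parses the encapsulation shown above: what the transport network sees is the outer L2/IP/UDP/VXLAN headers, and the 24-bit VNI is the tenant boundary. The VNI-to-tenant table, MAC and IP addresses are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789    # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08      # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Constructed VNI-to-tenant table, standing in for the overlay controller's view.
TENANT_BY_VNI = {5001: "Tenant B", 5002: "Tenant C"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when a header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(vni, inner_frame, outer_src_mac, outer_dst_mac,
                      outer_src_ip, outer_dst_ip, src_port=49152):
    """Wrap a tenant L2 frame in outer L2 / IPv4 / UDP / VXLAN headers, the
    stack the overlay slide shows on the transport network."""
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)  # 24-bit VNI + 8 reserved bits
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP csum 0: absent
    ip_fields = [0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0, outer_src_ip, outer_dst_ip]
    ip_fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    eth_hdr = outer_dst_mac + outer_src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def vxlan_decapsulate(frame: bytes) -> dict:
    """Parse what the transport network carries and return the VNI, the tenant
    it maps to and the inner tenant frame. Raises ValueError when malformed."""
    if len(frame) < 14 + 20 + 8 + 8:
        raise ValueError("frame too short for L2/IP/UDP/VXLAN")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    if ipv4_checksum(frame[14:14 + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    udp_off = 14 + ihl
    _, dport, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN datagram")
    if udp_len < 16 or udp_off + udp_len > len(frame):
        raise ValueError("UDP length inconsistent with frame")
    flags, vni_field = struct.unpack("!B3xI", frame[udp_off + 8:udp_off + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    vni = vni_field >> 8
    return {
        "outer_src_ip": frame[14 + 12:14 + 16],
        "outer_dst_ip": frame[14 + 16:14 + 20],
        "vni": vni,
        "tenant": TENANT_BY_VNI.get(vni),   # None: VNI not assigned to any tenant
        "inner_frame": frame[udp_off + 16:udp_off + udp_len],
    }


def is_well_formed(frame: bytes) -> bool:
    """True when the frame decapsulates cleanly and its VNI belongs to a known tenant."""
    try:
        return vxlan_decapsulate(frame)["tenant"] is not None
    except ValueError:
        return False


# Constructed sample: a Tenant B frame (inner L2 | IP | Payload, with a stub IP
# packet) crossing the transport network between two hypervisor VTEPs.
INNER_FRAME = (b"\x00\x50\x56\x00\x00\x02" + b"\x00\x50\x56\x00\x00\x01"
               + struct.pack("!H", ETHERTYPE_IPV4) + b"stub-tenant-B-ip-packet")
SAMPLE_FRAME = vxlan_encapsulate(
    5001, INNER_FRAME,
    outer_src_mac=b"\x00\x0c\x29\x00\x00\xaa", outer_dst_mac=b"\x00\x0c\x29\x00\x00\xbb",
    outer_src_ip=bytes([192, 168, 100, 11]), outer_dst_ip=bytes([192, 168, 100, 12]))
```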

Micro-segments: A new policy primitive
[Figure: an App/Svc segment of guests on vSwitches, with isolation aligned on the segment]
Aligned Isolation:
• Routing
• NAT
• dFW
Policy Boundary Invariant

Simplify: Smaller more aligned policy
[Figure: left, VMs for App1–App4 behind one edge firewall with a single large policy list; right, each App/Svc segment with its own dFW (plus eFW at the edge) and a small per-segment policy list]
Policy at the edge firewall crosses many apps (App1 – App4); policy at the segment dFW can align on one App/Svc.
 Much smaller policy sets
 Much more coherent policy

Simplify: Change with less side effect
[Figure: left, VMs for App1–App4 behind one shared firewall and one large policy list; right, a firewall per App segment with a small per-segment policy list]
Policy change at the shared firewall is coupled across apps; policy change at the segment firewall is far safer.
 Much simpler mitigation
 Much safer rule deletion

Simplify: Policy that follows the workload
[Figure: left, VMs for App1–App4 behind an edge dFW/eFW; right, dFW per App segment plus eFW at the edge]
With edge controls, only traffic steering determines protection/visibility; with segment dFWs, classification (SG) determines protection & visibility.
 Protection scales with hypervisors

Simplify: Default deny posture
[Figure: left, VMs for App1–App4 behind an edge dFW/eFW; right, dFW per App segment plus eFW at the edge]
Default deny policy at the edge is blunt, coupled across apps, partial and weakly scale-able; default deny policy at the segment dFW is precise, efficient, scale-able, …
 Recon and lateral movement in the DC is much more visible and difficult

Simplify: Intrinsic E/W visibility/control
[Figure: left, VMs for App1–App4 behind an edge dFW/eFW; right, dFW per App segment plus eFW at the edge]
With edge controls, E/W traffic is hair-pinned for visibility at the DC edge; with segment dFWs, all E/W traffic is visible and filtered according to policy.
 Complete E/W visibility & control
 No hairpin management

Control Placement and Segments
[Figure: left, VMs for App1–App4 behind a single FW and service chain (SC) at the edge; right, a FW and SC placed at each App segment]
Enabled by: Network Virtualization + Softwarization of Security Controls

Virtualization and the Softwarization of Security Controls: Improved Alignment

Align: NW/EP Control Aligned on Segments
[Figure: left, FW/IPS at the edge and EP agents on every VM, with NW and EP policy expressed over different identifiers and boundaries (≢); right, FW/IPS per App segment, with EP and NW identifiers and boundaries aligned on the micro-segment (≡)]
Unaligned: NW Policy(IF, Subnet, DHCP Scope, …) vs. EP Policy(Asset, HostID, SID, Svr Role, TPM…), so EP identifiers/boundaries ≢ NW identifiers/boundaries.
Aligned on the App segment: EP identifiers/boundaries ≡ NW identifiers/boundaries; EP, MS and NW share VMID and MSID, and policies P1(MSID) … PN(MSID) are expressed over the micro-segment id.

Align: Coordinated Controls
[Figure: a segment protected by a dFW, a WAF and a vFW]
Detection is expensive, so: detect here, at the WAF (OWASP Rules), then block here, at the vFW (FW Rules) …

Align: Coordinated Controls
[Figure: segment with dFW, WAF (OWASP Rules), vFW (FW Rules) and IPS (SNORT Rules)]
An observed anomaly or emergent vulnerability becomes Rule N+1, Rule N+2, … across the coordinated controls.

Align: Controls Context
[Figure: segment with dFW (FW Rules), WAF (OWASP Rules), IPS (SNORT Rules) and AA (Protocol Defn, Access Rules); the Resultant Protection Policy is the composition of all of them]
Order Matters: So topological context is required for many security use cases.
Visibility & semantics at a downstream control … depend on policy and filtering at the controls upstream of it.
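The micro-segment policy primitive from the Simplify slides (smaller, aligned policy sets; safer rule deletion; policy that follows the workload; default deny for E/W traffic) and the MSID-keyed alignment and first-match ordering from the Align slides, as an added Python model. This is illustrative code written for this page, not VMware or NSX code; the workloads, addresses and ports are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    vmid: str
    msid: str   # micro-segment id: the security-group classification of the VM
    ip: str     # current address; changes when the VM is re-addressed or migrated

@dataclass(frozen=True)
class EdgeRule:          # edge-firewall rule keyed on network identifiers
    src_ip: str
    dst_ip: str
    dport: int
    action: str = "allow"

@dataclass(frozen=True)
class SegmentRule:       # dFW rule keyed on micro-segment ids, P(MSID); None = wildcard
    src_msid: str
    dst_msid: str
    dport: int
    action: str = "allow"

class EdgeFirewall:
    """One rule list shared by every app behind the DC edge; it knows a VM only
    by its current address, not by the app it belongs to."""
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, src, dst, dport):
        for r in self.rules:                    # first match wins, so order matters
            if (r.src_ip, r.dst_ip, r.dport) == (src.ip, dst.ip, dport):
                return r.action
        return "deny"                           # default deny

class SegmentFirewall:
    """Distributed firewall at the vSwitch: rules reference MSIDs, so they hold
    for whatever address or host the workload currently has, and every flow,
    including E/W traffic that never reaches the edge, is evaluated."""
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, src, dst, dport):
        for r in self.rules:                    # first match wins, so order matters
            if all(want in (None, got) for want, got in
                   ((r.src_msid, src.msid), (r.dst_msid, dst.msid), (r.dport, dport))):
                return r.action
        return "deny"                           # default deny, E/W included

    def rules_for(self, msid):
        return [r for r in self.rules if msid in (r.src_msid, r.dst_msid)]

    def remove_rules_for(self, msid):
        """Retire one app's policy; other segments' rules are untouched."""
        self.rules = [r for r in self.rules if msid not in (r.src_msid, r.dst_msid)]

    def block_from(self, src_msid):
        """Coordinated response: a detection at an expensive control (e.g. the WAF)
        is enforced here by a deny placed ahead of the allows it must shadow."""
        self.rules.insert(0, SegmentRule(src_msid, None, None, "deny"))

# Constructed inventory: two apps, each with a web tier and a DB tier.
WEB1 = Workload("vm-web1", "app1-web", "10.0.1.10")
DB1 = Workload("vm-db1", "app1-db", "10.0.2.10")
WEB2 = Workload("vm-web2", "app2-web", "10.0.1.20")
DB2 = Workload("vm-db2", "app2-db", "10.0.2.20")

def build_policies():
    edge = EdgeFirewall([EdgeRule("10.0.1.10", "10.0.2.10", 3306),
                         EdgeRule("10.0.1.20", "10.0.2.20", 5432)])
    dfw = SegmentFirewall([SegmentRule("app1-web", "app1-db", 3306),
                           SegmentRule("app2-web", "app2-db", 5432)])
    return edge, dfw

def policy_follows_workload():
    """vm-web1 is migrated and re-addressed; only the MSID-keyed rule still applies."""
    edge, dfw = build_policies()
    moved = replace(WEB1, ip="10.0.1.77")
    return edge.evaluate(moved, DB1, 3306), dfw.evaluate(moved, DB1, 3306)

def stale_edge_rule():
    """The orphaned address-based allow now matches whichever VM inherits
    10.0.1.10, here an App2 VM with no business reaching App1's DB."""
    edge, dfw = build_policies()
    reused = replace(WEB2, ip="10.0.1.10")
    return edge.evaluate(reused, DB1, 3306), dfw.evaluate(reused, DB1, 3306)

def east_west_default_deny():
    """Cross-app E/W traffic has no rule, so the dFW denies it with no hairpin."""
    return build_policies()[1].evaluate(WEB1, DB2, 5432)

def safe_rule_deletion():
    """Decommissioning App1's rules leaves App2's segment policy intact."""
    _, dfw = build_policies()
    dfw.remove_rules_for("app1-web")
    return len(dfw.rules_for("app1-web")), dfw.evaluate(WEB2, DB2, 5432)

def coordinated_block():
    """A WAF detection on app1-web becomes a dFW deny that shadows the allow."""
    _, dfw = build_policies()
    before = dfw.evaluate(WEB1, DB1, 3306)
    dfw.block_from("app1-web")
    return before, dfw.evaluate(WEB1, DB1, 3306), dfw.evaluate(WEB2, DB2, 5432)
```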

Containers and Operationally Plausible Default Deny Policy

Sources of Plausible Micro-segment Policy
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics

Containers: App/Svc Focused Context
Ex. Authoritative Context:
• App Configuration & Resources
• Resource Sharing Across Apps
• Colocation of Containers
• Service Components
• Services within a Namespace
• Network Dynamics (LB, HA, …)
Example Contextual Structure:
[Figure: Namespace → RC → Pod → Container → App Env → App (repeated per pod), with a Volume, a Service and an LB attached]

Containers: EP Compliance
Compliance scan of Docker image
Usage: docker-oscap image IMAGE_NAME [OSCAP_ARGUMENTS]
Compliance scan of Docker container
Usage: docker-oscap container CONTAINER_NAME [OSCAP_ARGUMENTS]
Vulnerability scan of Docker image
Usage: docker-oscap image-cve IMAGE_NAME [--results oval-results-file.xml [--report report.html]]
Vulnerability scan of Docker container
Usage: oscap-docker container-cve CONTAINER_NAME [--results oval-results-file.xml [--report report.html]]
Ref: https://github.com/OpenSCAP/container-compliance
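An added example, not part of the slides or of the OpenSCAP project, of turning the `--results oval-results-file.xml` output of an image CVE scan into a promotion gate. It assumes the file follows the OVAL results 5 schema (`definition` elements under `results/system/definitions` carrying `definition_id` and `result`); the sample file and its definition ids are constructed placeholders.

```python
import xml.etree.ElementTree as ET

OVAL_RESULTS_NS = "{http://oval.mitre.org/XMLSchema/oval-results-5}"
# OVAL result values that mean "could not be evaluated"; this is not evidence
# that the image is clean, so the gate fails closed on them by default.
INCONCLUSIVE = {"unknown", "error", "not evaluated"}

# Constructed stand-in for the file written by `--results oval-results-file.xml`.
# The definition ids are placeholders, not real advisories.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example.local:def:1001" version="1" result="true"/>
        <definition definition_id="oval:example.local:def:1002" version="1" result="false"/>
        <definition definition_id="oval:example.local:def:1003" version="2" result="true"/>
        <definition definition_id="oval:example.local:def:1004" version="1" result="not applicable"/>
        <definition definition_id="oval:example.local:def:1005" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def parse_oval_results(xml_text):
    """Map each evaluated definition id to its OVAL result string."""
    root = ET.fromstring(xml_text)
    return {d.attrib["definition_id"]: d.attrib["result"]
            for d in root.iter(OVAL_RESULTS_NS + "definition")}


def gate(xml_text, max_vulnerable=0, fail_on_inconclusive=True):
    """Image-promotion gate over a CVE scan. For vulnerability-class OVAL content
    a 'true' result means the definition's vulnerable-package criteria matched
    the image, i.e. the image is affected; inconclusive results fail closed."""
    results = parse_oval_results(xml_text)
    vulnerable = sorted(i for i, r in results.items() if r == "true")
    inconclusive = sorted(i for i, r in results.items() if r in INCONCLUSIVE)
    reasons = []
    if len(vulnerable) > max_vulnerable:
        reasons.append("%d vulnerable definitions exceed budget of %d"
                       % (len(vulnerable), max_vulnerable))
    if fail_on_inconclusive and inconclusive:
        reasons.append("%d definitions could not be evaluated" % len(inconclusive))
    return {"passed": not reasons, "vulnerable": vulnerable,
            "inconclusive": inconclusive, "reasons": reasons}
```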

Alignment: Network Context
[Figure: hosted protection vs. premise protection; an LB fronting services (SVC), a Web Service with Web Cont and Web Cart, SAP MT and SAP, and DBs]
Control placement determines:
• Meaning of Log and Alert signals
• Up/Down stream interference
• Affected assets
• Mitigation options

But “containers don’t contain”
[Figure: a provider attests and tenants audit; App 1 and App 2 (Bins/Libs) run on one Docker Engine and one Operating System instance, sharing IDs, filesystem, services, resources …, separated only by process and namespace isolation]
Process/Namespace Isolation … but could be much better:
• Better Isolation
• Isolated Controls (independent)
• Mature Security Mgmt (Gartner)
• Normalized Policy Locus Between WL and Hosting (hybrid/multi-cloud)
• Mis-alignment
References:
https://opensource.com/business/14/7/docker-security-selinux
http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/
http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/
Gartner: Security Properties of Containers Managed by Docker

Directional: Containers + Virtualization
[Figure: the Docker Daemon runs containers from images pulled from a Registry (labels, provenance, testing); per-app controls (FW, IPS, WAF, NGFW) emit logs, alerts and behavior into analytics; policy uses the same App IDs, the same boundaries and shared context, so apps, server and network are aligned]
Where else might this behavior be expressed? …
More actionable context, so response is more efficient & accurate, reduced dwell time

Containers + Virtualization
VMworld 2015: NET6639 - Next Horizon for Cloud Networking and Security: https://www.youtube.com/watch?v=RBJ-KoAM-OQ&feature=youtu.be
[Figure: a provider attests and tenants audit; each tenant's Docker Engine and Operating System instance runs in its own VM (vServer & vSwitch), so App 1 and App 2 (Bins/Libs) sit behind a per-VM vSwitch]
Consistent boundary X Stack
Same identifier (msid, vmid)
Alignment … in any state
Independent verification
Authoritative context (OOB)
Control Boundary & Controls Alignment

Application Blueprint Example - vRealize
Application structure and external connectivity are completely exposed to inform operationally plausible security policy

Enterprise Infrastructure & Containers
Infrastructural Context:
• Leveraging of PBS, PBN, Infrastructural Services
• Legacy apps to cloud native apps, on the same infrastructure
• Integration of governance, CJA, context (for logs, alerts, response RCA, …)
• …
[Figure: ESX hosts running Photon OS; Photon Machine creates a Kubernetes (or Mesos) cluster and gets pods (Photon Cont 1–3)]

App Behavior Analysis: Arkin Example
Insight into application network behavior drives a first-order operationally plausible default deny posture.

Container
• Intrinsically Captures Application Structure, Provenance, and Classification (pre-launch)
• Always Current Configuration (immutability)
• No “intended” vs. “actual” gap
• Operations & Security perspectives
• Immutability accommodates “moving target” defense techniques
• Expose implicit network requirements in App context
• Expose implicit app deployment requirements
• Level of req’d awareness of virtual network topology
• Req’d SVCs

Refining Micro-Segmentation Using Analytics

Sources of Plausible Micro-segment Policy
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics

Micro-Segmentation: Model & Secure
• Model apps, app tiers, regulatory scopes, network, org boundaries, etc.
• Default Deny: Only allow what’s necessary, deny everything else.
Source: Arkin.net Screenshot

Micro-Segmentation in Action: Modeling Security Groups
Segment by applications, app tiers, security zones, L2/L3 network boundaries, virtual-physical boundaries, organizational levels, etc.
Source: Arkin.net Screenshot

Micro-Segmentation in Action: Modeling Security Policies
• Inter and Intra Segment (VM to VM) Communication
• Some services require internet access.
• “Deny All” to these segments (…and confirm it)
• Allowed access to shared services
Source: Arkin.net Screenshot

Micro-Segmentation in Action: Validate Compliance
Runtime Effective Policy between any two points in the Datacenter
Source: Arkin.net Screenshot

Summary
• Complexity is at the heart of today’s security challenge
• Virtualization and Softwarization allow app focused placement and policy alignment
• Containerization provides the essential context for realizing an operationally plausible default deny policy
• This results in transformationally simpler policy and more effective protection.

Apply: Assess
When you return to work:
• Evaluate your current policy complexity
  • Policy set size
  • Policy testing workflow
• Estimate its effect on security policy management
  • Latency in security policy updates
• Estimate the degree of your “default deny” posture
• Identify related instances of policy misconfiguration

Apply: Dev Ops
As you move forward in DevOps:
• For selected applications determine
  • Operationally plausible default deny posture by observed logs
  • Application policy requirements from container blueprints/manifests
  • Application component dynamics: continuity, scaling, …
• For important and cross application cutting services
  • Document discovery, election, failover, … protocol dynamics

Apply: Plausible Micro-segment Policy
Plausible Policy Information Sources:
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics

Thank You! Questions?
Dennis R Moreau: dmoreau@vmware.com

Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Transforming Security: Containers, Virtualization and Softwarization

  • 1. SESSION ID: ASD-W03. Dennis R Moreau, "Transforming Security: Containers, Virtualization and the Softwarization of Controls". Senior Engineering Architect, VMware Office of the CTSO, @DoctorMoreau.
  • 2. The Security Problem. Security breach rates and losses continue to outpace security spend in "the year of the breach". (Chart: IT spend, security spend and security breaches over time.)
  • 3. Complexity: Complex Attack Behavior. Attack surface by layer: HW & FW (MMUs, SMM, UEFI, controllers, supply chain …), OS (overflows, insertion, malformation …), Application (dll injection, SVC vulns, ROP …). Recon & lateral movement then spans OS, application, HW & FW, IaaS and SaaS.
  • 4. Complexity: Many Required Security Controls. Source: SANS 20 Critical Cyber Controls – Fall 2014, https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
  • 5. Complexity: Many Security Control Standards. NIST 800-53, ISO 27002, NSA Top 10, GCHQ 10 Steps, PCI DSS, HIPAA, NERC, CSA, FISMA, ITIL KPIs, … Source: https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
  • 6. Complexity: The Balkanization of Security. Security controls differ in: rules, language & logic (SNORT, FW 5-tuples, OWASP, YARA, XACML …); control boundary (end point, network, VLAN, domain, process, OU …); object type (user, application, data class, service, DB …); consoles (logs, alerts, rules, workflow …); agents and placement constraints (DB, app, OS, NAT, LB, L4, L3 …).
  • 7. Complexity: No Finish Line. Change! Evolving standards, control technology, growth, scale, agility++, new business need, new regulation, new threats, new governance.
  • 8. Complexity: IT Architecture. Highly connected; complex service protocols; EP controls with weak isolation; NW controls with weak context; EP <-> NW mismatch. (Diagram: many VMs across App1–App4 behind a single FW/IPS at the edge.)
  • 9. Complexity is the Problem! Misconfiguration is very common (Gartner: 95%* of FW breaches attributable to misconfiguration). *Gartner, Inc. "One Brand of Firewall Is a Best Practice for Most Enterprises". November 28, 2012. *Gartner, Inc. "…75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration", http://www.gartner.com/newsroom/id/2846017. We need architecturally simplified security provisioning, operation, response and analytics.
  • 10. Virtualization and the Softwarization of Security Controls: Enabling Policy Simplification.
  • 11. Visibility: Micro-segmentation and SW. Understand traffic: here, > 80% is East-West; largely uninspected and unprotected; Ops: clearly not optimized. Source: networking data from Arkin.net deployments.
  • 13. Network Virtualization. Compute isolation (guest, vSwitch) and network isolation; virtual network control and virtual server control provide provisioning, protection, introspection …; each tenant gets its own IP address space, routing, firewall …
  • 14. Network Virtualization: Overlays. A transport network carries per-tenant L2 segments (Tenant B, Tenant C) under an overlays controller. Encapsulation: outer L2 | IP | UDP | VXLAN | payload, where the payload is the tenant's inner L2 | IP | payload frame.
  • 15. Micro-segments: A new policy primitive. An App/Svc segment spans guests and vSwitches with aligned isolation: routing, NAT, dFW. The policy boundary is invariant.
  • 16. Simplify: Smaller more aligned policy. At an edge FW (eFW) policy crosses many apps (App1 – App4); at a distributed FW (dFW) policy can align on one App/Svc: much smaller policy sets, much more coherent policy.
  • 17. Simplify: Change with less side effect. A policy change at a shared FW is coupled across apps; a policy change at a per-app FW is far safer: much simpler mitigation, much safer rule deletion.
  • 18. Simplify: Policy that follows the workload. At the eFW only traffic steering determines protection and visibility; at the dFW classification (security group, SG) determines protection and visibility, and protection scales with hypervisors.
  • 19. Simplify: Default deny posture. Default deny at the eFW is blunt, coupled across apps, partial and weakly scalable; default deny at the dFW is precise, efficient, scalable, … Recon and lateral movement in the DC become much more visible and difficult.
  • 20. Simplify: Intrinsic E/W visibility/control. At the eFW, E/W traffic is hair-pinned for visibility at the DC edge; at the dFW all E/W traffic is visible and filtered according to policy: complete E/W visibility and control, no hairpin management.
  • 21. Control Placement and Segments. A FW plus security controls (SC) per app segment, enabled by network virtualization + softwarization of security controls.
  • 22. Virtualization and the Softwarization of Security Controls: Improved Alignment.
  • 23. Align: NW/EP Control Aligned on Segments. Today NW policy (IF, subnet, DHCP scope, …) and EP policy (asset, HostID, SID, server role, TPM …) use different identifiers and boundaries: EP identifiers/boundaries ≢ NW identifiers/boundaries. With app segments they are equivalent (≡): the same VMID and MSID serve EP and NW, and NW policies become P1(MSID) … PN(MSID).
  • 24. Align: Coordinated Controls. Within a segment: dFW; WAF with OWASP rules (detect here); vFW with FW rules (block here). Detection is expensive, so … then …
  • 25. Align: Coordinated Controls. Within a segment: dFW; WAF (OWASP rules); vFW (FW rules); IPS (SNORT rules). Rule N+1, Rule N+2 … are added in response to an emergent vulnerability or an observed anomaly.
  • 26. Align: Controls Context. Within a segment: dFW; WAF (OWASP rules); IPS (SNORT rules); AA; vFW (FW rules); protocol definition, resultant protection policy, access rules. Order matters, so topological context is required for many security use cases: visibility and semantics at one control depend on policy and filtering at the controls before it.
  • 27. Containers and Operationally Plausible Default Deny Policy.
  • 28. Sources of Plausible Micro-segment Policy: 1. Provenance, manifests & provisioning information; 2. Application network behavior; 3. Infrastructure services (or micro-services) connectivity & dynamics.
  • 29. Containers: App/Svc Focused Context. Example authoritative context: app configuration & resources; resource sharing across apps; colocation of containers; service components; services within a namespace; network dynamics (LB, HA, …). Example contextual structure: Namespace > RC > Pod > Container (app, env), plus Volume, Service and LB.
  • 30. Containers: EP Compliance. Compliance scan of a Docker image: Usage: oscap-docker image IMAGE_NAME [OSCAP_ARGUMENTS]. Compliance scan of a Docker container: Usage: oscap-docker container CONTAINER_NAME [OSCAP_ARGUMENTS]. Vulnerability scan of a Docker image: Usage: oscap-docker image-cve IMAGE_NAME [--results oval-results-file.xml [--report report.html]]. Vulnerability scan of a Docker container: Usage: oscap-docker container-cve CONTAINER_NAME [--results oval-results-file.xml [--report report.html]]. Ref: https://github.com/OpenSCAP/container-compliance
  • 31. Alignment: Network Context. Hosted protection vs. premise protection: LB > SVCs > Web Service, Web Cont, Web Cart, SAP MT, SAP DB, DB. Control placement determines: the meaning of log and alert signals; up/down stream interference; affected assets; mitigation options.
  • 32. But "containers don't contain". A Docker Engine on one operating system instance hosts App 1 and App 2 (bins/libs) sharing IDs, filesystem, services, resources … Process and namespace isolation … but it could be much better. Provider attests; tenants audit. Needed: better isolation; isolated (independent) controls; mature security management (Gartner); a normalized policy locus between workload and hosting (hybrid/multi-cloud); less mis-alignment. https://opensource.com/business/14/7/docker-security-selinux http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/ http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ Gartner: Security Properties of Containers Managed by Docker.
  • 33. Directional: Containers + Virtualization. Per-app FW, IPS, WAF, NGFW … feed logs, alerts and behavior analytics ("Where else might this behavior be expressed?"). Registry: labels, provenance, testing; containers, Docker daemon, images, policy. Same app IDs, same boundaries, shared context … aligned across apps, server and network. More actionable context, so response is more efficient and accurate, with reduced dwell time.
  • 34. Containers + Virtualization. VMworld 2015: NET6639 - Next Horizon for Cloud Networking and Security: https://www.youtube.com/watch?v=RBJ-KoAM-OQ&feature=youtu.be. Provider attests; tenants audit. Consistent boundary across the stack; same identifier (msid, vmid); alignment … in any state; independent verification; authoritative context (OOB). Control boundary and controls alignment: VM > vServer & vSwitch > Docker Engine > operating system instance > App 1 / App 2 bins/libs, each VM on its own vSwitch.
  • 35. Application Blueprint Example - vRealize. Application structure and external connectivity are completely exposed to inform operationally plausible security policy.
  • 36. Enterprise Infrastructure & Containers. Infrastructural context; leveraging of PBS, PBN, infrastructural services; legacy apps to cloud native apps on the same infrastructure; integration of governance, CJA, context (for logs, alerts, response RCA, …). (Diagram: ESX hosts running Photon OS, Kubernetes / MESOS, Photon Cont 1–3 and a Photon Machine; Create Kubernetes Cluster, Get pods.)
  • 37. App Behavior Analysis: Arkin Example. Insight into application network behavior drives a 1st order operationally plausible default deny posture.
  • 38. Container. Intrinsically captures application structure, provenance and classification (pre-launch). Always current configuration (immutability): no "intended" vs. "actual" gap; operations & security perspectives; immutability accommodates "moving target" defense techniques. Exposes implicit network requirements in app context. Exposes implicit app deployment requirements: level of required awareness of virtual network topology; required SVCs.
  • 40. Sources of Plausible Micro-segment Policy: 1. Provenance, manifests & provisioning information; 2. Application network behavior; 3. Infrastructure services (or micro-services) connectivity & dynamics.
  • 41. Micro-Segmentation: Model & Secure. Model apps, app tiers, regulatory scopes, network, org boundaries, etc. Default deny: only allow what's necessary, deny everything else. Source: Arkin.net screenshot.
  • 42. Micro-Segmentation in Action: Modeling Security Groups. Segment by applications, app tiers, security zones, L2/L3 network boundaries, virtual-physical boundaries, organizational levels, etc. Source: Arkin.net screenshot.
  • 43. Micro-Segmentation in Action: Modeling Security Policies. Inter- and intra-segment (VM to VM) communication; some services require internet access; "Deny All" to these segments (… and confirm it); allowed access to shared services. Source: Arkin.net screenshot.
  • 44. Micro-Segmentation in Action: Validate Compliance. Runtime effective policy between any two points in the datacenter. Source: Arkin.net screenshot.
  • 46. Summary. Complexity is at the heart of today's security challenge. Virtualization and softwarization allow app focused placement and policy alignment. Containerization provides the essential context for realizing an operationally plausible default deny policy. This results in transformationally simpler policy and more effective protection.
  • 47. Apply: Assess. When you return to work: evaluate your current policy complexity (policy set size; policy testing workflow); estimate its effect on security policy management (latency in security policy updates); estimate the degree of your "default deny" posture; identify related instances of policy misconfiguration.
  • 48. Apply: Dev Ops. As you move forward in DevOps, for selected applications determine: the operationally plausible default deny posture from observed logs; application policy requirements from container blueprints/manifests; application component dynamics (continuity, scaling, …). For important cross-cutting application services, document discovery, election, failover, … protocol dynamics.
  • 49. Apply: Plausible Micro-segment Policy. Plausible policy information sources: 1. Provenance, manifests & provisioning information; 2. Application network behavior; 3. Infrastructure services (or micro-services) connectivity & dynamics.
  • 50. Thank You! Questions? Dennis R Moreau: dmoreau@vmware.com