Tsvi Korren, CISSP, VP of Product Strategy at Aqua Security, has been an IT security professional for over 25 years. In previous positions at DEC and CA Inc., he consulted with various industry verticals on the process and organizational aspects of security. As VP of Product Strategy at Aqua, he is tasked with delivering commercial and open source solutions that make Cloud Native workloads the most secure, compliant and resilient application delivery platform.
Slide 2: What do we mean by Cloud-Native?
• Made to run in the cloud (public, private, hybrid)
• App payload is decoupled from the infrastructure
• Orchestrated for updateability, scaling and resilience
• App is based on loosely-coupled microservices
Slide 3: The rules still need to apply
• Risk mitigation, vulnerabilities, integrity
• Deployment authorization, visibility, inventory
• Operational administration and change control
• Secrets management and secure configuration
• Network segmentation of microservices
• SOC and incident response
Slide 4: The Challenge
Cloud-Native deployments natively lack support for effective and demonstrable security required by business-critical applications.
• Organization: DevOps ⇔ Security
• Process: Where to secure
• Technology: How to secure
Slide 5: Urgent need to bridge the gap
CI/CD, Images, Kubernetes, Cloud
Compliance, Access Controls, Intrusion Prevention, Forensics
Slide 7: Diminishing ability to execute controls
[Figure: the same stack (Development, Packaging, App Payload, Container, Orchestration, Host, Network, Data Center) is drawn for five deployment models: On Premises, Cloud VMs, Managed Containers, Containers as a service, Serverless Functions. Moving from on premises towards serverless, fewer of these layers remain under your control.]
Slide 8: Our Goal
• Security as a shared responsibility
• Automate security as a natural part of DevOps processes
• Protect workloads with focus on prevention
Make containers the most secure, predictable and controlled platform for running critical applications.
Slide 9: We have an opportunity to be more precise
Accounting for every vulnerability and possible threat is untenable.
Know what to keep safe, and how to defend it.
Slide 10: We have an opportunity to simplify
Too many manual security options and rules become ineffective.
Protect immutable workloads, with rules generated over the pipeline.
Slide 11: Stages of Cloud Native security maturity
Image acceptance, Run with least privileges, Network controls, Container immutability, Application context authorization, Immediate incident response
• Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
Slide 13: Kubernetes security checklist
• Restrict network access to the Kubernetes API addresses and ports
• Use separate authentication for each authorized user
• Patch and upgrade Kubernetes as needed
• Control access from production Kubernetes to public registries
Slide 15: Stages of Cloud Native security maturity
Image acceptance, Run with least privileges, Network controls, Container immutability, Application context authorization, Immediate incident response
• Image Hygiene: Vulnerability scanning, Compliant configuration, Approved base images
• Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
Slide 16: Image security checklist
• Use the smallest image possible for your project
• Avoid storing keys and other sensitive data in the image
• Add the minimal number of packages required for your application
• Use dedicated users, non-standard ports
• Remove utilities at the end of the build (useradd, chown, curl)
• Scan the finished product
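The checklist above can be turned into a pipeline check on the Dockerfile itself. This is an added example, not code from the talk or from Aqua; the sample Dockerfile, the approved-base allowlist and the "standard ports" set are constructed assumptions.

```python
import re
# Constructed sample Dockerfile (not from the talk) that deliberately breaks several checklist items.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl python3 \\
    && useradd -m app
COPY id_rsa /root/.ssh/id_rsa
EXPOSE 80
"""

APPROVED_BASES = ("alpine:", "registry.example.internal/base/")  # assumed approved-base allowlist
STANDARD_PORTS = {"22", "80", "443", "3306", "5432"}              # "use non-standard ports"
SECRET_NAME = re.compile(r"id_rsa|\.pem$|\.key$|secret|password|token", re.I)
BUILD_UTILITIES = ("curl", "wget", "useradd", "chown")            # remove at the end of the build

def parse_instructions(text):
    # Join backslash continuations, drop comments, return (INSTRUCTION, args) pairs.
    pairs = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, args = line.partition(" ")
            pairs.append((instr.upper(), args.strip()))
    return pairs

def check_dockerfile(text):
    """Return checklist violations for the final build stage (earlier stages do not ship)."""
    instrs = parse_instructions(text)
    final = instrs[max((i for i, (k, _) in enumerate(instrs) if k == "FROM"), default=0):]
    issues = []
    for instr, args in final:
        if instr == "FROM":
            image = args.split()[0]
            if not image.startswith(APPROVED_BASES):
                issues.append(f"base image not on approved list: {image}")
            if ":" not in image or image.endswith(":latest"):
                issues.append(f"base image tag not pinned: {image}")
        elif instr in ("COPY", "ADD"):
            issues += [f"possible secret copied into image: {s}"
                       for s in args.split()[:-1] if SECRET_NAME.search(s)]
        elif instr == "EXPOSE":
            issues += [f"standard port exposed: {p}" for p in args.split() if p.split("/")[0] in STANDARD_PORTS]
    users = [args for instr, args in final if instr == "USER"]
    if not users or users[-1] in ("root", "0"):
        issues.append("no non-root USER set, container will run as root")
    runs = [args for instr, args in final if instr == "RUN"]
    for util in BUILD_UTILITIES:  # installed or used in a RUN step but never purged/deleted later
        if any(re.search(rf"\b{util}\b", r) for r in runs) and not any(
                re.search(rf"\b{util}\b", r) and re.search(r"\b(purge|del|rm)\b", r) for r in runs):
            issues.append(f"build utility left in image: {util}")
    return issues
```

Running `check_dockerfile(BAD_DOCKERFILE)` reports seven violations; a pinned approved base with a non-root USER, a non-standard port and no leftover utilities reports none.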
Slide 18: Scanning images
Example finding from a scan report:
{
  "name": "CVE-2016-7444",
  "description": "\nThe gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.\nA flaw was found in the way GnuTLS validated certificates using OCSP responses. This could falsely report a certificate as valid under certain circumstances.",
  "nvd_score": 5,
  "nvd_score_version": "CVSS v2",
  "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
  "nvd_severity": "medium",
  "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444",
  "vendor_score": 4.3,
  "vendor_score_version": "CVSS v2",
  "vendor_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
  "vendor_severity": "low",
  "vendor_url": "https://access.redhat.com/security/cve/CVE-2016-7444",
  "publish_date": "2016-09-27",
  "modification_date": "2018-01-04",
  "fix_version": "3.3.26-9.el7",
  "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."
}
Callouts on the slide: NVD data and score; Maintainer data and score; Impact statement; Backports and fix advice.
Slide 24: Incident Response with servers
• Suspicious activity?
• Shut down service?
• Requires investigation and triage
• Could be an administrative action
• Limited ability for narrow response
• Risk of service disruption
Slide 25: Incident Response with containers
• Unauthorized action
• Block specific action
• Container behavior model is known
• Administrative action is not allowed
• Surgical preventive controls
• No disruption of service
Slide 26: Roles and responsibilities
• Security: establish the policies that govern:
  • Image acceptance
  • Runtime behavior
• DevOps: use security advice from scanning in image builds
• SOC: receive events and respond to incidents
Slide 27: Same standards, escalating enforcement
• Sandbox: Voluntary (scanning as a service)
• Development: Mandatory (scanning in the pipeline with policies)
• Test/Stage: Detection (application security modeling)
• Production: Enforcement (protecting the application)
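The scan report format from the "Scanning images" slide and the escalating enforcement on this slide come together in a pipeline gate: one standard for what counts as a failing finding, applied with a different action per environment. This is an added example, not code from the talk or from Aqua; the trimmed scan JSON (with a placeholder second finding), the severity ranking and the environment names are constructed assumptions.

```python
import json

# Constructed scan output modeled on the finding shown on the "Scanning images" slide, trimmed to
# the fields the gate uses; the second entry is a placeholder (not a real CVE) that has no fix yet.
SCAN_JSON = """
[
  {"name": "CVE-2016-7444", "nvd_severity": "medium", "vendor_severity": "low",
   "fix_version": "3.3.26-9.el7", "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."},
  {"name": "CVE-PLACEHOLDER-0001", "nvd_severity": "critical", "vendor_severity": null,
   "fix_version": null, "solution": null}
]
"""

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# One standard everywhere (findings above MAX_SEVERITY fail); only the action escalates by environment.
MAX_SEVERITY = "medium"
ENFORCEMENT = {"sandbox": "voluntary", "development": "mandatory",
               "test/stage": "detection", "production": "enforcement"}

def effective_severity(finding):
    """Prefer the maintainer's backport-aware rating (the slide's 'Maintainer data and score') over NVD's."""
    return finding.get("vendor_severity") or finding.get("nvd_severity") or "unknown"

def fails_standard(finding):
    # Unknown severities are treated as the worst case rather than silently passing.
    return SEVERITY_RANK.get(effective_severity(finding), 4) > SEVERITY_RANK[MAX_SEVERITY]

def gate(scan_json, environment):
    """Apply the standard to a scan report and decide, per environment, whether the image may proceed."""
    findings = json.loads(scan_json)
    failing = [f for f in findings if fails_standard(f)]
    mode = ENFORCEMENT[environment]
    # voluntary: report only; detection: let it run but raise an event; mandatory/enforcement: stop it.
    allowed = not failing or mode in ("voluntary", "detection")
    return {
        "environment": environment, "mode": mode, "allowed": allowed,
        "failing": [f["name"] for f in failing],
        "alert": bool(failing) and mode == "detection",
        "advice": [f["solution"] or f"{f['name']}: no fix available yet" for f in failing],
    }

if __name__ == "__main__":
    for env in ENFORCEMENT:
        print(gate(SCAN_JSON, env))
```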
Slide 28: Controls and top risks addressed
Controls:
• Continuous discovery, image assurance
• Enforce immutability with drift prevention
• Limit user and executable use
• Secured secrets distribution into container
• Workload firewall across all interfaces
• Secure workload with application context
Top risks addressed:
• Rogue deployment
• Malicious code injection
• Administration actions
• Compromised credentials
• Network connections
• Unknown vectors (Zero Day)
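Slide 25 ("container behavior model is known", "block specific action") and the controls above describe a runtime policy that is evaluated per event rather than per host. This added example (not code from the talk or from Aqua, and not Aqua's profile format) shows that evaluation over a constructed behavior model and a constructed event stream; image names, paths and hosts are placeholders.

```python
# Constructed behavior model for one workload, as a pipeline could derive it from the image contents;
# names, paths and hosts are placeholders.
MODEL = {
    "image": "registry.example.internal/shop/checkout@sha256:PLACEHOLDER",
    "executables": {"/usr/bin/python3", "/app/server.py"},
    "writable_prefixes": ("/tmp/", "/var/log/app/"),
    "egress": {("payments.internal", 443), ("db.internal", 5432)},
}
ASSURED_IMAGES = {MODEL["image"]}   # images that passed image assurance in the pipeline

# Constructed runtime events in a simple dict form (what a runtime sensor would report).
EVENTS = [
    {"type": "deploy", "image": "docker.io/someone/checkout:latest"},            # not from the pipeline
    {"type": "exec", "path": "/usr/bin/python3", "user": "app", "via": "entrypoint"},
    {"type": "exec", "path": "/bin/sh", "user": "root", "via": "kubectl exec"},  # interactive admin access
    {"type": "exec", "path": "/tmp/miner", "user": "app", "via": "child"},       # binary not in the image
    {"type": "write", "path": "/usr/bin/python3", "user": "app"},                # changing image contents
    {"type": "write", "path": "/tmp/cache.db", "user": "app"},
    {"type": "connect", "host": "db.internal", "port": 5432},
    {"type": "connect", "host": "203.0.113.9", "port": 4444},                    # egress outside the model
]

def evaluate(event, model):
    """Decide one event against the model: ('allow', None) or ('block', <risk named on slide 28>)."""
    kind = event["type"]
    if kind == "deploy" and event["image"] not in ASSURED_IMAGES:
        return "block", "Rogue deployment"
    if kind == "exec":
        if event.get("via") not in ("entrypoint", "child"):
            return "block", "Administration actions"
        if event["path"] not in model["executables"]:
            return "block", "Malicious code injection"   # drift from the immutable image
    if kind == "write" and not event["path"].startswith(model["writable_prefixes"]):
        return "block", "Malicious code injection"       # immutability: image contents must not change
    if kind == "connect" and (event["host"], event["port"]) not in model["egress"]:
        return "block", "Network connections"
    return "allow", None

def enforce(events, model):
    """Block only the offending events; everything that fits the model keeps running (no disruption)."""
    return [(e, *evaluate(e, model)) for e in events]

if __name__ == "__main__":
    for event, decision, risk in enforce(EVENTS, MODEL):
        print(decision, risk or "", event)
```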
Slide 29: Where to start?
CIS benchmark for K8S
• Scans Kubernetes nodes against the CIS benchmark checks
• github.com/aquasecurity/kube-bench
Docker image scanner
• Scan Docker build for known vulnerabilities
• Plug-in for Jenkins
• github.com/aquasecurity/microscanner
K8S penetration-testing
• Tests K8s clusters against known attack vectors, both remote and internal
• github.com/aquasecurity/kube-hunter