Cloud-Native Security
New approach for a new reality
Tsvi Korren, Aqua
Slide 2: What do we mean by Cloud-Native?
• Made to run in the cloud (public, private, hybrid)
• App payload is decoupled from the infrastructure
• Orchestrated for updateability, scaling and resilience
• App is based on loosely-coupled microservices
Slide 3: The rules still need to apply
• Risk mitigation, vulnerabilities, integrity
• Deployment authorization, visibility, inventory
• Operational administration and change control
• Secrets management and secure configuration
• Network segmentation of microservices
• SOC and incident response
Slide 4: The Challenge
Cloud-Native deployments natively lack support for effective and demonstrable security required by business-critical applications.
• Organization: DevOps ↔ Security
• Process: Where to secure
• Technology: How to secure
Slide 5: Urgent need to bridge the gap
CI/CD, Images, Kubernetes, Cloud
Compliance, Access Controls, Intrusion Prevention, Forensics
Slide 6: Changes in process (diagram comparing the delivery pipeline when using servers with the pipeline when using containers; stage labels on the diagram: Coding, Static Analysis, Compile/package, Provision Server, Config software, Scan Server, Assess Risk, Fix Risks, Deploy, Get Base Image, Build Image)
Slide 7: Diminishing ability to execute controls (diagram of five deployment models, On Premises, Cloud VMs, Managed Containers, Containers as service and Serverless Functions, each drawn as the same stack of layers: Development, Packaging, App Payload, Container, Orchestration, Host, Network, Data Center)
Slide 8: Our Goal
• Security as a shared responsibility
• Automate security as a natural part of DevOps processes
• Protect workloads with focus on prevention
Make containers the most secure, predictable and controlled platform for running critical applications.
Slide 9: We have an opportunity to be more precise
Accounting for every vulnerability and possible threat is untenable. Know what to keep safe, and how to defend it.
Slide 10: We have an opportunity to simplify
Too many manual security options and rules become ineffective. Protect immutable workloads, with rules generated over the pipeline.
Slide 11: Stages of Cloud Native security maturity
• Image acceptance
• Run with least privileges
• Network controls
• Container immutability
• Application context authorization
• Immediate incident response
Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
Slide 12: The Orchestration System
• Easily misconfigured
• Handles Secrets
• Runs Everywhere
• Operates as root
Slide 13: Kubernetes security checklist
• Restrict network access to the Kubernetes API addresses and ports
• Use separate authentication for each authorized user
• Patch and upgrade Kubernetes as needed
• Control access from production Kubernetes to public registries
Slide 14: Kubernetes assessment
Slide 15: Stages of Cloud Native security maturity
• Image acceptance
• Run with least privileges
• Network controls
• Container immutability
• Application context authorization
• Immediate incident response
Image Hygiene: Vulnerability scanning, Compliant configuration, Approved base images
Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
Slide 16: Image security checklist
• Use the smallest image possible for your project
• Avoid storing keys and other sensitive data in the image
• Add the minimal number of packages required for your application
• Use dedicated users, non-standard ports
• Remove utilities at the end of the build (useradd, chown, curl)
• Scan the finished product
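The checklist above can be turned into a build-time check on the Dockerfile itself. The following linter is an added example written for this page, not code from the deck or from Aqua; each rule corresponds to one checklist item, the regular expressions and the two sample Dockerfiles are constructed (hosts and values are placeholders), and the last item, scanning the finished product, is out of scope because it needs the built image rather than the recipe.

```python
"""Checklist linter for a Dockerfile (added example; not code from the deck or from Aqua).

Each rule maps to one item of the image security checklist. The rules are
heuristics over the Dockerfile text and do not replace scanning the built image.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Names and file patterns that suggest a credential is being baked into the image.
SENSITIVE_NAME = re.compile(r"KEY|SECRET|PASSWORD|PASSWD|TOKEN|CREDENTIAL", re.I)
SENSITIVE_FILE = re.compile(r"(id_rsa|id_ed25519|\.pem|\.p12|\.pfx|\.env|\.netrc)(\s|$)", re.I)
# Build-time utilities the checklist says to remove at the end of the build.
BUILD_TOOLS = ("curl", "wget", "useradd", "chown")
# A RUN fragment that removes one of those tools (apk del / apt-get purge / rm -f).
REMOVAL = r"(?:apk\s+del|apt-get\s+(?:remove|purge)|rm\s+-f\s+)[^;&|]*\b{tool}\b"


@dataclass
class Finding:
    line: int      # Dockerfile line the instruction starts on (0 = whole file)
    rule: str
    message: str


def parse_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, INSTRUCTION, arguments) triples, joining backslash continuations."""
    out: List[Tuple[int, str, str]] = []
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no
        buf += line.rstrip("\\") + " "
        if line.endswith("\\"):
            continue
        instr, _, args = buf.strip().partition(" ")
        out.append((start, instr.upper(), args.strip()))
        buf = ""
    return out


def lint(text: str) -> List[Finding]:
    findings: List[Finding] = []
    last_user = None
    seen: Dict[str, int] = {}      # build tool -> first line it is used on
    removed: Set[str] = set()
    for no, instr, args in parse_dockerfile(text):
        if instr in ("ENV", "ARG"):
            name = re.split(r"[=\s]", args, 1)[0]
            if SENSITIVE_NAME.search(name):
                findings.append(Finding(no, "no-secrets", f"{instr} {name} looks like a secret baked into the image"))
        elif instr in ("COPY", "ADD") and SENSITIVE_FILE.search(args):
            findings.append(Finding(no, "no-secrets", f"{instr} of a key or credential file: {args}"))
        elif instr == "RUN":
            if re.search(r"apt-get\s+install", args) and "--no-install-recommends" not in args:
                findings.append(Finding(no, "minimal-packages", "apt-get install without --no-install-recommends pulls in extra packages"))
            for tool in BUILD_TOOLS:
                if re.search(rf"\b{tool}\b", args):
                    seen.setdefault(tool, no)
                if re.search(REMOVAL.format(tool=tool), args):
                    removed.add(tool)
        elif instr == "USER":
            last_user = args
        elif instr == "EXPOSE":
            for port in re.findall(r"\d+", args):
                if int(port) < 1024:
                    findings.append(Finding(no, "non-standard-port", f"EXPOSE {port} is a well-known port; prefer a dedicated high port"))
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append(Finding(0, "dedicated-user", "no non-root USER instruction; the container will run as root"))
    for tool, no in sorted(seen.items()):
        if tool not in removed:
            findings.append(Finding(no, "remove-build-utils", f"{tool} is used during the build but never removed"))
    return findings


# Constructed sample Dockerfiles (not from the deck); hosts, paths and values are placeholders.
BAD_DOCKERFILE = """\
FROM debian:bookworm-slim
ENV API_KEY=placeholder-value
RUN apt-get update && apt-get install -y curl \\
    && curl -fsSL -o /opt/app.tgz https://example.invalid/app.tgz
COPY id_rsa /root/.ssh/id_rsa
EXPOSE 80
CMD ["/opt/app/run"]
"""

GOOD_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update \\
    && apt-get install -y --no-install-recommends ca-certificates curl \\
    && curl -fsSL -o /opt/app.tgz https://example.invalid/app.tgz \\
    && tar -xzf /opt/app.tgz -C /opt && rm /opt/app.tgz \\
    && useradd -r -s /usr/sbin/nologin app \\
    && apt-get purge -y --auto-remove curl \\
    && rm -f /usr/sbin/useradd \\
    && rm -rf /var/lib/apt/lists/*
USER app
EXPOSE 8080
CMD ["/opt/app/run"]
"""

if __name__ == "__main__":
    for f in lint(BAD_DOCKERFILE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Running the file lists six findings for the first Dockerfile and none for the second; in a pipeline the same `lint()` call would run before the image build so the fixes happen in the recipe rather than after the scan.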
Slide 17: Top base container images (chart of image sizes: 5.28 MB, 95.93 MB, 84.79 MB, 192.44 MB; the image names are not recoverable from the extraction)
Slide 18: Scanning images
    {
      "name": "CVE-2016-7444",
      "description": "\nThe gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.\nA flaw was found in the way GnuTLS validated certificates using OCSP responses. This could falsely report a certificate as valid under certain circumstances.",
      "nvd_score": 5,
      "nvd_score_version": "CVSS v2",
      "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "nvd_severity": "medium",
      "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444",
      "vendor_score": 4.3,
      "vendor_score_version": "CVSS v2",
      "vendor_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "vendor_severity": "low",
      "vendor_url": "https://access.redhat.com/security/cve/CVE-2016-7444",
      "publish_date": "2016-09-27",
      "modification_date": "2018-01-04",
      "fix_version": "3.3.26-9.el7",
      "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."
    }
Callouts on the record: Impact statement (description); NVD data and score (nvd_* fields); Maintainer data and score (vendor_* fields); Backports and fix advice (fix_version, solution).
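The record shape shown on the slide is what an image-acceptance gate in the pipeline consumes. The gate below is an added example for this page, not Aqua's scanner or policy engine: the decision logic, the sample scan (the GnuTLS record from the slide with its description shortened and unused fields omitted, plus one constructed finding with placeholder values) and the policy parameters are all assumptions. It prefers the maintainer's severity over the NVD severity because the maintainer knows whether the fix was backported to the package build actually in the image, which is why the slide's record rates CVE-2016-7444 "medium" at NVD but "low" at Red Hat, and carries the backported fix version to upgrade to.

```python
"""Image acceptance gate over vulnerability-scanner output (added example; the
record shape is the one on the slide, the gate and sample data are constructed).
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan output. The first record is the GnuTLS entry from the
# slide (description shortened, fields the gate does not read omitted); the
# second is a constructed finding with placeholder values so a block is shown.
SAMPLE_SCAN = r"""[
  {
    "name": "CVE-2016-7444",
    "description": "The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response.",
    "nvd_score": 5,
    "nvd_severity": "medium",
    "vendor_score": 4.3,
    "vendor_severity": "low",
    "fix_version": "3.3.26-9.el7",
    "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."
  },
  {
    "name": "EXAMPLE-FINDING-1",
    "description": "constructed placeholder finding",
    "nvd_score": 7.5,
    "nvd_severity": "high",
    "vendor_score": 7.5,
    "vendor_severity": "high",
    "fix_version": "0.0.0-placeholder",
    "solution": "constructed placeholder: upgrade the package"
  }
]"""


@dataclass
class Decision:
    name: str
    severity: str   # effective severity used for the decision
    source: str     # "vendor" (maintainer, backport-aware) or "nvd"
    fixable: bool
    blocks: bool
    advice: str     # the scanner's fix advice, passed on to the developer


@dataclass
class GateResult:
    allowed: bool
    decisions: List[Decision] = field(default_factory=list)

    @property
    def blocking(self) -> List[Decision]:
        return [d for d in self.decisions if d.blocks]


def effective_severity(rec: Dict) -> Tuple[str, str]:
    """Prefer the maintainer's severity; fall back to NVD when there is none."""
    if rec.get("vendor_severity"):
        return str(rec["vendor_severity"]).lower(), "vendor"
    return str(rec.get("nvd_severity", "unknown")).lower(), "nvd"


def gate(records: List[Dict], fail_at: str = "medium", require_fix: bool = True) -> GateResult:
    """Block the image when any finding reaches `fail_at` and (if require_fix) a fix exists.
    require_fix=True keeps the build moving on findings nobody can act on yet."""
    threshold = SEVERITY_RANK[fail_at]
    decisions = []
    for rec in records:
        sev, src = effective_severity(rec)
        fixable = bool(rec.get("fix_version"))
        blocks = SEVERITY_RANK.get(sev, 0) >= threshold and (fixable or not require_fix)
        decisions.append(Decision(rec["name"], sev, src, fixable, blocks, rec.get("solution", "")))
    return GateResult(allowed=not any(d.blocks for d in decisions), decisions=decisions)


def gate_json(scan_json: str, **policy) -> GateResult:
    return gate(json.loads(scan_json), **policy)


def load_sample() -> List[Dict]:
    return json.loads(SAMPLE_SCAN)


def without_vendor_data(rec: Dict) -> Dict:
    """Simulate a scanner with no maintainer feed: only the NVD fields remain."""
    return {k: v for k, v in rec.items() if not k.startswith("vendor_")}


if __name__ == "__main__":
    result = gate_json(SAMPLE_SCAN)
    print("image allowed:", result.allowed)
    for d in result.decisions:
        verdict = "BLOCK" if d.blocks else "allow"
        print(f"  {d.name}: {d.severity} ({d.source}) fixable={d.fixable} -> {verdict}; {d.advice}")
```

With the sample input the GnuTLS finding is allowed at the default "medium" threshold because the maintainer rates it low, while the same record with the vendor fields stripped is judged by its NVD rating and blocks; the difference is exactly the backport information the slide's callouts point at.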
Slide 19: Beyond vulnerabilities: image content
Slide 20: Stages of Cloud Native security maturity
Containment:
• Image acceptance
• Run with least privileges
• Network controls
Prevention:
• Container immutability
• Application context authorization
• Immediate incident response
Image Hygiene: Vulnerability scanning, Compliant configuration, Approved base images
Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
Slide 21: Applying Runtime controls
Specific controls: Image authorization, Runtime Policies, Container profile
• Non-Compliant
• Unregistered
• Drift Prevention
• Process Blacklists
• Full whitelisting
General controls: Secrets, Networking, Forensics
Node and Kubernetes Security
Slide 22: Image acceptance
Slide 23: Least privilege at runtime
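Image acceptance and least privilege at runtime are both decided at the point where a workload is admitted to the cluster. The check below is an added example for this page, written as plain Python over a Pod manifest already parsed into a dict; it is not Aqua's enforcer and not a Kubernetes admission webhook, and `ALLOWED_REGISTRIES`, the placeholder digest and the two sample manifests are constructed. It applies the controls named on the Kubernetes checklist and the runtime-controls slide: only images from the approved registry (control over public registries; everything else is "Unregistered"), images pinned by digest rather than a re-pushable tag (image acceptance and immutability), no host namespaces, and a least-privilege securityContext on every container.

```python
"""Admission check for image authorization and least privilege (added example;
a constructed policy, not Aqua's enforcer or a Kubernetes admission webhook).
"""
from __future__ import annotations

from typing import Dict, List

# Constructed: the organisation's private registry. Anything else (docker.io,
# quay.io, ...) is "unregistered" from the cluster's point of view.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def image_violations(image: str) -> List[str]:
    v = []
    if not image.startswith(ALLOWED_REGISTRIES):
        v.append(f"image {image!r} is not from an approved registry")
    if "@sha256:" not in image:
        v.append(f"image {image!r} is not pinned by digest (a tag can be re-pushed)")
    return v


def container_violations(c: Dict) -> List[str]:
    name = c.get("name", "?")
    sc = c.get("securityContext") or {}
    v = [f"{name}: {m}" for m in image_violations(c.get("image", ""))]
    if sc.get("privileged"):
        v.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        v.append(f"{name}: runAsNonRoot must be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        v.append(f"{name}: allowPrivilegeEscalation must be false")
    if sc.get("readOnlyRootFilesystem") is not True:
        v.append(f"{name}: readOnlyRootFilesystem must be true (immutability)")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        v.append(f"{name}: capabilities.drop must include ALL")
    return v


def pod_violations(pod: Dict) -> List[str]:
    spec = pod.get("spec") or {}
    v = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):   # host namespaces defeat isolation
        if spec.get(flag):
            v.append(f"pod: {flag} is enabled")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        v.extend(container_violations(c))
    return v


def admit(pod: Dict) -> Dict:
    """Admission decision: deny when any violation is present, and say why."""
    v = pod_violations(pod)
    return {"allowed": not v, "violations": v}


# Constructed manifests (as they would look after YAML parsing).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "docker.io/library/nginx:latest",
                        "securityContext": {"privileged": True}}],
    },
}

PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4   # constructed, not a real digest
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web/frontend@" + PLACEHOLDER_DIGEST,
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], admit(pod))
```

The first manifest is denied with eight distinct violations and the second is admitted; returning every violation at once, rather than the first one hit, is what lets the developer fix the manifest in one round trip.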
Slide 24: Incident Response with servers
Suspicious activity? → Shut down service?
• Requires investigation and triage
• Could be an administrative action
• Limited ability for narrow response
• Risk of service disruption
Slide 25: Incident Response with containers
Unauthorized action → Block specific action
• Container behavior model is known
• Administrative action is not allowed
• Surgical preventive controls
• No disruption of service
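The contrast between the two incident-response slides rests on one thing: for a container, the model of what may run is known before the incident, so the response can be a block of one action rather than a shutdown of the service. The code below is an added example for this page, not Aqua's runtime enforcer; the profile, the placeholder hashes, the container id and the exec events are constructed. It implements the three runtime controls named on the "Applying Runtime controls" slide (drift prevention, process blacklists, full whitelisting) as a decision per exec event, where the behaviour model is the set of executables shipped in the image with their hashes.

```python
"""Runtime enforcement from a container behaviour model (added example; the
profile, hashes and events are constructed, and this is not Aqua's enforcer).
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set


@dataclass
class ContainerProfile:
    image: str
    image_binaries: Dict[str, str]          # path -> hash of the file as shipped in the image
    blacklist: Set[str] = field(default_factory=set)   # process blacklist: never allowed
    whitelist: Optional[Set[str]] = None    # full whitelisting: if set, only these may run


@dataclass
class ExecEvent:
    container: str
    path: str
    file_hash: str      # hash of the file being executed, computed by the enforcer at exec time
    argv: List[str]


@dataclass
class Verdict:
    action: str         # "allow" or "block"
    reason: str
    event: ExecEvent


def evaluate_exec(profile: ContainerProfile, ev: ExecEvent) -> Verdict:
    """Decide one exec() in a running container. Only this exec is affected;
    the container and its other processes keep running either way."""
    if ev.path in profile.blacklist:
        return Verdict("block", "process blacklist", ev)
    # Drift prevention: only binaries shipped in the image, unmodified, may run.
    expected = profile.image_binaries.get(ev.path)
    if expected is None:
        return Verdict("block", "drift: executable was not in the image", ev)
    if expected != ev.file_hash:
        return Verdict("block", "drift: executable modified after the image was built", ev)
    # Full whitelisting narrows further to the executables the profile expects.
    if profile.whitelist is not None and ev.path not in profile.whitelist:
        return Verdict("block", "not in the container's process whitelist", ev)
    return Verdict("allow", "matches container profile", ev)


def enforce(profile: ContainerProfile, events: List[ExecEvent]) -> List[Verdict]:
    return [evaluate_exec(profile, e) for e in events]


def with_whitelist(profile: ContainerProfile, paths: Set[str]) -> ContainerProfile:
    """Tighten a profile to full whitelisting (the "Container profile" column)."""
    return replace(profile, whitelist=set(paths))


# Constructed profile: what the image scan recorded at build time (placeholder hashes).
SAMPLE_PROFILE = ContainerProfile(
    image="registry.example.internal/web/frontend@sha256:placeholder",
    image_binaries={"/app/server": "hash-server", "/bin/sh": "hash-sh", "/usr/bin/curl": "hash-curl"},
    blacklist={"/usr/bin/curl"},
)

# Constructed exec events as an enforcer would see them in a running container.
SAMPLE_EVENTS = [
    ExecEvent("web-7d9f", "/app/server", "hash-server", ["/app/server", "--port", "8080"]),
    ExecEvent("web-7d9f", "/tmp/dropped", "hash-unknown", ["/tmp/dropped"]),        # file added after start
    ExecEvent("web-7d9f", "/bin/sh", "hash-sh-modified", ["/bin/sh", "-c", "id"]),  # binary replaced in place
    ExecEvent("web-7d9f", "/usr/bin/curl", "hash-curl", ["curl", "http://example.invalid"]),
    ExecEvent("web-7d9f", "/bin/sh", "hash-sh", ["/bin/sh", "-c", "ls /app"]),
]

if __name__ == "__main__":
    for v in enforce(SAMPLE_PROFILE, SAMPLE_EVENTS):
        print(f"{v.action:5} {v.event.path:15} {v.reason}")
```

With the sample events the service binary and the unmodified shell are allowed while the dropped file, the replaced shell and the blacklisted tool are each blocked individually; tightening the same profile to a whitelist of `/app/server` also blocks the shell, which is the "full whitelisting" step on the runtime-controls slide. Each verdict is the event a SOC would receive under the roles slide that follows.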
Slide 26: Roles and responsibilities
• Security – Establish the policies that govern:
  - Image acceptance
  - Runtime behavior
• DevOps – Use security advice from scanning in image builds
• SOC – Receive events and respond to incidents
Slide 27: Same standards, escalating enforcement
Sandbox:      Voluntary   | Scanning as a service
Development:  Mandatory   | Scanning in the pipeline with policies
Test/Stage:   Detection   | Application security modeling
Production:   Enforcement | Protecting the application
Slide 28: Top risks addressed
Control                                      | Risk addressed
Continuous discovery, image assurance        | Rogue deployment
Enforce immutability with drift prevention   | Malicious code injection
Limit user and executable use                | Administration actions
Secured secrets distribution into container  | Compromised credentials
Workload firewall across all interfaces      | Network connections
Secure workload with application context     | Unknown vectors (Zero Day)
Slide 29: Where to start?
CIS benchmark for K8S
• Scans Kubernetes nodes against the CIS benchmark checks
• github.com/aquasecurity/kube-bench
Docker image scanner
• Scan Docker build for known vulnerabilities
• Plug-in for Jenkins
• github.com/aquasecurity/microscanner
K8S penetration-testing
• Tests K8s clusters against known attack vectors, both remote and internal
• github.com/aquasecurity/kube-hunter
www.aquasec.com
