SlideShare ist ein Scribd-Unternehmen logo

Shifting security left simplifying security for k8s open shift environments

L
LibbySchulze

Shifting security left simplifying security for k8s open shift environments

Internet
1 von 22
Downloaden Sie, um offline zu lesen
KUBERNETES SECRETS MANAGEMENT Build Secure Apps Faster Without Secrets 1
Tesla Cloud Account Data Breach Attackers used credentials stored in Kubernetes to hijack cloud resources to mine cryptocurrency ATTACKERS TARGET APPLICATION SECRETS Attacker finds unprotected Kubernetes console and copies the keys DevOps engineer places AWS access keys in Kubernetes Attacker uses keys to install cryptocurrency mining software in cloud Kubernetes is configured to not require a password for console access
EVERYBODY WANTS A SECURE DEVOPS FLOW, BUT…
SHIFTING SECURITY LEFT INTO DEVELOPMENT WORKFLOWS 4 Developer s DevOps Security Empower security team • Highlight the app & tool risk • Leverage single platform – human/non-human solution serves all • Security focus • Manage security budget Enable Developer/DevOps • Easy to use (consume secrets) • Prebuilt integrations • Conjur Open Source and Secretless Broker Free developers from security burden • Compliance, audit requests, human creds • Security budget Plan Code Create Test Release Deploy Operate
APP ID Create Auditable Identity for Apps Authorized Access that is MFA Enforce Strong Authn for Apps, Remove Secrets Zero Establish Identity to Applications BEST PRACTICES FOR SECURING SECRETS Limit Secret Leaks & Reduce Attack Surface Enables Compliance with Audit & Best Practices Remove Security Islands Regularly Perform Secrets Rotation Limit Updates to Files, Code or DBs when Secrets Rotated Limit Application Downtime Required to Rotate Secrets Removal of Hard-Coded Credentials Credential Rotation Authn
THE PROBLEMS WITH SECURITY ISLANDS There are many ways to vault secrets, But: • Developers must learn multiple solutions • Hard to establish & share best-practices • Short-cuts often taken • SoD not enforced • GRC reporting is impossible Islands of Security Hiera Databags Vault IAM / KMS IAM / KMS Home Grown Solutions Secrets Secrets IAM / KMS
• Build on a chain of trust • Authenticate all requests • Authorize w/ least amount of privilege • Audit everything • ...and do it with code! • The Secret-Zero Problem… • Humans use their built-in vault for passwords or, failing that, answers to security questions. • Non-humans need a way to bootstrap identity that doesn’t put credentials at risk • But how to manage that initial secret required by apps to bootstrap identity? IF IT CAN BE IDENTIFIED, ITS ACCESS CAN BE MANAGED Human Identity
WAYS TO ESTABLISH & AUTHENTICATE IDENTITY Use-Case Means Strengths Weaknesses Credential Based Human identity Passport, Password • Very familiar • Humans have built-in vaults • Social engineering • Insecure persistent storage Pre-Configure d Identity API Key Analogous to human uname/pwd model • Key distribution is subject to compromise • Requestor can’t initiate Bootstrapped Identity Token-based • Can provide extra control factors, e.g. time, CIDR, one-time use, etc. • Secret to get a secret • Stateful - requires active entropy mgmt Attribute Based Human Identity Biometrics •Hard to spoof •Convenient • Context dependent Pre-Configure d Identity Various Factors • Multi-factor (selectable) •OS user, path, MD5 hash, IP/Hostname • No trusted 3rd party • Requires authn agent running local to applications • Not scalable to container use-cases Bootstrapped Identity Trusted 3rd Party • Ideal for container orchestration • Platform dependencies • Hard to implement for legacy technologies
SECRETS ACCESS WORKFLOW Authenticate Access Token Requestor Target Access per Policy Retrieve secrets Use secrets Access Token expires after 8 mins
K8S ATTRIBUTE AUTHENTICATION IN 1) Admin whitelists app identity with Conjur Three options for identity granularity: • Identity = Cluster/Namespace • Identity = Cluster/Namespace/Service Account 2) Authenticator client in app pod submits CSR w/ platform attributes to Conjur 3) Conjur verifies attributes w/ platform service 4) Conjur issues cert & key creds to authenticator client in app pod 5) Authenticator client in app pod uses creds to authenticate, get Conjur access token and shares via shared memory volume. Conjur policy 1 2 cs r identity 5 acces s token 3 verify 4
11 AUTHENTICATE WORKLOADS, NOT INFRASTRUCTURE Secure Production Identity Framework for Everyone Inspired by the production infrastructure of Google and others, SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.
IDENTITY VERIFIED USING K8S PLATFORM ATTRIBUTES Attribute Verifying Authority (K8s API) 3) Validate Attributes 4) Legit Credential Issuing Authority /access/ token Authenticator client container Application container(s ) Pod 2) CSR w/ attributes 6) Authn 5) Write Cert & Key Conjur policy 1) Alllow-list identity 7) Share
• Lab 1: • Authenticator runs as a Sidecar • App pulls DB creds with REST API • App connects to DB • Lab 2: Secrets Injection w/ Summon • Authenticator runs as an Init container • Summon pulls DB creds & calls app w/ creds in env vars • App connects to DB • Lab 3: K8s Secrets • Authenticator runs as an Init Container • K8s secret manifest names DB cred names • Authenticator retrieves DB creds & dynamically patches K8s secret w/ DB cred values • App connects to DB • Lab 4: Secretless Broker • Authenticator runs as a Sidecar Container listening on DB port • App attempts to connect to DB on local port • Authenticator retrieves DB creds, connects to DB, proxies connection for app • App connects to DB CONJUR DEMO USE-CASES
3 Summon for secrets injection 1 2 1 2 3 Summon invoked with authenticated identity Summon fetches secrets using identity Processes launched with secrets in environment Learn more at: https://cyberark.github.io/summon/
THE SECRETS LIFECYCLE TODAY Secrets Storage Secrets Delivery Application s
INTRODUCING “SECRETLESS” Establishes proxied connections to resources w/o direct access to secrets. • Frees developers and applications from responsibility of managing secrets. • Reduces the threat surface of secrets • Handles rotation transparently • Does not change how clients connect to services • Allows use of standard libraries and tools. Uses an extensible driver model to connect to backend resources. • For example: • HTTP • SSH (MITM and ssh-agent approaches) • SQL and NoSQL Databases • New drivers in development, inquire within to join the effort.
Secretless Billing Service Database User (Simulated) 1 Service connects to Secretless proxy HTTP Request Secretless proxy requests database credentials to remote database 2 Conjur seamlessly rotates database credentials used by Secretless 4 Secretless establishes a connection to the remote database and transparently brokers the connection 3 1 2 3 4 “SECRETLESS” CONCEPT: APPS CAN’T LEAK SECRETS LDAP, htpasswd, etc. User authn K8s Pod
Stolen secrets? Inconceivable!
BENEFITS ✔ Simple, context free, secure method for retrieving credentials in containers ✔ End-to-end encryption of secrets through mutual TLS (Transport Layer Security) using SPIFFE-compliant resource identifiers. ✔ Robust authentication and authorization incorporating Conjur policy, signed certificates, and an internal Kubernetes APIs. ✔ Conjur running inside Kubernetes ✔ SoD between applications ✔ SoD also between the Kubernetes security operator and the development teams using Conjur policy ✔ Credentials are not exposed to any 3rd party, reside only in memory ✔ Full central audit trail
DEPLOY CONJUR INTEGRATION IN KUBERNETES IN JUST A FEW CLICKS! KUBERNETES – CONJUR INTEGRATION IN GOOGLE MARKETPLACE 20
CyberArk Commons OSS Community: • Conjur.org • APIs, documents, tutorials, code • New technical content each month: blogs, newsletter • Streamlined user experience to get started and get hands on • Discuss.CyberArkCommons.org • Discussions and community support for open source • Hands-on Workshops, developer community events and forums • Secretless Broker: Conjur.org/api/secretless-broker • Summon: CyberArk.GitHub.io/Summon CONJUR OPEN SOURCE AND THE CYBERARK OPEN SOURCE COMMUNITY
THANK YOU CONJUR.ORG DISCUSS.CYBERARKCOMMONS.ORG

Empfohlen

Simplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementSimplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementDevOps.com
 
Barbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackBarbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackjarito030506
 
Redefining cloud native debugging
Redefining cloud native debugging Redefining cloud native debugging
Redefining cloud native debugging LibbySchulze
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersUsing Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersMirantis
 
Monitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogMonitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogDevOps.com
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveCisco DevNet
 
Améliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelAméliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelOdinot Stanislas
 
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioAnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioRoberto Carratala
 

Empfohlen

Simplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementSimplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes ManagementDevOps.com
 
Barbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackBarbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackjarito030506
 
Redefining cloud native debugging
Redefining cloud native debugging Redefining cloud native debugging
Redefining cloud native debugging LibbySchulze
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersUsing Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersMirantis
 
Monitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogMonitoring Your AWS EKS Environment with Datadog
Monitoring Your AWS EKS Environment with DatadogDevOps.com
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveCisco DevNet
 
Améliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelAméliorer OpenStack avec les technologies Intel
Améliorer OpenStack avec les technologies IntelOdinot Stanislas
 
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioAnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenario
AnsibleFest 2020 - Automate cybersecurity solutions in a cloud native scenarioRoberto Carratala
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
The user s identities
The user s identitiesThe user s identities
The user s identitiesGiuliano Latini
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOpsDaniel Oh
 
Securing Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container DataSecuring Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container DataMirantis
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containersAkash Mahajan
 
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...DevOps.com
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesMirantis
 
How to Build a Basic Edge Cloud
How to Build a Basic Edge CloudHow to Build a Basic Edge Cloud
How to Build a Basic Edge CloudMirantis
 
CyberArk Impact 2017 - REST for the Rest of Us
CyberArk Impact 2017 - REST for the Rest of UsCyberArk Impact 2017 - REST for the Rest of Us
CyberArk Impact 2017 - REST for the Rest of UsJoe Garcia
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...DevOps.com
 
Deploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesDeploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesKangaroot
 
EasyStack True Private Cloud | Quek Keng Oei
EasyStack True Private Cloud | Quek Keng OeiEasyStack True Private Cloud | Quek Keng Oei
EasyStack True Private Cloud | Quek Keng OeiVietnam Open Infrastructure User Group
 
Introduction to Spring Cloud Kubernetes
Introduction to Spring Cloud Kubernetes Introduction to Spring Cloud Kubernetes
Introduction to Spring Cloud KubernetesVMware Tanzu
 
What's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesWhat's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesMirantis
 
Open Source KMIP Implementation
Open Source KMIP ImplementationOpen Source KMIP Implementation
Open Source KMIP Implementationsedukull
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformKiratech
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsJim Bugwadia
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armorDevOps Indonesia
 
Jenkins Terraform Vault
Jenkins Terraform VaultJenkins Terraform Vault
Jenkins Terraform VaultShrivatsa Upadhye
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOpsDaniel Oh
 
Securing Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container DataSecuring Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container DataMirantis
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containersAkash Mahajan
 
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...DevOps.com
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesMirantis
 
How to Build a Basic Edge Cloud
How to Build a Basic Edge CloudHow to Build a Basic Edge Cloud
How to Build a Basic Edge CloudMirantis
 
CyberArk Impact 2017 - REST for the Rest of Us
CyberArk Impact 2017 - REST for the Rest of UsCyberArk Impact 2017 - REST for the Rest of Us
CyberArk Impact 2017 - REST for the Rest of UsJoe Garcia
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...DevOps.com
 
Deploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesDeploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesKangaroot
 
Introduction to Spring Cloud Kubernetes
Introduction to Spring Cloud Kubernetes Introduction to Spring Cloud Kubernetes
Introduction to Spring Cloud KubernetesVMware Tanzu
 
What's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesWhat's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesMirantis
 
Open Source KMIP Implementation
Open Source KMIP ImplementationOpen Source KMIP Implementation
Open Source KMIP Implementationsedukull
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformKiratech
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsJim Bugwadia
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armorDevOps Indonesia
 

Was ist angesagt? (20)

Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
The user s identities
The user s identitiesThe user s identities
The user s identities
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
 
Securing Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container DataSecuring Your Containers is Not Enough: How to Encrypt Container Data
Securing Your Containers is Not Enough: How to Encrypt Container Data
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
 
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
Microservices at Scale: How to Reduce Overhead and Increase Developer Product...
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
 
How to Build a Basic Edge Cloud
How to Build a Basic Edge CloudHow to Build a Basic Edge Cloud
How to Build a Basic Edge Cloud
 
CyberArk Impact 2017 - REST for the Rest of Us
CyberArk Impact 2017 - REST for the Rest of UsCyberArk Impact 2017 - REST for the Rest of Us
CyberArk Impact 2017 - REST for the Rest of Us
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Deploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesDeploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native Kubernetes
 
EasyStack True Private Cloud | Quek Keng Oei
EasyStack True Private Cloud | Quek Keng OeiEasyStack True Private Cloud | Quek Keng Oei
EasyStack True Private Cloud | Quek Keng Oei
 
Introduction to Spring Cloud Kubernetes
Introduction to Spring Cloud Kubernetes Introduction to Spring Cloud Kubernetes
Introduction to Spring Cloud Kubernetes
 
What's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesWhat's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar Slides
 
Open Source KMIP Implementation
Open Source KMIP ImplementationOpen Source KMIP Implementation
Open Source KMIP Implementation
 
Webinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins PlatformWebinar: Introduction to CloudBees Jenkins Platform
Webinar: Introduction to CloudBees Jenkins Platform
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply Chains
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armor
 

Ähnlich wie Shifting security left simplifying security for k8s open shift environments

Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Anil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil Saldanha
 
Self-Service x Hashicorp Vault
Self-Service x Hashicorp VaultSelf-Service x Hashicorp Vault
Self-Service x Hashicorp VaultMartin Conraux
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...DevOps.com
 
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...Puppet
 
Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22WesComer2
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Mary Racter
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsNETUserGroupBern
 
Is DevOps Braking Your Company?
Is DevOps Braking Your Company?Is DevOps Braking Your Company?
Is DevOps Braking Your Company?conjur_inc
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsUlf Mattsson
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021lior mazor
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthKashif Imran
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesShikha Srivastava
 
IglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proIglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proKarl Ots
 
Zero Credential Development with Managed Identities for Azure resources
Zero Credential Development with Managed Identities for Azure resourcesZero Credential Development with Managed Identities for Azure resources
Zero Credential Development with Managed Identities for Azure resourcesJoonas Westlin
 

Ähnlich wie Shifting security left simplifying security for k8s open shift environments (20)

Jenkins Terraform Vault
Jenkins Terraform VaultJenkins Terraform Vault
Jenkins Terraform Vault
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Anil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpracticesAnil saldhana cloudidentitybestpractices
Anil saldhana cloudidentitybestpractices
 
Self-Service x Hashicorp Vault
Self-Service x Hashicorp VaultSelf-Service x Hashicorp Vault
Self-Service x Hashicorp Vault
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
 
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
 
Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22Indianapolis Splunk User Group Dec 22
Indianapolis Splunk User Group Dec 22
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applications
 
Is DevOps Braking Your Company?
Is DevOps Braking Your Company?Is DevOps Braking Your Company?
Is DevOps Braking Your Company?
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
 
IglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proIglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a pro
 
Zero Credential Development with Managed Identities for Azure resources
Zero Credential Development with Managed Identities for Azure resourcesZero Credential Development with Managed Identities for Azure resources
Zero Credential Development with Managed Identities for Azure resources
 

Mehr von LibbySchulze

Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdfLibbySchulze
 
Extending Kubectl.pptx
Extending Kubectl.pptxExtending Kubectl.pptx
Extending Kubectl.pptxLibbySchulze
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsLibbySchulze
 
Fallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfFallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfLibbySchulze
 
Intro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfIntro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfLibbySchulze
 
Enhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxEnhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxLibbySchulze
 
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfCNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfLibbySchulze
 
Oh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfOh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfLibbySchulze
 
Rancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxRancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxLibbySchulze
 
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxvFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxLibbySchulze
 
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMCNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMLibbySchulze
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfLibbySchulze
 
AirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfAirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfLibbySchulze
 
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...LibbySchulze
 
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...LibbySchulze
 
CNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfCNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfLibbySchulze
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfLibbySchulze
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdfLibbySchulze
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdfLibbySchulze
 
Advancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureAdvancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureLibbySchulze
 

Mehr von LibbySchulze (20)

Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdf
 
Extending Kubectl.pptx
Extending Kubectl.pptxExtending Kubectl.pptx
Extending Kubectl.pptx
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo Workflows
 
Fallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfFallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdf
 
Intro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfIntro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdf
 
Enhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxEnhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptx
 
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfCNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
 
Oh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfOh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdf
 
Rancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxRancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptx
 
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxvFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
 
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMCNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdf
 
AirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfAirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdf
 
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
 
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
 
CNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfCNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdf
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdf
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdf
 
Advancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureAdvancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for Azure
 

Kürzlich hochgeladen

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 

Kürzlich hochgeladen (20)

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 

Shifting security left simplifying security for k8s open shift environments

  • 1. KUBERNETES SECRETS MANAGEMENT Build Secure Apps Faster Without Secrets 1
  • 2. Tesla Cloud Account Data Breach Attackers used credentials stored in Kubernetes to hijack cloud resources to mine cryptocurrency ATTACKERS TARGET APPLICATION SECRETS Attacker finds unprotected Kubernetes console and copies the keys DevOps engineer places AWS access keys in Kubernetes Attacker uses keys to install cryptocurrency mining software in cloud Kubernetes is configured to not require a password for console access
  • 3. EVERYBODY WANTS A SECURE DEVOPS FLOW, BUT…
  • 4. SHIFTING SECURITY LEFT INTO DEVELOPMENT WORKFLOWS 4 Developer s DevOps Security Empower security team • Highlight the app & tool risk • Leverage single platform – human/non-human solution serves all • Security focus • Manage security budget Enable Developer/DevOps • Easy to use (consume secrets) • Prebuilt integrations • Conjur Open Source and Secretless Broker Free developers from security burden • Compliance, audit requests, human creds • Security budget Plan Code Create Test Release Deploy Operate
  • 5. APP ID Create Auditable Identity for Apps Authorized Access that is MFA Enforce Strong Authn for Apps, Remove Secrets Zero Establish Identity to Applications BEST PRACTICES FOR SECURING SECRETS Limit Secret Leaks & Reduce Attack Surface Enables Compliance with Audit & Best Practices Remove Security Islands Regularly Perform Secrets Rotation Limit Updates to Files, Code or DBs when Secrets Rotated Limit Application Downtime Required to Rotate Secrets Removal of Hard-Coded Credentials Credential Rotation Authn
  • 6. THE PROBLEMS WITH SECURITY ISLANDS There are many ways to vault secrets, But: • Developers must learn multiple solutions • Hard to establish & share best-practices • Short-cuts often taken • SoD not enforced • GRC reporting is impossible Islands of Security Hiera Databags Vault IAM / KMS IAM / KMS Home Grown Solutions Secrets Secrets IAM / KMS
  • 7. • Build on a chain of trust • Authenticate all requests • Authorize w/ least amount of privilege • Audit everything • ...and do it with code! • The Secret-Zero Problem… • Humans use their built-in vault for passwords or, failing that, answers to security questions. • Non-humans need a way to bootstrap identity that doesn’t put credentials at risk • But how to manage that initial secret required by apps to bootstrap identity? IF IT CAN BE IDENTIFIED, ITS ACCESS CAN BE MANAGED Human Identity
  • 8. WAYS TO ESTABLISH & AUTHENTICATE IDENTITY Use-Case Means Strengths Weaknesses Credential Based Human identity Passport, Password • Very familiar • Humans have built-in vaults • Social engineering • Insecure persistent storage Pre-Configure d Identity API Key Analogous to human uname/pwd model • Key distribution is subject to compromise • Requestor can’t initiate Bootstrapped Identity Token-based • Can provide extra control factors, e.g. time, CIDR, one-time use, etc. • Secret to get a secret • Stateful - requires active entropy mgmt Attribute Based Human Identity Biometrics •Hard to spoof •Convenient • Context dependent Pre-Configure d Identity Various Factors • Multi-factor (selectable) •OS user, path, MD5 hash, IP/Hostname • No trusted 3rd party • Requires authn agent running local to applications • Not scalable to container use-cases Bootstrapped Identity Trusted 3rd Party • Ideal for container orchestration • Platform dependencies • Hard to implement for legacy technologies
  • 9. SECRETS ACCESS WORKFLOW Authenticate Access Token Requestor Target Access per Policy Retrieve secrets Use secrets Access Token expires after 8 mins
  • 10. K8S ATTRIBUTE AUTHENTICATION IN 1) Admin whitelists app identity with Conjur Three options for identity granularity: • Identity = Cluster/Namespace • Identity = Cluster/Namespace/Service Account 2) Authenticator client in app pod submits CSR w/ platform attributes to Conjur 3) Conjur verifies attributes w/ platform service 4) Conjur issues cert & key creds to authenticator client in app pod 5) Authenticator client in app pod uses creds to authenticate, get Conjur access token and shares via shared memory volume. Conjur policy 1 2 cs r identity 5 acces s token 3 verify 4
  • 11. 11 AUTHENTICATE WORKLOADS, NOT INFRASTRUCTURE Secure Production Identity Framework for Everyone Inspired by the production infrastructure of Google and others, SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.
  • 12. IDENTITY VERIFIED USING K8S PLATFORM ATTRIBUTES Attribute Verifying Authority (K8s API) 3) Validate Attributes 4) Legit Credential Issuing Authority /access/ token Authenticator client container Application container(s ) Pod 2) CSR w/ attributes 6) Authn 5) Write Cert & Key Conjur policy 1) Alllow-list identity 7) Share
  • 13. • Lab 1: • Authenticator runs as a Sidecar • App pulls DB creds with REST API • App connects to DB • Lab 2: Secrets Injection w/ Summon • Authenticator runs as an Init container • Summon pulls DB creds & calls app w/ creds in env vars • App connects to DB • Lab 3: K8s Secrets • Authenticator runs as an Init Container • K8s secret manifest names DB cred names • Authenticator retrieves DB creds & dynamically patches K8s secret w/ DB cred values • App connects to DB • Lab 4: Secretless Broker • Authenticator runs as a Sidecar Container listening on DB port • App attempts to connect to DB on local port • Authenticator retrieves DB creds, connects to DB, proxies connection for app • App connects to DB CONJUR DEMO USE-CASES
  • 14. 3 Summon for secrets injection 1 2 1 2 3 Summon invoked with authenticated identity Summon fetches secrets using identity Processes launched with secrets in environment Learn more at: https://cyberark.github.io/summon/
  • 15. THE SECRETS LIFECYCLE TODAY Secrets Storage Secrets Delivery Application s
  • 16. INTRODUCING “SECRETLESS” Establishes proxied connections to resources w/o direct access to secrets. • Frees developers and applications from responsibility of managing secrets. • Reduces the threat surface of secrets • Handles rotation transparently • Does not change how clients connect to services • Allows use of standard libraries and tools. Uses an extensible driver model to connect to backend resources. • For example: • HTTP • SSH (MITM and ssh-agent approaches) • SQL and NoSQL Databases • New drivers in development, inquire within to join the effort.
  • 17. Secretless Billing Service Database User (Simulated) 1 Service connects to Secretless proxy HTTP Request Secretless proxy requests database credentials to remote database 2 Conjur seamlessly rotates database credentials used by Secretless 4 Secretless establishes a connection to the remote database and transparently brokers the connection 3 1 2 3 4 “SECRETLESS” CONCEPT: APPS CAN’T LEAK SECRETS LDAP, htpasswd, etc. User authn K8s Pod
  • 19. BENEFITS ✔ Simple, context free, secure method for retrieving credentials in containers ✔ End-to-end encryption of secrets through mutual TLS (Transport Layer Security) using SPIFFE-compliant resource identifiers. ✔ Robust authentication and authorization incorporating Conjur policy, signed certificates, and an internal Kubernetes APIs. ✔ Conjur running inside Kubernetes ✔ SoD between applications ✔ SoD also between the Kubernetes security operator and the development teams using Conjur policy ✔ Credentials are not exposed to any 3rd party, reside only in memory ✔ Full central audit trail
  • 20. DEPLOY CONJUR INTEGRATION IN KUBERNETES IN JUST A FEW CLICKS! KUBERNETES – CONJUR INTEGRATION IN GOOGLE MARKETPLACE 20
  • 21. CyberArk Commons OSS Community: • Conjur.org • APIs, documents, tutorials, code • New technical content each month: blogs, newsletter • Streamlined user experience to get started and get hands on • Discuss.CyberArkCommons.org • Discussions and community support for open source • Hands-on Workshops, developer community events and forums • Secretless Broker: Conjur.org/api/secretless-broker • Summon: CyberArk.GitHub.io/Summon CONJUR OPEN SOURCE AND THE CYBERARK OPEN SOURCE COMMUNITY