SpringOne Platform 2017 Tom Gillis, Bracket Computing "Bracket Computing has been working closely with the Cloud Foundry community to create new tools to harden a PCF foundation and make it truly immutable. Bracket has developed a unique architecture that applies security and immutability controls via a virtualization layer that Bracket calls a Metavisor. The Metavisor is a hypervisor that sits between the guest OS or runtime and the hypervisor of the cloud underneath. The Stem Cell image is wrapped with a Metavisor, allowing the Metavisor to boot first, and then chain­load the Stem Cell on top of the Metavisor. This approach means that the Metavisor remains resident in a separate memory space from the Stem Cell VM, effectively attached to but isolated from the Stem Cell. Enforcing immutability at this layer means that the controls can not be bypassed even if an attacker gains root access to the Stem Cell VM. This talk will focus on five areas required to achieve infrastructure immutability for PCF: Kernel immutability. Protecting critical aspects of the kernel such as the system call tables. File immutability. Locking down critical parts of the file system. Executable code should be read but not written to. Config files should be read but not executed. And log files should be written to but not executed. Memory immutability. Many attacks will use applciation vulnerabilities to escalate privileges of a process in memory. This should never happen and can be dis­allowed. Process immutability. Critical processes can be monitored to ensure they are properly functioning. Certain processes, say a web server, should never spawn a new process such as a root shell. This is a very common attack technique that can be dis­allowed with truly immutable infrastructure. Network immutability. Random network connections should not be allowed. A network whitelist model where only approved connections to authenticated hosts are allowed is a very effective technique to prevent the lateral spread of malware."

1. Immutability for PCF: Security in a Cloud
Native World
By Tom Gillis
Bracket Computing

2. Bracket Security Software

3. GHOST
DIRTY COW
STACK CLASH
MALWARE
KBEAST
LATERAL SPREAD
If even .01% gets in, it will
burrow and persist…
3

4. GHOST
DIRTY COW
STACK CLASH
MALWARE
KBEAST
LATERAL SPREAD
APP
OS
Embedded in
the OS where
security can
be fooled
4

5. If even .01% gets in, it will
burrow and persist…
GHOST
DIRTY COW
STACK CLASH
MALWARE
KBEAST
LATERAL SPREAD
5

6. GHOST
DIRTY COW
STACK CLASH
MALWARE
KBEAST
LATERAL SPREAD
Equifax, Sony, DNC have one thing in
common… PERSISTENCE.
6

7. SERVERSERVER
7
Attack Process
APP
OS
APP
OS

8. SERVERSERVER
8
Attack Process
APP
OS
APP
OS

9. SERVERSERVER
9
Attack Process
APP
OS
APP
OS

10. The OS Cannot Protect Itself…
CSP OR ON PREM HYPERVISOR
10

11. …So Move the Security Outside.
CSP OR ON PREM HYPERVISOR
METAVISOR Security Layer
11

12. METAVISOR
CSP OR ON PREM HYPERVISOR
Server
Guard
Network
Guard
Data
Guard
Optimized for…
12

13. 13
Consistent Controls with Separation of Duties
 Single set of controls across
hybrid cloud environments
 Seamless experience for
users, granular controls for
IT security
Security

14. SERVER
2551
METAVISOR
Kernel
NETWORKPREOCESS TABLES
SHELL SHELL
APACHE
SYSCALL TABLES
Root
Processes
User
Processes
Net
Ports
44380
SHELL
SHELLSEC AGENT
FILE SYSTEM
X
14
Server Guard for Stem and Diego Cells

15. SERVER
2551
METAVISOR
Kernel
NETWORKPREOCESS TABLES
SHELL SHELL
APACHE
SYSCALL TABLES
Root
Processes
User
Processes
Net
Ports
44380
SHELL
80
SHELLSEC AGENT
FILE SYSTEM
APACHE
X
FILE SYSTEM
15
Server Guard for Stem and Diego Cells

16. SERVER
2551
METAVISOR
Kernel
NETWORKPREOCESS TABLES
SHELL SHELL
APACHE
SYSCALL TABLES
Root
Processes
User
Processes
Net
Ports
44380
SHELL
80
SHELLSEC AGENT
FILE SYSTEM
APACHE
X
FILE SYSTEM
16
Server Guard for Stem and Diego Cells
51

17. Server Guard for Stem and Diego Cells
2551
METAVISOR
Kernel
NETWORKPREOCESS TABLES
SHELL SHELL
SERVER
APACHE
SYSCALL TABLES
Root
Processes
User
Processes
Net
Ports
44380
SHELL
80
SHELLSEC AGENT
FILE SYSTEM
APACHE
X
FILE SYSTEM
51
17

18. 18
Network Guard Dynamic Policies
Web Tier
App Tier
Data Tier
Dev Policy Can Be:
 Allow any:any network flows
 Server Guard in logging
mode
 No Data Encryption
BlockS3
METAVISOR METAVISOR
METAVISOR
“env”=“dev”
METAVISOR

19. 19
Network Guard Dynamic Policies
Web Tier
App Tier
Data Tier
Prod Policy Can Be:
 Block unused ports
 Server Guard in enforcement
mode
 Quarantine suspect
workloads
 Admin changes only via
Metavisor API
BlockS3
METAVISOR METAVISOR
METAVISOR
“env”=“dev”
METAVISOR
BlockS3
METAVISOR METAVISOR
METAVISOR
“env”=“prod”
METAVISOR

20. 20
Data Guard
Web Tier
App Tier
Data Tier
 Backed by HSM
 On-prem or hosted key
management
 Enable separation of duties
 Prevent S3 leaks
BlockS3RootEphemeral
HSM
ON
PREM
METAVISOR METAVISOR METAVISOR
METAVISOR METAVISOR

21. 21
Data Guard–Data Protection and Policy
 Enforce data residency
 Comply with GDRS
 Policy follows data volumes
BlockS3
METAVISOR
Data access
request

22. 22
Data Guard–Data Protection and Policy
 Enforce data residency
 Comply with GDRS
 Policy follows data volumes
BlockS3
METAVISOR
”region”=“us-west”
“class”=“red”
“env”=“dev”
Policy VerificationPolicy Match

23. 23
Data Guard–Data Protection and Policy
 Enforce data residency
 Comply with GDRS
 Policy follows data volumes
BlockS3
METAVISOR
Key released,
data decrypted

24. 24
Multi-cloud Security with Pivotal Cloud Foundry
APPLICATION APPLICATION
OS
BRACKET METAVISOR
Server Guard Data Guard Network Guard
APPLICATION APPLICATION
OS
APPLICATION APPLICATION
OS
APPLICATION APPLICATION
OS
ON-PREM PHYSICAL INFRASTRUCTURE AWS PHYSICAL INFRASTRUCTURE GOOGLE PHYSICAL INFRASTRUCTURE
ON-PREM HYPERVISOR AWS HYPERVISOR GOOGLE HYPERVISOR AZURE HYPERVISOR
AZURE PHYSICAL INFRASTRUCTURE
BRACKET METAVISOR
Server Guard Data Guard Network Guard
BRACKET METAVISOR
Server Guard Data Guard Network Guard
BRACKET METAVISOR
Server Guard Data Guard Network Guard

25. Visibility
 Tagging allows for easy
visualization of complex
data centers
 See actual flow data,
allowed by policy and
blocked flows
 Interactive display -
clickable, searchable

26. Visibility
 Tagging allows for easy
visualization of complex
data centers
 See actual flow data,
allowed by policy and
blocked flows
 Interactive display -
clickable, searchable

27. Visibility
 Tagging allows for easy
visualization of complex
data centers
 See actual flow data,
allowed by policy and
blocked flows
 Interactive display -
clickable, searchable

28. 28
Compliance Reporting and Forensics
 Full high-resolution
audit logs
 Event-driven memory
captures
 Real-time network

29. 29
Bracket PCF Security
SHARED FOUNDATION
“PCI” Segment
BRACKET METAVISOR
Diego Cell
Container
“Non PCI” Segment
BRACKET METAVISOR
Diego Cell
Container
“Management” Segment
BRACKET METAVISOR
PCF Router
BRACKET METAVISOR
Ops Manager
Bracket
MCP
Ops Manager
Image +

30. Bracket Is…
 Immutable Security
- Can’t be turned off even
with root access
- Transparent to dev
and ops teams
- Aligned with PCF cloud
native ops
 Unique Security
- Protects the OS when the
OS can’t protect itself
- Tag based segmentation
and encryption built to
auto-scale
- Transparent crypto for PCF
 Multi-cloud Security
- One set of server, network
and data controls on every
major cloud
- Central policy administration
for separation of security
duties
- Goes where PCF goes

31. 31