SpringOne Platform 2017
Tom Gillis, Bracket Computing
"Bracket Computing has been working closely with the Cloud Foundry community to create new tools to harden a PCF foundation and make it truly immutable. Bracket has developed a unique architecture that applies security and immutability controls via a virtualization layer that Bracket calls a Metavisor. The Metavisor is a hypervisor that sits between the guest OS or runtime and the hypervisor of the cloud underneath. The Stem Cell image is wrapped with a Metavisor, allowing the Metavisor to boot first, and then chainload the Stem Cell on top of the Metavisor. This approach means that the Metavisor remains resident in a separate memory space from the Stem Cell VM, effectively attached to but isolated from the Stem Cell. Enforcing immutability at this layer means that the controls cannot be bypassed even if an attacker gains root access to the Stem Cell VM.
This talk will focus on five areas required to achieve infrastructure immutability for PCF:
Kernel immutability. Protecting critical aspects of the kernel such as the system call tables.
File immutability. Locking down critical parts of the file system. Executable code should be read but not written to. Config files should be read but not executed. And log files should be written to but not executed.
Memory immutability. Many attacks will use application vulnerabilities to escalate privileges of a process in memory. This should never happen and can be disallowed.
Process immutability. Critical processes can be monitored to ensure they are properly functioning. Certain processes, say a web server, should never spawn a new process such as a root shell. This is a very common attack technique that can be disallowed with truly immutable infrastructure.
Network immutability. Random network connections should not be allowed. A network whitelist model where only approved connections to authenticated hosts are allowed is a very effective technique to prevent the lateral spread of malware."
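The five controls in the abstract can be modelled as a single default-deny policy evaluated over events that an out-of-guest monitor would see. The block below is an added example written for this page; it is not Bracket's Metavisor code and assumes nothing about its API. The event dictionaries, the file classes, the spawn map, the network whitelist and the "logging" versus "enforcement" mode (taken from the Dev and Prod policy slides later in the deck) are constructed for illustration; treating execution of executables as permitted is an assumption the abstract leaves implicit.

```python
"""Illustrative model of the five immutability controls (kernel, file, memory,
process, network). Added example, not Bracket Computing code; all names and
sample events below are constructed for this page."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Operations each file class may receive; anything not listed is denied.
# Executables: read (and, by assumption, execute) but never write.
# Config files: read but never execute.  Log files: write but never execute.
FILE_CLASS_ALLOWED: Dict[str, Set[str]] = {
    "executable": {"read", "execute"},
    "config": {"read"},
    "log": {"write"},
}

# Which parent may spawn which child; a web server only ever spawns its own workers.
SPAWN_ALLOWED: Dict[str, Set[str]] = {
    "apache": {"apache"},
    "sec-agent": {"sec-agent"},
}

# Network whitelist as (source tier, destination host, destination port).
NETWORK_ALLOWED: Set[Tuple[str, str, int]] = {
    ("web", "app.internal", 8080),
    ("app", "db.internal", 5432),
}


@dataclass
class Decision:
    event: dict
    allowed: bool
    reason: str
    action: str  # "allow", "log" (logging mode) or "block" (enforcement mode)


def _check(event: dict) -> Tuple[bool, str]:
    """Apply the control that matches the event kind; default is deny."""
    kind = event["kind"]
    if kind == "kernel_write":
        # Kernel immutability: the system call table is never writable.
        if event["target"] == "syscall_table":
            return False, "write to syscall table"
        return True, "kernel write to non-protected target"
    if kind == "file":
        allowed_ops = FILE_CLASS_ALLOWED.get(event["file_class"], set())
        if event["op"] in allowed_ops:
            return True, "operation permitted for file class"
        return False, f"{event['op']} not permitted on {event['file_class']} files"
    if kind == "priv_change":
        # Memory immutability: a running process must not gain root in place.
        if event["old_uid"] != 0 and event["new_uid"] == 0:
            return False, "in-memory privilege escalation to root"
        return True, "no privilege gain"
    if kind == "spawn":
        # Process immutability: only whitelisted parent/child pairs.
        if event["child"] in SPAWN_ALLOWED.get(event["parent"], set()):
            return True, "spawn permitted"
        return False, f"{event['parent']} may not spawn {event['child']}"
    if kind == "connect":
        # Network immutability: only whitelisted flows.
        key = (event["src_tier"], event["dst_host"], event["dst_port"])
        if key in NETWORK_ALLOWED:
            return True, "flow whitelisted"
        return False, "flow not in whitelist"
    return False, f"unknown event kind {kind!r}"


def evaluate(events: List[dict], enforce: bool) -> List[Decision]:
    """Evaluate events; in logging mode violations are recorded, not blocked."""
    out = []
    for ev in events:
        ok, why = _check(ev)
        action = "allow" if ok else ("block" if enforce else "log")
        out.append(Decision(ev, ok, why, action))
    return out


def violations(events: List[dict], enforce: bool) -> List[str]:
    """Reasons for every denied event, in order."""
    return [d.reason for d in evaluate(events, enforce) if not d.allowed]


# Constructed sample events, not captured from any real system.
SAMPLE_EVENTS = [
    {"kind": "kernel_write", "target": "syscall_table"},
    {"kind": "file", "file_class": "executable", "op": "write"},
    {"kind": "file", "file_class": "log", "op": "write"},
    {"kind": "file", "file_class": "config", "op": "execute"},
    {"kind": "priv_change", "old_uid": 1000, "new_uid": 0},
    {"kind": "spawn", "parent": "apache", "child": "sh"},
    {"kind": "connect", "src_tier": "web", "dst_host": "app.internal", "dst_port": 8080},
    {"kind": "connect", "src_tier": "web", "dst_host": "db.internal", "dst_port": 5432},
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS, enforce=True):
        print(f"{d.action:5} {d.event['kind']:12} {d.reason}")
```

Running the same event list with `enforce=False` produces identical verdicts but records each violation as `log` instead of `block`, which is the difference between the Dev and Prod Server Guard policies on the slides: the policy is identical, only the action taken on a violation changes.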
10. The OS Cannot Protect Itself…
(diagram: guest OS running directly on the CSP or on-prem hypervisor)
11. …So Move the Security Outside.
(diagram: Metavisor security layer inserted between the guest and the CSP or on-prem hypervisor)
12. Metavisor
(diagram: Server Guard, Network Guard and Data Guard running in the Metavisor above the CSP or on-prem hypervisor; "Optimized for…" label)
13. Consistent Controls with Separation of Duties
- Single set of controls across hybrid cloud environments
- Seamless experience for users, granular controls for IT security
17. Server Guard for Stem and Diego Cells
(diagram: the Metavisor sits below the cell kernel and guards the syscall tables, process tables, network ports, root and user processes and the file system; an Apache server and a security agent are shown with their allowed ports, and a shell-spawn path is marked blocked)
18. Network Guard Dynamic Policies
(diagram: Web Tier, App Tier and Data Tier workloads, each on its own Metavisor, tagged "env"="dev")
Dev policy can be:
- Allow any:any network flows
- Server Guard in logging mode
- No data encryption
19. Network Guard Dynamic Policies
(diagram: the "env"="dev" tiers alongside a second set of tiers tagged "env"="prod")
Prod policy can be:
- Block unused ports
- Server Guard in enforcement mode
- Quarantine suspect workloads
- Admin changes only via Metavisor API
20. Data Guard
(diagram: Web, App and Data Tier workloads on Metavisors, an on-prem HSM, and block, S3, root and ephemeral storage)
- Backed by HSM
- On-prem or hosted key management
- Enable separation of duties
- Prevent S3 leaks
21–23. Data Guard – Data Protection and Policy
- Enforce data residency
- Comply with GDRS
- Policy follows data volumes
(diagram sequence: a data access request from a Metavisor-backed workload tagged "region"="us-west", "class"="red", "env"="dev"; policy verification and policy match; key released, data decrypted)
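The Data Guard sequence on slides 21 to 23 (access request, policy verification, policy match, key release) can be shown as a small key-release gate in which the policy is attached to the volume and checked against the requesting workload's tags. This is an added example written for this page, not Bracket Computing code. The tag names "region", "class" and "env" come from the slides; the policy fields, the `KeyService` class, the volume id and the sample key and requests are constructed assumptions.

```python
"""Model of the Data Guard flow: a policy that travels with an encrypted data
volume is checked against the requesting workload's tags, and the volume key
is released only on a match. Added example, not Bracket code; everything
except the tag names is constructed for this page."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class VolumePolicy:
    """Attached to the volume, so copying the data does not shed its rules."""
    allowed_regions: Set[str]   # data residency: where the volume may be opened
    allowed_envs: Set[str]      # which environments may mount it
    data_class: str             # classification the requester must be cleared for


@dataclass
class AccessRequest:
    workload_tags: Dict[str, str]   # tags carried by the requesting workload
    cleared_classes: Set[str]       # classifications this workload may read


def verify(policy: VolumePolicy, req: AccessRequest) -> List[str]:
    """Return the policy violations; an empty list is a policy match."""
    problems = []
    region = req.workload_tags.get("region")
    if region not in policy.allowed_regions:
        problems.append(f"residency: region {region!r} not permitted")
    env = req.workload_tags.get("env")
    if env not in policy.allowed_envs:
        problems.append(f"environment {env!r} not permitted")
    if policy.data_class not in req.cleared_classes:
        problems.append(f"requester not cleared for class {policy.data_class!r}")
    return problems


class KeyService:
    """Stand-in for the HSM-backed key management on the slides: holds volume
    keys, releases one only after its policy matches, and records every
    decision for the audit log."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._policies: Dict[str, VolumePolicy] = {}
        self.audit: List[str] = []

    def register(self, volume_id: str, key: bytes, policy: VolumePolicy) -> None:
        self._keys[volume_id] = key
        self._policies[volume_id] = policy

    def release(self, volume_id: str, req: AccessRequest) -> Optional[bytes]:
        problems = verify(self._policies[volume_id], req)
        if problems:
            self.audit.append(f"DENY {volume_id} {req.workload_tags}: {'; '.join(problems)}")
            return None
        self.audit.append(f"RELEASE {volume_id} {req.workload_tags}")
        return self._keys[volume_id]


# Constructed sample data: a "red" volume confined to us-west, and three requests.
VOLUME_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # placeholder, not a real key
VOLUME_POLICY = VolumePolicy(allowed_regions={"us-west"},
                             allowed_envs={"dev", "prod"}, data_class="red")
REQUESTS = {
    "same-region-dev": AccessRequest({"region": "us-west", "env": "dev"}, {"red"}),
    "wrong-region": AccessRequest({"region": "eu-central", "env": "prod"}, {"red"}),
    "not-cleared": AccessRequest({"region": "us-west", "env": "prod"}, set()),
}


def run_scenario() -> Dict[str, bool]:
    """Register the volume, replay the requests, report which ones got the key."""
    svc = KeyService()
    svc.register("vol-red-01", VOLUME_KEY, VOLUME_POLICY)
    return {name: svc.release("vol-red-01", req) is not None
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    svc = KeyService()
    svc.register("vol-red-01", VOLUME_KEY, VOLUME_POLICY)
    for name, req in REQUESTS.items():
        print(name, "key released" if svc.release("vol-red-01", req) else "denied")
    print("\n".join(svc.audit))
```

The separation of duties from slide 20 is visible in the split of responsibilities: the security team authors the `VolumePolicy`, dev and ops teams control the workload tags, and neither can hand out a key directly; only a verified match at the key service does.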
24. Multi-cloud Security with Pivotal Cloud Foundry
(diagram: on-prem, AWS, Google and Azure physical infrastructure and hypervisors, each running a Bracket Metavisor with Server Guard, Data Guard and Network Guard beneath the OS and its applications)
25–27. Visibility
- Tagging allows for easy visualization of complex data centers
- See actual flow data, allowed by policy and blocked flows
- Interactive display - clickable, searchable
28. Compliance Reporting and Forensics
- Full high-resolution audit logs
- Event-driven memory captures
- Real-time network
30. Bracket Is…
Immutable Security
- Can’t be turned off even with root access
- Transparent to dev and ops teams
- Aligned with PCF cloud native ops
Unique Security
- Protects the OS when the OS can’t protect itself
- Tag based segmentation and encryption built to auto-scale
- Transparent crypto for PCF
Multi-cloud Security
- One set of server, network and data controls on every major cloud
- Central policy administration for separation of security duties
- Goes where PCF goes
Today’s security solutions are focused on keeping malware out, but that’s impossible to do 100%. Some attacks will get through and once in they will persist and snoop everything. Impossible to keep malware out completely.
Lockheed Martin
And what of course this means is that Malware typically follows these steps