SlideShare a Scribd company logo

Presentation ING for ISC2 Secure Summits EMEA

T
Thijs Ebbers

Sharing ING's Cloud Native Journey by introducing ING's Cloud Native Ecosystem Kube and mapping this to the ISC2 CISSP CBK

Technology
1 of 33
Download to read offline
15 -16 April 2019 | The Hague
ING’s Cloud Native Journey No questions during the presentation please 15 -16 April 2019 | The Hague
Introduction » Thijs Ebbers, CISSP » ING Enterprise Architect, Infrastructure Domain » Currently working on: • ING’s Cloud Native Journey - Container Hosting (“Kubernetes”) - Data Services (Object (“S3”) & File Services (“NFS”)) - and all the Risk/Security topics touched by this innovation 3
About ING » ING is a global financial institution with a strong European base, offering retail and wholesale banking services to customers in over 40 countries. The purpose of ING is empowering people to stay a step ahead in life and in business. » ING Bank has more than 52,000 employees. As at the end of 2018, we had 38.4 million retail customers, with 12.5 million considered primary customers.
Just a little example… » “A critical CVE (+patch) for a commonly used Java library has just become known which allows for remotely exploitable privilege escalations. Your IT department tells you 26 images in your repositories (which amount to around 200 active containers in your production clusters) are vulnerable. Your CEO has heard rumours and anxiously asked you for your plan to resolve the situation.” » You respond to him that: • your developer just tested the patch successfully • the IT operations department will apply the patch in production starting immediately • after the patches have been applied you will use your state of the art Vulnerability Scanning capability to scan your production environments • he will have the report proving the company is safe on his desk within 48 hours » Raise your hands please if this is the right approach 5
For those of you who raised their hands: » You failed since: • Containers cannot be patched (they should be immutable…) - A new build process to create a higher version of the image including the patch must be started. - This build process should use a pipeline which should include all relevant (automated!) tests and deliver the new version to a repository. - Then all environments must be redeployed with this version. • Containers should not be scanned in runtime - You scan the images in your build pipeline and enforce the immutability of the containers into the production environment. • Having implemented a proper cloud native ecosystem your CEO should at latest have confirmation his company is secure (again) by the next morning » Let’s start with giving you some insights in this new Cloud Native world: 6
The Cloud Native ecosystem Kube 7 » A model of a Cloud Native ecosystem without local persistency (“12 Factor”) and fit for a regulated Enterprise » Purpose: To make you familiar with the concepts & terminology » Not to be confused with the CNCF’s Cloud Native landscape (https://landscape.cncf.io/)
Side 0 – The DevOps Team’s input: 8 » Container Image • Immutable, Stateless, Short Living • Base Image (the “operating system”) - Where was it obtained ? - Is it vulnerability free ? - Who will provide patched versions (in time…) ? • Code (standard SDLC) » Deployment Config • YAML file containing all information needed to deploy an image successfully » Network Config • All information needed to have communication paths outside the cluster to/from your application in place
Side 1 – The Data Services: 9 » Defined by Bindings • Data Service instance location + secrets to connect it + driver (optional) » Purposes: • To persist your state outside the cluster • To push out logs & events
Side 2 – The Security Services: 10 » Purpose: Externalizing your users / certificates / passwords (Directories, PKI solutions, Password Vaults, …) » No interfaces for SIEM and VS/TSCM in Runtime ! • SIEM listens on Topics • VS/TSCM is performed during Build (& enforce immutability in Runtime)
Side 3a – The Container Hosting Platform: 11 » Kubernetes (“k8s”): “Distributed Linux Kernel” • Use a (Managed) k8s Distribution* (OpenShift/Rancher/PKS/GKE/EKS/AKS/…) * https://www.cncf.io/certification/software-conformance/ » Node: (Physical/Virtual) machine hosting k8s code supplying resources to the Cluster » Cluster: Namespace manager • Production – Non Production • (virtual) Data Center 1 – (virtual) Data Center 2 – (virtual) Data Center n • Payload specific Clusters » Namespace: • SLA on resources (CPU/Memory) • Unit of isolation (no access by default) » Platform: The collection of Clusters
Side 3b – The Container Hosting Platform: 12 Power failure kills 2 nodes
Side 3b – The Container Hosting Platform: 13 Power failure kills 2 nodes
Side 3b – The Container Hosting Platform: 14 Chaos Monkey kills the container
Side 3b – The Container Hosting Platform: 15 Your app is effectively hosted like this temporarily » Very Dynamic behaviour • App stays online ! • New container instances will be spun up • K8s scheduler will eventually return the situation to “normal” » Replica’s • Enforce a minimum safe number in your production clusters !
Side 3c – The Container Hosting Platform: 16 » Services make your app available for 1 or more namespaces in the cluster » Ingress/Routes make your app available for 1 or more sources outside the cluster (e.g. the cluster in the other DC) » Internal Firewalling (“network policies”) open network ports for other namespaces or external IP adresses
Side 4 – The CI/CD Platform: 17 » The CI/CD platform supports/manages the creation of deployable artifacts, either via a pipeline or via legacy methods (portals,…) » The Scanning engines here provide your VS/TSCM evidence (in combination with immutability of your nodes & containers…) as well as detecting license violations and unwanted configuration settings
Side 5 – The Network Platform: 18 » Load Balancing provides the capabilities to balance load over multiple clusters (and hence enables HA/DR/LCM of clusters) » The DMZ’s provide capabilities to securely connect the applications hosted on the Container platform to the Internet or other insecure networks (e.g. the Workplace area’s) » Firewalling enables access to/from other networks e.g. Data Services, Security Services, CD/CI, legacy application landscapes, ...
Where is ING now on its Journey ? » Everything described earlier is/will be achieved one step at a time… » Throughout 2018 multiple ING DevOps teams enjoyed learning and experimenting in ING’s Non-Production container environments. » In Asia as of last November ING went live with its fully digital, mobile-only bank in the Phillipines: https://www.ing.com.ph/ The front-end of this bank is hosted on ING’s container hosting platform. » In Europe multiple ING application landscapes will start onboarding ING’s container hosting platform in 2019.
Summary / Lessons Learned / Best Practices » Plotted on the ISC2 CISSP CBK so you can tick that nice “Group A : Multiple Domains” box ;-) 20
Asset Security » Do not register individual containers (as they are short living processes). • Register the application(s), the namespace(s), the cluster(s) with their nodes and the relations between them in your CMDB. » Separate Production and non-Production workloads in separate immutable clusters (Workloads share kernel & memory space ! / CVE-2019-5736). • Only allow verified (scanned & signed, vulnerability free) workloads on your production cluster. • Do not allow any valuable data to be hosted/accessible from your non-production cluster. » Limit your consumers resource utilization • Enforce CPU and Memory limits on name spaces to prevent malbehaving consumers “eating” all resources in your clusters (thereby stealing other tenants resources). » Only host suitable workloads (Silver Bullets do not exist…) • Do not allow local persistency within your stateless cluster -> Use external Data Services. 21
Communication and Network Security » Automate everything! • Data Service connectivity • Firewall configuration » Least privilege is key. Do not: • Give unnecessary access to your master nodes/etcd/API server (CVE- 2018-1002105). For metrics use scrapers instead (push, not pull access) • Open up your entire cluster to/from Data Services. Instead use fine grained access / enforced path / endpoint isolation (e.g. Namespace -> Tablespace / S3 bucket / Topic) • Connect your clusters directly to untrusted networks (e.g. the Internet or the Workplace area). Use a proper DMZ in between 22
Identity and Access Management » Easy ☺ : Nobody (no exceptions!) should be allowed to log on to your immutable (Production) infrastructure (not on nodes, not into container runtimes) • The only access is via your Deploy Pipeline or Cloud Automation • Events/Logging/Metrics should be pushed outside your cluster for observability • Hosted applications must use an external user access repository (no local persistency…) • In case of issues in production you re-deploy the last known good version • (You can be a bit more lenient on your non-Production cluster…) 23
Security and Risk Management » CIA • C – same as always (least privilege) • I – run your images immutable, persist your state externally • A – Resilience by replicating your runtimes over multiple nodes / clusters / locations » Vendor/Contractor Security • make sure they are capable to timely provide a higher version of their software(-image) in case of vulnerabilities, and pay attention to the origin of the base images used… (no more patching ! -> redeploy a version without the vulnerability) 24
Security Architecture and Engineering » Design for failure. Your Nodes/Containers will fail ! • Disperse nodes over local/remote availability zones • Small/More is beautiful (The impact of 1 node/container instance out of 8 failing is better to digest then 1 out of 2…) • The Node is the unit of failure (hence local raid, dual power supplies, dual NIC’s could be reconsidered… (use the budget to buy more nodes…)) • Enforce a minimum replica setting for your production clusters » Design for short lifecycles/immutability. Your Nodes/Containers will develop vulnerabilities! • Cycle your nodes and containers regularly. Interval should be shorter than the maximum response time for low and medium vulnerabilities in your organisations security policy (Because you won’t need to scan your runtime estate in this case…) • Have the automation & procedures in place for an immediate emergency cycle in the case of unmitigated high- or critical vulnerabilities 25
Security Assessment and Testing » Automate everything! • Code Scanning • Scanning for Vulnerabilities, License Violations and unwanted configuration settings • Compliance testing / Evidence generation » As you no longer can/should have controls in runtime by definition you must implement all controls & tests in your build/development pipeline (“Shift Left”) 26
Security Operations » Automate everything! • Secrets Management • Customer onboarding/Cloud provisioning • Data Service connectivity • Compliance testing / Evidence generation » Logging & Monitoring is key ! (and persisted OUTSIDE your cluster !) » Patching is no longer possible -> Redeploy » Disaster Recovery (-testing) -> Redeploy • either your External LoadBalancer config • or your containers with a purposely faulty image on 1 location » No Backups, no Restores (data is persisted OUTSIDE your clusters !) 27
Software Development Security » Automate everything! • Secrets Management • Scanning for Vulnerabilities, License Violations and unwanted configuration settings • Image Signing • Customer onboarding/Cloud provisioning • Compliance testing / Evidence generation » As you no longer can/should have controls in runtime by definition you must implement all controls & tests in your build/development pipeline (“Shift Left”) 28
And in general (1/2): » Properly implemented Cloud Native landscapes are at least as secure (and probably more secure, time will tell…) as traditional IT landscapes, because: • Immutability and short lifespan of both your hosted application instances and your cluster components • Inherent availability due to “defined state” enforced by the kubernetes scheduler • Removing the interfaces for interactive access, patching, scanning and backup/restore will dramatically reduce the available attack surface • The risk of sharing kernel and memory space can be adequately mitigated 29
And in general (2/2): » Container hosting/Kubernetes deployment is only a small part of the ecosystem you need to implement to transform to a cloud native enterprise » There is no Big Bang here. Take incremental steps to improve and consciously accept remaining risks until they can be mitigated » Technology is only part of your challenge… (eventually technology will work…) » People and Process will cost you the most effort/energy/time spend… In order to successfully complete your cloud-native journey you need: • An Agile mindset throughout your organization (not just the developers…) • Risk and Governance processes suitable for this new world… - Trying to prove compliancy using a traditional risk/control framework is a wasted effort… 30
Questions ? 31
Presentation ING for ISC2 Secure Summits EMEA
Presentation ING for ISC2 Secure Summits EMEA

Recommended

Running containers in production, the ING story
Running containers in production, the ING storyRunning containers in production, the ING story
Running containers in production, the ING storyThijs Ebbers
 
ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdf
ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdfING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdf
ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdfThijs Ebbers
 
ING Data Services hosted on ICHP DoK Amsterdam 2023
ING Data Services hosted on ICHP DoK Amsterdam 2023ING Data Services hosted on ICHP DoK Amsterdam 2023
ING Data Services hosted on ICHP DoK Amsterdam 2023DoKC
 
IBM RedHat OCP Vs xKS.pptx
IBM RedHat OCP Vs xKS.pptxIBM RedHat OCP Vs xKS.pptx
IBM RedHat OCP Vs xKS.pptxssuser666667
 
Openshift Container Platform
Openshift Container PlatformOpenshift Container Platform
Openshift Container PlatformDLT Solutions
 
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
KubeCon EU 2022: From Kubernetes to PaaS to Err What's NextKubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
KubeCon EU 2022: From Kubernetes to PaaS to Err What's NextDaniel Bryant
 
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...SlideTeam
 
Microservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsMicroservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsAraf Karsh Hamid
 

Recommended

Running containers in production, the ING story
Running containers in production, the ING storyRunning containers in production, the ING story
Running containers in production, the ING storyThijs Ebbers
 
ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdf
ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdfING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdf
ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdfThijs Ebbers
 
ING Data Services hosted on ICHP DoK Amsterdam 2023
ING Data Services hosted on ICHP DoK Amsterdam 2023ING Data Services hosted on ICHP DoK Amsterdam 2023
ING Data Services hosted on ICHP DoK Amsterdam 2023DoKC
 
IBM RedHat OCP Vs xKS.pptx
IBM RedHat OCP Vs xKS.pptxIBM RedHat OCP Vs xKS.pptx
IBM RedHat OCP Vs xKS.pptxssuser666667
 
Openshift Container Platform
Openshift Container PlatformOpenshift Container Platform
Openshift Container PlatformDLT Solutions
 
KubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
KubeCon EU 2022: From Kubernetes to PaaS to Err What's NextKubeCon EU 2022: From Kubernetes to PaaS to Err What's Next
KubeCon EU 2022: From Kubernetes to PaaS to Err What's NextDaniel Bryant
 
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...SlideTeam
 
Microservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsMicroservices Architecture - Cloud Native Apps
Microservices Architecture - Cloud Native AppsAraf Karsh Hamid
 
CI-CD Jenkins, GitHub Actions, Tekton
CI-CD Jenkins, GitHub Actions, Tekton CI-CD Jenkins, GitHub Actions, Tekton
CI-CD Jenkins, GitHub Actions, Tekton Araf Karsh Hamid
 
Amazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon Web Services
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
Kubernates vs Openshift: What is the difference and comparison between Opensh...
Kubernates vs Openshift: What is the difference and comparison between Opensh...Kubernates vs Openshift: What is the difference and comparison between Opensh...
Kubernates vs Openshift: What is the difference and comparison between Opensh...jeetendra mandal
 
Rancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveRancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveLINE Corporation
 
KCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with CrossplaneKCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with Crossplanesparkfabrik
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformKangaroot
 
OpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesOpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesGerryJamisola1
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes IstioAraf Karsh Hamid
 
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Janusz Nowak
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways Kong Inc.
 
Micro services Architecture
Micro services ArchitectureMicro services Architecture
Micro services ArchitectureAraf Karsh Hamid
 
Elastic-Engineering
Elastic-EngineeringElastic-Engineering
Elastic-EngineeringAraf Karsh Hamid
 
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023Vadym Kazulkin
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioAraf Karsh Hamid
 
Pave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal PlatformPave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal PlatformMauricio (Salaboy) Salatino
 
Big Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingBig Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingAraf Karsh Hamid
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands OnBrice Fernandes
 
GitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with KubernetesGitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with KubernetesVolodymyr Shynkar
 
Introduction to Cloud Security.pptx
Introduction to Cloud Security.pptxIntroduction to Cloud Security.pptx
Introduction to Cloud Security.pptxssuser0fc2211
 
Introduction to Cloud Computing
Introduction to Cloud ComputingIntroduction to Cloud Computing
Introduction to Cloud ComputingBharat Kalia
 

More Related Content

What's hot

CI-CD Jenkins, GitHub Actions, Tekton
CI-CD Jenkins, GitHub Actions, Tekton CI-CD Jenkins, GitHub Actions, Tekton
CI-CD Jenkins, GitHub Actions, Tekton Araf Karsh Hamid
 
Amazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon Web Services
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
Kubernates vs Openshift: What is the difference and comparison between Opensh...
Kubernates vs Openshift: What is the difference and comparison between Opensh...Kubernates vs Openshift: What is the difference and comparison between Opensh...
Kubernates vs Openshift: What is the difference and comparison between Opensh...jeetendra mandal
 
Rancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveRancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveLINE Corporation
 
KCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with CrossplaneKCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with Crossplanesparkfabrik
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformKangaroot
 
OpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesOpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesGerryJamisola1
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Janusz Nowak
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways Kong Inc.
 
Micro services Architecture
Micro services ArchitectureMicro services Architecture
Micro services ArchitectureAraf Karsh Hamid
 
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023Vadym Kazulkin
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioAraf Karsh Hamid
 
Big Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingBig Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingAraf Karsh Hamid
 
GitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with KubernetesGitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with KubernetesVolodymyr Shynkar
 

What's hot (20)

CI-CD Jenkins, GitHub Actions, Tekton
CI-CD Jenkins, GitHub Actions, Tekton CI-CD Jenkins, GitHub Actions, Tekton
CI-CD Jenkins, GitHub Actions, Tekton
 
Amazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for KubernetesAmazon EKS - Elastic Container Service for Kubernetes
Amazon EKS - Elastic Container Service for Kubernetes
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SRE
 
Kubernates vs Openshift: What is the difference and comparison between Opensh...
Kubernates vs Openshift: What is the difference and comparison between Opensh...Kubernates vs Openshift: What is the difference and comparison between Opensh...
Kubernates vs Openshift: What is the difference and comparison between Opensh...
 
Rancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep DiveRancher 2.0 Technical Deep Dive
Rancher 2.0 Technical Deep Dive
 
KCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with CrossplaneKCD Italy 2022 - Application driven infrastructure with Crossplane
KCD Italy 2022 - Application driven infrastructure with Crossplane
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
 
OpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesOpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release Notes
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
 
Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways
 
Micro services Architecture
Micro services ArchitectureMicro services Architecture
Micro services Architecture
 
Elastic-Engineering
Elastic-EngineeringElastic-Engineering
Elastic-Engineering
 
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023
Github Copilot vs Amazon CodeWhisperer for Java developers at JCON 2023
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes Istio
 
Pave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal PlatformPave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal Platform
 
Big Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingBig Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb Sharding
 
Gitops Hands On
Gitops Hands OnGitops Hands On
Gitops Hands On
 
GitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with KubernetesGitOps is the best modern practice for CD with Kubernetes
GitOps is the best modern practice for CD with Kubernetes
 

Similar to Presentation ING for ISC2 Secure Summits EMEA

Introduction to Cloud Security.pptx
Introduction to Cloud Security.pptxIntroduction to Cloud Security.pptx
Introduction to Cloud Security.pptxssuser0fc2211
 
Introduction to Cloud Computing
Introduction to Cloud ComputingIntroduction to Cloud Computing
Introduction to Cloud ComputingBharat Kalia
 
lect15_cloud.ppt
lect15_cloud.pptlect15_cloud.ppt
lect15_cloud.pptAjit Mali
 
Cloud computing overview
Cloud computing overviewCloud computing overview
Cloud computing overviewkarthik s
 
cloudintroduction.ppt
cloudintroduction.pptcloudintroduction.ppt
cloudintroduction.pptAhmedRebai8
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesAngelos Kapsimanis
 
A Complete Guide Cloud Computing
A Complete Guide Cloud ComputingA Complete Guide Cloud Computing
A Complete Guide Cloud ComputingSripati Mahapatra
 
Build cloud native solution using open source
Build cloud native solution using open source Build cloud native solution using open source
Build cloud native solution using open source Nitesh Jadhav
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing pptA
 
Lect15 cloud
Lect15 cloudLect15 cloud
Lect15 cloudVan Pham
 
Lect15 cloud
Lect15 cloudLect15 cloud
Lect15 cloudsree raj
 

Similar to Presentation ING for ISC2 Secure Summits EMEA (20)

Introduction to Cloud Security.pptx
Introduction to Cloud Security.pptxIntroduction to Cloud Security.pptx
Introduction to Cloud Security.pptx
 
Introduction to Cloud Computing
Introduction to Cloud ComputingIntroduction to Cloud Computing
Introduction to Cloud Computing
 
lecture5_4.pptx
lecture5_4.pptxlecture5_4.pptx
lecture5_4.pptx
 
lect15_cloud.ppt
lect15_cloud.pptlect15_cloud.ppt
lect15_cloud.ppt
 
Cloud computing overview
Cloud computing overviewCloud computing overview
Cloud computing overview
 
cloudintroduction.ppt
cloudintroduction.pptcloudintroduction.ppt
cloudintroduction.ppt
 
lect15_cloud.ppt
lect15_cloud.pptlect15_cloud.ppt
lect15_cloud.ppt
 
CLOUD
CLOUDCLOUD
CLOUD
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced Architectures
 
A Complete Guide Cloud Computing
A Complete Guide Cloud ComputingA Complete Guide Cloud Computing
A Complete Guide Cloud Computing
 
Build cloud native solution using open source
Build cloud native solution using open source Build cloud native solution using open source
Build cloud native solution using open source
 
Lect15 cloud
Lect15 cloudLect15 cloud
Lect15 cloud
 
Cloud
CloudCloud
Cloud
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing ppt
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Cloud
CloudCloud
Cloud
 
Lect15 cloud
Lect15 cloudLect15 cloud
Lect15 cloud
 
Lect15 cloud
Lect15 cloudLect15 cloud
Lect15 cloud
 
Lect15 cloud
Lect15 cloudLect15 cloud
Lect15 cloud
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Presentation ING for ISC2 Secure Summits EMEA

  • 1. 15 -16 April 2019 | The Hague
  • 2. ING’s Cloud Native Journey No questions during the presentation please 15 -16 April 2019 | The Hague
  • 3. Introduction » Thijs Ebbers, CISSP » ING Enterprise Architect, Infrastructure Domain » Currently working on: • ING’s Cloud Native Journey - Container Hosting (“Kubernetes”) - Data Services (Object (“S3”) & File Services (“NFS”)) - and all the Risk/Security topics touched by this innovation 3
  • 4. About ING » ING is a global financial institution with a strong European base, offering retail and wholesale banking services to customers in over 40 countries. The purpose of ING is empowering people to stay a step ahead in life and in business. » ING Bank has more than 52,000 employees. As at the end of 2018, we had 38.4 million retail customers, with 12.5 million considered primary customers.
  • 5. Just a little example… » “A critical CVE (+patch) for a commonly used Java library has just become known which allows for remotely exploitable privilege escalations. Your IT department tells you 26 images in your repositories (which amount to around 200 active containers in your production clusters) are vulnerable. Your CEO has heard rumours and anxiously asked you for your plan to resolve the situation.” » You respond to him that: • your developer just tested the patch successfully • the IT operations department will apply the patch in production starting immediately • after the patches have been applied you will use your state of the art Vulnerability Scanning capability to scan your production environments • he will have the report proving the company is safe on his desk within 48 hours » Raise your hands please if this is the right approach 5
  • 6. For those of you who raised their hands: » You failed since: • Containers cannot be patched (they should be immutable…) - A new build process to create a higher version of the image including the patch must be started. - This build process should use a pipeline which should include all relevant (automated!) tests and deliver the new version to a repository. - Then all environments must be redeployed with this version. • Containers should not be scanned in runtime - You scan the images in your build pipeline and enforce the immutability of the containers into the production environment. • Having implemented a proper cloud native ecosystem your CEO should at latest have confirmation his company is secure (again) by the next morning » Let’s start with giving you some insights in this new Cloud Native world: 6
  • 7. The Cloud Native ecosystem Kube 7 » A model of a Cloud Native ecosystem without local persistency (“12 Factor”) and fit for a regulated Enterprise » Purpose: To make you familiar with the concepts & terminology » Not to be confused with the CNCF’s Cloud Native landscape (https://landscape.cncf.io/)
  • 8. Side 0 – The DevOps Team’s input: 8 » Container Image • Immutable, Stateless, Short Living • Base Image (the “operating system”) - Where was it obtained ? - Is it vulnerability free ? - Who will provide patched versions (in time…) ? • Code (standard SDLC) » Deployment Config • YAML file containing all information needed to deploy an image successfully » Network Config • All information needed to have communication paths outside the cluster to/from your application in place
  • 9. Side 1 – The Data Services: 9 » Defined by Bindings • Data Service instance location + secrets to connect it + driver (optional) » Purposes: • To persist your state outside the cluster • To push out logs & events
  • 10. Side 2 – The Security Services: 10 » Purpose: Externalizing your users / certificates / passwords (Directories, PKI solutions, Password Vaults, …) » No interfaces for SIEM and VS/TSCM in Runtime ! • SIEM listens on Topics • VS/TSCM is performed during Build (& enforce immutability in Runtime)
  • 11. Side 3a – The Container Hosting Platform: 11 » Kubernetes (“k8s”): “Distributed Linux Kernel” • Use a (Managed) k8s Distribution* (OpenShift/Rancher/PKS/GKE/EKS/AKS/…) * https://www.cncf.io/certification/software-conformance/ » Node: (Physical/Virtual) machine hosting k8s code supplying resources to the Cluster » Cluster: Namespace manager • Production – Non Production • (virtual) Data Center 1 – (virtual) Data Center 2 – (virtual) Data Center n • Payload specific Clusters » Namespace: • SLA on resources (CPU/Memory) • Unit of isolation (no access by default) » Platform: The collection of Clusters
  • 12. Side 3b – The Container Hosting Platform: 12 Power failure kills 2 nodes
  • 13. Side 3b – The Container Hosting Platform: 13 Power failure kills 2 nodes
  • 14. Side 3b – The Container Hosting Platform: 14 Chaos Monkey kills the container
  • 15. Side 3b – The Container Hosting Platform: 15 Your app is effectively hosted like this temporarily » Very Dynamic behaviour • App stays online ! • New container instances will be spun up • K8s scheduler will eventually return the situation to “normal” » Replica’s • Enforce a minimum safe number in your production clusters !
  • 16. Side 3c – The Container Hosting Platform: 16 » Services make your app available for 1 or more namespaces in the cluster » Ingress/Routes make your app available for 1 or more sources outside the cluster (e.g. the cluster in the other DC) » Internal Firewalling (“network policies”) open network ports for other namespaces or external IP adresses
  • 17. Side 4 – The CI/CD Platform: 17 » The CI/CD platform supports/manages the creation of deployable artifacts, either via a pipeline or via legacy methods (portals,…) » The Scanning engines here provide your VS/TSCM evidence (in combination with immutability of your nodes & containers…) as well as detecting license violations and unwanted configuration settings
  • 18. Side 5 – The Network Platform: 18 » Load Balancing provides the capabilities to balance load over multiple clusters (and hence enables HA/DR/LCM of clusters) » The DMZ’s provide capabilities to securely connect the applications hosted on the Container platform to the Internet or other insecure networks (e.g. the Workplace area’s) » Firewalling enables access to/from other networks e.g. Data Services, Security Services, CD/CI, legacy application landscapes, ...
  • 19. Where is ING now on its Journey ? » Everything described earlier is/will be achieved one step at a time… » Throughout 2018 multiple ING DevOps teams enjoyed learning and experimenting in ING’s Non-Production container environments. » In Asia as of last November ING went live with its fully digital, mobile-only bank in the Phillipines: https://www.ing.com.ph/ The front-end of this bank is hosted on ING’s container hosting platform. » In Europe multiple ING application landscapes will start onboarding ING’s container hosting platform in 2019.
  • 20. Summary / Lessons Learned / Best Practices » Plotted on the ISC2 CISSP CBK so you can tick that nice “Group A : Multiple Domains” box ;-) 20
  • 21. Asset Security » Do not register individual containers (as they are short living processes). • Register the application(s), the namespace(s), the cluster(s) with their nodes and the relations between them in your CMDB. » Separate Production and non-Production workloads in separate immutable clusters (Workloads share kernel & memory space ! / CVE-2019-5736). • Only allow verified (scanned & signed, vulnerability free) workloads on your production cluster. • Do not allow any valuable data to be hosted/accessible from your non-production cluster. » Limit your consumers resource utilization • Enforce CPU and Memory limits on name spaces to prevent malbehaving consumers “eating” all resources in your clusters (thereby stealing other tenants resources). » Only host suitable workloads (Silver Bullets do not exist…) • Do not allow local persistency within your stateless cluster -> Use external Data Services. 21
  • 22. Communication and Network Security » Automate everything! • Data Service connectivity • Firewall configuration » Least privilege is key. Do not: • Give unnecessary access to your master nodes/etcd/API server (CVE- 2018-1002105). For metrics use scrapers instead (push, not pull access) • Open up your entire cluster to/from Data Services. Instead use fine grained access / enforced path / endpoint isolation (e.g. Namespace -> Tablespace / S3 bucket / Topic) • Connect your clusters directly to untrusted networks (e.g. the Internet or the Workplace area). Use a proper DMZ in between 22
  • 23. Identity and Access Management » Easy ☺ : Nobody (no exceptions!) should be allowed to log on to your immutable (Production) infrastructure (not on nodes, not into container runtimes) • The only access is via your Deploy Pipeline or Cloud Automation • Events/Logging/Metrics should be pushed outside your cluster for observability • Hosted applications must use an external user access repository (no local persistency…) • In case of issues in production you re-deploy the last known good version • (You can be a bit more lenient on your non-Production cluster…) 23
  • 24. Security and Risk Management » CIA • C – same as always (least privilege) • I – run your images immutable, persist your state externally • A – Resilience by replicating your runtimes over multiple nodes / clusters / locations » Vendor/Contractor Security • make sure they are capable to timely provide a higher version of their software(-image) in case of vulnerabilities, and pay attention to the origin of the base images used… (no more patching ! -> redeploy a version without the vulnerability) 24
  • 25. Security Architecture and Engineering » Design for failure. Your Nodes/Containers will fail ! • Disperse nodes over local/remote availability zones • Small/More is beautiful (The impact of 1 node/container instance out of 8 failing is better to digest then 1 out of 2…) • The Node is the unit of failure (hence local raid, dual power supplies, dual NIC’s could be reconsidered… (use the budget to buy more nodes…)) • Enforce a minimum replica setting for your production clusters » Design for short lifecycles/immutability. Your Nodes/Containers will develop vulnerabilities! • Cycle your nodes and containers regularly. Interval should be shorter than the maximum response time for low and medium vulnerabilities in your organisations security policy (Because you won’t need to scan your runtime estate in this case…) • Have the automation & procedures in place for an immediate emergency cycle in the case of unmitigated high- or critical vulnerabilities 25
  • 26. Security Assessment and Testing » Automate everything! • Code Scanning • Scanning for Vulnerabilities, License Violations and unwanted configuration settings • Compliance testing / Evidence generation » As you no longer can/should have controls in runtime by definition you must implement all controls & tests in your build/development pipeline (“Shift Left”) 26
  • 27. Security Operations » Automate everything! • Secrets Management • Customer onboarding/Cloud provisioning • Data Service connectivity • Compliance testing / Evidence generation » Logging & Monitoring is key ! (and persisted OUTSIDE your cluster !) » Patching is no longer possible -> Redeploy » Disaster Recovery (-testing) -> Redeploy • either your External LoadBalancer config • or your containers with a purposely faulty image on 1 location » No Backups, no Restores (data is persisted OUTSIDE your clusters !) 27
  • 28. Software Development Security » Automate everything! • Secrets Management • Scanning for Vulnerabilities, License Violations and unwanted configuration settings • Image Signing • Customer onboarding/Cloud provisioning • Compliance testing / Evidence generation » As you no longer can/should have controls in runtime by definition you must implement all controls & tests in your build/development pipeline (“Shift Left”) 28
  • 29. And in general (1/2): » Properly implemented Cloud Native landscapes are at least as secure (and probably more secure, time will tell…) as traditional IT landscapes, because: • Immutability and short lifespan of both your hosted application instances and your cluster components • Inherent availability due to “defined state” enforced by the kubernetes scheduler • Removing the interfaces for interactive access, patching, scanning and backup/restore will dramatically reduce the available attack surface • The risk of sharing kernel and memory space can be adequately mitigated 29
  • 30. And in general (2/2): » Container hosting/Kubernetes deployment is only a small part of the ecosystem you need to implement to transform to a cloud native enterprise » There is no Big Bang here. Take incremental steps to improve and consciously accept remaining risks until they can be mitigated » Technology is only part of your challenge… (eventually technology will work…) » People and Process will cost you the most effort/energy/time spend… In order to successfully complete your cloud-native journey you need: • An Agile mindset throughout your organization (not just the developers…) • Risk and Governance processes suitable for this new world… - Trying to prove compliancy using a traditional risk/control framework is a wasted effort… 30