Securing Your Containers is Not Enough: How to Encrypt Container Data

Mirantis
MirantisMirantis
Copyright © 2020 Mirantis, Inc. All rights reserved
Securing Your
Containers Isn't
Enough
How to Encrypt
Containerized Data
WEBINAR | April 8, 2020
2
Tim Reilly
CEO
Featured Presenters - Zettaset
Tim brings more than 25 years of successful public and
private experience in the high-tech industry filling key
operational roles within product line business units and
venture capital funded companies through all stages of
growth. During his time at Zettaset, the company has
successfully grown its software-defined encryption
portfolio to provide a comprehensive data protection
solution across all physical, virtual and cloud
environments.
Prior to joining Zettaset, Tim took on a variety of roles at
companies including Trapeze Networks, Nicira, netVmg,
and WorldxChange. He has a BS in Accounting from the
University of Southern California and currently resides in
the San Francisco Bay Area.
Maksim
Yankovskiy
VP Engineering
Maksim has over 20 years of experience delivering and
managing enterprise encryption and database software
across all the major high tech industries. During his
tenure at Zettaset, he has been responsible for the
engineering team that delivered the entire XCrypt
product portfolio. He has also filed patents related to
distributed and high-performance encryption.
Prior to Zettaset, Maksim worked at Ingrian Networks
and held various roles related to distributed database
systems at Siemens Medical Solutions, Ross Stores and
Adobe Systems.
3
Bryan Langston
Cloud Solutions
Architect
Featured Presenter - Mirantis
Bryan Langston has been with Mirantis for five years and
is currently a Pre-Sales Senior Cloud Architect. Other
roles he's had in Mirantis include Director of Architecture
for Openstack and Kubernetes professional services, and
a product manager for Mirantis' Operations and
Business Support Systems (OSS/BSS) products.
Prior to joining Mirantis, Bryan worked at IBM Research
for 17 years where he built a Linux-based supercomputer
for web-scale crawling, indexing and mining, and led
multiple first-of-a-kind projects in the cloud computing
space.
4
A Little Housekeeping
● Please submit questions in the
Questions panel.
● We’ll provide a link where you
can download the slides at the
end of the webinar.
5
● What we're trying to achieve
● Where containers are today
● DevOps, DevSecOps and common security issues
● Encrypting containerized data
● What all of this means for customers
● Q&A
Agenda
6
XCrypt Container Encryption for Docker Enterprise - Fixed Topology
Anthem (Key3
)
United Health (Key1
)
Docker Enterprise Host 1
Cigna (Key2
)
Highly Available Storage VolumeLegend Container Host
Docker Enterprise Host 2
Container1
United
Health
Billing
Container2
Cigna
Analytics
Container3
Anthem
Electronic
Health Records
Anthem (Key4
)
Cigna (Key5
)
Container4
Anthem
Patient Registration
Container5
Cigna
Call Center
Copyright © 2020 Mirantis, Inc. All rights reserved
Container Adoption
Today
8
Containers in Production
Use of Containers since 2016 Use of Containers in Production
• 69% of respondents intend to store sensitive data in containers
• 76% of container usage from Tech, FinServ & Healthcare
• 89% of container runtime is Docker
• 94% experienced a security incident in last 12 months
• Security is top barrier to further container adoption
9
● Improving customer experience
● Supporting new business models
● Increasing operational efficiency
● Examples:
○ 40x more deployments per day helps leading bank innovate faster
○ 700 apps running 15k containers at an online payment processor
helps build a consistent operating model across multiple clouds
○ 10x scalability increase and 65k+ transactions/sec for global payment
technology company delivers efficiency
Current State of Container Utilization
10
DevOps
The Good
Well-defined
pipeline
automation helps
coordinate activities
across Dev, Test and
Prod environments
The Bad
Introduces
“unknown
unknowns” to an
organization
The Ugly
Cultural barriers
inhibit the
realization of full
value of container
adoption
11
● Keeping default values
● Implementing concept of “least privilege”
● Establishing solid RBAC support
● Trusted content
● Related to establishing operational boundaries, defining and
enforcing network policies that control N/S, E/W traffic flows
Common Security Issues
12
What is it? The augmentation of DevOps to
allow for the integration of security practices
DevSecOps
Advantages
● Greater speed and agility for security teams
● Ability to respond to change & needs rapidly
● Better collaboration and communication
among teams
● More opportunities for automated builds and
quality assurance testing
● Early identification of vulnerabilities in code
● Team member assets are freed to work on
high-value work
Examples of Activities
● Integrate security scanners for containers
● Centralize user identity and access control
capabilities
● Isolate containers running microservices
from each other and the network
● Encrypt data between apps and services
Copyright © 2020 Mirantis, Inc. All rights reserved
Encrypting
Containerized Data
Protect the Data
What are your top 3 storage challenges with containers?
2019 Container Adoption Survey, Portworx and Aqua Security
What are your top 3 security challenges with containers?
Ensuring data security
Concerns about data loss
Planning for disaster recovery and
business continuity
Legacy storage technologies not a
good fit for container workloads
Storage doesn't effectively scale
with number of containers
Inadequate tools for managing
container storage
Block devices like Amazon EBS are
slow to mount
Provisioning storage takes too
long
Data security
Vulnerability management
Runtime protection
(e.g. blocking of anomalies)
Exposure of secretes
(passwords, keys, certificates)
Runtime monitoring
and visibility
Network segmentation
Trusted image deployment
Pipeline (CI/CD) security
automation
Hardening hosts and
orchestration
So, how do you protect your data?
Top three data
breach protection
methods universally
recommended by
security experts and
organizations in
many surveys and
panels:
Encrypt data throughout the process of collection, viewing
and manipulation - preferably at the source.
1
2
3
Any sensitive data that must be stored or is "at rest" needs
to be encrypted and the keys can't be stored at the same
location as the data.
All access and manipulation of data must be logged.
DevSecOps for Containers
The castle has many forms of defense
Moat, geography, routes in, thick walls, watch towers, guards
Traditional tools are applied in new form ensure integrity of container
• RBAC
• Monitoring & Logging
• Policy enforcement
But what if they get inside the castle and find the treasure?
Need to protect the most valuable asset….the DATA
Encryption provides data protection and last line of defense
▪Transparent integration via volume driver
▪ All required services run in containers: key manager, certificate
authority, license server
▪Automated management of host storage
▪Dedicated volume group allocated for each container volume
▪Container volumes cryptographically tied to containers
Container Encryption
17
Protecting Data at Rest in Containerized Environments
Secure Container
Storage
Key Points
Encryption must follow storage. Containers will share
storage in multi-tenant environment, but they must not
share encryption keys. Otherwise, one compromised
container compromises the entire environment.
1
2
3
Storage must be independent of host and containers.
Using legacy approach of hardware-defined storage
provisioning will lead to data loss if host reboots or dies.
Separation of duties. Developers and platform operators
should not have visibility into or knowledge of encryption
keys and processes. Encryption must be granular, yet
transparent.
Anthem (Key3
)
United Health (Key1
)
Docker Enterprise Host 1
Cigna (Key2
)
XCrypt Container Encryption for Docker Enterprise - Fixed Topology
Highly Available Storage VolumeLegend Container Host
Docker Enterprise Host 2
Container1
United
Health
Billing
Container2
Cigna
Analytics
Container3
Anthem
Electronic
Health Records
Anthem (Key4
)
Cigna (Key5
)
Container4
Anthem
Patient Registration
Container5
Cigna
Call Center
1. On creation, the container
requests a particular-sized
encrypted storage volume
2. Zettaset’s volume driver requests
a volume from the host
3. Zettaset’s volume manager
constructs a volume from various
partitions on the device and
creates a volume group
4. Volume manager communicates
with the key manager to create a
key and encrypt the volume
5. On container destruction, the
encryption key is destroyed, and
volumes are made available
again
Container Encryption – Where to implement
▪ Cybersecurity and DevOps are forever linked
▪ Security is not the enemy
▪ No one technology will address all security challenges
▪ Encryption is an essential tool and the last line of defense
Protect your Containers and Step towards DevSecOps
Takeaways
Copyright © 2020 Mirantis, Inc. All rights reserved
Thank You
Q&A
Download the slides from: bit.ly/mirantis-zettaset
We’ll send you the slides and recording later this week.
1 von 22

Recomendados

What's New in Kubernetes 1.18 Webinar Slides von
What's New in Kubernetes 1.18 Webinar SlidesWhat's New in Kubernetes 1.18 Webinar Slides
What's New in Kubernetes 1.18 Webinar SlidesMirantis
192 views88 Folien
How to Build a Basic Edge Cloud von
How to Build a Basic Edge CloudHow to Build a Basic Edge Cloud
How to Build a Basic Edge CloudMirantis
264 views26 Folien
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes von
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesYour Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Your Application Deserves Better than Kubernetes Ingress: Istio vs. KubernetesMirantis
488 views23 Folien
Using Kubernetes to make cellular data plans cheaper for 50M users von
Using Kubernetes to make cellular data plans cheaper for 50M usersUsing Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersMirantis
400 views31 Folien
Demystifying Cloud Security Compliance von
Demystifying Cloud Security ComplianceDemystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceMirantis
220 views13 Folien
Comparison of Current Service Mesh Architectures von
Comparison of Current Service Mesh ArchitecturesComparison of Current Service Mesh Architectures
Comparison of Current Service Mesh ArchitecturesMirantis
1.6K views46 Folien

Más contenido relacionado

Was ist angesagt?

The How and Why of Container Vulnerability Management von
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
981 views30 Folien
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment von
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentDevOps.com
101 views16 Folien
Securing danish healthcare using cloudnative von
Securing danish healthcare using cloudnativeSecuring danish healthcare using cloudnative
Securing danish healthcare using cloudnativeFrederik Mogensen
74 views24 Folien
Security Patterns for Microservice Architectures - London Java Community 2020 von
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
288 views74 Folien
Evaluating container security with ATT&CK Framework von
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkSandeep Jayashankar
140 views12 Folien
Barbican 1.0 - Open Source Key Management for OpenStack von
Barbican 1.0 - Open Source Key Management for OpenStackBarbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStackjarito030506
5.3K views19 Folien

Was ist angesagt?(20)

The How and Why of Container Vulnerability Management von Tim Mackey
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Tim Mackey981 views
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment von DevOps.com
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
DevOps.com101 views
Security Patterns for Microservice Architectures - London Java Community 2020 von Matt Raible
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible288 views
Evaluating container security with ATT&CK Framework von Sandeep Jayashankar
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
Barbican 1.0 - Open Source Key Management for OpenStack von jarito030506
Barbican 1.0 - Open Source Key Management for OpenStackBarbican 1.0 - Open Source Key Management for OpenStack
Barbican 1.0 - Open Source Key Management for OpenStack
jarito0305065.3K views
PKI in DevOps: How to Deploy Certificate Automation within CI/CD von DevOps.com
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps.com465 views
Cisco Cloud Networking Workshop von Cisco Canada
Cisco Cloud Networking Workshop Cisco Cloud Networking Workshop
Cisco Cloud Networking Workshop
Cisco Canada1.9K views
The Future of Security and Productivity in Our Newly Remote World von DevOps.com
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com208 views
Patterns of evolution from monolith to microservices von Karina Mora
Patterns of evolution from monolith to microservicesPatterns of evolution from monolith to microservices
Patterns of evolution from monolith to microservices
Karina Mora249 views
Using hypervisor and container technology to increase datacenter security pos... von Tim Mackey
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey829 views
Docker and Jenkins [as code] von Mark Waite
Docker and Jenkins [as code]Docker and Jenkins [as code]
Docker and Jenkins [as code]
Mark Waite486 views
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps von Daniel Oh
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps
Daniel Oh624 views
Secured APIM-as-a-Service von NGINX, Inc.
Secured APIM-as-a-ServiceSecured APIM-as-a-Service
Secured APIM-as-a-Service
NGINX, Inc.132 views
NGINX DevSecOps Workshop von NGINX, Inc.
NGINX DevSecOps WorkshopNGINX DevSecOps Workshop
NGINX DevSecOps Workshop
NGINX, Inc.186 views
Hacking into your containers, and how to stop it! von Eric Smalling
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
Eric Smalling288 views
Microservices and containers networking: Contiv, an industry leading open sou... von Codemotion
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
Codemotion1.3K views
Cisco at v mworld 2015 shipped-vmworld von ldangelo0772
Cisco at v mworld 2015 shipped-vmworldCisco at v mworld 2015 shipped-vmworld
Cisco at v mworld 2015 shipped-vmworld
ldangelo0772292 views

Similar a Securing Your Containers is Not Enough: How to Encrypt Container Data

DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con... von
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...raksac
23 views26 Folien
The How and Why of Container Vulnerability Management von
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys
1.1K views30 Folien
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework von
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Frameworkcentralohioissa
870 views26 Folien
AWS TechConnect 2018 - Container Adoption von
AWS TechConnect 2018 - Container AdoptionAWS TechConnect 2018 - Container Adoption
AWS TechConnect 2018 - Container AdoptionAlex Rhea
196 views30 Folien
DevSecCon Lightning 2021- Container defaults are a hackers best friend von
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
102 views11 Folien
110307 cloud security requirements gourley von
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
976 views21 Folien

Similar a Securing Your Containers is Not Enough: How to Encrypt Container Data(20)

DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con... von raksac
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
raksac23 views
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework von centralohioissa
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
centralohioissa870 views
AWS TechConnect 2018 - Container Adoption von Alex Rhea
AWS TechConnect 2018 - Container AdoptionAWS TechConnect 2018 - Container Adoption
AWS TechConnect 2018 - Container Adoption
Alex Rhea196 views
DevSecCon Lightning 2021- Container defaults are a hackers best friend von Eric Smalling
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
Eric Smalling102 views
110307 cloud security requirements gourley von GovCloud Network
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
GovCloud Network976 views
Are Your Containers as Secure as You Think? von DevOps.com
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
DevOps.com128 views
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017 von Big Data Spain
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data Spain1.3K views
Immutable Infrastructure Security von Ricky Sanders
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
Ricky Sanders1.2K views
Q Con New York 2015 Presentation - Conjur von conjur_inc
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
conjur_inc835 views
Cloud Security Engineer Interview Questions.pdf von Infosec Train
Cloud Security Engineer Interview Questions.pdfCloud Security Engineer Interview Questions.pdf
Cloud Security Engineer Interview Questions.pdf
Infosec Train82 views
Cloud Security Engineer Interview Questions.pdf von infosec train
Cloud Security Engineer Interview Questions.pdfCloud Security Engineer Interview Questions.pdf
Cloud Security Engineer Interview Questions.pdf
infosec train3 views
Maintaining Trust & Control of your Data in the Cloud von Amazon Web Services
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
Why and how are containers the foundation for a hybrid cloud future von Stefan van Oirschot
Why and how are containers the foundation for a hybrid cloud futureWhy and how are containers the foundation for a hybrid cloud future
Why and how are containers the foundation for a hybrid cloud future
AWS live hack: Docker + Snyk Container on AWS von Eric Smalling
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling231 views
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc... von Shannon Williams
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Shannon Williams1.4K views
Python Web Conference 2022 - Why should devs care about container security.pdf von Eric Smalling
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdf
Eric Smalling134 views

Más de Mirantis

How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin... von
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...Mirantis
96 views25 Folien
Kubernetes Security Workshop von
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security WorkshopMirantis
223 views31 Folien
Mirantis life von
Mirantis lifeMirantis life
Mirantis lifeMirantis
75.2K views14 Folien
OpenStack and the IoT: Where we are, where we're going, what we need to get t... von
OpenStack and the IoT: Where we are, where we're going, what we need to get t...OpenStack and the IoT: Where we are, where we're going, what we need to get t...
OpenStack and the IoT: Where we are, where we're going, what we need to get t...Mirantis
2.1K views10 Folien
Boris Renski: OpenStack Summit Keynote Austin 2016 von
Boris Renski: OpenStack Summit Keynote Austin 2016Boris Renski: OpenStack Summit Keynote Austin 2016
Boris Renski: OpenStack Summit Keynote Austin 2016Mirantis
884 views11 Folien
Digital Disciplines: Attaining Market Leadership through the Cloud von
Digital Disciplines: Attaining Market Leadership through the CloudDigital Disciplines: Attaining Market Leadership through the Cloud
Digital Disciplines: Attaining Market Leadership through the CloudMirantis
2.2K views28 Folien

Más de Mirantis(20)

How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin... von Mirantis
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
Mirantis96 views
Kubernetes Security Workshop von Mirantis
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security Workshop
Mirantis223 views
Mirantis life von Mirantis
Mirantis lifeMirantis life
Mirantis life
Mirantis75.2K views
OpenStack and the IoT: Where we are, where we're going, what we need to get t... von Mirantis
OpenStack and the IoT: Where we are, where we're going, what we need to get t...OpenStack and the IoT: Where we are, where we're going, what we need to get t...
OpenStack and the IoT: Where we are, where we're going, what we need to get t...
Mirantis2.1K views
Boris Renski: OpenStack Summit Keynote Austin 2016 von Mirantis
Boris Renski: OpenStack Summit Keynote Austin 2016Boris Renski: OpenStack Summit Keynote Austin 2016
Boris Renski: OpenStack Summit Keynote Austin 2016
Mirantis884 views
Digital Disciplines: Attaining Market Leadership through the Cloud von Mirantis
Digital Disciplines: Attaining Market Leadership through the CloudDigital Disciplines: Attaining Market Leadership through the Cloud
Digital Disciplines: Attaining Market Leadership through the Cloud
Mirantis2.2K views
Decomposing Lithium's Monolith with Kubernetes and OpenStack von Mirantis
Decomposing Lithium's Monolith with Kubernetes and OpenStackDecomposing Lithium's Monolith with Kubernetes and OpenStack
Decomposing Lithium's Monolith with Kubernetes and OpenStack
Mirantis2.2K views
OpenStack: Changing the Face of Service Delivery von Mirantis
OpenStack: Changing the Face of Service DeliveryOpenStack: Changing the Face of Service Delivery
OpenStack: Changing the Face of Service Delivery
Mirantis1.6K views
Accelerating the Next 10,000 Clouds von Mirantis
Accelerating the Next 10,000 CloudsAccelerating the Next 10,000 Clouds
Accelerating the Next 10,000 Clouds
Mirantis1.7K views
Containers for the Enterprise: It's Not That Simple von Mirantis
Containers for the Enterprise: It's Not That SimpleContainers for the Enterprise: It's Not That Simple
Containers for the Enterprise: It's Not That Simple
Mirantis884 views
Protecting Yourself from the Container Shakeout von Mirantis
Protecting Yourself from the Container ShakeoutProtecting Yourself from the Container Shakeout
Protecting Yourself from the Container Shakeout
Mirantis1.1K views
It's Not the Technology, It's You von Mirantis
It's Not the Technology, It's YouIt's Not the Technology, It's You
It's Not the Technology, It's You
Mirantis852 views
OpenStack as the Platform for Innovation von Mirantis
OpenStack as the Platform for InnovationOpenStack as the Platform for Innovation
OpenStack as the Platform for Innovation
Mirantis830 views
Moving AWS workloads to OpenStack von Mirantis
Moving AWS workloads to OpenStackMoving AWS workloads to OpenStack
Moving AWS workloads to OpenStack
Mirantis3.7K views
Your 1st Ceph cluster von Mirantis
Your 1st Ceph clusterYour 1st Ceph cluster
Your 1st Ceph cluster
Mirantis22.5K views
App catalog (Vancouver) von Mirantis
App catalog (Vancouver)App catalog (Vancouver)
App catalog (Vancouver)
Mirantis1.3K views
Tales From The Ship: Navigating the OpenStack Community Seas von Mirantis
Tales From The Ship: Navigating the OpenStack Community SeasTales From The Ship: Navigating the OpenStack Community Seas
Tales From The Ship: Navigating the OpenStack Community Seas
Mirantis1.5K views
OpenStack Overview and History von Mirantis
OpenStack Overview and HistoryOpenStack Overview and History
OpenStack Overview and History
Mirantis5.4K views
OpenStack Architecture von Mirantis
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
Mirantis88.5K views
OpenStack Architecture von Mirantis
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
Mirantis6.4K views

Último

Future of AR - Facebook Presentation von
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook PresentationRob McCarty
64 views27 Folien
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... von
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...ShapeBlue
186 views15 Folien
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... von
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...ShapeBlue
126 views10 Folien
CryptoBotsAI von
CryptoBotsAICryptoBotsAI
CryptoBotsAIchandureddyvadala199
40 views5 Folien
Cencora Executive Symposium von
Cencora Executive SymposiumCencora Executive Symposium
Cencora Executive Symposiummarketingcommunicati21
159 views14 Folien
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T von
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TShapeBlue
152 views34 Folien

Último(20)

Future of AR - Facebook Presentation von Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty64 views
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... von ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue186 views
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... von ShapeBlue
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
ShapeBlue126 views
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T von ShapeBlue
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
ShapeBlue152 views
Initiating and Advancing Your Strategic GIS Governance Strategy von Safe Software
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance Strategy
Safe Software176 views
Business Analyst Series 2023 - Week 4 Session 7 von DianaGray10
Business Analyst Series 2023 -  Week 4 Session 7Business Analyst Series 2023 -  Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray10139 views
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue von ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue138 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT von ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue206 views
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... von ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue139 views
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... von The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue von ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue147 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue von ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue203 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... von ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue166 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... von ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue173 views
Business Analyst Series 2023 - Week 4 Session 8 von DianaGray10
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10123 views
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O... von ShapeBlue
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
ShapeBlue132 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... von ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue180 views

Securing Your Containers is Not Enough: How to Encrypt Container Data

  • 1. Copyright © 2020 Mirantis, Inc. All rights reserved Securing Your Containers Isn't Enough How to Encrypt Containerized Data WEBINAR | April 8, 2020
  • 2. 2 Tim Reilly CEO Featured Presenters - Zettaset Tim brings more than 25 years of successful public and private experience in the high-tech industry filling key operational roles within product line business units and venture capital funded companies through all stages of growth. During his time at Zettaset, the company has successfully grown its software-defined encryption portfolio to provide a comprehensive data protection solution across all physical, virtual and cloud environments. Prior to joining Zettaset, Tim took on a variety of roles at companies including Trapeze Networks, Nicira, netVmg, and WorldxChange. He has a BS in Accounting from the University of Southern California and currently resides in the San Francisco Bay Area. Maksim Yankovskiy VP Engineering Maksim has over 20 years of experience delivering and managing enterprise encryption and database software across all the major high tech industries. During his tenure at Zettaset, he has been responsible for the engineering team that delivered the entire XCrypt product portfolio. He has also filed patents related to distributed and high-performance encryption. Prior to Zettaset, Maksim worked at Ingrian Networks and held various roles related to distributed database systems at Siemens Medical Solutions, Ross Stores and Adobe Systems.
  • 3. 3 Bryan Langston Cloud Solutions Architect Featured Presenter - Mirantis Bryan Langston has been with Mirantis for five years and is currently a Pre-Sales Senior Cloud Architect. Other roles he's had in Mirantis include Director of Architecture for Openstack and Kubernetes professional services, and a product manager for Mirantis' Operations and Business Support Systems (OSS/BSS) products. Prior to joining Mirantis, Bryan worked at IBM Research for 17 years where he built a Linux-based supercomputer for web-scale crawling, indexing and mining, and led multiple first-of-a-kind projects in the cloud computing space.
  • 4. 4 A Little Housekeeping ● Please submit questions in the Questions panel. ● We’ll provide a link where you can download the slides at the end of the webinar.
  • 5. 5 ● What we're trying to achieve ● Where containers are today ● DevOps, DevSecOps and common security issues ● Encrypting containerized data ● What all of this means for customers ● Q&A Agenda
  • 6. 6 XCrypt Container Encryption for Docker Enterprise - Fixed Topology Anthem (Key3 ) United Health (Key1 ) Docker Enterprise Host 1 Cigna (Key2 ) Highly Available Storage VolumeLegend Container Host Docker Enterprise Host 2 Container1 United Health Billing Container2 Cigna Analytics Container3 Anthem Electronic Health Records Anthem (Key4 ) Cigna (Key5 ) Container4 Anthem Patient Registration Container5 Cigna Call Center
  • 7. Copyright © 2020 Mirantis, Inc. All rights reserved Container Adoption Today
  • 8. 8 Containers in Production Use of Containers since 2016 Use of Containers in Production • 69% of respondents intend to store sensitive data in containers • 76% of container usage from Tech, FinServ & Healthcare • 89% of container runtime is Docker • 94% experienced a security incident in last 12 months • Security is top barrier to further container adoption
  • 9. 9 ● Improving customer experience ● Supporting new business models ● Increasing operational efficiency ● Examples: ○ 40x more deployments per day helps leading bank innovate faster ○ 700 apps running 15k containers at an online payment processor helps build a consistent operating model across multiple clouds ○ 10x scalability increase and 65k+ transactions/sec for global payment technology company delivers efficiency Current State of Container Utilization
  • 10. 10 DevOps The Good Well-defined pipeline automation helps coordinate activities across Dev, Test and Prod environments The Bad Introduces “unknown unknowns” to an organization The Ugly Cultural barriers inhibit the realization of full value of container adoption
  • 11. 11 ● Keeping default values ● Implementing concept of “least privilege” ● Establishing solid RBAC support ● Trusted content ● Related to establishing operational boundaries, defining and enforcing network policies that control N/S, E/W traffic flows Common Security Issues
  • 12. 12 What is it? The augmentation of DevOps to allow for the integration of security practices DevSecOps Advantages ● Greater speed and agility for security teams ● Ability to respond to change & needs rapidly ● Better collaboration and communication among teams ● More opportunities for automated builds and quality assurance testing ● Early identification of vulnerabilities in code ● Team member assets are freed to work on high-value work Examples of Activities ● Integrate security scanners for containers ● Centralize user identity and access control capabilities ● Isolate containers running microservices from each other and the network ● Encrypt data between apps and services
  • 13. Copyright © 2020 Mirantis, Inc. All rights reserved Encrypting Containerized Data
  • 14. Protect the Data What are your top 3 storage challenges with containers? 2019 Container Adoption Survey, Portworx and Aqua Security What are your top 3 security challenges with containers? Ensuring data security Concerns about data loss Planning for disaster recovery and business continuity Legacy storage technologies not a good fit for container workloads Storage doesn't effectively scale with number of containers Inadequate tools for managing container storage Block devices like Amazon EBS are slow to mount Provisioning storage takes too long Data security Vulnerability management Runtime protection (e.g. blocking of anomalies) Exposure of secretes (passwords, keys, certificates) Runtime monitoring and visibility Network segmentation Trusted image deployment Pipeline (CI/CD) security automation Hardening hosts and orchestration
  • 15. So, how do you protect your data? Top three data breach protection methods universally recommended by security experts and organizations in many surveys and panels: Encrypt data throughout the process of collection, viewing and manipulation - preferably at the source. 1 2 3 Any sensitive data that must be stored or is "at rest" needs to be encrypted and the keys can't be stored at the same location as the data. All access and manipulation of data must be logged.
  • 16. DevSecOps for Containers The castle has many forms of defense Moat, geography, routes in, thick walls, watch towers, guards Traditional tools are applied in new form ensure integrity of container • RBAC • Monitoring & Logging • Policy enforcement But what if they get inside the castle and find the treasure? Need to protect the most valuable asset….the DATA Encryption provides data protection and last line of defense
  • 17. ▪Transparent integration via volume driver ▪ All required services run in containers: key manager, certificate authority, license server ▪Automated management of host storage ▪Dedicated volume group allocated for each container volume ▪Container volumes cryptographically tied to containers Container Encryption 17
  • 18. Protecting Data at Rest in Containerized Environments Secure Container Storage Key Points Encryption must follow storage. Containers will share storage in multi-tenant environment, but they must not share encryption keys. Otherwise, one compromised container compromises the entire environment. 1 2 3 Storage must be independent of host and containers. Using legacy approach of hardware-defined storage provisioning will lead to data loss if host reboots or dies. Separation of duties. Developers and platform operators should not have visibility into or knowledge of encryption keys and processes. Encryption must be granular, yet transparent.
  • 19. Anthem (Key3 ) United Health (Key1 ) Docker Enterprise Host 1 Cigna (Key2 ) XCrypt Container Encryption for Docker Enterprise - Fixed Topology Highly Available Storage VolumeLegend Container Host Docker Enterprise Host 2 Container1 United Health Billing Container2 Cigna Analytics Container3 Anthem Electronic Health Records Anthem (Key4 ) Cigna (Key5 ) Container4 Anthem Patient Registration Container5 Cigna Call Center
  • 20. 1. On creation, the container requests a particular-sized encrypted storage volume 2. Zettaset’s volume driver requests a volume from the host 3. Zettaset’s volume manager constructs a volume from various partitions on the device and creates a volume group 4. Volume manager communicates with the key manager to create a key and encrypt the volume 5. On container destruction, the encryption key is destroyed, and volumes are made available again Container Encryption – Where to implement
  • 21. ▪ Cybersecurity and DevOps are forever linked ▪ Security is not the enemy ▪ No one technology will address all security challenges ▪ Encryption is an essential tool and the last line of defense Protect your Containers and Step towards DevSecOps Takeaways
  • 22. Copyright © 2020 Mirantis, Inc. All rights reserved Thank You Q&A Download the slides from: bit.ly/mirantis-zettaset We’ll send you the slides and recording later this week.