Containers can actually improve your security story(!) - Maya Kaczorowski - PowerPoint PPT Presentation

SLIDE 1

Containers can actually improve your security story(!)

Maya Kaczorowski, Google Cloud June 12 2019
SLIDE 2

Maya Kaczorowski

Security PM, Google Cloud @MayaKaczorowski
SLIDE 3

Objection: “My security team is opposed to containers and Kubernetes”

SLIDE 4

Security people like to complain about containers and Kubernetes

  • What’s a koober net ease
  • I can’t use my IDS, firewall, ...
  • Containers don’t contain
  • I am stuck with it, help me

SLIDE 5

70%

“70 percent of change programs fail to achieve their goals, largely due to employee resistance and lack of management support.”
Changing change management, McKinsey & Co.
SLIDE 6

Agenda

  1 How container security is different
  2 Traditional software supply chain and patch management
  3 Ideal software supply chain and best practices in image maintenance, patching, and validation
SLIDE 7

01

How container security is different

SLIDE 8

… container security isn’t that different from any other security

SLIDE 9

Threats seen in the wild

2018
  • February: Tesla. Unsecured Kubernetes dashboard with cloud account credentials. Used to mine cryptocurrency.
  • May: Shopify. Researcher could access and replay kubelet credentials. Not exploited.
  • June: Weight Watchers. Unsecured Kubernetes dashboard with sensitive data, including credentials. Not exploited.
  • June: Docker Hub. Public images with embedded cryptocurrency mining malware. Used to mine cryptocurrency.

2019
  • April: Docker Hub. Database with 190k+ Docker Hub accounts exposed. Unknown impact.
SLIDE 10

Container security threats & risks

INFRASTRUCTURE SECURITY
  • Privilege escalation
  • Credential compromise
  • Kubernetes API compromise
  • Over-privileged users

SOFTWARE SUPPLY CHAIN
  • Unpatched vulnerability
  • Supply chain vulnerability
  • Zero day exploit on common library

RUNTIME SECURITY
  • DDoS
  • Node compromise and exploit
  • Container escape
  • Flood event pipeline
SLIDE 11

INFRASTRUCTURE SECURITY

Is my infrastructure secure for developing containers?

  • How can I use Kubernetes security features to protect my identities, secrets, and network?
  • How can I use native GCP functionality, like IAM, audit logging, and networking?
SLIDE 12

SOFTWARE SUPPLY CHAIN

Is my container image secure to build and deploy?

  • How can I make sure my container images are vulnerability-free?
  • How can I make sure the images I built aren’t modified before they are deployed?
SLIDE 13

RUNTIME SECURITY

Is my container secure to run?

  • How can I identify a container acting maliciously in production?
  • How can I take action to protect and isolate my workload?
  • How can I securely scale my containers deployment?
SLIDE 14

How is securing a container different?

Surface of Attack: A minimalist host OS limits the attack surface.

Resource Isolation: Host resources are separated using namespaces and cgroups.

Permissions: Access controls are for app privileges and shared resources.

Lifecycle: Containers have a shorter, better defined lifecycle.

SLIDE 15

02

Traditional software supply chain and patch management

SLIDE 16

Traditional software supply chain

SLIDE 17

Traditional patch management

01 Get patch
From the distributor, some random mailing list, a vendor. Not always sent to the security team.

02 Take down server n=1 and apply patch
Test the patch in prod! Take some unimportant workload down to make sure nothing goes too bad.

03 Repeat for n servers, where n is unknown
It worked! Now do it again, for everything you think is affected. Miss a bunch of it.
SLIDE 18

Problems with traditional patch management

  • Spreadsheet-driven management
  • Down time
  • 0days are scary
  • Unclear what’s running in your infrastructure / what’s running where / if you even need a patch

SLIDE 19

03

Ideal software supply chain

SLIDE 20

Containers are meant to be short-lived, frequently redeployed, immutable, and help you ‘shift left’

SLIDE 21

DevSecOps?!?

SLIDE 22

Running containers allows you to adopt a fundamentally different security model

  • Containers give you a software supply chain
  • Containers let you patch continuously, automatically
  • Containers mean you can actually tell if you’re affected by a new vulnerability
SLIDE 23

Containers give you a software supply chain

SLIDE 24

What's different about supply chains with containers

[Diagram] VM based (Hard): a monolithic application on VMs in the production environment. Every change means debug, patch, update, restart, and manual adjustment.
SLIDE 25

What's different about supply chains with containers

[Diagram] VM based (Hard): a monolithic application on VMs in the production environment. Every change means debug, patch, update, restart, and manual adjustment.

[Diagram] Container based (Easy): a CI/CD pipeline (Build > Test > Scan > Analysis > QA) feeds pods of microservices running on VMs in the production environment. Changes mean build & deploy, then re-build & re-deploy.
SLIDE 26

Containers let you enforce a software supply chain

[Diagram] Developer > Code > Base image > Build > Application image > Deploy. The CI/CD pipeline (Build > Test > Scan > Analysis > QA) sits between the build and the production environment, where pods of microservices run on VMs.
SLIDE 27

Containers let you patch continuously, automatically

SLIDE 28

Constantly patch your registry… and roll out as normal

01 Patch the image in your registry
Figure out what’s affected, and apply the patch everywhere you need it.

02 Test, validate, and roll out
Roll out the patch like you would any other infrastructure change, going incrementally.

03 Load balance traffic over
When testing is successful, move traffic over to the new, patched workload, with no downtime.
SLIDE 29

Containers enable passive patching

SLIDE 30

not just uptime, but up-to-time

SLIDE 31

Vulnerability mitigation strategies

Update packages: apt-get update & upgrade gets you pretty far. Do this daily.

Remove packages: Do you really need 6.022×10^23 Debian packages installed on your production image?

Smaller distro: In many cases, you can get away with a smaller distro like Alpine or Debian Slim.

SLIDE 32

Moving to a smaller base

Vanilla > Patched > Minimal > Distroless
SLIDE 33

Containers mean you can actually tell if you’re affected by a new vulnerability

SLIDE 34

Check your registry and compare to what you deployed

SLIDE 35

Figure out what’s in production

  • Find all the containers in prod: kubectl get pods, then resolve everything to a digest
  • Find out what is in those containers: package manifests, application dependencies
  • Find out what vulnz are in those packages: cross reference the BOM with CVE databases
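The three steps on slides 34 and 35 (list what is running, resolve it to digests, cross-reference the package BOM with an advisory) as a script. This is an added example, not code from the talk or from Google Cloud: it parses the JSON shape that `kubectl get pods -A -o json` prints (a constructed sample is embedded so it runs offline), takes a constructed per-digest package BOM and a constructed advisory with a placeholder CVE id, and uses a simplified version comparison that is an assumption, not dpkg's ordering rules.

```python
"""Inventory running image digests and cross-reference their BOM with advisories.
Added example; the sample pod JSON, BOM, advisory and version ordering are constructed."""
import json
import re
from collections import defaultdict

# Constructed sample in the shape of `kubectl get pods -A -o json`. web-1 and web-2 run
# the same mutable tag but resolved to different digests because the tag moved.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "shop", "name": "web-1"},
         "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.4"}]},
         "status": {"containerStatuses": [
             {"name": "web", "imageID": "registry.example/web@sha256:aaaa1111"}]}},
        {"metadata": {"namespace": "shop", "name": "web-2"},
         "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.4"}]},
         "status": {"containerStatuses": [
             {"name": "web", "imageID": "registry.example/web@sha256:bbbb2222"}]}},
        {"metadata": {"namespace": "billing", "name": "api-1"},
         "spec": {"containers": [
             {"name": "api", "image": "registry.example/api@sha256:cccc3333"}]},
         "status": {"containerStatuses": [
             {"name": "api", "imageID": "registry.example/api@sha256:cccc3333"}]}},
    ]
})

# Constructed BOM: the package manifest the registry holds for each image digest.
SAMPLE_BOM = {
    "sha256:aaaa1111": {"openssl": "1.1.1b-1", "libc6": "2.28-10"},
    "sha256:bbbb2222": {"openssl": "1.1.1d-0", "libc6": "2.28-10"},
    "sha256:cccc3333": {"libc6": "2.28-10"},
}

# Constructed advisory in the shape of a CVE feed entry; the id is a placeholder.
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-0000", "package": "openssl", "fixed_in": "1.1.1d-0"},
]


def digest_of(image_id):
    """Return the digest part of a containerStatus imageID, or None if it has none."""
    _, sep, digest = image_id.partition("@")
    return digest if sep else None


def inventory(pods_json):
    """Map each running digest to the (namespace, pod, container) triples using it,
    and list workloads whose spec pulls by mutable tag instead of a pinned digest."""
    running = defaultdict(list)
    unpinned = []
    for pod in json.loads(pods_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        spec_images = {c["name"]: c["image"] for c in pod["spec"]["containers"]}
        for status in pod.get("status", {}).get("containerStatuses", []):
            digest = digest_of(status["imageID"])
            if digest is None:
                continue  # assumption: imageIDs without a digest are skipped, not guessed
            running[digest].append((ns, name, status["name"]))
            if "@sha256:" not in spec_images.get(status["name"], ""):
                unpinned.append((ns, name, status["name"]))
    return dict(running), unpinned


def version_key(version):
    """Simplified ordering: numeric runs compare as integers, letter runs as strings.
    This is an assumption for the example, not the dpkg version comparison algorithm."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def affected(running, bom, advisories):
    """Cross-reference every running digest's BOM with the advisories.
    Returns {advisory id: sorted (namespace, pod, container) triples that are affected}."""
    hits = defaultdict(set)
    for digest, workloads in running.items():
        packages = bom.get(digest, {})
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is not None and version_key(installed) < version_key(adv["fixed_in"]):
                hits[adv["id"]].update(workloads)
    return {adv_id: sorted(ws) for adv_id, ws in hits.items()}


if __name__ == "__main__":
    running, unpinned = inventory(SAMPLE_PODS_JSON)
    for digest, workloads in running.items():
        print(digest, workloads)
    print("pulled by mutable tag:", unpinned)
    print("affected:", affected(running, SAMPLE_BOM, SAMPLE_ADVISORIES))
```

With the sample data, only web-1 (digest aaaa1111, openssl 1.1.1b-1) is reported as affected; web-2 runs the same tag but already resolved to the fixed package, which is exactly why the inventory is keyed on digests rather than on tags. Against a real cluster, feed the output of `kubectl get pods -A -o json` into `inventory` and replace the constructed BOM with whatever your registry's package manifests provide.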
SLIDE 36

Instead, container security should be:

  • Streamline image scanning and analysis
  • Centralize and lock down release pipeline
  • Build images from trusted sources
  • Deploy only trusted images
  • Monitor continuously
SLIDE 37

Start here

  • You have a container registry > Scan for vulnerabilities
  • You have a mandated base image > Make it minimal
  • You have a centralized CI/CD pipeline > Enforce what’s deployed

SLIDE 38

Running containers allows you to adopt a fundamentally different security model

  • Containers give you a software supply chain
  • Containers let you patch continuously, automatically
  • Containers mean you can actually tell if you’re affected by a new vulnerability
SLIDE 39

Learn more

Blog post: goo.gl/Ew6hYa cloud.google.com/containers/security
SLIDE 40

Q&A

SLIDE 41

That’s a wrap.

Learn more: cloud.google.com/containers/security