
Containers can actually improve your security story(!) Maya - PowerPoint PPT Presentation



  1. Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019

  2. Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski

  3. Objection: “My security team is opposed to containers and Kubernetes”

  4. Security people like to complain about containers and Kubernetes
  ● What’s a koober net ease
  ● I can’t use my IDS, firewall, ...
  ● Containers don’t contain
  ● I am stuck with it, help me

  5. 70% “70 percent of change programs fail to achieve their goals, largely due to employee resistance and lack of management support.” Changing change management, McKinsey & Co.

  6. Agenda: 01 How container security is different; 02 Traditional software supply chain and patch management; 03 Ideal software supply chain and best practices in image maintenance, patching, and validation

  7. 01 How container security is different

  8. … container security isn’t that different from any other security

  9. Threats seen in the wild
  ● February 2018, Tesla: unsecured Kubernetes dashboard with cloud account credentials. Used to mine cryptocurrency.
  ● May 2018, Shopify: researcher could access and replay kubelet credentials. Not exploited.
  ● June 2018, Weight Watchers: unsecured Kubernetes dashboard with sensitive data, including credentials. Unknown impact.
  ● 2018, Docker Hub: public images with embedded cryptocurrency mining malware. Used to mine cryptocurrency.
  ● April 2019, Docker Hub: database with 190k+ Docker Hub accounts exposed. Not exploited.

  10. Container security threats & risks
  INFRASTRUCTURE SECURITY
  ● Privilege escalation
  ● Credential compromise
  ● Kubernetes API compromise
  ● Over-privileged users
  SOFTWARE SUPPLY CHAIN
  ● Unpatched vulnerability
  ● Supply chain vulnerability exploit
  ● Zero day exploit on common library
  RUNTIME SECURITY
  ● DDoS
  ● Node compromise and container escape
  ● Flood event pipeline

  11. INFRASTRUCTURE SECURITY: Is my infrastructure secure for developing containers?
  ● How can I use Kubernetes security features to protect my identities, secrets, and network?
  ● How can I use native GCP functionality, like IAM, audit logging, and networking?

  12. SOFTWARE SUPPLY CHAIN: Is my container image secure to build and deploy?
  ● How can I make sure my container images are vulnerability-free?
  ● How can I make sure the images I built aren’t modified before they are deployed?

  13. RUNTIME SECURITY: Is my container secure to run?
  ● How can I identify a container acting maliciously in production?
  ● How can I take action to protect and isolate my workload?
  ● How can I securely scale my containers deployment?

  14. How is securing a container different?
  ● Surface of attack: a minimalist host OS limits the surface of attack.
  ● Resource isolation: host resources are separated using namespaces and cgroups.
  ● Permissions: access controls are for app privileges and shared resources.
  ● Lifecycle: containers have a shorter, better defined lifecycle.

  15. 02 Traditional software supply chain and patch management

  16. Traditional software supply chain

  17. Traditional patch management
  01 Get patch: from the distributor, some random mailing list, a vendor. Not always sent to the security team.
  02 Take down server n=1 and apply patch: test the patch in prod! Take some unimportant workload down to make sure nothing goes too bad.
  03 Repeat for n servers, where n is unknown: it worked! Now do it again, for everything you think is affected. Miss a bunch of it.

  18. Problems with traditional patch management
  ● Spreadsheet-driven management
  ● Down time
  ● 0days are scary
  ● Unclear what’s running in your infrastructure / what’s running where / if you even need a patch

  19. 03 Ideal software supply chain

  20. Containers are meant to be short-lived, frequently redeployed, immutable, and help you ‘shift left’

  21. DevSecOps?!?

  22. Running containers allows you to adopt a fundamentally different security model: containers give you a software supply chain; containers let you patch continuously, automatically; containers mean you can actually tell if you’re affected by a new vulnerability.

  23. Containers give you a software supply chain

  24. What's difgerent about supply chains with containers VM based Hard Debug Patch Update VM VM Monolithic Restaru application VM Production environment Manual adjustment

  25. What's difgerent about supply chains with containers VM based Container based Hard Easy Debug Build & deploy Patch Analysis Build Scan Test QA Update VM VM Re-build & Monolithic CI/CD pipeline Restaru re-deploy application VM VM VM Production environment Pod Pod Microservice VM Pod Manual adjustment Production environment

  26. Containers let you enforce a software supply chain (diagram): developer > base image + code > application image > build > deploy. The CI/CD pipeline performs analysis, build, scan, test, and QA; the production environment runs microservices as pods on VMs.

  27. Containers let you patch continuously, automatically

  28. Constantly patch your registry… and roll out as normal
  01 Patch the image in your registry: figure out what’s affected, and apply the patch everywhere you need it.
  02 Test, validate, and roll out: roll out the patch like you would any other infrastructure change, going incrementally.
  03 Load balance traffic over: when testing is successful, move traffic over to the new, patched workload, with no downtime.

  29. Containers enable passive patching

  30. not just uptime, but up-to-time

  31. Vulnerability mitigation strategies
  ● Update packages: apt-get update & upgrade gets you pretty far. Do this daily.
  ● Remove packages: do you really need 6.022x10^23 Debian packages installed on your production image?
  ● Smaller distro: in many cases, you can get away with a smaller distro like Alpine or Debian Slim.

  32. Moving to a smaller base: Vanilla > Patched > Minimal > Distroless

  33. Containers mean you can actually tell if you’re affected by a new vulnerability

  34. Check your registry and compare to what you deployed

  35. Figure out what’s in production
  ● Find all the containers in prod: kubectl get pods, resolve everything to a digest.
  ● Find out what is in those containers: package manifests, application dependencies.
  ● Find out what vulnz are in those packages: cross reference BOM with CVE databases.
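The three steps on this slide, together with step 01 of slide 28 (“figure out what’s affected”), as one added example in Python. This is not code from the deck or from Google Cloud: the kubectl output, the per-image package lists (the BOM a scanner would extract), the advisory feed and its placeholder IDs are all constructed for the example, and the Debian version comparison is a simplified approximation of dpkg ordering (stated as an assumption in the code).

```python
"""Added example: running pods -> image digests -> packages -> advisories.

Constructed data throughout: trimmed `kubectl get pods -A -o json` output,
stand-in SBOMs, and an advisory feed with placeholder IDs (not real CVEs).
"""
import json
import re
from collections import defaultdict

DIGEST_A = "sha256:" + "a" * 64   # constructed digest for gcr.io/acme/checkout:1.4
DIGEST_B = "sha256:" + "b" * 64   # constructed digest for gcr.io/acme/invoices:2.0


def _pod(ns, name, container, image, image_id):
    # One pod in the shape kubectl prints. status.containerStatuses[].imageID carries
    # the digest that was actually pulled; older kubelets prefix it with
    # "docker-pullable://", so both forms appear in the sample.
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": container, "image": image}]},
            "status": {"containerStatuses": [{"name": container, "imageID": image_id}]}}


KUBECTL_PODS_JSON = json.dumps({"items": [
    _pod("shop", "checkout-7d9f-abc12", "checkout", "gcr.io/acme/checkout:1.4",
         "docker-pullable://gcr.io/acme/checkout@" + DIGEST_A),
    _pod("shop", "checkout-7d9f-def34", "checkout", "gcr.io/acme/checkout:1.4",
         "gcr.io/acme/checkout@" + DIGEST_A),
    _pod("billing", "invoices-55c-x9z", "invoices", "gcr.io/acme/invoices:2.0",
         "gcr.io/acme/invoices@" + DIGEST_B),
]})

# Constructed per-image package manifests: package -> installed Debian version.
SBOMS = {
    DIGEST_A: {"libssl1.1": "1.1.0f-3+deb9u1", "curl": "7.52.1-5+deb9u9"},
    DIGEST_B: {"libssl1.1": "1.1.0j-1~deb9u1", "curl": "7.52.1-5+deb9u9"},
}

# Constructed advisory feed (placeholder IDs): affected package and first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "package": "libssl1.1", "fixed_in": "1.1.0j-1~deb9u1"},
    {"id": "ADV-0002", "package": "curl", "fixed_in": "7.52.1-5+deb9u10"},
]


def image_digest(image_id):
    """Extract 'sha256:<hex>' from an imageID, whatever prefix the kubelet added."""
    m = re.search(r"(sha256:[0-9a-f]{64})$", image_id)
    return m.group(1) if m else None


def running_image_digests(pods_json):
    """Map each running digest to the 'namespace/pod (container)' instances using it.

    Tags are ignored on purpose: two pods with the same tag may run different bytes,
    and a scan result can only be tied to a digest.
    """
    by_digest = defaultdict(list)
    for item in json.loads(pods_json)["items"]:
        md = item["metadata"]
        for cs in item.get("status", {}).get("containerStatuses", []):
            digest = image_digest(cs["imageID"])
            if digest:
                by_digest[digest].append(f"{md['namespace']}/{md['name']} ({cs['name']})")
    return {d: sorted(v) for d, v in by_digest.items()}


def _deb_version_key(version):
    """Sort key approximating dpkg ordering (assumption: simplified).

    Handles epoch, upstream/revision split and numeric-vs-lexical segments
    (so deb9u9 < deb9u10, which a plain string compare gets wrong), but not
    dpkg's special '~' rule; the sample data never depends on that rule.
    """
    epoch, _, rest = version.rpartition(":")
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")

    def segs(s):
        return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", s)]
    return (int(epoch or 0), segs(upstream), segs(revision))


def is_vulnerable(installed, fixed_in):
    return _deb_version_key(installed) < _deb_version_key(fixed_in)


def affected_workloads(pods_json, sboms, advisories):
    """Cross-reference what is running against the advisory feed.

    Returns sorted (advisory_id, package, installed_version, digest, workload) tuples.
    A running digest with no SBOM is reported as NO-SBOM rather than silently skipped:
    "unknown" is the answer the traditional process gives, and it is not acceptable here.
    """
    hits = []
    for digest, workloads in running_image_digests(pods_json).items():
        sbom = sboms.get(digest)
        if sbom is None:
            hits += [("NO-SBOM", "*", "unknown", digest, w) for w in workloads]
            continue
        for adv in advisories:
            installed = sbom.get(adv["package"])
            if installed and is_vulnerable(installed, adv["fixed_in"]):
                hits += [(adv["id"], adv["package"], installed, digest, w) for w in workloads]
    return sorted(hits)


if __name__ == "__main__":
    for adv_id, pkg, installed, digest, workload in affected_workloads(
            KUBECTL_PODS_JSON, SBOMS, ADVISORIES):
        print(adv_id, pkg, installed, digest[:19], workload)
```

With the constructed data, the libssl advisory maps to the two checkout pods only (the invoices image already carries the fixed version), while the curl advisory maps to all three pods; that per-digest answer is what step 01 of slide 28 needs before the patched image is rolled out.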

  36. Centralize and lock down release pipeline. Instead, container image security should be:
  ● Build images from trusted sources
  ● Streamline image scanning and security analysis
  ● Deploy only trusted images
  ● Monitor continuously

  37. Start here
  ● You have a container registry > Scan for vulnerabilities
  ● You have a mandated base image > Make it minimal
  ● You have a centralized CI/CD pipeline > Enforce what’s deployed
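“Deploy only trusted images” (slide 36) and “enforce what’s deployed” (slide 37) as an added example in Python, not the deck’s code and not Google’s Binary Authorization: a policy check of the kind an admission controller runs before a pod is scheduled. The trusted registry prefix, the attestation store and the pod specs are constructed for the example; the image-reference parser covers only the simple shapes seen in pod specs (an assumption noted in the code).

```python
"""Added example: admit a pod only if every image is from a trusted registry,
pinned by digest, and carries a build/scan attestation with no critical findings.

The registry allowlist, attestation store and pod specs are constructed.
"""
import re

TRUSTED_REGISTRIES = ("gcr.io/acme/",)   # assumption: the org's own registry path

# Constructed attestation store: what the CI/CD pipeline recorded per digest
# after building from source and scanning the result.
ATTESTATIONS = {
    "sha256:" + "a" * 64: {"built_by": "ci-pipeline", "critical_vulns": 0},
    "sha256:" + "b" * 64: {"built_by": "ci-pipeline", "critical_vulns": 2},
}


def parse_image_ref(ref):
    """Split 'name[:tag][@sha256:hex]' into (name, tag, digest).

    A port in the registry host stays with the name because only the last path
    segment is checked for a tag. Assumption: the simple shapes seen in pod
    specs; the full OCI reference grammar is more permissive than this.
    """
    name, _, digest = ref.partition("@")
    head, sep, last = name.rpartition("/")
    tag = None
    if ":" in last:
        last, _, tag = last.partition(":")
    if digest and not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest in {ref}")
    return head + sep + last, tag, digest or None


def check_pod(pod, trusted=TRUSTED_REGISTRIES, attestations=ATTESTATIONS):
    """Return (container, reason) violations; an empty list means admit.

    Init containers are checked too: they run with the pod's identity and are
    just as much part of the supply chain as the main containers.
    """
    violations = []
    spec = pod["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        try:
            name, tag, digest = parse_image_ref(c["image"])
        except ValueError as err:
            violations.append((c["name"], f"unparseable image reference: {err}"))
            continue
        if not name.startswith(trusted):
            violations.append((c["name"], f"untrusted registry: {name}"))
        if digest is None:
            # A tag is a mutable pointer: what was scanned may not be what gets pulled.
            violations.append((c["name"], f"not pinned by digest (tag {tag or 'latest'})"))
            continue
        att = attestations.get(digest)
        if att is None:
            violations.append((c["name"], "no build/scan attestation for digest"))
        elif att["critical_vulns"] > 0:
            violations.append((c["name"], f"{att['critical_vulns']} critical vulnerabilities"))
    return violations


def _pod(images):
    """Constructed minimal pod spec with one container per image."""
    return {"spec": {"containers": [{"name": f"c{i}", "image": img}
                                    for i, img in enumerate(images)]}}


GOOD_POD = _pod(["gcr.io/acme/checkout:1.4@sha256:" + "a" * 64])
TAG_ONLY_POD = _pod(["gcr.io/acme/checkout:1.4"])
FOREIGN_POD = _pod(["docker.io/library/nginx@sha256:" + "c" * 64])
FAILED_SCAN_POD = _pod(["gcr.io/acme/invoices@sha256:" + "b" * 64])


if __name__ == "__main__":
    for label, pod in [("good", GOOD_POD), ("tag-only", TAG_ONLY_POD),
                       ("foreign", FOREIGN_POD), ("failed-scan", FAILED_SCAN_POD)]:
        v = check_pod(pod)
        print(label, "ADMIT" if not v else "DENY", v)
```

The digest pin is what ties the other two checks together: the scanner’s verdict and the pipeline’s build record are keyed by digest, so a tag-only reference cannot be matched to either, and the check fails closed on it rather than guessing.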

  38. Running containers allows you to adopt a fundamentally different security model: containers give you a software supply chain; containers let you patch continuously, automatically; containers mean you can actually tell if you’re affected by a new vulnerability.

  39. Learn more Blog post: goo.gl/Ew6hYa cloud.google.com/containers/security

  40. Q&A

  41. That’s a wrap. Learn more: cloud.google.com/containers/security
