Cloud-Native Security
New approach for a new reality
Tsvi Korren, Aqua
Presented by Tsvi Korren, Aqua Security at DevSecOps 101: Containers, Clouds, and Apps in Boston on May 16th, 2019.

Slide 1 (title): Cloud-Native Security. New approach for a new reality. Tsvi Korren, Aqua.
Slide 2: What do we mean by Cloud-Native?
- Made to run in the cloud (public, private, hybrid)
- App payload is decoupled from the infrastructure
- Orchestrated for updateability, scaling and resilience
- App is based on loosely-coupled microservices
Slide 3: The rules still need to apply
- Risk mitigation, vulnerabilities, integrity
- Deployment authorization, visibility, inventory
- Operational administration and change control
- Secrets management and secure configuration
- Network segmentation of microservices
- SOC and incident response
Slide 4: The Challenge
Cloud-Native deployments natively lack support for effective and demonstrable security required by business-critical applications.
- Organization: DevOps <-> Security
- Process: Where to secure
- Technology: How to secure
Slide 5: Urgent need to bridge the gap
CI/CD, Images, Kubernetes, Cloud, Compliance, Access Controls, Intrusion Prevention, Forensics
Slide 6: Changes in process (flow diagram comparing the two pipelines)
- Using Servers: Coding, Static Analysis, Compile/package, Provision Server, Config software, Assess Risk, Fix Risks, Deploy
- Using Containers: Coding, Static Analysis, Get Base Image, Build Image, Scan, Fix Risks, Deploy
Slide 7: Diminishing ability to execute controls (stack diagram)
- Layers of the stack: Development, Packaging, App Payload, Container, Orchestration, Host, Network, Data Center
- Deployment models, left to right: On Premises, Cloud VMs, Managed Containers, Containers as service, Serverless Functions
- The same stack is drawn for each model; the further right, the fewer layers remain under your own control
Slide 8: Our Goal
- Security as a shared responsibility
- Automate security as a natural part of DevOps processes
- Protect workloads with focus on prevention
- Make containers the most secure, predictable and controlled platform for running critical applications
Slide 9: We have an opportunity to be more precise
Accounting for every vulnerability and possible threat is untenable. Know what to keep safe, and how to defend it.
Slide 10: We have an opportunity to simplify
Too many manual security options and rules become ineffective. Protect immutable workloads, with rules generated over the pipeline.
Slide 11: Stages of Cloud Native security maturity (diagram)
- Stages: Image acceptance, Run with least privileges, Network controls, Container immutability, Application context authorization, Immediate incident response
- Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
Slide 12: The Orchestration System
- Easily misconfigured
- Handles secrets
- Runs everywhere
- Operates as root
Slide 13: Kubernetes security checklist
- Restrict network access to the Kubernetes API addresses and ports
- Use separate authentication for each authorized user
- Patch and upgrade Kubernetes as needed
- Control access from production Kubernetes to public registries
Slide 14: Kubernetes assessment (screenshot only)
Slide 15: Stages of Cloud Native security maturity (diagram, extended)
- Stages: Image acceptance, Run with least privileges, Network controls, Container immutability, Application context authorization, Immediate incident response
- Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
- Image Hygiene: Vulnerability scanning, Compliant configuration, Approved base images
Slide 16: Image security checklist
- Use the smallest image possible for your project
- Avoid storing keys and other sensitive data in the image
- Add the minimal number of packages required for your application
- Use dedicated users, non-standard ports
- Remove utilities at the end of the build (useradd, chown, curl)
- Scan the finished product
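The checklist above can be enforced mechanically before an image is ever built. The following script is an added example, not code from the deck or from Aqua: it parses a Dockerfile and reports which checklist items it breaks (unpinned base image, secret material copied in, no non-root user, privileged port, fetch tools left installed). The rules, the regular expressions, and the two sample Dockerfiles are assumptions made for this illustration.

```python
"""Dockerfile check against the image security checklist on slide 16.

Added example; it is not code from the slides or from Aqua. The rules, the
regular expressions and the two sample Dockerfiles are assumptions made for
this illustration.
"""
import re

# Build-time utilities that should be removed at the end of the build. The slide
# also names useradd and chown; only tools installed through a package manager
# can be tracked this way, so the set is limited to network fetch tools.
BUILD_ONLY_TOOLS = ("curl", "wget")

# Source paths that usually carry keys or other sensitive data.
SECRET_PATTERN = re.compile(
    r"(id_rsa|id_ed25519|\.pem$|\.key$|\.p12$|\.env$|secret|credential)", re.I)


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash-continued lines."""
    steps, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, arg = buf.partition(" ")
        steps.append((instr.upper(), arg.strip()))
        buf = ""
    return steps


def check_dockerfile(text):
    """Return the list of checklist findings; an empty list means the file passes."""
    findings, user, ports = [], None, []
    installed, removed = set(), set()
    for instr, arg in parse_dockerfile(text):
        tokens = [t for t in arg.split() if not t.startswith("--")]
        if instr == "FROM":
            image = tokens[0]
            tag = image.rsplit("/", 1)[-1]
            if "@sha256:" not in image and (":" not in tag or tag.endswith(":latest")):
                findings.append(f"base image {image} is not pinned; use the smallest approved base image and pin its version")
        elif instr == "USER":
            user = tokens[0]
        elif instr == "EXPOSE":
            ports += [p.split("/")[0] for p in tokens]
        elif instr in ("COPY", "ADD"):
            for src in tokens[:-1]:  # the last token is the destination
                if SECRET_PATTERN.search(src):
                    findings.append(f"{instr} brings possible secret material into the image: {src}")
        elif instr == "RUN":
            for tool in BUILD_ONLY_TOOLS:
                if re.search(rf"\b(install|add)\b[^&|;]*\b{tool}\b", arg):
                    installed.add(tool)
                if re.search(rf"\b(remove|purge|del|rm)\b[^&|;]*\b{tool}\b", arg):
                    removed.add(tool)
    if user in (None, "root", "0"):
        findings.append("no non-root USER set; the container will run as root")
    for port in ports:
        if port.isdigit() and int(port) < 1024:
            findings.append(f"EXPOSE {port} uses a standard privileged port; prefer a dedicated non-standard port")
    for tool in sorted(installed - removed):
        findings.append(f"{tool} is installed but not removed at the end of the build")
    return findings


# Constructed sample: a Dockerfile that breaks most of the checklist.
BAD_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && apt-get install -y curl python3
COPY id_rsa /root/.ssh/id_rsa
COPY app/ /app
EXPOSE 80
CMD ["python3", "/app/server.py"]
"""

# Constructed sample: the same service built the checklist's way.
GOOD_DOCKERFILE = """\
FROM alpine:3.19
RUN apk add --no-cache python3 curl \\
    && curl -fsSL https://example.invalid/app.tar.gz | tar -xz -C /app \\
    && apk del curl \\
    && adduser -D -u 10001 app
COPY app/ /app
USER app
EXPOSE 8080
CMD ["python3", "/app/server.py"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, check_dockerfile(text) or ["passes the checklist"])
```

The check is deliberately conservative: it only reports what it can see in the Dockerfile text, so "scan the finished product" still has to happen on the built image.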
Slide 17: Top base container images (bar chart of four base images by size: 5.28 MB, 95.93 MB, 84.79 MB, 192.44 MB; the image names are not in the transcript)
Slide 18: Scanning images
Sample scanner output for one finding, with callouts on the slide for "NVD data and score", "Maintainer data and score", "Backports and fix advice" and "Impact statement":

    {
      "name": "CVE-2016-7444",
      "description": "\nThe gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.\nA flaw was found in the way GnuTLS validated certificates using OCSP responses. This could falsely report a certificate as valid under certain circumstances.",
      "nvd_score": 5,
      "nvd_score_version": "CVSS v2",
      "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "nvd_severity": "medium",
      "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444",
      "vendor_score": 4.3,
      "vendor_score_version": "CVSS v2",
      "vendor_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "vendor_severity": "low",
      "vendor_url": "https://access.redhat.com/security/cve/CVE-2016-7444",
      "publish_date": "2016-09-27",
      "modification_date": "2018-01-04",
      "fix_version": "3.3.26-9.el7",
      "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."
    }
Slide 19: Beyond vulnerabilities: image content (screenshot only)
Slide 20: Stages of Cloud Native security maturity (diagram, with the stages grouped)
- Containment: Image acceptance, Run with least privileges, Network controls
- Prevention: Container immutability, Application context authorization, Immediate incident response
- Cluster Hygiene: RBAC, Minimal OS, Compliance Checks
- Image Hygiene: Vulnerability scanning, Compliant configuration, Approved base images
Slide 21: Applying Runtime controls
Specific controls:
- Image authorization: Non-Compliant, Unregistered
- Runtime Policies: Drift Prevention, Process Blacklists
- Container profile: Full whitelisting
General controls: Secrets, Networking, Forensics; Node and Kubernetes Security
Slide 22: Image acceptance (screenshot only)
Slide 23: Least privilege at runtime (screenshot only)
Slide 24: Incident Response with servers
- Suspicious activity? Shut down service?
- Requires investigation and triage
- Could be an administrative action
- Limited ability for narrow response
- Risk of service disruption
Slide 25: Incident Response with containers
- Unauthorized action? Block the specific action
- Container behavior model is known
- Administrative action is not allowed
- Surgical preventive controls
- No disruption of service
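Slides 21 and 25 rest on the same idea: because an immutable container has a known behavior model, a runtime control can block one unexpected action instead of shutting the service down. The script below is an added example, not Aqua's code: it learns a process whitelist from baseline events, checks each production exec event against the image manifest (drift prevention) and the learned profile (full whitelisting), refuses administrative exec sessions, and leaves the container running. The event format, the manifest, the hashes and the function names are constructed for this illustration.

```python
"""Runtime control for an immutable container: executable whitelist learned from a
baseline, drift prevention against the image manifest, surgical blocking.

Added example for slides 21, 23 and 25; it is not Aqua's code. The event and
manifest formats and every hash below are constructed for this illustration.
"""
from collections import Counter

# Constructed image manifest: executable path -> content hash recorded when the
# image was built and scanned.
IMAGE_MANIFEST = {
    "/usr/bin/python3": "sha256:aaa111",
    "/bin/sh": "sha256:bbb222",
    "/usr/bin/curl": "sha256:ccc333",
    "/app/server.py": "sha256:ddd444",
}

# Constructed exec events recorded while the application was exercised in
# Test/Stage (learning mode, the "application security modeling" step of slide 27).
BASELINE_EVENTS = [
    {"container": "web", "exe": "/usr/bin/python3", "hash": "sha256:aaa111", "origin": "entrypoint"},
    {"container": "web", "exe": "/usr/bin/python3", "hash": "sha256:aaa111", "origin": "entrypoint"},
]

# Constructed production events. The first is normal; the other three are the
# kinds of action slide 25 wants blocked individually.
PRODUCTION_EVENTS = [
    {"container": "web", "exe": "/usr/bin/python3", "hash": "sha256:aaa111", "origin": "entrypoint"},
    {"container": "web", "exe": "/bin/sh", "hash": "sha256:bbb222", "origin": "exec"},  # admin shell
    {"container": "web", "exe": "/usr/bin/curl", "hash": "sha256:ccc333", "origin": "entrypoint"},  # in image, not in profile
    {"container": "web", "exe": "/tmp/miner", "hash": "sha256:eee555", "origin": "entrypoint"},  # not in image at all
]


def build_profile(events):
    """Learn the container profile: every executable seen during the baseline run."""
    return {e["exe"] for e in events}


def evaluate(event, manifest, profile):
    """Decide on one exec event. Returns (action, reason)."""
    exe, observed = event["exe"], event["hash"]
    if event["origin"] == "exec":
        return "block", "administrative exec into the container is not allowed"
    if manifest.get(exe) != observed:
        # Path missing from the manifest, or content changed after start: drift.
        return "block", "drift: executable is not part of the image as built"
    if exe not in profile:
        return "block", "process is not in the container behavior profile"
    return "allow", "matches the container behavior profile"


def enforce(events, manifest, profile):
    """Apply the decision to each event. Only the offending action is blocked;
    the container itself keeps running (no service disruption)."""
    results = []
    for e in events:
        action, reason = evaluate(e, manifest, profile)
        results.append({"container": e["container"], "exe": e["exe"],
                        "action": action, "reason": reason})
    return results


def summarize(results):
    """Count allow/block decisions, e.g. for a SOC dashboard."""
    return Counter(r["action"] for r in results)


if __name__ == "__main__":
    profile = build_profile(BASELINE_EVENTS)
    decisions = enforce(PRODUCTION_EVENTS, IMAGE_MANIFEST, profile)
    for d in decisions:
        print(f"{d['action']:5} {d['exe']:18} {d['reason']}")
    print(dict(summarize(decisions)))
```

The checks are ordered from most to least specific: an interactive exec is refused regardless of the binary, a binary absent from the manifest is drift even if it looks familiar, and only then is the learned whitelist consulted. Compare this with slide 24, where the only available response is to stop the whole service.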
Slide 26: Roles and responsibilities
- Security: establish the policies that govern image acceptance and runtime behavior
- DevOps: use security advice from scanning in image builds
- SOC: receive events and respond to incidents
Slide 27: Same standards, escalating enforcement (table)

    Stage       Sandbox                Development                             Test/Stage                     Production
    Mode        Voluntary              Mandatory                               Detection                      Enforcement
    Activity    Scanning as a service  Scanning in the pipeline with policies  Application security modeling  Protecting the application
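Slide 18 shows what a scanner reports for one finding and slide 27 says the same findings should be enforced more strictly as an image moves toward production. The script below is an added example, not Aqua's code, that ties the two together: it reads records in the shape of slide 18, prefers the maintainer's score and severity because that is what reflects backported fixes, and applies a gate whose strictness escalates by stage. The CVE-2016-7444 record is the one from slide 18 (trimmed to the fields used); the other two records, the stage policy table and the function names are constructed for this illustration.

```python
"""Image acceptance gate over scanner output, with enforcement that escalates
by pipeline stage.

Added example for slides 18, 22 and 27; it is not Aqua's code. The record for
CVE-2016-7444 is the one shown on slide 18 (unused fields omitted); the other
two records, the stage policy table and the function names are constructed.
"""

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed mapping of slide 27's stages to gate behaviour:
#   stage -> (mode, lowest severity that fails the gate, fail even when no fix exists)
STAGE_POLICY = {
    "sandbox":     ("voluntary",   None,     False),  # scanning as a service: report only
    "development": ("mandatory",   "high",   False),  # fail fixable high/critical
    "test":        ("detection",   "medium", False),  # fail fixable medium and above
    "production":  ("enforcement", "medium", True),   # fail medium and above, fix or not
}

SCAN_RESULTS = [
    {   # from slide 18
        "name": "CVE-2016-7444",
        "nvd_score": 5, "nvd_severity": "medium",
        "vendor_score": 4.3, "vendor_severity": "low",
        "fix_version": "3.3.26-9.el7",
        "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above.",
    },
    {   # constructed: high-severity issue with a maintainer fix available
        "name": "CVE-0000-0001",
        "nvd_score": 7.5, "nvd_severity": "high",
        "vendor_score": 7.5, "vendor_severity": "high",
        "fix_version": "1.2.3-4.el7",
        "solution": "Upgrade package example-lib to version 1.2.3-4.el7 or above.",
    },
    {   # constructed: medium-severity issue with no maintainer data and no fix yet
        "name": "CVE-0000-0002",
        "nvd_score": 5.3, "nvd_severity": "medium",
        "fix_version": None,
        "solution": "",
    },
]


def effective(vuln):
    """Prefer the maintainer (vendor) score and severity: it accounts for backported
    fixes that the NVD score does not. Fall back to the NVD data otherwise."""
    source = "vendor" if vuln.get("vendor_score") is not None else "nvd"
    return {
        "name": vuln["name"],
        "source": source,
        "score": vuln[f"{source}_score"],
        "severity": vuln[f"{source}_severity"].lower(),
        "fix_version": vuln.get("fix_version"),
        "solution": vuln.get("solution", ""),
    }


def gate(scan_results, stage):
    """Decide whether an image is accepted at the given pipeline stage."""
    mode, min_severity, fail_unfixed = STAGE_POLICY[stage]
    findings = [effective(v) for v in scan_results]
    blocking = []
    for f in findings:
        if min_severity is None:
            continue  # voluntary: everything is reported, nothing blocks
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        if f["fix_version"] is None and not fail_unfixed:
            continue  # nothing DevOps can act on yet; keep it as advice
        blocking.append(f)
    return {"stage": stage, "mode": mode, "accepted": not blocking,
            "findings": findings, "blocking": blocking}


if __name__ == "__main__":
    for stage in STAGE_POLICY:
        result = gate(SCAN_RESULTS, stage)
        names = [b["name"] for b in result["blocking"]]
        print(f"{stage:12} {result['mode']:12} accepted={result['accepted']} blocking={names}")
```

With these three records the image passes the sandbox, is rejected in development and test because of the fixable high-severity finding, and is additionally held in production by the unfixed medium-severity one; the GnuTLS record never blocks because the maintainer rates it low, which is the point of reading the vendor data.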
Slide 28: Top risks addressed (table)

    Control                                        Risk addressed
    Continuous discovery, image assurance          Rogue deployment
    Enforce immutability with drift prevention     Malicious code injection
    Limit user and executable use                  Administration actions
    Secured secrets distribution into container    Compromised credentials
    Workload firewall across all interfaces        Network connections
    Secure workload with application context       Unknown vectors (Zero Day)
Slide 29: Where to start?
- CIS benchmark for K8S: kube-bench scans Kubernetes nodes against the CIS benchmark checks. github.com/aquasecurity/kube-bench
- Docker image scanner: microscanner scans a Docker build for known vulnerabilities; plug-in for Jenkins. github.com/aquasecurity/microscanner
- K8S penetration-testing: kube-hunter tests K8s clusters against known attack vectors, both remote and internal. github.com/aquasecurity/kube-hunter
Slide 30: www.aquasec.com
