
Evolution of Container Security - What's Next?


Talk delivered at BSides Toronto on Sep 29, 2018 on positioning container security in context of application lifecycle, as well as observed trends and upcoming technologies.



  1. EVOLUTION OF CONTAINER SECURITY: WHAT'S NEXT? BSides Toronto 2018, Fernando Montenegro (@fsmontenegro)
  2. Key Objectives
     • Present containers in context
     • Touch on key market trends
     • Discuss what's next
     Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018
  3. Disclaimer
     • Opinions as Analyst (i.e. "Reserve right to be wrong")
     • Vendor names are not endorsements
     • Vendor list is representative, not comprehensive
  4. Research Methodology
     • 451 Voice of the Enterprise: 60,000+ members
       ▪ Quarterly insights: Workloads & Projects; Organizational Dynamics; Vendor Evaluations; Budgets & Insights
     • Briefings, Inquiries, Research: 100s of hours
       ▪ Enterprise IT, Service Providers, Security vendors, Finance professionals
       ▪ Qualitative research
       ▪ Independent
  5. IaaS features currently in use (IaaS/public cloud users; % of respondents, n = 322)
     Source: 451 Research, Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2018
     Q4. Which of the following IaaS features is your organization using in connection with your IaaS/public cloud deployment? Please select all that apply.
     • Relational database: 45%
     • Data/business analytics: 42%
     • Containers: 41%
     • Auto-scaling: 37%
     • Data warehouse: 33%
     • Serverless compute/function as a service: 30%
     • NoSQL database: 25%
     • Real-time/streaming data processing: 23%
     • Machine learning: 22%
     • Mobile services: 21%
     • IoT platform: 16%
     • Large-scale/batch data transfer: 14%
     • Other: 5%
     • None: 8%
  6. IaaS features planned for implementation (IaaS/public cloud users; % of respondents, n = 268)
     Source: 451 Research, Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2018
     Q5. Which of the following IaaS features is your organization planning to begin using in connection with IaaS/public cloud services during the next year? Please select all that apply.
     • Machine learning: 27%
     • Containers: 19%
     • Data/business analytics: 18%
     • Serverless compute/function as a service: 16%
     • Real-time/streaming data processing: 16%
     • Auto-scaling: 15%
     • IoT platform: 15%
     • Relational database: 13%
     • Data warehouse: 12%
     • Mobile services: 12%
     • NoSQL database: 12%
     • Large-scale/batch data transfer: 10%
     • Other: 2%
     • None: 18%
  7. Approaches to cloud-native software development (respondents developing cloud-native or cloud-enabled software; % of respondents, n = 266)
     Source: 451 Research, Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2018
     Q15. When developing cloud-native software, which, if any, of the following approaches does your organization take to designing that software?
     • Design it to run effectively on any cloud environment: 32%
     • Design it to run on a specific public cloud environment: 30%
     • Design it to run effectively on any public cloud environment: 22%
     • Design it to run on our own private cloud: 17%
  9. Container Lifecycle Technology Considerations
  10. Container Architecture/Security (Source: xebia.com)
  11. Pipeline: CI/CD pipeline, Artifact Download, Container Registries, Container Runtime Environments (Build, Ship, Run); runtime layers: Host Runtime, Workload at Runtime, Orchestrator
  12. Build time considerations
      • Application Security
        ▪ Secure Coding Practices
        ▪ SAST / DAST
      • Image Scanning on Build/Pull
        ▪ Vulnerability Management
        ▪ Software Composition Analysis
        ▪ Policy Compliance
        ▪ Issues as Defects
      • Image signing
      • Attack Surface Reduction
        ▪ Multi-stage builds
  13. Ship time considerations
      • Image Registries
        ▪ Vulnerability Management: regular scans; maintain deployment info; flag age & vulnerability
        ▪ RBAC: limit user privileges
      • Orchestrator (k8s)
        ▪ Configuration management
        ▪ Open APIs
        ▪ Secrets management integration
        ▪ RBAC
        ▪ Traffic segregation
      • Networking
        ▪ Docker bridge vs Kubernetes CNI
        ▪ L4/L7 policies
  14. Run time considerations
      • Host protection
        ▪ Hardening: CIS Benchmarks; container-friendly OS
        ▪ Network segregation
        ▪ Protect APIs
        ▪ Patching
        ▪ Logging and auditing
      • Container runtime
        ▪ Least privilege
        ▪ Container firewalls
        ▪ Alternate runtimes: CRI-O; kata containers (clear containers); gVisor; Windows Hyper-V containers
        ▪ Activity monitoring, logging & auditing
        ▪ Vulnerability tracking
  15. Container Security Trends
  16. Evolving Container Governance
      • NIST SP 800-190, Container Security Guidance (Sep 2017)
      • Docker, Kubernetes
      • Image Spec, Runtime Spec
      • Kubernetes, Networking, Monitoring
  17. Key points of NIST 800-190
      • Fix organizational aspects
      • Container-specific OS vs general purpose
      • Group containers by sensitivity
      • Container-specific tooling (vulnerability, runtime)
      • Hardware-based root of trust
  19. Rise of 'Managed' Runtime
      • Orchestrator (ECS/EKS, AKS, GKE) requests container execution; CSP transparently instantiates the container
      • Security challenges:
        ▪ No host to monitor from
        ▪ Ephemeral workloads (by design)
        ▪ Code issues remain (input sanitization, 3rd party libraries, …)
  20. Competing Commercial Offerings
      • Benefits: richer container-specific features. Drawbacks: additional vendor to manage.
      • Benefits: opportunities for consolidation. Drawbacks: more limited function set.
  21. Competing Commercial Offerings
      • Benefits: overarching platforms with rich feature sets. Drawbacks: usually limited support for newer features.
      • Benefits: ease of deployment and integration. Drawbacks: limited portability.
  22. Moving Forward – What's Next?
  23. Service Mesh (Istio/Linkerd/…) (Source: Istio)
      • Mission-critical functions
        ▪ Traffic Management: routing, access control, …
        ▪ Observability
        ▪ Security
      • Security
        ▪ Traffic Encryption
        ▪ Mutual TLS & fine-grained policies
        ▪ Auditing
  24. Pipeline: CI/CD pipeline, Artifact Download, Container Registries, Container Runtime Environments (Build, Ship, Run); runtime layers: Host Runtime, Workload at Runtime, Orchestrator, Service Mesh
  25. Event-driven Functions as a Service (aka "Serverless") (Source: AWS)
      • No visible footprint
      • Instantiated as provider-managed containers
      • Examples: AWS Lambda; Azure Functions; Google Functions; OpenWhisk; Kubeless
      • Security challenges:
        ▪ No host to monitor from
        ▪ Ephemeral workloads (by design)
        ▪ Code issues remain (input sanitization, 3rd party libraries, …)
  26. Recap - Key Objectives
      • Present containers in context: container adoption trends; Build, Ship, Run
      • Touch on key market trends: governance, competition, services
      • Discuss what's next: service mesh, serverless
      • Recommendations
  27. Recommendations for security
      • A LOT more to "securing containers" than "container security"
      • Look beyond container runtime security
      • Consider diminishing control over the runtime environment
      • DevOps integration is essential
      • How to split your time: 50-60 / 20-30 / 10-20
  28. Open Source and News References
      • Clair (Vulnerability Scanning): https://github.com/coreos/clair
      • Microscanner (Vulnerability Scanning): https://github.com/aquasecurity/microscanner
      • Dagda (Vulnerability Scanning): https://github.com/eliasgranderubio/dagda
      • Docker-bench (Hardening): https://github.com/docker/docker-bench-security
      • Kube-bench (Hardening): https://github.com/aquasecurity/kube-bench
      • Falco (Monitoring): https://github.com/draios/falco/
      • Kube-hunter (Other): https://github.com/aquasecurity/kube-hunter
      • Cilium (Other): https://cilium.io/
  29. @fsmontenegro
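The "Least privilege" and "Policy Compliance" items on the Build, Ship and Run slides become concrete once they are written as a check that can gate a deployment. The following is an added example, not code from the talk or from any of the listed projects: a Python function that audits a Kubernetes pod manifest (already parsed from YAML into a dict) against a set of runtime least-privilege rules chosen here (host namespaces, privileged mode, root user, privilege escalation, writable root filesystem, added capabilities, hostPath mounts and unpinned image tags); the two sample manifests are constructed.

```python
"""Least-privilege audit of a Kubernetes pod manifest (added example, not from the talk)."""

# Assumption: capabilities an ordinary application container should never add.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"}


def check_pod(pod):
    """Return one finding per least-privilege violation; an empty list means clean."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    # Sharing host namespaces exposes the node's processes, network stack or IPC.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"{name}: {ns} enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # mounts the node's filesystem into the pod
            findings.append(f"{name}: hostPath volume {vol['hostPath'].get('path')}")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # A container-level securityContext setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}/{cname}: runAsNonRoot not enforced")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}/{cname}: writable root filesystem")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}/{cname}: capabilities not dropped")
        for cap in sorted(set(caps.get("add", [])) & DANGEROUS_CAPS):
            findings.append(f"{name}/{cname}: adds capability {cap}")
        image = c.get("image", "")
        # Mutable tags defeat the registry goal of maintaining accurate deployment info.
        if image.endswith(":latest") or ("@sha256:" not in image and ":" not in image):
            findings.append(f"{name}/{cname}: image {image!r} is not pinned")
    return findings


# Constructed sample manifests: a weak pod and its hardened counterpart.
WEAK_POD = {"metadata": {"name": "web"}, "spec": {"hostPID": True, "containers": [
    {"name": "app", "image": "example/app:latest",
     "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
HARDENED_POD = {"metadata": {"name": "web"}, "spec": {"securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example/app@sha256:" + "0" * 64,  # placeholder digest
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
```

Run as an admission or CI gate, a non-empty result from check_pod is an "issue as defect" in the talk's terms: the build fails until the manifest is fixed, rather than being caught by runtime monitoring after deployment.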
