SlideShare a Scribd company logo

Practical Approaches to Cloud Native Security

Karthik Gaekwad
Karthik Gaekwad

Security considerations for containers, Kubernetes and microservices. Presented at RSA 2019

Engineering
1 of 88
Download to read offline
#RSAC SESSION ID: Karthik Gaekwad Practical Approaches to Cloud Native Security ASD-W10 Principal Engineer Oracle Inc @iteration1
#RSAC •I’m Karthik Gaekwad •NOT a DBA •https://cloudnative.oracle.com/ •Cloud Native Evangelist at Oracle Cloud •Past: Developer on the Oracle Managed Kubernetes Team Hello @iteration1
#RSAC Hello Been in Industry for 15 years. In general, I like building stuff with friends. – Maintainer for Gauntlt- Open source security scanner. Love Teaching and building community. – Run Devopsdays Austin, Container Days, Cloud Austin. – Chair All Day Devops Cloud Native track. – LinkedIn Learning Author for Learning Kubernetes (and more).
#RSAC I mustache you a question…
#RSAC The Cloud Native Journey 5 Phase I Developer Focus Phase II DevOps Focus Phase III Business Focus (end-to-end) Container Adoption Application Deployment Intelligent Operations SpeedEfficiencyAgility Docker Kubernetes Core to Edge Developer adoption Dev/Test apps Simple orchestration Individual developers DevOps deployment Production apps Advanced orchestration Teams & lines of business End-to-end integration Digital business apps Serverless, DevSecOps, & ML Cloud native enterprises Focus Applications Automation Community
#RSAC CNCF Survey: August 2018 How Does Your Company Use Containers and Where? Lots of adoption on dev/staging Continued production increase
#RSAC CNCF Survey: August 2018 How Does Your Company Use Containers and Where? Adoption over public and on-prem
#RSAC Kubernetes Dominates Container Management Your company/organization manages containers with: Winner! Kubernetes
#RSAC Good News, Bad News… But... ManyProjects… Good usage in dev/prod
#RSAC Top 5 challenges to cloud native adoption… 0 5 10 15 20 25 30 35 40 45 Complexity Cultural Challenges Lack of Training Security Monitoring Percentages
#RSAC Managing, maintaining, upgrading Kubernetes Control Plane – API Server, etcd, scheduler etc…. Managing, maintaining, upgrading Kubernetes Data Plane – In place upgrades, deploy parallel cluster etc…. Figuring out container networking & storage – Overlays, persistent storage etc… - it should just work Managing Teams – How do I manage & control team access to my clusters? Security, security, security Kubernetes & Cloud Native Challenges 11 Source: Oracle Customer Survey 2018
#RSAC How Are Teams Addressing Complexity, Training Issues? App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation Customer Managed Fully-Managed App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation  Faster Time to Deploy  Lower Risk  Accelerate Innovation Benefits YOU
#RSAC Which brings us to security…
#RSAC Where no news, is good news!
#RSAC Unsecured K8s dashboards Unsecured Kubernetes Dashboard with account creds. Used this to mine cryptocurrency. 2017: Aviva 2018: Tesla, Weight Watchers https://redlock.io/blog/cryptojacking-tesla
#RSAC Kubelet credentials hack Shopify: Server Side request Forgery Get kubelet certs/private key Root access to any container in part of infrastructure. https://hackerone.com/reports/341876
#RSAC CVE’s Happen… Even more relevant with increased production usage of containers…
#RSAC CVE’s Happen… Container Escaping Privilege Escalation
#RSAC
#RSAC
#RSAC
#RSAC
#RSAC
#RSAC How did we get here?
#RSAC “Kubernetes is too complicated”
#RSAC “Kubernetes is too complicated” “We hope it’ll get easier”
#RSAC What is your strate
#RSAC Let’s look at: Attack Surface –More importantly, how to limit damage Security related features in K8s –The more you know, the better you build Opensource Tooling to help –Because we all need help
#RSAC Attack Surface
#RSAC Attack Surface Goal: Reduce the attack surface Analysis for: –Host(s) –Container (Images and running) –Kubernetes Cluster
#RSAC Attack Surface: Host These are the machines you’re running Kubernetes on. Age old principles of Linux still apply: – Enable SELinux – AppArmor – Seccomp – Hardened Images Goal: Minimize privilege to applications running on the host Good news: Already a wealth of information on this subject! – http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux
#RSAC Attack Surface: Container Images GOAL: Know your base image when building containers
#RSAC Attack Surface: Container Images GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
#RSAC Attack Surface: Container Images GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
#RSAC Attack Surface: Container Images GOAL: Know your base image when building containers Full disclosure: I’m karthequian; I created this as a ruby 101 container for learning purposes only
#RSAC Attack Surface: Container Images GOAL: Know your base image when building containers When in doubt, stick to an official images! Or start from a sane base image (example: alpine linux)
#RSAC Attack Surface: Container Images GOAL: Smaller the image, the better Less things for an attacker to exploit. Quicker to push, quicker to pull.
#RSAC Attack Surface: Container Images GOAL: Don’t rely on :latest tag :latest image yesterday might not be :latest image tomorrow Instead, you’d want to know what specific version you’re operating with. Side benefit: If there is a new vulnerability announced for OS version x.y.z, you know immediately whether you’re running that version!
#RSAC Attack Surface: Container Images GOAL: Check for vulnerabilities periodically Plenty of ways to do this in registries. We’ll cover more in the tooling section
#RSAC Attack Surface: Running Containers GOAL: Don’t run as root Containers running as root might be completely unnecessary for the actual application. If compromised, attacker can do a lot more things.. Pod security policies can help (we’ll see how later).
#RSAC Attack Surface: Running Containers GOAL: Limit host mounts Be wary of images that require broad access to paths on the host Limit your host mount to a smaller subset of directories Reduces blast radius on compromise
#RSAC Attack Surface: Kubernetes Cluster
#RSAC Kubernetes Cluster- TLS TLS ALL THE THINGS
#RSAC Kubernetes Cluster- TLS TLS Checklist: 1. Nodes and Master 2. User and Master 3. Everything etcd 4. Kubelet to API Server
#RSAC Kubernetes Cluster- TLS
#RSAC Kubernetes Cluster- TLS TLS Checklist: 1. User and Master 2. Nodes and Master 3. Everything etcd 4. Kubelet to API Server
#RSAC CVE’s 47 GOAL: Have an upgrade strategy Because…CVE’s are fixed in new minor versions. Don’t treat K8s as “install once, run all the time”. Make your K8s install repeatable for different versions. ..Or use a Managed Provider. – Either automatically patch for you, or tell you what to do.
#RSAC We’re a little better off now. But what else to do?
#RSAC K8s Features How can the platform help me make secure choices?
#RSAC K8s Features Kubernetes Secrets Authentication Authorization Audit Logging Network Policies Pod security policies
#RSAC Kubernetes Secrets GOAL: Use Kubernetes secrets to store sensitive data instead of config maps. Also look at: secrets encryption provider. – Controls how etcd encrypts API data – --experimental-encryption-provider-config https://kubernetes.io/docs/tasks/administer-cluster/encrypt- data/
#RSAC Authentication and Authorization Do you know how you are authenticating with Kubernetes? Many ways to Authenticate – Client Certs – Static token file – Service Account tokens – OpenID – Webhook Mode – And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
#RSAC Whatever you do, DO NOT YOLO! Goal: Pick a strategy that fits your use case
#RSAC You can pick an authz strategy.. If you DO NOT YOLO…
#RSAC Authentication and Authorization https://kubernetes.io/docs/reference/acc ess-authn-authz/authorization/
#RSAC Authentication and Authorization Pro tip: Nobody uses ABAC anymore. Don’t be that guy…. RBAC is the defacto standard – Based on roles and role bindings – Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-policies Can use multiple authorizers together, but can get confusing. – 1st authorizer to authorize passes authz
#RSAC Kubernetes Cluster- Audit Logs Wat? “Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.” Answers: What/when/who/where information on security events. Your job: Periodically watch Kubernetes Audit logs https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
#RSAC
#RSAC Kubernetes Cluster- Network Policies Consider adding a network policy to the cluster… Default Policy: All pods can talk to all other pods. Consider limiting this with a Network Policy https://kubernetes.io/docs/concepts/services-networking/network-policies/
#RSAC Kubernetes Cluster- Pod Security Policies Consider adding Pod Security policies PodSecurityPolicy: A Defined set of conditions a pod must run with. Think of this as authorization for pods.
#RSAC Kubernetes Cluster: Pod Security Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy Capability for an admin to control specific actions
#RSAC Open Policy Agent Policy based control for your whole environment. Full featured Policy Engine to offload policy decisions from each application/service. – Deploy OPA alongside your service – Add policy data to OPA’s store – Query OPA on decisions. Great idea, still early, watch this space… Standardize policies for all clusters https://www.openpolicyagent.org/ 62
#RSAC Tooling Opensource Tooling
#RSAC Keep tabs on the CNCF Security landscape https://landscape.cncf.io/landscape=security-complia
#RSAC CNCF Projects “The Update Framework” Is a framework or a methodology. Used for secure software updates. Based on ideas surrounding trust and integrity. Is a project. Based on TUF. A solution to secure software updates and distribution. Used in Docker Trusted Registry.
#RSAC Clair Open source project for the static analysis of vulnerabilities in containers. Find vulnerable images in your repo. Built into quay.io, but you can add to your own repo. https://github.com/coreos/clair
#RSAC
#RSAC Harbor Newer! CNCF Project Registry product Supports vulnerability scanning, image signing and identity control Scope is larger than clair
#RSAC Harbor
#RSAC Kube-bench Checks whether a Kubernetes cluster is deployed according to security best practices. Run this after creating your K8s cluster. https://github.com/aquasecurity/kube-bench Defined by the CIS Benchmarks Docs: https://www.cisecurity.org/cis-benchmarks/ Run it against your Kubernetes Master, or Kubernetes node.
#RSAC Kube-bench example
#RSAC Kube-hunter Penetration Testing tool for Kubernetes clusters. Looks for weaknesses in your cluster. 2 ways to run: – External to cluster (what an attacker sees) – Internal to cluster (install as a pod) Active and Passive mode. – Active mode changes stuff (probably don’t use in Prod) Read more: https://kube-hunter.aquasec.com/ ONLY RUN ON YOUR OWN CLUSTER. 72
#RSAC Kube-hunter 73
#RSAC Kubesec Helps you quantify risk for Kubernetes resources. Run against your K8s applications (deployments/pods/daemonsets etc) https://kubesec.io/ from controlplane Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec)
#RSAC Kubesec example
#RSAC Kubeaudit Opensourced from Shopify. Auditing your applications in your K8s cluster. https://github.com/Shopify/kubeaudit Little more targeted than Kubesec.
#RSAC
#RSAC Kubeaudit example
#RSAC Sonobuoy by Heptio Sonobuoy is a diagnostic tool. Tells you whether your cluster is built correctly per best practices. vendor-agnostic conformance tests to let you test the cluster. End to End tests test that APIs required for your deployment are supported by the cluster. Can take a long time to finish (1-3 hours). https://scanner.heptio.com/ 79
#RSAC Test Output summary Stored in a file called e2e.log 80
Put it all together… 81
#RSAC Apply It! 82 Day 1: Know what version of Docker and Kubernetes you use. Understand if your control and data plane nodes are hardened. Understand how your Docker containers are built. Find out how you authenticate and authorize for your clusters.
#RSAC Apply It! 83 Week 1: Build an Automation Pipeline: –To build Docker images on code pushes –Versioning strategy for code –To build your Kubernetes clusters
#RSAC Apply It! 84 1st Month Sanitize your code: –Know your base images –Implement versioning for your containers –Invest in a registry (or tooling) that does vulnerability scanning Kubernetes: –Have an upgrade strategy in place –Analyze secrets/sensitive cluster data –Turn on audit logging
#RSAC Apply It! 85 3 Months: Continuously Monitor – Tooling like sonobuoy/Kubesec/Kube-audit/kube-hunter// Plan how to address vulnerabilities/CVE’s K8s: – Strategy for Pod Security Policies – Strategy for Network Policies – Run scans (like kube-bench) on cluster creation
#RSAC Apply It! 86 6 Months: Re-ask day 1 questions. Review strategies- is it working? What needs tweaking? Review tooling- are there new tools that help? Are existing tools working? Review CVE’s
#RSAC Couple more resources to look at: 11 ways not to get hacked: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get- hacked K8s security (from Image Hygiene to Network Policy): https://speakerdeck.com/mhausenblas/kubernetes-security- from-image-hygiene-to-network-policies
#RSAC KEEP CALM AND KUBE ON @iteration1

Recommended

Kube Apps in action
Kube Apps in actionKube Apps in action
Kube Apps in actionKarthik Gaekwad
 
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative worldKarthik Gaekwad
 
KubeSecOps
KubeSecOpsKubeSecOps
KubeSecOpsKarthik Gaekwad
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Immutable Awesomeness by John Willis and Josh Corman
Immutable Awesomeness by John Willis and Josh CormanImmutable Awesomeness by John Willis and Josh Corman
Immutable Awesomeness by John Willis and Josh CormanDocker, Inc.
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Making Friendly Microservices by Michele Titlol
Making Friendly Microservices by Michele TitlolMaking Friendly Microservices by Michele Titlol
Making Friendly Microservices by Michele TitlolDocker, Inc.
 

Recommended

Kube Apps in action
Kube Apps in actionKube Apps in action
Kube Apps in actionKarthik Gaekwad
 
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative worldKarthik Gaekwad
 
KubeSecOps
KubeSecOpsKubeSecOps
KubeSecOpsKarthik Gaekwad
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Immutable Awesomeness by John Willis and Josh Corman
Immutable Awesomeness by John Willis and Josh CormanImmutable Awesomeness by John Willis and Josh Corman
Immutable Awesomeness by John Willis and Josh CormanDocker, Inc.
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
Making Friendly Microservices by Michele Titlol
Making Friendly Microservices by Michele TitlolMaking Friendly Microservices by Michele Titlol
Making Friendly Microservices by Michele TitlolDocker, Inc.
 
Docker and Devops
Docker and DevopsDocker and Devops
Docker and DevopsDocker, Inc.
 
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...Docker, Inc.
 
Docker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker, Inc.
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Docker Meetup at Docker HQ: Docker Cloud
Docker Meetup at Docker HQ: Docker CloudDocker Meetup at Docker HQ: Docker Cloud
Docker Meetup at Docker HQ: Docker CloudDocker, Inc.
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Keith Lynch
 
56k.cloud training
56k.cloud training56k.cloud training
56k.cloud trainingBrian Christner
 
DockerCon EU 2015: Official Repos and Project Nautilus
DockerCon EU 2015: Official Repos and Project NautilusDockerCon EU 2015: Official Repos and Project Nautilus
DockerCon EU 2015: Official Repos and Project NautilusDocker, Inc.
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
 
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Docker, Inc.
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT RightScale
 
OpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetesOpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetesSamuel Terburg
 
Docker management
Docker managementDocker management
Docker managementKarthik Gaekwad
 
The Next Generation Cloud: Unleashing the Power of the Unikernal
The Next Generation Cloud: Unleashing the Power of the UnikernalThe Next Generation Cloud: Unleashing the Power of the Unikernal
The Next Generation Cloud: Unleashing the Power of the UnikernalAll Things Open
 
Enterprise Cloud Native is the New Normal
Enterprise Cloud Native is the New NormalEnterprise Cloud Native is the New Normal
Enterprise Cloud Native is the New NormalQAware GmbH
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1Docker, Inc.
 
DockerCon SF 2015: Faster, Cheaper, Safer
DockerCon SF 2015: Faster, Cheaper, SaferDockerCon SF 2015: Faster, Cheaper, Safer
DockerCon SF 2015: Faster, Cheaper, SaferDocker, Inc.
 
DCSF 19 Docker Enterprise Platform and Architecture
DCSF 19 Docker Enterprise Platform and ArchitectureDCSF 19 Docker Enterprise Platform and Architecture
DCSF 19 Docker Enterprise Platform and ArchitectureDocker, Inc.
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...Daniel Bryant
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesAmbassador Labs
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?James Wickett
 

More Related Content

What's hot

DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...Docker, Inc.
 
Docker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker, Inc.
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Docker Meetup at Docker HQ: Docker Cloud
Docker Meetup at Docker HQ: Docker CloudDocker Meetup at Docker HQ: Docker Cloud
Docker Meetup at Docker HQ: Docker CloudDocker, Inc.
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Keith Lynch
 
DockerCon EU 2015: Official Repos and Project Nautilus
DockerCon EU 2015: Official Repos and Project NautilusDockerCon EU 2015: Official Repos and Project Nautilus
DockerCon EU 2015: Official Repos and Project NautilusDocker, Inc.
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Weaveworks
 
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Docker, Inc.
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT RightScale
 
OpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetesOpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetesSamuel Terburg
 
The Next Generation Cloud: Unleashing the Power of the Unikernal
The Next Generation Cloud: Unleashing the Power of the UnikernalThe Next Generation Cloud: Unleashing the Power of the Unikernal
The Next Generation Cloud: Unleashing the Power of the UnikernalAll Things Open
 
Enterprise Cloud Native is the New Normal
Enterprise Cloud Native is the New NormalEnterprise Cloud Native is the New Normal
Enterprise Cloud Native is the New NormalQAware GmbH
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1Docker, Inc.
 
DockerCon SF 2015: Faster, Cheaper, Safer
DockerCon SF 2015: Faster, Cheaper, SaferDockerCon SF 2015: Faster, Cheaper, Safer
DockerCon SF 2015: Faster, Cheaper, SaferDocker, Inc.
 
DCSF 19 Docker Enterprise Platform and Architecture
DCSF 19 Docker Enterprise Platform and ArchitectureDCSF 19 Docker Enterprise Platform and Architecture
DCSF 19 Docker Enterprise Platform and ArchitectureDocker, Inc.
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...Daniel Bryant
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesAmbassador Labs
 

What's hot (20)

Docker and Devops
Docker and DevopsDocker and Devops
Docker and Devops
 
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
 
Docker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott CoultonDocker in Production, Look No Hands! by Scott Coulton
Docker in Production, Look No Hands! by Scott Coulton
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Docker Meetup at Docker HQ: Docker Cloud
Docker Meetup at Docker HQ: Docker CloudDocker Meetup at Docker HQ: Docker Cloud
Docker Meetup at Docker HQ: Docker Cloud
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016
 
56k.cloud training
56k.cloud training56k.cloud training
56k.cloud training
 
DockerCon EU 2015: Official Repos and Project Nautilus
DockerCon EU 2015: Official Repos and Project NautilusDockerCon EU 2015: Official Repos and Project Nautilus
DockerCon EU 2015: Official Repos and Project Nautilus
 
Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)Introduction to Kubernetes Security (Aqua & Weaveworks)
Introduction to Kubernetes Security (Aqua & Weaveworks)
 
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
Learning the Alphabet: A/B, CD and [E-Z] in the Docker Datacenter by Brett Ti...
 
Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT Using Rancher and Docker with RightScale at Industrie IT
Using Rancher and Docker with RightScale at Industrie IT
 
OpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetesOpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetes
 
Docker management
Docker managementDocker management
Docker management
 
The Next Generation Cloud: Unleashing the Power of the Unikernal
The Next Generation Cloud: Unleashing the Power of the UnikernalThe Next Generation Cloud: Unleashing the Power of the Unikernal
The Next Generation Cloud: Unleashing the Power of the Unikernal
 
Enterprise Cloud Native is the New Normal
Enterprise Cloud Native is the New NormalEnterprise Cloud Native is the New Normal
Enterprise Cloud Native is the New Normal
 
DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1DockerCon 16 General Session Day 1
DockerCon 16 General Session Day 1
 
DockerCon SF 2015: Faster, Cheaper, Safer
DockerCon SF 2015: Faster, Cheaper, SaferDockerCon SF 2015: Faster, Cheaper, Safer
DockerCon SF 2015: Faster, Cheaper, Safer
 
DCSF 19 Docker Enterprise Platform and Architecture
DCSF 19 Docker Enterprise Platform and ArchitectureDCSF 19 Docker Enterprise Platform and Architecture
DCSF 19 Docker Enterprise Platform and Architecture
 
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
LJC 4/21"Easy Debugging of Java Microservices Running on Kubernetes with Tele...
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for Kubernetes
 

Similar to Practical Approaches to Cloud Native Security

DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?James Wickett
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityPriyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfacePriyanka Aash
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack VectorsTeri Radichel
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSAShannon Lietz
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations CenterJimmy Mesta
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesQAware GmbH
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityScott Carlson
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)Jonathan Cran
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityFrank Kim
 

Similar to Practical Approaches to Cloud Native Security (20)

DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack Vectors
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud Security
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 

More from Karthik Gaekwad

Mental Health studies and devops
Mental Health studies and devopsMental Health studies and devops
Mental Health studies and devopsKarthik Gaekwad
 
Kubernetes security and you
Kubernetes security and youKubernetes security and you
Kubernetes security and youKarthik Gaekwad
 
Kube applications in action
Kube applications in actionKube applications in action
Kube applications in actionKarthik Gaekwad
 
Containers, microservices and serverless for realists
Containers, microservices and serverless for realistsContainers, microservices and serverless for realists
Containers, microservices and serverless for realistsKarthik Gaekwad
 
Containers and microservices for realists
Containers and microservices for realistsContainers and microservices for realists
Containers and microservices for realistsKarthik Gaekwad
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applicationsKarthik Gaekwad
 
Agile 2014- Metrics driven development and devops
Agile 2014- Metrics driven development and devopsAgile 2014- Metrics driven development and devops
Agile 2014- Metrics driven development and devopsKarthik Gaekwad
 
Devopsdays Austin 2014 Ignite: Keep devops weird
Devopsdays Austin 2014 Ignite: Keep devops weirdDevopsdays Austin 2014 Ignite: Keep devops weird
Devopsdays Austin 2014 Ignite: Keep devops weirdKarthik Gaekwad
 
Cloud Austin 2013: Conferenced2013
Cloud Austin 2013: Conferenced2013Cloud Austin 2013: Conferenced2013
Cloud Austin 2013: Conferenced2013Karthik Gaekwad
 
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!Karthik Gaekwad
 
Agile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes EverythingAgile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes EverythingKarthik Gaekwad
 
Sexy HTML with Twitter Bootstrap
Sexy HTML with Twitter BootstrapSexy HTML with Twitter Bootstrap
Sexy HTML with Twitter BootstrapKarthik Gaekwad
 
12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- Stormpath12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- StormpathKarthik Gaekwad
 
We built this city on Dev and Ops
We built this city on Dev and OpsWe built this city on Dev and Ops
We built this city on Dev and OpsKarthik Gaekwad
 
30 days or less: New Features to Production
30 days or less: New Features to Production30 days or less: New Features to Production
30 days or less: New Features to ProductionKarthik Gaekwad
 

More from Karthik Gaekwad (20)

Why to Cloud Native
Why to Cloud NativeWhy to Cloud Native
Why to Cloud Native
 
Mental Health studies and devops
Mental Health studies and devopsMental Health studies and devops
Mental Health studies and devops
 
This is your community
This is your communityThis is your community
This is your community
 
Kubernetes security and you
Kubernetes security and youKubernetes security and you
Kubernetes security and you
 
Kube applications in action
Kube applications in actionKube applications in action
Kube applications in action
 
Devops and Dadops
Devops and DadopsDevops and Dadops
Devops and Dadops
 
Containers, microservices and serverless for realists
Containers, microservices and serverless for realistsContainers, microservices and serverless for realists
Containers, microservices and serverless for realists
 
Containers and microservices for realists
Containers and microservices for realistsContainers and microservices for realists
Containers and microservices for realists
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
 
Why to docker
Why to dockerWhy to docker
Why to docker
 
Agile 2014- Metrics driven development and devops
Agile 2014- Metrics driven development and devopsAgile 2014- Metrics driven development and devops
Agile 2014- Metrics driven development and devops
 
Devopsdays Austin 2014 Ignite: Keep devops weird
Devopsdays Austin 2014 Ignite: Keep devops weirdDevopsdays Austin 2014 Ignite: Keep devops weird
Devopsdays Austin 2014 Ignite: Keep devops weird
 
Cloud Austin 2013: Conferenced2013
Cloud Austin 2013: Conferenced2013Cloud Austin 2013: Conferenced2013
Cloud Austin 2013: Conferenced2013
 
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
 
Agile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes EverythingAgile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes Everything
 
DevOps at the CIA
DevOps at the CIADevOps at the CIA
DevOps at the CIA
 
Sexy HTML with Twitter Bootstrap
Sexy HTML with Twitter BootstrapSexy HTML with Twitter Bootstrap
Sexy HTML with Twitter Bootstrap
 
12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- Stormpath12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- Stormpath
 
We built this city on Dev and Ops
We built this city on Dev and OpsWe built this city on Dev and Ops
We built this city on Dev and Ops
 
30 days or less: New Features to Production
30 days or less: New Features to Production30 days or less: New Features to Production
30 days or less: New Features to Production
 

Recently uploaded

Forming section troubleshooting checklist for improving wire life (1).ppt
Forming section troubleshooting checklist for improving wire life (1).pptForming section troubleshooting checklist for improving wire life (1).ppt
Forming section troubleshooting checklist for improving wire life (1).pptNoman khan
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosVictor Morales
 
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...IJAEMSJORNAL
 
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...gerogepatton
 
Theory of Machine Notes / Lecture Material .pdf
Theory of Machine Notes / Lecture Material .pdfTheory of Machine Notes / Lecture Material .pdf
Theory of Machine Notes / Lecture Material .pdfShreyas Pandit
 
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...KrishnaveniKrishnara1
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar
 
Secure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech LabsSecure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech Labsamber724300
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfBalamuruganV28
 
A brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProA brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProRay Yuan Liu
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier Fernández Muñoz
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmDeepika Walanjkar
 
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfComprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfalene1
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
Curve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptxCurve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptxRomil Mishra
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptJohnWilliam111370
 

Recently uploaded (20)

Forming section troubleshooting checklist for improving wire life (1).ppt
Forming section troubleshooting checklist for improving wire life (1).pptForming section troubleshooting checklist for improving wire life (1).ppt
Forming section troubleshooting checklist for improving wire life (1).ppt
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
 
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
Guardians of E-Commerce: Harnessing NLP and Machine Learning Approaches for A...
 
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
March 2024 - Top 10 Read Articles in Artificial Intelligence and Applications...
 
Theory of Machine Notes / Lecture Material .pdf
Theory of Machine Notes / Lecture Material .pdfTheory of Machine Notes / Lecture Material .pdf
Theory of Machine Notes / Lecture Material .pdf
 
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
22CYT12 & Chemistry for Computer Systems_Unit-II-Corrosion & its Control Meth...
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
Secure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech LabsSecure Key Crypto - Tech Paper JET Tech Labs
Secure Key Crypto - Tech Paper JET Tech Labs
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdf
 
A brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision ProA brief look at visionOS - How to develop app on Apple's Vision Pro
A brief look at visionOS - How to develop app on Apple's Vision Pro
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptx
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
 
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfComprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
 
ASME-B31.4-2019-estandar para diseño de ductos
ASME-B31.4-2019-estandar para diseño de ductosASME-B31.4-2019-estandar para diseño de ductos
ASME-B31.4-2019-estandar para diseño de ductos
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
Curve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptxCurve setting (Basic Mine Surveying)_MI10412MI.pptx
Curve setting (Basic Mine Surveying)_MI10412MI.pptx
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
 

Practical Approaches to Cloud Native Security

  • 1. #RSAC SESSION ID: Karthik Gaekwad Practical Approaches to Cloud Native Security ASD-W10 Principal Engineer Oracle Inc @iteration1
  • 2. #RSAC •I’m Karthik Gaekwad •NOT a DBA •https://cloudnative.oracle.com/ •Cloud Native Evangelist at Oracle Cloud •Past: Developer on the Oracle Managed Kubernetes Team Hello @iteration1
  • 3. #RSAC Hello Been in Industry for 15 years. In general, I like building stuff with friends. – Maintainer for Gauntlt- Open source security scanner. Love Teaching and building community. – Run Devopsdays Austin, Container Days, Cloud Austin. – Chair All Day Devops Cloud Native track. – LinkedIn Learning Author for Learning Kubernetes (and more).
  • 4. #RSAC I mustache you a question…
  • 5. #RSAC The Cloud Native Journey 5 Phase I Developer Focus Phase II DevOps Focus Phase III Business Focus (end-to-end) Container Adoption Application Deployment Intelligent Operations SpeedEfficiencyAgility Docker Kubernetes Core to Edge Developer adoption Dev/Test apps Simple orchestration Individual developers DevOps deployment Production apps Advanced orchestration Teams & lines of business End-to-end integration Digital business apps Serverless, DevSecOps, & ML Cloud native enterprises Focus Applications Automation Community
  • 6. #RSAC CNCF Survey: August 2018 How Does Your Company Use Containers and Where? Lots of adoption on dev/staging Continued production increase
  • 7. #RSAC CNCF Survey: August 2018 How Does Your Company Use Containers and Where? Adoption over public and on-prem
  • 8. #RSAC Kubernetes Dominates Container Management Your company/organization manages containers with: Winner! Kubernetes
  • 9. #RSAC Good News, Bad News… But... ManyProjects… Good usage in dev/prod
  • 10. #RSAC Top 5 challenges to cloud native adoption… 0 5 10 15 20 25 30 35 40 45 Complexity Cultural Challenges Lack of Training Security Monitoring Percentages
  • 11. #RSAC Managing, maintaining, upgrading Kubernetes Control Plane – API Server, etcd, scheduler etc…. Managing, maintaining, upgrading Kubernetes Data Plane – In place upgrades, deploy parallel cluster etc…. Figuring out container networking & storage – Overlays, persistent storage etc… - it should just work Managing Teams – How do I manage & control team access to my clusters? Security, security, security Kubernetes & Cloud Native Challenges 11 Source: Oracle Customer Survey 2018
  • 12. #RSAC How Are Teams Addressing Complexity, Training Issues? App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation Customer Managed Fully-Managed App Management Upgrades & Patching Platform Backup & Recovery High Availability Scaling App Deployment Power, HVAC Rack and Stack Server Provisioning Software Installation  Faster Time to Deploy  Lower Risk  Accelerate Innovation Benefits YOU
  • 13. #RSAC Which brings us to security…
  • 14. #RSAC Where no news, is good news!
  • 15. #RSAC Unsecured K8s dashboards Unsecured Kubernetes Dashboard with account creds. Used this to mine cryptocurrency. 2017: Aviva 2018: Tesla, Weight Watchers https://redlock.io/blog/cryptojacking-tesla
  • 16. #RSAC Kubelet credentials hack Shopify: Server Side request Forgery Get kubelet certs/private key Root access to any container in part of infrastructure. https://hackerone.com/reports/341876
  • 17. #RSAC CVE’s Happen… Even more relevant with increased production usage of containers…
  • 19. #RSAC
  • 20. #RSAC
  • 21. #RSAC
  • 22. #RSAC
  • 23. #RSAC
  • 24. #RSAC How did we get here?
  • 25. #RSAC “Kubernetes is too complicated”
  • 26. #RSAC “Kubernetes is too complicated” “We hope it’ll get easier”
  • 28. #RSAC Let’s look at: Attack Surface –More importantly, how to limit damage Security related features in K8s –The more you know, the better you build Opensource Tooling to help –Because we all need help
  • 30. #RSAC Attack Surface Goal: Reduce the attack surface Analysis for: –Host(s) –Container (Images and running) –Kubernetes Cluster
  • 31. #RSAC Attack Surface: Host These are the machines you’re running Kubernetes on. Age old principles of Linux still apply: – Enable SELinux – AppArmor – Seccomp – Hardened Images Goal: Minimize privilege to applications running on the host Good news: Already a wealth of information on this subject! – http://lmgtfy.com/?q=how+to+reduce+attack+surface+linux
  • 32. #RSAC Attack Surface: Container Images GOAL: Know your base image when building containers
  • 33. #RSAC Attack Surface: Container Images GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
  • 34. #RSAC Attack Surface: Container Images GOAL: Know your base image when building containers **BTW, this is just a ruby helloworld app
  • 35. #RSAC Attack Surface: Container Images GOAL: Know your base image when building containers Full disclosure: I’m karthequian; I created this as a ruby 101 container for learning purposes only
  • 36. #RSAC Attack Surface: Container Images GOAL: Know your base image when building containers When in doubt, stick to an official images! Or start from a sane base image (example: alpine linux)
  • 37. #RSAC Attack Surface: Container Images GOAL: Smaller the image, the better Less things for an attacker to exploit. Quicker to push, quicker to pull.
  • 38. #RSAC Attack Surface: Container Images GOAL: Don’t rely on :latest tag :latest image yesterday might not be :latest image tomorrow Instead, you’d want to know what specific version you’re operating with. Side benefit: If there is a new vulnerability announced for OS version x.y.z, you know immediately whether you’re running that version!
  • 39. #RSAC Attack Surface: Container Images GOAL: Check for vulnerabilities periodically Plenty of ways to do this in registries. We’ll cover more in the tooling section
  • 40. #RSAC Attack Surface: Running Containers GOAL: Don’t run as root Containers running as root might be completely unnecessary for the actual application. If compromised, attacker can do a lot more things.. Pod security policies can help (we’ll see how later).
  • 41. #RSAC Attack Surface: Running Containers GOAL: Limit host mounts Be wary of images that require broad access to paths on the host Limit your host mount to a smaller subset of directories Reduces blast radius on compromise
  • 44. #RSAC Kubernetes Cluster- TLS TLS Checklist: 1. Nodes and Master 2. User and Master 3. Everything etcd 4. Kubelet to API Server
  • 46. #RSAC Kubernetes Cluster- TLS TLS Checklist: 1. User and Master 2. Nodes and Master 3. Everything etcd 4. Kubelet to API Server
  • 47. #RSAC CVE’s 47 GOAL: Have an upgrade strategy Because…CVE’s are fixed in new minor versions. Don’t treat K8s as “install once, run all the time”. Make your K8s install repeatable for different versions. ..Or use a Managed Provider. – Either automatically patch for you, or tell you what to do.
  • 48. #RSAC We’re a little better off now. But what else to do?
  • 49. #RSAC K8s Features How can the platform help me make secure choices?
  • 50. #RSAC K8s Features Kubernetes Secrets Authentication Authorization Audit Logging Network Policies Pod security policies
  • 51. #RSAC Kubernetes Secrets GOAL: Use Kubernetes secrets to store sensitive data instead of config maps. Also look at: secrets encryption provider. – Controls how etcd encrypts API data – --experimental-encryption-provider-config https://kubernetes.io/docs/tasks/administer-cluster/encrypt- data/
  • 52. #RSAC Authentication and Authorization Do you know how you are authenticating with Kubernetes? Many ways to Authenticate – Client Certs – Static token file – Service Account tokens – OpenID – Webhook Mode – And more (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
  • 53. #RSAC Whatever you do, DO NOT YOLO! Goal: Pick a strategy that fits your use case
  • 54. #RSAC You can pick an authz strategy.. If you DO NOT YOLO…
  • 56. #RSAC Authentication and Authorization Pro tip: Nobody uses ABAC anymore. Don’t be that guy…. RBAC is the defacto standard – Based on roles and role bindings – Good set of defaults: https://github.com/uruddarraju/kubernetes-rbac-policies Can use multiple authorizers together, but can get confusing. – 1st authorizer to authorize passes authz
  • 57. #RSAC Kubernetes Cluster- Audit Logs Wat? “Kubernetes auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.” Answers: What/when/who/where information on security events. Your job: Periodically watch Kubernetes Audit logs https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
  • 58. #RSAC
  • 59. #RSAC Kubernetes Cluster- Network Policies Consider adding a network policy to the cluster… Default Policy: All pods can talk to all other pods. Consider limiting this with a Network Policy https://kubernetes.io/docs/concepts/services-networking/network-policies/
  • 60. #RSAC Kubernetes Cluster- Pod Security Policies Consider adding Pod Security policies PodSecurityPolicy: A Defined set of conditions a pod must run with. Think of this as authorization for pods.
  • 61. #RSAC Kubernetes Cluster: Pod Security Policies https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy Capability for an admin to control specific actions
  • 62. #RSAC Open Policy Agent Policy based control for your whole environment. Full featured Policy Engine to offload policy decisions from each application/service. – Deploy OPA alongside your service – Add policy data to OPA’s store – Query OPA on decisions. Great idea, still early, watch this space… Standardize policies for all clusters https://www.openpolicyagent.org/ 62
  • 64. #RSAC Keep tabs on the CNCF Security landscape https://landscape.cncf.io/landscape=security-complia
  • 65. #RSAC CNCF Projects “The Update Framework” Is a framework or a methodology. Used for secure software updates. Based on ideas surrounding trust and integrity. Is a project. Based on TUF. A solution to secure software updates and distribution. Used in Docker Trusted Registry.
  • 66. #RSAC Clair Open source project for the static analysis of vulnerabilities in containers. Find vulnerable images in your repo. Built into quay.io, but you can add to your own repo. https://github.com/coreos/clair
  • 67. #RSAC
  • 68. #RSAC Harbor Newer! CNCF Project Registry product Supports vulnerability scanning, image signing and identity control Scope is larger than clair
  • 70. #RSAC Kube-bench Checks whether a Kubernetes cluster is deployed according to security best practices. Run this after creating your K8s cluster. https://github.com/aquasecurity/kube-bench Defined by the CIS Benchmarks Docs: https://www.cisecurity.org/cis-benchmarks/ Run it against your Kubernetes Master, or Kubernetes node.
  • 72. #RSAC Kube-hunter Penetration Testing tool for Kubernetes clusters. Looks for weaknesses in your cluster. 2 ways to run: – External to cluster (what an attacker sees) – Internal to cluster (install as a pod) Active and Passive mode. – Active mode changes stuff (probably don’t use in Prod) Read more: https://kube-hunter.aquasec.com/ ONLY RUN ON YOUR OWN CLUSTER. 72
  • 74. #RSAC Kubesec Helps you quantify risk for Kubernetes resources. Run against your K8s applications (deployments/pods/daemonsets etc) https://kubesec.io/ from controlplane Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec)
  • 76. #RSAC Kubeaudit Opensourced from Shopify. Auditing your applications in your K8s cluster. https://github.com/Shopify/kubeaudit Little more targeted than Kubesec.
  • 77. #RSAC
  • 79. #RSAC Sonobuoy by Heptio Sonobuoy is a diagnostic tool. Tells you whether your cluster is built correctly per best practices. vendor-agnostic conformance tests to let you test the cluster. End to End tests test that APIs required for your deployment are supported by the cluster. Can take a long time to finish (1-3 hours). https://scanner.heptio.com/ 79
  • 80. #RSAC Test Output summary Stored in a file called e2e.log 80
  • 81. Put it all together… 81
  • 82. #RSAC Apply It! 82 Day 1: Know what version of Docker and Kubernetes you use. Understand if your control and data plane nodes are hardened. Understand how your Docker containers are built. Find out how you authenticate and authorize for your clusters.
  • 83. #RSAC Apply It! 83 Week 1: Build an Automation Pipeline: –To build Docker images on code pushes –Versioning strategy for code –To build your Kubernetes clusters
  • 84. #RSAC Apply It! 84 1st Month Sanitize your code: –Know your base images –Implement versioning for your containers –Invest in a registry (or tooling) that does vulnerability scanning Kubernetes: –Have an upgrade strategy in place –Analyze secrets/sensitive cluster data –Turn on audit logging
  • 85. #RSAC Apply It! 85 3 Months: Continuously Monitor – Tooling like sonobuoy/Kubesec/Kube-audit/kube-hunter// Plan how to address vulnerabilities/CVE’s K8s: – Strategy for Pod Security Policies – Strategy for Network Policies – Run scans (like kube-bench) on cluster creation
  • 86. #RSAC Apply It! 86 6 Months: Re-ask day 1 questions. Review strategies- is it working? What needs tweaking? Review tooling- are there new tools that help? Are existing tools working? Review CVE’s
  • 87. #RSAC Couple more resources to look at: 11 ways not to get hacked: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get- hacked K8s security (from Image Hygiene to Network Policy): https://speakerdeck.com/mhausenblas/kubernetes-security- from-image-hygiene-to-network-policies

Editor's Notes

  1. However, customers face challenges along the way.  As we have spoken to customers, many have agreed with the challenges presented on this slide.
  2. Faster Time to Deploy No need to provision and maintain Operating System and Platforms (Linux, Kubernetes, Docker Registry, Continuous Integration Systems) Lower Risk Oracle is committed to SLAs on Performance and Manageability, in addition to Availability Accelerate Innovation Develop new Container Native apps quickly, and port existing apps faster
  3. Photo by rawpixel on Unsplash
  4. Photo by rawpixel on Unsplash
  5. Photo by Byron Sterk on Unsplash
  6. Photo by Byron Sterk on Unsplash
  7. Photo by rawpixel on Unsplash
  8. Photo by rawpixel on Unsplash
  9. Photo by rawpixel on Unsplash
  10. Diagram from https://docs.google.com/presentation/d/1Gp-2blk5WExI_QR59EUZdwfO2BWLJqa626mK2ej-huo/edit#slide=id.g1e639c415b_0_56. Thanks @Lucas Käldström
  11. Photo by Mikhail Vasilyev on Unsplash
  12. Photo by Mikhail Vasilyev on Unsplash
  13. https://www.openpolicyagent.org/docs/how-does-opa-work.html#overview
  14. Photo by Barn Images on Unsplash
  15. Photo by Damon Lam on Unsplash
  16. Photo by Damon Lam on Unsplash
  17. Photo by Damon Lam on Unsplash
  18. Photo by Damon Lam on Unsplash
  19. Photo by Damon Lam on Unsplash
  20. Photo by Damon Lam on Unsplash