This document discusses the new era of digital security in light of emerging technologies like cloud computing, software-defined infrastructure, and the increased use of applications and devices outside of IT's control. It argues that traditional network-based defenses are no longer enough and that security must evolve to be continuous and integrated throughout the IT lifecycle. It presents containers and container platforms like Kubernetes as an approach that can help achieve both agility and improved security by allowing for easy and secure application deployment across hybrid environments.

1. NEW ERA OF DIGITAL SECURITY
Shawn Wells
Chief Security Strategist
U.S. Public Sector
shawn@redhat.com || 443-534-0130

2. Technology for the Digital World
2

3. When New Technologies are adopted, the Security
team gets involved
SECURITY
3

4. Securing the Enterprise is Harder Than Ever
4
Applications &
devices outside
of IT control
Cloud
computing
Software-defined
infrastructure
Dissolving
security
perimeter
The way we develop, deploy and manage IT is
changing dramatically
TRADITIONAL NETWORK-BASED DEFENSES ARE NO LONGER ENOUGH
Menacing
threat
landscape

5. THE COST OF SECURITY BREACHES
5 2016 Cost of Data Breach Study: Global, June, 2016. Ponemon Institute LLC© Research Report
Total average costs
are increasing:
2016 $4.0 million
2015 $3.8 million
2014 $3.5 million
While “soft” costs are
impacting your business
● Business disruption
● Lost employee and
customer trust
● Brand erosion
● Shareholder anger
● etc

6. 6 2016 Cost of Data Breach Study: Global, June, 2016. Ponemon Institute LLC© Research Report
Malicious or criminal attack
System glitch
Human error
48%
27%
25%
MULTIPLE SOURCES OF RISKS

7. 7 Source: TechValidate. https://www.techvalidate.com/tvid/885-BC3-190
TRYING TO INNOVATE AND
REMAIN SECURE AT THE SAME TIME
Funding for cloud
infrastructure is taking a clear
priority in 2017, with security
and management still
mandatory investments to
keep it all under control.
What are you organization’s top IT funding priorities for 2017?*
70%
49%
48%
42%
36%
31%
29%
28%
23%
Cloud infrastructure (private, public or hybrid)
Security and compliance
IT Management, automation, orchestration
Big data, analytics
Optimizing or modernizing existing IT
Integration of applications, data or processes
Containers
Cloud-native or mobile applications
Storage
*Select all that apply

8. IMPLEMENT BOTH AGILE & IMPROVED
GOVERNANCE PROCESSES
8 Source: TechValidate. https://www.techvalidate.com/tvid/7A6-663-C71
Compliance and governance
remain a top priority, but agile and
DevOps processes have shot to
the top of our customers list this
year. This is the only way they will
achieve innovation at the speed
they need to compete and win.
64%
54%
41%
26%
23%
11%
Agile development
DevOps processes or methodologies
Compliance or governance processes
User experience
Digital strategies
Using more open source
IT staff training
IT staff retention
IT staff recruitment
23%
10%
6%
3%Stopping shadow IT
What are you organization’s top priorities around IT cultural or process changes?*
*Select all that apply

9. 9
Security policy,
process &
procedures
DESIGN
BUILD
RUN
MANAGE
ADAPT
SECURITY
CHECKLIST
SECURITY MUST EVOLVE

10. Security policy,
process &
procedures
DESIGN
BUILD
RUN
MANAGE
ADAPT
10
Identify security
requirements &
governance models
Built-in from the start;
not bolted-on
Deploy to trusted
platforms with
enhanced security
capabilities
Automate systems for
security & compliance
Revise, update,
remediate as the
landscape changes
SECURITY MUST BE CONTINUOUS
And integrated throughout the IT lifecycle

11. DESIGN
BUILD
RUN
MANAGE
ADAPT
11
Define security
requirements based
on NIST 800-53
Build required
protections like web
SSO into your
applications
Run on platforms with
embedded protective
technology like SELinux
Automate compliance with DISA
STIG; use automated detection &
remediation technologies
Continuously
evaluate
effectiveness and
revise as needed
CONTINUOUS SECURITY WITH NIST
Protect
Identify
Detect
Recover
Respond
COMMUNICATE

12. Risk Management
12
Identify
Analyse
Plan
Track
Control
Communicate
The objectives of risk management are to identify,
address, and eliminate software risk items before
they become either threats to successful software
operation or major sources of software rework.
Barry W Boehm
Approaches to dealing with risk:
Reduction - reduce likelihood
Protection - bottom-up prevention
Transfer - let someone else share or hold
Pecuniary - set aside contingency fund of
resources

13. WHY OPEN SOURCE?

14. OPEN SOURCE DEVELOPMENT
DRIVES RAPID INNOVATION

15. OPEN SOURCE ADOPTION...SOARING
78%
65%
of enterprises run open source.
of companies are contributing to
open software.
[1] Black Duck Software, 9th Annual Future of Open Source survey, 2015. www.blackducksoftware.com/2015-future-of-open-source
[2] Black Duck Software, 10th Annual Future of Open Source survey, 2016. www.blackducksoftware.com/2016-future-of-open-source
[2]
[1]

16. 16
OPEN SOURCE CULTURE
Collaboration
Transparency
(both access and the ability to act)
Shared problems are
solved faster
Working together creates
standardization
*

17. AGILITY, WITH SECURITY

18. The Problem
Applications require
complicated installation
and integration every time
they are deployed
18

19. THE PROBLEM
I.T. OPERATIONSDEVELOPERS
19

20. DEVOPS
Everything as code
Automate everything
Application is always “releaseable”
Continuous Integration/Delivery
Application monitoring
Rapid feedback
Delivery pipeline
Rebuild vs. Repair
20

21. A Solution
Adopting a container
strategy will allow
applications to be easily
shared and deployed.
21

22. 22
WHAT ARE CONTAINERS?
It Depends Who You Ask
● Sandboxed application processes on a
shared Linux OS kernel
● Simpler, lighter, and denser than virtual
machines
● Portable across different environments
● Package my application and all of its
dependencies
● Deploy to any environment in seconds and
enable CI/CD
● Easily access and share containerized
components
INFRASTRUCTURE APPLICATIONS

23. A SOLUTION
Hardware
Virtual Machine
Operating System
Container
App
Controlled by
Developers
Controlled by
IT Operations
23

24. A SOLUTION
I.T. OPERATIONSDEVELOPERS
24

25. $ docker build -t app:v1 .
25

26. $ docker build -t app:v1 .
$ docker run app:v1
26

27. physical
virtual
private cloud
public cloud
27

28. 28
DEVOPS WITH CONTAINERS
source
repository
CI/CD
engine
dev container
physical
virtual
private cloud
public cloud
28

29. ?
29

30. ?
30

31. Scheduling
Decide where to deploy containers
31
WE NEED MORE THAN JUST CONTAINERS
Lifecycle and health
Keep containers running despite failures
Discovery
Find other containers on the network
Monitoring
Visibility into running containers
Security
Control who can do what
Scaling
Scale containers up and down
Persistence
Survive data beyond container lifecycle
Aggregation
Compose apps from multiple containers
31

32. Kubernetes is an open-source
system for automating deployment,
operations, and scaling of
containerized applications across
multiple hosts
kubernetes
32

33. kubernetes
33

34. DEVOPS WITH
CONTAINERS AND KUBERNETES
34

35. INDUSTRY CONVERGING ON KUBERNETES
35

36. INDUSTRY CONVERGING ON KUBERNETES
36

37. DEVOPS WITH
CONTAINERS AND KUBERNETES
NETWORK
Not enough! Need networking
37

38. DEVOPS WITH
CONTAINERS AND KUBERNETES
IMAGE
REGISTRY
NETWORK
Not enough! Need an image registry
38

39. DEVOPS WITH
CONTAINERS AND KUBERNETES
IMAGE
REGISTRY
METRICS AND LOGGING
NETWORK
heapster
Not enough! Need metrics and logging
39

40. DEVOPS WITH
CONTAINERS AND KUBERNETES
IMAGE
REGISTRY
Not enough! Need application lifecycle management
APP LIFECYCLE MGMT
METRICS AND LOGGING
NETWORK
40

41. DEVOPS WITH
CONTAINERS AND KUBERNETES
IMAGE
REGISTRY
Not enough! Need application services e.g. database and messaging
APP SERVICES
APP LIFECYCLE MGMT
METRICS AND LOGGING
NETWORK
41

42. DEVOPS WITH
CONTAINERS AND KUBERNETES
IMAGE
REGISTRY
Not enough! Need self-service portal
SELF-SERVICE
APP SERVICES
APP LIFECYCLE MGMT
METRICS AND LOGGING
NETWORK
42

43. NOT ENOUGH, THERE IS MORE!
Routing & Load Balancing
Multi-tenancy
CI/CD Pipelines
Role-based Authorization
Capacity Management
Chargeback
Vulnerability Scanning
Container Isolation
Image Build Automation
Quota Management
Teams and Collaboration
Infrastructure Visibility
43

44. Container application
platform based on Docker
and Kubernetes for building,
distributing and running
containers at scale
44

45. 45
Security policy,
process &
procedures
DESIGN
BUILD
RUN
MANAGE
ADAPT
SECURITY
CHECKLIST
REMEMBER THIS?

46. 46
OpenShift for Government
Accreditations & Standards
RHEL7 COMMON CRITERIA
- EAL4+
- Container Framework
- Secure Multi-tenancy
RHEL7 FIPS 140-2 CERTIFIED
- Data at Rest
- Data in Transport
OPENSHIFT BLUEPRINT FOR
AZURE
(FedRAMP MODERATE)
OCTOBER
2016
DECEMBER
2016
JUNE 2017
INDUSTRY FIRST: NIST
CERTIFIED CONFIGURATION AND
VULNERABILITY SCANNER FOR
CONTAINER
MARCH
2017

47. 47
WANT TO HEAR MORE?

49. plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews
THANK YOU