SlideShare a Scribd company logo
1 of 21
Download to read offline
1
Applied Security
For Containers
Jesus ESCOLAR
CEO
EXELERYS
NextGen CyberSecurity & CyberIntelligence
2
Infrastructure “Changes”
Physical Virtual
Cloud
Containers
Serverless
1011010
0100111
0010011
3
The history of “Containers” – Everything started in…
• 1970’s!!!
• Unix V7: chroot! All was about process isolation at that time!
• 2000:
• FreeBSD: “Jails” was invented to share resources in a shared
environment independently.
• 2001:
• Linux-VServer: Introduced the FreeBSD “Jails” logic into the
Linux world through the “VPS” concept.
• 2004:
• Sun Microsystems: They invented the “Zones” long before
being acquired by Oracle. Their isolation logic allowed a
better implementation of Disk, RAM & CPU access.
4
The history of “Containers” – Continued in…
• 2005:
• OpenVZ: Now we have the first “open-to-public” pre-
Dark Ages isolation implementation. <- We ‘ed it!
• 2006:
• Google: Introduced “Process Containers” as an isolation
logical model for CPU, memory, Disk I/O & Network.
• 2008:
• LXC: Halleluiah! A team of private companies along with
individuals developed the “Linux Containers”, the first real
implementation of a the container technology in an open-
source model with all the fully features that makes a
container what a container had to be! (LXC would evolve
to become LXD in its 2.0 version…)
5
The history of “Containers” – And concluded…
• 2011:
• CloudFoundry: Implemented an evolved version of LXC
called “Warden” isolating environments in any OS with a
daemon and… an API!
• 2013:
• LMCTFY: An open-source implementation of Google
Container Stack. Now applications can be made “container
aware”. This moved to the Open Container Foundation in
2015.
• 2013:
• Docker: Here is the Saint Grail! It developed from LXC but
ended up having its own platform and architecture. The
successes were: API, container management platform, and
obviously, the apps ecosystem.
6
Logic behind Containers
7
Security Landscape = Customer Pain!
Evolving Infrastructure
Threat Sophistication
Speed of App Changes
Lack of resources, need to
simplify
Threat protection & audit
Performance across hybrid clouds
Customer PainTechnical Dynamics
8
Security Landscape = Shared Responsibility
Data Encryption Network Traffic Protection
Platform, Applications
Operating System, Network & Firewall Configuration
Content and Applications
Foundation Services
Compute Storage Database Networking
Global
Infrastructure
Regions
Domains, Availability Zones
Foundation Services
Compute Storage Database Networking
Global
Infrastructure
Regions
Domains, Availability Zones
Cloud
Provider
or You?
Consumer !
The Shared Responsibility Model
9
Securing Containers – What?
• So the magical question comes into play: What do I need
to secure when I am running containers?
• The Host?
• The Apps?
• The Images?
• The permissions?
• The users?
• The consumers?
• All of them?
• None of them?
Note: Choose all the right answers that apply…
10
Security Paradigm for Containers
• Containers are running on top of an existing OS, whether we like it or not.
• Containers are still running either an OS or either apps.
• Containers are still running workloads with libraries.
• And those libraries are shared across all the containers in the same host.
• We still have all the security responsibilities from the traditional virtualization
landscape into our hands:
• Multi-tenancy / Multi-User responsibilities.
• App Packaging sources.
• Vulnerabilities / Patching.
• Accountability.
• Accessibility.
• Firewalling / Traffic management.
• RBAC.
• etc, etc, etc…
11
Securing Containers – How?
• Resource Control: cgroups
• Discretionary Access: namespaces
• Mandatory Access: AppArmor / SELinux
• Fine Grained Access: seccomp
Is that all…? Nothing else? SecDevOps? DevSecOps?
No! There are few NextGen solutions with more in-depth
approach to cover all possible conditions.
Let’s see them together!
12
Security Solutions for Containers – Vulnerabilities
• NeuVector Open Source CIS Kubernetes Benchmark
https://github.com/neuvector/kubernetes-cis-benchmark
13
Security Solutions for Containers – Vulnerabilities
• Aquasec Open Source Tools:
https://github.com/aquasecurity/kube-bench
Automates the CIS Benchmark for Kubernetes, making it easy for
operators to check whether each node in their Kubernetes cluster
is configured according to security best practices.
14
Security Solutions for Containers – Vulnerabilities
• CoreOS Open Source Clair:
https://github.com/coreos/clair/
https://coreos.com/clair/docs/latest/
Clair is an open source project for the static analysis of
vulnerabilities in appc and docker containers.
Since Clair image analysis is static, containers never need to be
actually executed, so you can detect a security threat before is
already running in your systems. Clair is the security engine that
CoreOS Quay registry uses internally.
15
Security Solutions for Containers – Vulnerabilities
• Twistlock Developer Edition Container Security :
https://www.twistlock.com/products/enterprise-container-security/
https://www.twistlock.com/2016/02/17/free-developer-edition-is-
here/
Vulnerability management: Scanning container images to
discover vulnerabilities that may exist in the various layers of the
image.
Access control: Fine-grained access control capabilities to guard
access to Docker commands.
Runtime defence: Policy-based protection for running containers
on production servers.
16
Security Solutions for Containers – Analysis
• Anchore Open Source Container Analysis
https://anchore.com/opensource/
• Pre-production analysis, vulnerability newsfeed.
• Submit an Image to be analysed
• See if your images have any known CVE vulnerabilities
• List all of the files in a particular image
• Evaluate your image against your custom security policy
• Subscribe to receive notifications when an image is updated
17
Security Solutions for Containers – Behaviour
• Sysdig Open Source Falco :
https://sysdig.com/opensource/falco/
Open source, behavioural monitoring software designed to detect
anomalous activity based on the Sysdig monitoring technology.
Sysdig Falco also works as a intrusion detection system on any
Linux host.
Build rules specific to your Kubernetes clusters to enforce policy
across all your containers & microservices.
Complete container visibility through a single daemon. Easily build
rules and get informed immediately.
18
Security Solutions for Containers – Distribution
• Notary Open Source :
https://github.com/theupdateframework/notary
Image forgery and tampering is one major security concern for Docker-
based deployments. Notary is a tool for publishing and managing
trusted collections of content. You can approve trusted published and
create signed collections, in a similar fashion to the software repository
management tools present in modern Linux systems, but for Docker
images.
Some of Notary goals include guaranteeing image freshness (most up to
date content, to avoid known vulnerabilities), trust delegation between
users or trusted distribution over untrusted mirrors or transport
channels.
Note: See this implementation of Notary.
https://theupdateframework.github.io/
19
What’s next…?
• The future is unclear…
• Hosts can be infected, images can be infected, apps can be vulnerated.
• Docker images, as an example, is vulnerable to malware infection as
demonstrated in last Black Hat Conference in 2017.
• There’s a need for a full open source security solution for containers based on
a next generation security logic:
• AM + IPS + WR (mandatory)
• Behaviour Monitoring (necessary)
• ML + AI (optional)
• Sandboxing (highly desired)
• There are no open source NextGen Anti-Malware, Firewalls or IPS/IDS tools
for containers today.
• Why? The container ecosystem is too sparse, the CNF presents dozens of
vendors/companies building solutions and standards for containers, there’s
no homogeneity. There’s no alignment across the ecosystem. There’s no
standard practice.
20
20
21
THANK YOU!
Follow us at:
@EXELERYS
LINKEDIN.COM/COMPANY/EXELERYS

More Related Content

What's hot

Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container SecurityShea Stewart
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 RecapLee Calcote
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security  for CloudCamp Nov 2017Ten layers of container security  for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
Cisco Cloud Networking Workshop
Cisco Cloud Networking Workshop Cisco Cloud Networking Workshop
Cisco Cloud Networking Workshop Cisco Canada
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel securitysmart_bit
 
VMware@Night: Container & Virtualisierung
VMware@Night: Container & VirtualisierungVMware@Night: Container & Virtualisierung
VMware@Night: Container & VirtualisierungDigicomp Academy AG
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Containerization Principles Overview for app development and deployment
Containerization Principles Overview for app development and deploymentContainerization Principles Overview for app development and deployment
Containerization Principles Overview for app development and deploymentDr Ganesh Iyer
 
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-087 characteristics of container-native infrastructure, Docker Zurich 2015-09-08
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08Casey Bisson
 
Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Steve Wilson
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Automated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleAutomated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleMajor Hayden
 

What's hot (20)

Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security  for CloudCamp Nov 2017Ten layers of container security  for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
Cisco Cloud Networking Workshop
Cisco Cloud Networking Workshop Cisco Cloud Networking Workshop
Cisco Cloud Networking Workshop
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
SS Introduction to Docker
SS Introduction to DockerSS Introduction to Docker
SS Introduction to Docker
 
VMware@Night: Container & Virtualisierung
VMware@Night: Container & VirtualisierungVMware@Night: Container & Virtualisierung
VMware@Night: Container & Virtualisierung
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Containerization Principles Overview for app development and deployment
Containerization Principles Overview for app development and deploymentContainerization Principles Overview for app development and deployment
Containerization Principles Overview for app development and deployment
 
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-087 characteristics of container-native infrastructure, Docker Zurich 2015-09-08
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08
 
Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
Automated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleAutomated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-Ansible
 

Similar to Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris

Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Patrick Chanezon
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiatedKevin Lee
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetesDr Ganesh Iyer
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...The Incredible Automation Day
 
Oscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectOscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectPatrick Chanezon
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Openstack components as containerized microservices
Openstack components as containerized microservicesOpenstack components as containerized microservices
Openstack components as containerized microservicesMiguel Zuniga
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Miguel Zuniga
 
Built in NM - Meetup Talk - CTL Labs
Built in NM - Meetup Talk - CTL LabsBuilt in NM - Meetup Talk - CTL Labs
Built in NM - Meetup Talk - CTL LabsRoss Jimenez
 
DockerCon SF 2015: Keynote Day 1
DockerCon SF 2015: Keynote Day 1DockerCon SF 2015: Keynote Day 1
DockerCon SF 2015: Keynote Day 1Docker, Inc.
 
State of the Container Ecosystem
State of the Container EcosystemState of the Container Ecosystem
State of the Container EcosystemVinay Rao
 
Executive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersExecutive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersNVISIA
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 

Similar to Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris (20)

Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
BRKSDN-2115
BRKSDN-2115 BRKSDN-2115
BRKSDN-2115
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
Oscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectOscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby project
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Openstack components as containerized microservices
Openstack components as containerized microservicesOpenstack components as containerized microservices
Openstack components as containerized microservices
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos
 
Built in NM - Meetup Talk - CTL Labs
Built in NM - Meetup Talk - CTL LabsBuilt in NM - Meetup Talk - CTL Labs
Built in NM - Meetup Talk - CTL Labs
 
DockerCon SF 2015: Keynote Day 1
DockerCon SF 2015: Keynote Day 1DockerCon SF 2015: Keynote Day 1
DockerCon SF 2015: Keynote Day 1
 
State of the Container Ecosystem
State of the Container EcosystemState of the Container Ecosystem
State of the Container Ecosystem
 
Executive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersExecutive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of Containers
 
Container Security
Container SecurityContainer Security
Container Security
 

More from OW2

OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in RomaOW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in RomaOW2
 
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...OW2
 
GLPi v.10, les fonctionnalités principales et l'offre cloud
GLPi v.10, les fonctionnalités principales et l'offre cloudGLPi v.10, les fonctionnalités principales et l'offre cloud
GLPi v.10, les fonctionnalités principales et l'offre cloudOW2
 
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...OW2
 
FusionIAM : la gestion des identités et des accés open source
FusionIAM : la gestion des identités et des accés open sourceFusionIAM : la gestion des identités et des accés open source
FusionIAM : la gestion des identités et des accés open sourceOW2
 
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...OW2
 
SFScon'20 Bringing the User into the Equation
SFScon'20 Bringing the User into the EquationSFScon'20 Bringing the User into the Equation
SFScon'20 Bringing the User into the EquationOW2
 
Towards a sustainable solution to open source sustainability, OW2online20, Ju...
Towards a sustainable solution to open source sustainability, OW2online20, Ju...Towards a sustainable solution to open source sustainability, OW2online20, Ju...
Towards a sustainable solution to open source sustainability, OW2online20, Ju...OW2
 
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...OW2
 
Open Source governance and the Eclipse Foundation, OW2online, June 2020
Open Source governance and the Eclipse Foundation, OW2online, June 2020Open Source governance and the Eclipse Foundation, OW2online, June 2020
Open Source governance and the Eclipse Foundation, OW2online, June 2020OW2
 
Open source contribution policies, OW2online, June 2020
Open source contribution policies, OW2online, June 2020Open source contribution policies, OW2online, June 2020
Open source contribution policies, OW2online, June 2020OW2
 
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...OW2
 
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020OW2
 
Open Source Compliance at Orange, OW2online, June 2020
Open Source Compliance at Orange, OW2online, June 2020Open Source Compliance at Orange, OW2online, June 2020
Open Source Compliance at Orange, OW2online, June 2020OW2
 
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020OW2
 
Intelligent package management with FASTEN, OW2online, June 2020
Intelligent package management with FASTEN, OW2online, June 2020Intelligent package management with FASTEN, OW2online, June 2020
Intelligent package management with FASTEN, OW2online, June 2020OW2
 
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020OW2
 
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...OW2
 
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...OW2
 
Cacti and Big Data at Orange France, OW2online, June 2020
Cacti and Big Data at Orange France, OW2online, June 2020Cacti and Big Data at Orange France, OW2online, June 2020
Cacti and Big Data at Orange France, OW2online, June 2020OW2
 

More from OW2 (20)

OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in RomaOW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
 
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
 
GLPi v.10, les fonctionnalités principales et l'offre cloud
GLPi v.10, les fonctionnalités principales et l'offre cloudGLPi v.10, les fonctionnalités principales et l'offre cloud
GLPi v.10, les fonctionnalités principales et l'offre cloud
 
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
 
FusionIAM : la gestion des identités et des accés open source
FusionIAM : la gestion des identités et des accés open sourceFusionIAM : la gestion des identités et des accés open source
FusionIAM : la gestion des identités et des accés open source
 
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
 
SFScon'20 Bringing the User into the Equation
SFScon'20 Bringing the User into the EquationSFScon'20 Bringing the User into the Equation
SFScon'20 Bringing the User into the Equation
 
Towards a sustainable solution to open source sustainability, OW2online20, Ju...
Towards a sustainable solution to open source sustainability, OW2online20, Ju...Towards a sustainable solution to open source sustainability, OW2online20, Ju...
Towards a sustainable solution to open source sustainability, OW2online20, Ju...
 
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
 
Open Source governance and the Eclipse Foundation, OW2online, June 2020
Open Source governance and the Eclipse Foundation, OW2online, June 2020Open Source governance and the Eclipse Foundation, OW2online, June 2020
Open Source governance and the Eclipse Foundation, OW2online, June 2020
 
Open source contribution policies, OW2online, June 2020
Open source contribution policies, OW2online, June 2020Open source contribution policies, OW2online, June 2020
Open source contribution policies, OW2online, June 2020
 
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
 
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
 
Open Source Compliance at Orange, OW2online, June 2020
Open Source Compliance at Orange, OW2online, June 2020Open Source Compliance at Orange, OW2online, June 2020
Open Source Compliance at Orange, OW2online, June 2020
 
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
 
Intelligent package management with FASTEN, OW2online, June 2020
Intelligent package management with FASTEN, OW2online, June 2020Intelligent package management with FASTEN, OW2online, June 2020
Intelligent package management with FASTEN, OW2online, June 2020
 
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
 
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
 
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
 
Cacti and Big Data at Orange France, OW2online, June 2020
Cacti and Big Data at Orange France, OW2online, June 2020Cacti and Big Data at Orange France, OW2online, June 2020
Cacti and Big Data at Orange France, OW2online, June 2020
 

Recently uploaded

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 

Recently uploaded (20)

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris

  • 1. 1 Applied Security For Containers Jesus ESCOLAR CEO EXELERYS NextGen CyberSecurity & CyberIntelligence
  • 3. 3 The history of “Containers” – Everything started in… • 1970’s!!! • Unix V7: chroot! All was about process isolation at that time! • 2000: • FreeBSD: “Jails” was invented to share resources in a shared environment independently. • 2001: • Linux-VServer: Introduced the FreeBSD “Jails” logic into the Linux world through the “VPS” concept. • 2004: • Sun Microsystems: They invented the “Zones” long before being acquired by Oracle. Their isolation logic allowed a better implementation of Disk, RAM & CPU access.
  • 4. 4 The history of “Containers” – Continued in… • 2005: • OpenVZ: Now we have the first “open-to-public” pre- Dark Ages isolation implementation. <- We ‘ed it! • 2006: • Google: Introduced “Process Containers” as an isolation logical model for CPU, memory, Disk I/O & Network. • 2008: • LXC: Halleluiah! A team of private companies along with individuals developed the “Linux Containers”, the first real implementation of a the container technology in an open- source model with all the fully features that makes a container what a container had to be! (LXC would evolve to become LXD in its 2.0 version…)
  • 5. 5 The history of “Containers” – And concluded… • 2011: • CloudFoundry: Implemented an evolved version of LXC called “Warden” isolating environments in any OS with a daemon and… an API! • 2013: • LMCTFY: An open-source implementation of Google Container Stack. Now applications can be made “container aware”. This moved to the Open Container Foundation in 2015. • 2013: • Docker: Here is the Saint Grail! It developed from LXC but ended up having its own platform and architecture. The successes were: API, container management platform, and obviously, the apps ecosystem.
  • 7. 7 Security Landscape = Customer Pain! Evolving Infrastructure Threat Sophistication Speed of App Changes Lack of resources, need to simplify Threat protection & audit Performance across hybrid clouds Customer PainTechnical Dynamics
  • 8. 8 Security Landscape = Shared Responsibility Data Encryption Network Traffic Protection Platform, Applications Operating System, Network & Firewall Configuration Content and Applications Foundation Services Compute Storage Database Networking Global Infrastructure Regions Domains, Availability Zones Foundation Services Compute Storage Database Networking Global Infrastructure Regions Domains, Availability Zones Cloud Provider or You? Consumer ! The Shared Responsibility Model
  • 9. 9 Securing Containers – What? • So the magical question comes into play: What do I need to secure when I am running containers? • The Host? • The Apps? • The Images? • The permissions? • The users? • The consumers? • All of them? • None of them? Note: Choose all the right answers that apply…
  • 10. 10 Security Paradigm for Containers • Containers are running on top of an existing OS, whether we like it or not. • Containers are still running either an OS or either apps. • Containers are still running workloads with libraries. • And those libraries are shared across all the containers in the same host. • We still have all the security responsibilities from the traditional virtualization landscape into our hands: • Multi-tenancy / Multi-User responsibilities. • App Packaging sources. • Vulnerabilities / Patching. • Accountability. • Accessibility. • Firewalling / Traffic management. • RBAC. • etc, etc, etc…
  • 11. 11 Securing Containers – How? • Resource Control: cgroups • Discretionary Access: namespaces • Mandatory Access: AppArmor / SELinux • Fine Grained Access: seccomp Is that all…? Nothing else? SecDevOps? DevSecOps? No! There are few NextGen solutions with more in-depth approach to cover all possible conditions. Let’s see them together!
  • 12. 12 Security Solutions for Containers – Vulnerabilities • NeuVector Open Source CIS Kubernetes Benchmark https://github.com/neuvector/kubernetes-cis-benchmark
  • 13. 13 Security Solutions for Containers – Vulnerabilities • Aquasec Open Source Tools: https://github.com/aquasecurity/kube-bench Automates the CIS Benchmark for Kubernetes, making it easy for operators to check whether each node in their Kubernetes cluster is configured according to security best practices.
  • 14. 14 Security Solutions for Containers – Vulnerabilities • CoreOS Open Source Clair: https://github.com/coreos/clair/ https://coreos.com/clair/docs/latest/ Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. Since Clair image analysis is static, containers never need to be actually executed, so you can detect a security threat before is already running in your systems. Clair is the security engine that CoreOS Quay registry uses internally.
  • 15. 15 Security Solutions for Containers – Vulnerabilities • Twistlock Developer Edition Container Security : https://www.twistlock.com/products/enterprise-container-security/ https://www.twistlock.com/2016/02/17/free-developer-edition-is- here/ Vulnerability management: Scanning container images to discover vulnerabilities that may exist in the various layers of the image. Access control: Fine-grained access control capabilities to guard access to Docker commands. Runtime defence: Policy-based protection for running containers on production servers.
  • 16. 16 Security Solutions for Containers – Analysis • Anchore Open Source Container Analysis https://anchore.com/opensource/ • Pre-production analysis, vulnerability newsfeed. • Submit an Image to be analysed • See if your images have any known CVE vulnerabilities • List all of the files in a particular image • Evaluate your image against your custom security policy • Subscribe to receive notifications when an image is updated
  • 17. 17 Security Solutions for Containers – Behaviour • Sysdig Open Source Falco : https://sysdig.com/opensource/falco/ Open source, behavioural monitoring software designed to detect anomalous activity based on the Sysdig monitoring technology. Sysdig Falco also works as a intrusion detection system on any Linux host. Build rules specific to your Kubernetes clusters to enforce policy across all your containers & microservices. Complete container visibility through a single daemon. Easily build rules and get informed immediately.
  • 18. 18 Security Solutions for Containers – Distribution • Notary Open Source : https://github.com/theupdateframework/notary Image forgery and tampering is one major security concern for Docker- based deployments. Notary is a tool for publishing and managing trusted collections of content. You can approve trusted published and create signed collections, in a similar fashion to the software repository management tools present in modern Linux systems, but for Docker images. Some of Notary goals include guaranteeing image freshness (most up to date content, to avoid known vulnerabilities), trust delegation between users or trusted distribution over untrusted mirrors or transport channels. Note: See this implementation of Notary. https://theupdateframework.github.io/
  • 19. 19 What’s next…? • The future is unclear… • Hosts can be infected, images can be infected, apps can be vulnerated. • Docker images, as an example, is vulnerable to malware infection as demonstrated in last Black Hat Conference in 2017. • There’s a need for a full open source security solution for containers based on a next generation security logic: • AM + IPS + WR (mandatory) • Behaviour Monitoring (necessary) • ML + AI (optional) • Sandboxing (highly desired) • There are no open source NextGen Anti-Malware, Firewalls or IPS/IDS tools for containers today. • Why? The container ecosystem is too sparse, the CNF presents dozens of vendors/companies building solutions and standards for containers, there’s no homogeneity. There’s no alignment across the ecosystem. There’s no standard practice.
  • 20. 20 20
  • 21. 21 THANK YOU! Follow us at: @EXELERYS LINKEDIN.COM/COMPANY/EXELERYS