1
Applied Security
For Containers
Jesus ESCOLAR
CEO
EXELERYS
NextGen CyberSecurity & CyberIntelligence
2
Infrastructure “Changes”
Physical → Virtual → Cloud → Containers → Serverless
3
The history of “Containers” – Everything started in…
• 1970s!!!
• Unix V7: chroot! It was all about process isolation at that time!
• 2000:
• FreeBSD: “Jails” was invented to share resources in a shared
environment independently.
• 2001:
• Linux-VServer: Introduced the FreeBSD “Jails” logic into the
Linux world through the “VPS” concept.
• 2004:
• Sun Microsystems: They invented the “Zones” long before
being acquired by Oracle. Their isolation logic allowed a
better implementation of Disk, RAM & CPU access.
4
The history of “Containers” – Continued in…
• 2005:
• OpenVZ: Now we have the first “open-to-public” pre-Dark-Ages isolation
implementation. We loved it!
• 2006:
• Google: Introduced “Process Containers” as an isolation
logical model for CPU, memory, Disk I/O & Network.
• 2008:
• LXC: Hallelujah! A team of private companies along with individuals
developed the “Linux Containers”, the first real implementation of the
container technology in an open-source model, with all the features that
make a container what a container should be! (LXC would evolve to
become LXD in its 2.0 version…)
5
The history of “Containers” – And concluded…
• 2011:
• CloudFoundry: Implemented an evolved version of LXC
called “Warden” isolating environments in any OS with a
daemon and… an API!
• 2013:
• LMCTFY: An open-source implementation of Google
Container Stack. Now applications can be made “container
aware”. This moved to the Open Container Foundation in
2015.
• 2013:
• Docker: Here is the Holy Grail! It was developed from LXC but ended up
having its own platform and architecture. The successes were: the API,
the container management platform and, obviously, the apps ecosystem.
6
Logic behind Containers
7
Security Landscape = Customer Pain!
• Technical Dynamics:
• Evolving Infrastructure
• Threat Sophistication
• Speed of App Changes
• Customer Pain:
• Lack of resources, need to simplify
• Threat protection & audit
• Performance across hybrid clouds
8
Security Landscape = Shared Responsibility
The Shared Responsibility Model: Cloud Provider, or You (the Consumer)?
• Upper layers (Consumer!):
• Data Encryption, Network Traffic Protection
• Platform, Applications
• Operating System, Network & Firewall Configuration
• Content and Applications
• Lower layers (Cloud Provider):
• Foundation Services: Compute, Storage, Database, Networking
• Global Infrastructure: Regions, Domains, Availability Zones
9
Securing Containers – What?
• So the magical question comes into play: What do I need
to secure when I am running containers?
• The Host?
• The Apps?
• The Images?
• The permissions?
• The users?
• The consumers?
• All of them?
• None of them?
Note: Choose all the right answers that apply…
10
Security Paradigm for Containers
• Containers are running on top of an existing OS, whether we like it or not.
• Containers are still running either an OS or apps.
• Containers are still running workloads with libraries.
• And those libraries are shared across all the containers on the same host.
• We still have all the security responsibilities from the traditional virtualization
landscape in our hands:
• Multi-tenancy / Multi-User responsibilities.
• App Packaging sources.
• Vulnerabilities / Patching.
• Accountability.
• Accessibility.
• Firewalling / Traffic management.
• RBAC.
• etc, etc, etc…
11
Securing Containers – How?
• Resource Control: cgroups
• Discretionary Access: namespaces
• Mandatory Access: AppArmor / SELinux
• Fine Grained Access: seccomp
Is that all…? Nothing else? SecDevOps? DevSecOps?
No! There are a few NextGen solutions with a more in-depth
approach that cover all possible conditions.
Let’s see them together!
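The four controls listed above are only worth something if a container is actually started with them in force. The audit below is an added example, not code from the talk or from Docker: it reads `docker inspect` output and reports where cgroup limits are missing, where a host namespace is shared, where the seccomp or AppArmor profile has been switched off, and where capabilities have been added. The JSON is a constructed, trimmed sample using the field names Docker emits under `HostConfig`; the container names and values are made up.

```python
"""Check a container's HostConfig for the isolation controls of slide 11:
cgroups (resource limits), namespaces (host sharing), AppArmor/SELinux and
seccomp (profiles disabled), plus the capability set.  Added example; the
input is a constructed subset of `docker inspect` output."""
import json

# Constructed sample: one container started carelessly, one hardened.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/payments-debug",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
                    "SecurityOpt": ["seccomp=unconfined", "apparmor=unconfined"],
                    "PidMode": "host", "NetworkMode": "host", "IpcMode": "private",
                    "Memory": 0, "PidsLimit": 0, "ReadonlyRootfs": False}},
    {"Name": "/payments",
     "HostConfig": {"Privileged": False, "CapAdd": [], "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges"],
                    "PidMode": "", "NetworkMode": "bridge", "IpcMode": "private",
                    "Memory": 268435456, "PidsLimit": 200, "ReadonlyRootfs": True}},
])


def audit_host_config(hc):
    """Return a list of (control, finding) tuples for one HostConfig dict."""
    findings = []
    # --privileged grants every capability and drops seccomp/AppArmor confinement
    if hc.get("Privileged"):
        findings.append(("privileged", "container runs with --privileged"))
    for cap in hc.get("CapAdd") or []:
        findings.append(("capabilities", f"added capability {cap}"))
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append(("capabilities", "default capability set not dropped"))
    # Mandatory / fine-grained access: profiles explicitly switched off
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(("mandatory-access", f"{opt} disables a profile"))
    # Namespaces shared with the host defeat the isolation they provide
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(("namespaces", f"{key}=host shares the host namespace"))
    # cgroups: Docker reports 0 (or null) when no limit is set
    if not hc.get("Memory"):
        findings.append(("cgroups", "no memory limit"))
    if not hc.get("PidsLimit"):
        findings.append(("cgroups", "no pids limit (fork-bomb exposure)"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("filesystem", "root filesystem is writable"))
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for a `docker inspect` JSON document."""
    return {c["Name"]: audit_host_config(c["HostConfig"]) for c in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "->", "clean" if not findings else f"{len(findings)} findings")
        for control, finding in findings:
            print(f"  [{control}] {finding}")
```

On a real host the same function runs over `docker inspect $(docker ps -q)`; the hardened container above corresponds to starting with `--cap-drop ALL`, `--security-opt no-new-privileges`, `--memory`, `--pids-limit` and `--read-only`, and leaving the default seccomp and AppArmor profiles in place.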
12
Security Solutions for Containers – Vulnerabilities
• NeuVector Open Source CIS Kubernetes Benchmark
https://github.com/neuvector/kubernetes-cis-benchmark
13
Security Solutions for Containers – Vulnerabilities
• Aquasec Open Source Tools:
https://github.com/aquasecurity/kube-bench
Automates the CIS Benchmark for Kubernetes, making it easy for
operators to check whether each node in their Kubernetes cluster
is configured according to security best practices.
14
Security Solutions for Containers – Vulnerabilities
• CoreOS Open Source Clair:
https://github.com/coreos/clair/
https://coreos.com/clair/docs/latest/
Clair is an open source project for the static analysis of
vulnerabilities in appc and docker containers.
Since Clair image analysis is static, containers never need to be
actually executed, so you can detect a security threat before it is
running in your systems. Clair is the security engine that the
CoreOS Quay registry uses internally.
15
Security Solutions for Containers – Vulnerabilities
• Twistlock Developer Edition Container Security:
https://www.twistlock.com/products/enterprise-container-security/
https://www.twistlock.com/2016/02/17/free-developer-edition-is-here/
Vulnerability management: Scanning container images to
discover vulnerabilities that may exist in the various layers of the
image.
Access control: Fine-grained access control capabilities to guard
access to Docker commands.
Runtime defence: Policy-based protection for running containers
on production servers.
16
Security Solutions for Containers – Analysis
• Anchore Open Source Container Analysis
https://anchore.com/opensource/
• Pre-production analysis, vulnerability newsfeed.
• Submit an Image to be analysed
• See if your images have any known CVE vulnerabilities
• List all of the files in a particular image
• Evaluate your image against your custom security policy
• Subscribe to receive notifications when an image is updated
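What Clair (slide 14) and Anchore (slide 16) do at their core is static: take the package inventory out of an image layer, match it against a vulnerability feed, and gate the result on a policy, without ever starting the container. The script below is an added example that reproduces that pipeline on the standard library; it is not code from either project. The `dpkg` status excerpt and the feed are constructed, the advisory identifiers are placeholders rather than real CVE numbers, and version ordering is a simplified dot-separated comparison, not the full dpkg algorithm.

```python
"""Static image vulnerability matching in the style of Clair/Anchore:
parse an image layer's package inventory, match it against a feed of
fixed-in versions, then apply a severity policy.  Added example with
constructed data; the version comparison is deliberately simplified."""
import re

# Constructed excerpt of /var/lib/dpkg/status taken from an image layer
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.0f-3

Package: bash
Status: install ok installed
Version: 4.4-5

Package: curl
Status: deinstall ok config-files
Version: 7.52.1-5
"""

# Constructed feed: (package, fixed-in version, advisory id, severity).
# The advisory ids are placeholders, not real CVE numbers.
FEED = [
    ("openssl", "1.1.0g-1", "VULN-EXAMPLE-1", "High"),
    ("bash", "4.4-4", "VULN-EXAMPLE-2", "Medium"),
    ("curl", "7.52.1-6", "VULN-EXAMPLE-3", "Critical"),
]
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_dpkg_status(text):
    """Return {package: version} for packages in the 'installed' state only."""
    installed = {}
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if fields.get("Status", "").endswith("installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def version_key(version):
    """Simplified ordering: numeric parts compare as numbers, others as text."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+~]", version)]


def match_vulnerabilities(installed, feed):
    """Findings for packages whose installed version is older than the fix."""
    hits = []
    for pkg, fixed, advisory, severity in feed:
        if pkg in installed and version_key(installed[pkg]) < version_key(fixed):
            hits.append({"package": pkg, "installed": installed[pkg],
                         "fixed_in": fixed, "advisory": advisory, "severity": severity})
    return hits


def evaluate_policy(hits, block_at="High"):
    """Policy gate: FAIL when any finding is at or above the blocking severity."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [h for h in hits if SEVERITY_RANK[h["severity"]] >= threshold]
    return "FAIL" if blocking else "PASS", blocking


def scan_image(status_text=DPKG_STATUS, feed=FEED, block_at="High"):
    """Full pipeline: inventory -> feed match -> policy; returns (verdict, hits)."""
    hits = match_vulnerabilities(parse_dpkg_status(status_text), feed)
    verdict, _ = evaluate_policy(hits, block_at)
    return verdict, hits


if __name__ == "__main__":
    verdict, hits = scan_image()
    print(verdict)
    for h in hits:
        print(f"  {h['package']} {h['installed']} < {h['fixed_in']} ({h['severity']}, {h['advisory']})")
```

Two details matter in practice and are reflected above: a package left in `deinstall ok config-files` state (curl here) is not running code and should not be reported, and the verdict depends on the policy threshold, so the same findings pass a policy that only blocks on Critical.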
17
Security Solutions for Containers – Behaviour
• Sysdig Open Source Falco:
https://sysdig.com/opensource/falco/
Open source, behavioural monitoring software designed to detect
anomalous activity based on the Sysdig monitoring technology.
Sysdig Falco also works as an intrusion detection system on any
Linux host.
Build rules specific to your Kubernetes clusters to enforce policy
across all your containers & microservices.
Complete container visibility through a single daemon. Easily build
rules and get informed immediately.
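Behavioural monitoring of the kind described above comes down to evaluating a rule set against a stream of syscall-level events and raising an alert with a priority when a condition holds. The following is an added example, not Falco's code: a minimal rule engine using Falco-style field names (`evt.type`, `proc.name`, `container.id`, `fd.name`, `proc.tty`) over a constructed event sample. The rules mirror the spirit of Falco's defaults (an interactive shell inside a container, a package manager run inside a container, a read of a sensitive file, a write below `/etc`) but are illustrative, not Falco's actual rule definitions.

```python
"""Minimal Falco-style behavioural rule engine.  Added example with a
constructed event stream; field names follow Falco's naming, the rules
are illustrative rather than Falco's shipped rule set."""

SHELLS = {"bash", "sh", "zsh", "dash"}
PACKAGE_MANAGERS = {"apt", "apt-get", "yum", "dnf", "apk", "pip"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}
# Processes legitimately expected to read sensitive files on the host
SENSITIVE_READERS_ALLOWED = {"sshd", "login", "sudo"}


def in_container(evt):
    """Falco reports container.id == "host" for processes outside containers."""
    return evt.get("container.id", "host") != "host"


# (rule name, priority, condition) in the shape of Falco's rule/priority/condition
RULES = [
    ("Terminal shell in container", "NOTICE",
     lambda e: e["evt.type"] == "execve" and in_container(e)
               and e["proc.name"] in SHELLS and e.get("proc.tty", 0) != 0),
    ("Package management process launched in container", "ERROR",
     lambda e: e["evt.type"] == "execve" and in_container(e)
               and e["proc.name"] in PACKAGE_MANAGERS),
    ("Read sensitive file", "WARNING",
     lambda e: e["evt.type"] == "open" and e.get("fd.name") in SENSITIVE_FILES
               and e["proc.name"] not in SENSITIVE_READERS_ALLOWED),
    ("Write below /etc in container", "ERROR",
     lambda e: e["evt.type"] == "open" and in_container(e)
               and str(e.get("fd.name", "")).startswith("/etc/")
               and bool(WRITE_FLAGS & set(e.get("evt.arg.flags", [])))),
]


def evaluate(events, rules=RULES):
    """Run every rule over every event; return the list of alerts raised."""
    alerts = []
    for evt in events:
        for name, priority, condition in rules:
            if condition(evt):
                alerts.append({"rule": name, "priority": priority,
                               "container": evt.get("container.id", "host"),
                               "proc": evt["proc.name"], "target": evt.get("fd.name")})
    return alerts


# Constructed sample stream: container a1b2c3 serves nginx; a shell is then
# spawned with a tty, a package manager runs, /etc/shadow is read and
# /etc/passwd is opened for writing.  The last two events are host-side noise.
SAMPLE_EVENTS = [
    {"evt.type": "execve", "proc.name": "nginx", "container.id": "a1b2c3", "proc.tty": 0},
    {"evt.type": "execve", "proc.name": "bash", "container.id": "a1b2c3", "proc.tty": 34816},
    {"evt.type": "execve", "proc.name": "apt-get", "container.id": "a1b2c3", "proc.tty": 34816},
    {"evt.type": "open", "proc.name": "cat", "container.id": "a1b2c3",
     "fd.name": "/etc/shadow", "evt.arg.flags": ["O_RDONLY"]},
    {"evt.type": "open", "proc.name": "sh", "container.id": "a1b2c3",
     "fd.name": "/etc/passwd", "evt.arg.flags": ["O_WRONLY", "O_CREAT"]},
    {"evt.type": "open", "proc.name": "sshd", "container.id": "host",
     "fd.name": "/etc/shadow", "evt.arg.flags": ["O_RDONLY"]},
    {"evt.type": "execve", "proc.name": "bash", "container.id": "host", "proc.tty": 34816},
]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['priority']:8} {a['rule']} (container={a['container']} proc={a['proc']})")
```

The point of the allow-list on the sensitive-file rule and of the `in_container` guard is to keep the rule set quiet on hosts: an interactive shell on the host and `sshd` reading `/etc/shadow` are normal, the same actions inside a production container are not.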
18
Security Solutions for Containers – Distribution
• Notary Open Source:
https://github.com/theupdateframework/notary
Image forgery and tampering is one major security concern for Docker-
based deployments. Notary is a tool for publishing and managing
trusted collections of content. You can approve trusted publishers and
create signed collections, in a similar fashion to the software repository
management tools present in modern Linux systems, but for Docker
images.
Some of Notary's goals include guaranteeing image freshness (most up to
date content, to avoid known vulnerabilities), trust delegation between
users, and trusted distribution over untrusted mirrors or transport
channels.
Note: See this implementation of Notary.
https://theupdateframework.github.io/
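The guarantees listed above (freshness, and trusted distribution over untrusted transport) are properties a client enforces when it verifies a signed collection before pulling. The script below is an added example, not Notary's or TUF's code, showing the four checks a consumer performs: signature over the collection metadata, an expiry for freshness, a version counter against rollback, and a digest the pulled manifest must match. Real Notary signs with asymmetric keys (Ed25519/ECDSA); this example uses HMAC-SHA256 with a shared key purely as a stand-in so it runs on the standard library. The key, manifest and fixed clock are constructed.

```python
"""Client-side verification of a Notary/TUF-style signed collection.
Added example; HMAC stands in for the asymmetric signature real Notary uses."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

PUBLISHER_KEY = b"example-publisher-key"          # constructed stand-in key
MANIFEST = b'{"schemaVersion":2,"layers":[{"digest":"sha256:deadbeef"}]}'  # constructed


def canonical(meta):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_collection(targets, version, valid_for_days, key=PUBLISHER_KEY, now=None):
    """Publisher side: sign {name: digest/length} targets with version and expiry."""
    now = now or datetime.now(timezone.utc)
    meta = {"version": version,
            "expires": (now + timedelta(days=valid_for_days)).isoformat(),
            "targets": {name: {"sha256": hashlib.sha256(blob).hexdigest(), "length": len(blob)}
                        for name, blob in targets.items()}}
    return {"signed": meta, "sig": hmac.new(key, canonical(meta), "sha256").hexdigest()}


def verify_and_resolve(collection, name, pulled_manifest, last_seen_version,
                       key=PUBLISHER_KEY, now=None):
    """Consumer side: return the verified digest for `name` or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    meta, sig = collection["signed"], collection["sig"]
    expected = hmac.new(key, canonical(meta), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature: metadata tampered or wrong publisher")
    if datetime.fromisoformat(meta["expires"]) <= now:          # freshness
        raise ValueError("metadata expired: refuse stale collection")
    if meta["version"] < last_seen_version:                     # anti-rollback
        raise ValueError("rollback: version older than previously seen")
    target = meta["targets"].get(name)
    if target is None:
        raise ValueError(f"unknown target: {name} is not in the trusted collection")
    digest = hashlib.sha256(pulled_manifest).hexdigest()
    if digest != target["sha256"] or len(pulled_manifest) != target["length"]:
        raise ValueError("manifest digest mismatch: content altered in transit")
    return digest


def demo():
    """Happy path plus four failure modes; returns scenario -> outcome label."""
    out = {}
    now = datetime(2018, 6, 7, tzinfo=timezone.utc)   # fixed clock for repeatability
    coll = sign_collection({"payments:1.4": MANIFEST}, version=3, valid_for_days=7, now=now)

    def attempt(label, collection=coll, manifest=MANIFEST, last_seen=1, at=now):
        try:
            verify_and_resolve(collection, "payments:1.4", manifest, last_seen, now=at)
            out[label] = "ok"
        except ValueError as err:
            out[label] = str(err).split(":")[0]

    attempt("valid")
    attempt("tampered_manifest", manifest=MANIFEST + b" ")     # untrusted mirror altered content
    attempt("expired", at=now + timedelta(days=8))            # stale metadata replayed
    attempt("rollback", last_seen=5)                          # older collection served
    forged = json.loads(json.dumps(coll))
    forged["signed"]["version"] = 9                           # metadata edited without the key
    attempt("forged_metadata", collection=forged)
    return out


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18} {outcome}")
```

The order of the checks is deliberate: the signature is verified before any field of the metadata is trusted, so an attacker who can edit the expiry or version on an untrusted mirror still cannot get past the first check without the publisher's key.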
19
What’s next…?
• The future is unclear…
• Hosts can be infected, images can be infected, apps can be exploited.
• Docker images, as an example, are vulnerable to malware infection, as
demonstrated at the Black Hat conference in 2017.
• There’s a need for a full open source security solution for containers based on
a next generation security logic:
• AM + IPS + WR (mandatory)
• Behaviour Monitoring (necessary)
• ML + AI (optional)
• Sandboxing (highly desired)
• There are no open source NextGen Anti-Malware, Firewalls or IPS/IDS tools
for containers today.
• Why? The container ecosystem is too sparse, the CNF presents dozens of
vendors/companies building solutions and standards for containers, there’s
no homogeneity. There’s no alignment across the ecosystem. There’s no
standard practice.
20
21
THANK YOU!
Follow us at:
@EXELERYS
LINKEDIN.COM/COMPANY/EXELERYS

Presented at OW2con'18, June 7-8, 2018, Paris.

 
Cacti and Big Data at Orange France, OW2online, June 2020
Cacti and Big Data at Orange France, OW2online, June 2020Cacti and Big Data at Orange France, OW2online, June 2020
Cacti and Big Data at Orange France, OW2online, June 2020
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris

7. Security Landscape = Customer Pain!
Technical dynamics:
• Evolving infrastructure
• Threat sophistication
• Speed of app changes
Customer pain:
• Lack of resources, need to simplify
• Threat protection & audit
• Performance across hybrid clouds
8. Security Landscape = Shared Responsibility
The Shared Responsibility Model: cloud provider or you?
Consumer (you):
• Data encryption
• Network traffic protection
• Platform, applications
• Operating system, network & firewall configuration
• Content and applications
Cloud provider:
• Foundation services: compute, storage, database, networking
• Global infrastructure: regions, domains, availability zones
9. Securing Containers – What?
• So the magical question comes into play: what do I need to secure when I am running containers?
  • The host?
  • The apps?
  • The images?
  • The permissions?
  • The users?
  • The consumers?
  • All of them?
  • None of them?
Note: choose all the right answers that apply…
10. Security Paradigm for Containers
• Containers run on top of an existing OS and share its kernel, whether we like it or not.
• A container still runs either an OS userland or an application (or both).
• Those workloads still depend on libraries.
• All containers on a host share the host kernel, and images built from a common base share its layers, so one vulnerable library (or one kernel bug) exposes many containers at once.
• We still carry every security responsibility from the traditional virtualization landscape:
  • Multi-tenancy / multi-user responsibilities.
  • App packaging sources.
  • Vulnerabilities / patching.
  • Accountability.
  • Accessibility.
  • Firewalling / traffic management.
  • RBAC.
  • etc.
11. Securing Containers – How?
The Linux kernel primitives every container runtime builds on:
• Resource control: cgroups (CPU, memory, PID and I/O limits per container, so one container cannot starve the host).
• Isolation: namespaces (PID, mount, network, user, IPC, UTS), which define what a process can see; a container that shares the host's PID or network namespace has given that isolation away.
• Mandatory access control: AppArmor / SELinux profiles confining what the container's processes may touch on the host.
• Fine-grained access: seccomp filters restricting which system calls the container may make.
Is that all…? Nothing else? SecDevOps? DevSecOps? No! There are a few NextGen solutions with a more in-depth approach covering the remaining conditions. Let's see them together!
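As an added example (not from the slides or from any tool they name), here is a Python audit of those four knobs as they surface in a container's HostConfig, the object `docker inspect` prints for a running container. The two HostConfig samples are constructed for this example, and the thresholds (which added capabilities count as dangerous, that a missing PID limit is a finding) are choices made for this example, not a standard.

```python
"""Audit the security-relevant HostConfig of a container.

Added example, not part of the original slides or of Docker. The input
mimics the `HostConfig` object printed by `docker inspect <container>`;
the two samples at the bottom are constructed. Each finding is tagged
with the kernel primitive it concerns: namespaces, MAC (AppArmor/SELinux),
seccomp, capabilities or cgroups.
"""
import json

# SecurityOpt entries that switch a whole protection off.
UNCONFINED = {"seccomp=unconfined", "apparmor=unconfined"}

# Added capabilities that amount to host root; the list is this example's choice.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "ALL"}


def audit_hostconfig(hc: dict) -> list[str]:
    """Return the findings for one container's HostConfig dict (empty = clean)."""
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities, no seccomp/AppArmor, host devices")
    # namespaces: sharing a host namespace removes that layer of isolation.
    if hc.get("PidMode") == "host":
        findings.append("namespaces: PID namespace shared with host")
    if hc.get("NetworkMode") == "host":
        findings.append("namespaces: network namespace shared with host")
    if hc.get("UsernsMode") == "host":
        findings.append("namespaces: user namespace remap disabled")
    # MAC and seccomp: docker stores explicit opt-outs as SecurityOpt strings.
    sec_opts = set(hc.get("SecurityOpt") or [])
    for opt in sorted(sec_opts & UNCONFINED):
        findings.append(f"{opt.split('=')[0]}: profile disabled ({opt})")
    nnp = any(o.startswith("no-new-privileges") and not o.endswith("false") for o in sec_opts)
    if not nnp:
        findings.append("no-new-privileges not set: setuid binaries can regain privileges")
    # capabilities
    for cap in hc.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"capabilities: {cap} added")
    # cgroups: in HostConfig a value of 0/null means "no limit".
    if not hc.get("Memory"):
        findings.append("cgroups: no memory limit")
    if not hc.get("PidsLimit"):
        findings.append("cgroups: no PID limit (a fork bomb can exhaust the host)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem writable")
    return findings


# Constructed samples, not real inspect output: a typical "dev" container
# and the same workload with the knobs set.
WEAK = {
    "Privileged": False, "PidMode": "host", "NetworkMode": "bridge", "UsernsMode": "",
    "SecurityOpt": ["seccomp=unconfined"], "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
    "Memory": 0, "PidsLimit": 0, "ReadonlyRootfs": False,
}
HARDENED = {
    "Privileged": False, "PidMode": "", "NetworkMode": "bridge", "UsernsMode": "",
    "SecurityOpt": ["no-new-privileges:true", "seccomp=/etc/docker/seccomp/web.json",
                    "apparmor=docker-default"],
    "CapAdd": [], "CapDrop": ["ALL"],
    "Memory": 256 * 1024 * 1024, "PidsLimit": 256, "ReadonlyRootfs": True,
}

if __name__ == "__main__":
    for name, hc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, json.dumps(audit_hostconfig(hc), indent=2))
```

The hardened sample is what `docker run --security-opt no-new-privileges --security-opt seccomp=<profile> --cap-drop ALL --memory 256m --pids-limit 256 --read-only` produces; the point of the audit is that none of those settings are defaults, so a container that was simply `docker run` with no flags will show several findings.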
12. Security Solutions for Containers – Vulnerabilities
• NeuVector open source CIS Kubernetes Benchmark: https://github.com/neuvector/kubernetes-cis-benchmark
13. Security Solutions for Containers – Vulnerabilities
• Aqua Security open source tool kube-bench: https://github.com/aquasecurity/kube-bench
  Automates the CIS Kubernetes Benchmark, making it easy for operators to check whether each node in their Kubernetes cluster is configured according to security best practices.
14. Security Solutions for Containers – Vulnerabilities
• CoreOS open source Clair: https://github.com/coreos/clair/ and https://coreos.com/clair/docs/latest/
  Clair is an open source project for the static analysis of vulnerabilities in appc and Docker containers. Because the analysis is static, the containers never need to be executed, so a vulnerable image can be detected before it is running on your systems. Clair works from the package metadata in the image layers, so it finds known CVEs in installed packages but not flaws in code compiled into an application or introduced at runtime. Clair is the security engine that the CoreOS Quay registry uses internally.
15. Security Solutions for Containers – Vulnerabilities
• Twistlock Developer Edition Container Security: https://www.twistlock.com/products/enterprise-container-security/ and https://www.twistlock.com/2016/02/17/free-developer-edition-is-here/
  • Vulnerability management: scanning container images to discover vulnerabilities that may exist in the various layers of the image.
  • Access control: fine-grained access control capabilities to guard access to Docker commands.
  • Runtime defence: policy-based protection for running containers on production servers.
16. Security Solutions for Containers – Analysis
• Anchore open source container analysis: https://anchore.com/opensource/
  • Pre-production analysis, vulnerability news feed.
  • Submit an image to be analysed.
  • See if your images have any known CVE vulnerabilities.
  • List all of the files in a particular image.
  • Evaluate your image against your custom security policy.
  • Subscribe to receive notifications when an image is updated.
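The two static-analysis slides above (Clair's per-layer vulnerability report and Anchore's custom policy evaluation) both come down to one decision: given the scan result, does this image get to run? The following Python is an added example of that gate, not code from Clair or Anchore. The input dict is shaped like the `Layer` object Clair's v1 API returns for `GET /v1/layers/<name>?features&vulnerabilities`; the sample layer and its package versions are constructed, the Heartbleed row uses the real CVE identifier, and the other two vulnerability IDs are placeholders, not real advisories.

```python
"""Gate an image on the result of a static vulnerability scan.

Added example; not code from Clair or Anchore. The input is shaped like
the `Layer` object Clair's v1 API returns (Features[].Name, .Version,
.Vulnerabilities[].Name/.Severity/.FixedBy); the sample layer below is
constructed. The policy is the kind of custom gate Anchore lets you
write: block on fixable findings at or above a severity, warn on the rest.
"""

# Clair's severity scale, lowest to highest.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5, "Defcon1": 6}


def evaluate_layer(layer: dict, block_at: str = "High",
                   block_only_fixable: bool = True) -> dict:
    """Apply the policy to one scanned layer.

    Returns {"decision": "ALLOW"|"BLOCK", "blocking": [...], "warnings": [...]}.
    A finding blocks when its severity is >= block_at and (if
    block_only_fixable) a fixed package version exists; everything else is
    returned as a warning so that nothing is silently dropped.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking, warnings = [], []
    for feat in layer.get("Features", []):
        pkg = f"{feat['Name']} {feat['Version']}"
        for vuln in feat.get("Vulnerabilities", []):
            sev = vuln.get("Severity", "Unknown")
            fix = vuln.get("FixedBy") or None          # "" means no fix published
            entry = {"package": pkg, "vuln": vuln["Name"], "severity": sev, "fixed_by": fix}
            severe = SEVERITY_RANK.get(sev, 0) >= threshold
            if severe and (fix or not block_only_fixable):
                blocking.append(entry)
            else:
                warnings.append(entry)
    return {"decision": "BLOCK" if blocking else "ALLOW",
            "blocking": blocking, "warnings": warnings}


# Constructed sample layer. The openssl row carries the real Heartbleed
# identifier; CVE-0000-0001 and CVE-0000-0002 are placeholders, not advisories.
SAMPLE_LAYER = {
    "Name": "sha256:" + "0" * 64,
    "NamespaceName": "debian:7",
    "Features": [
        {"Name": "openssl", "Version": "1.0.1e", "Vulnerabilities": [
            {"Name": "CVE-2014-0160", "Severity": "High", "FixedBy": "1.0.1g"}]},
        {"Name": "libexample", "Version": "0.9", "Vulnerabilities": [
            {"Name": "CVE-0000-0001", "Severity": "Critical", "FixedBy": ""}]},
        {"Name": "bash", "Version": "4.2", "Vulnerabilities": [
            {"Name": "CVE-0000-0002", "Severity": "Low", "FixedBy": "4.3"}]},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_layer(SAMPLE_LAYER), indent=2))
```

With the defaults the image is blocked for the fixable High finding only; the unfixed Critical is a warning because rebuilding the image would not remove it. Whether that is the right call is a policy question: set `block_only_fixable=False` to refuse anything Critical regardless, which is the stricter choice for internet-facing workloads.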
17. Security Solutions for Containers – Behaviour
• Sysdig open source Falco: https://sysdig.com/opensource/falco/
  Open source behavioural monitoring software designed to detect anomalous activity, based on the Sysdig monitoring technology. Sysdig Falco also works as an intrusion detection system on any Linux host. Build rules specific to your Kubernetes clusters to enforce policy across all your containers and microservices. Complete container visibility through a single daemon. Easily build rules and get informed immediately.
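To make concrete what "build rules" means for behavioural monitoring, here is an added Python example (not Falco's code) of the rule logic run over a constructed stream of process events. The events use Falco's field names (`evt.type`, `evt.is_open_write`, `container.id`, `proc.name`, `proc.pname`, `fd.name`, `user.name`); in a real deployment Falco's kernel driver produces them, here they are typed in by hand. The four rules and the allowlist of host processes that may read `/etc/shadow` are this example's choices.

```python
"""Behavioural rules over container process events, Falco-style.

Added example; not Falco's code. Events are constructed dicts using
Falco's field names; in a real deployment they come from the kernel via
Falco's driver. Each rule is, as in Falco, a predicate over one event
plus a priority and a name used in the alert.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    priority: str
    condition: Callable[[dict], bool]


SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
PKG_MGRS = {"apt", "apt-get", "apk", "yum", "dnf", "pip"}
SENSITIVE = {"/etc/shadow", "/etc/sudoers", "/etc/passwd"}
# Processes for which reading these files is routine; constructed allowlist.
SENSITIVE_READERS_OK = {"sshd", "login", "sudo"}


def in_container(e: dict) -> bool:
    # Falco reports container.id == "host" for processes outside any container.
    return e.get("container.id") not in (None, "", "host")


RULES = [
    Rule("Terminal shell in container", "WARNING",
         lambda e: e.get("evt.type") == "execve" and in_container(e)
         and e.get("proc.name") in SHELLS),
    Rule("Write below /etc in container", "ERROR",
         lambda e: e.get("evt.type") in ("open", "openat") and in_container(e)
         and e.get("evt.is_open_write") is True
         and str(e.get("fd.name", "")).startswith("/etc/")),
    Rule("Package management in running container", "ERROR",
         lambda e: e.get("evt.type") == "execve" and in_container(e)
         and e.get("proc.name") in PKG_MGRS),
    Rule("Read sensitive file", "WARNING",
         lambda e: e.get("evt.type") in ("open", "openat")
         and e.get("fd.name") in SENSITIVE
         and e.get("proc.name") not in SENSITIVE_READERS_OK),
]


def detect(events):
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for e in events:
        for rule in RULES:
            if rule.condition(e):
                alerts.append({
                    "rule": rule.name, "priority": rule.priority,
                    "container": e.get("container.id"), "user": e.get("user.name"),
                    "proc": e.get("proc.name"), "parent": e.get("proc.pname"),
                    "target": e.get("fd.name") or e.get("proc.cmdline"),
                })
    return alerts


# Constructed event stream: a web container into which a shell is dropped.
SAMPLE_EVENTS = [
    {"evt.type": "execve", "container.id": "3f2a", "container.image": "web:1.2",
     "proc.name": "nginx", "proc.pname": "containerd-shim", "user.name": "root",
     "proc.cmdline": "nginx -g daemon off;"},
    {"evt.type": "execve", "container.id": "3f2a", "container.image": "web:1.2",
     "proc.name": "sh", "proc.pname": "nginx", "user.name": "root", "proc.cmdline": "sh -i"},
    {"evt.type": "openat", "container.id": "3f2a", "container.image": "web:1.2",
     "proc.name": "sh", "proc.pname": "nginx", "user.name": "root",
     "fd.name": "/etc/ld.so.preload", "evt.is_open_write": True},
    {"evt.type": "execve", "container.id": "3f2a", "container.image": "web:1.2",
     "proc.name": "apt-get", "proc.pname": "sh", "user.name": "root",
     "proc.cmdline": "apt-get install -y netcat"},
    {"evt.type": "open", "container.id": "host", "proc.name": "cat", "proc.pname": "bash",
     "user.name": "alice", "fd.name": "/etc/shadow", "evt.is_open_write": False},
    {"evt.type": "execve", "container.id": "host", "proc.name": "bash", "proc.pname": "sshd",
     "user.name": "alice", "proc.cmdline": "-bash"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['priority']}] {a['rule']}: container={a['container']} "
              f"user={a['user']} proc={a['proc']} parent={a['parent']} target={a['target']}")
```

The interesting signal is the parent process: `sh` spawned by `nginx` is an exploit landing, while `bash` spawned by `sshd` on the host is an administrator logging in, and the first rule only fires inside a container for that reason. Rules like these are only as good as the allowlists around them, so expect to tune them per image.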
18. Security Solutions for Containers – Distribution
• Notary open source: https://github.com/theupdateframework/notary
  Image forgery and tampering is a major security concern for Docker-based deployments. Notary is a tool for publishing and managing trusted collections of content. You can approve trusted publishers and create signed collections, in a similar fashion to the software repository management tools present in modern Linux distributions, but for Docker images. Notary's goals include guaranteeing image freshness (the most up-to-date content, to avoid known vulnerabilities), trust delegation between users, and trusted distribution over untrusted mirrors or transport channels.
  Note: Notary is an implementation of The Update Framework (TUF): https://theupdateframework.github.io/
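The three guarantees listed on this slide (freshness, trust in the publisher, safe distribution over an untrusted mirror) are each a separate check on the client. The Python below is an added example of those checks, not Notary's code: it signs a small TUF-style targets file and then verifies it the way a pulling client would. The signature is an HMAC-SHA256 over canonical JSON, a stand-in for the Ed25519/ECDSA signatures Notary really uses, chosen so the example runs on the standard library alone; the publisher key, manifest bytes and dates are constructed.

```python
"""Verify signed target metadata before trusting an image manifest.

Added example; not Notary's code. The client pins the publisher key,
checks the signature on the targets metadata, refuses expired metadata
(freshness), refuses a version older than the last one it saw (rollback)
and only then checks that the manifest fetched from an untrusted mirror
matches the pinned digest and length. HMAC-SHA256 stands in for the
asymmetric signature Notary uses. Keys, digests, dates and the manifest
bytes are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


class TrustError(Exception):
    """Raised when any step of the verification fails."""


def canonical(obj) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_targets(signed: dict, key: bytes) -> dict:
    """Publisher side: wrap the 'signed' section with a signature."""
    sig = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    keyid = hashlib.sha256(key).hexdigest()[:16]
    return {"signed": signed, "signatures": [{"keyid": keyid, "sig": sig}]}


def verify_and_resolve(meta, trusted_key, target, blob, last_version, now):
    """Client side: return the metadata version if blob is trusted for target."""
    signed = meta["signed"]
    # 1. Signature by the pinned publisher key (rejects tampered metadata).
    expected = hmac.new(trusted_key, canonical(signed), hashlib.sha256).hexdigest()
    if not any(hmac.compare_digest(s["sig"], expected) for s in meta.get("signatures", [])):
        raise TrustError("targets metadata not signed by trusted key")
    # 2. Freshness: an old but validly signed file can point at vulnerable content.
    if now >= datetime.fromisoformat(signed["expires"]):
        raise TrustError("targets metadata expired")
    # 3. Rollback: a mirror must not serve a lower version than already seen.
    if signed["version"] < last_version:
        raise TrustError("rollback: version older than last seen")
    # 4. Content pinning: the manifest must match the signed digest and length.
    entry = signed["targets"].get(target)
    if entry is None:
        raise TrustError(f"{target} not in trusted collection")
    digest = hashlib.sha256(blob).hexdigest()
    if len(blob) != entry["length"] or not hmac.compare_digest(digest, entry["hashes"]["sha256"]):
        raise TrustError("manifest does not match pinned digest")
    return signed["version"]


def trust_decision(meta, trusted_key, target, blob, last_version, now):
    """Convenience wrapper: ('ALLOW', version) or ('DENY', reason)."""
    try:
        return ("ALLOW", verify_and_resolve(meta, trusted_key, target, blob, last_version, now))
    except TrustError as err:
        return ("DENY", str(err))


# Constructed material for the demonstration.
PUBLISHER_KEY = b"constructed-publisher-key"
MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:constructed"}}'
TARGETS = {
    "_type": "targets", "version": 3, "expires": "2099-01-01T00:00:00+00:00",
    "targets": {"latest": {"length": len(MANIFEST),
                           "hashes": {"sha256": hashlib.sha256(MANIFEST).hexdigest()}}},
}
SIGNED = sign_targets(TARGETS, PUBLISHER_KEY)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2100, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(trust_decision(SIGNED, PUBLISHER_KEY, "latest", MANIFEST, 2, NOW))
    print(trust_decision(SIGNED, PUBLISHER_KEY, "latest", MANIFEST + b"\n", 2, NOW))
```

The order of the checks matters: the signature is verified before any field of the metadata is believed, and the digest comparison happens last, because a mirror that cannot forge the signature can still replay an old, validly signed file or serve a different blob, which the expiry, version and digest checks catch respectively.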
19. What's next…?
• The future is unclear…
• Hosts can be infected, images can be infected, apps can be exploited.
• Docker images, as an example, are vulnerable to malware infection, as demonstrated at the Black Hat conference in 2017.
• There is a need for a full open source security solution for containers based on next-generation security logic:
  • AM + IPS + WR (mandatory)
  • Behaviour monitoring (necessary)
  • ML + AI (optional)
  • Sandboxing (highly desired)
• There are no open source NextGen anti-malware, firewall or IPS/IDS tools for containers today.
• Why? The container ecosystem is too sparse: the CNCF landscape lists dozens of vendors and companies building solutions and standards for containers, with no homogeneity, no alignment across the ecosystem and no standard practice.
21. THANK YOU!
Follow us at: @EXELERYS
LINKEDIN.COM/COMPANY/EXELERYS