Cloudreach has built a framework for adopting containers within the enterprise. I shared our framework and perspective with the AWS TechConnect audience.
2. Alex Rhea
Cloud Enablement Leader @ Cloudreach
- Have worked with organizations to build hyper-scale infrastructure
- Driver of immutable infrastructure and automation over humans
- Designed and implemented CaaS platforms for large enterprises
- Creator and Maintainer of Harbor Master, a Docker Node.js SDK
- Proud Hokie, Golf enthusiast, and Caps fan
/alexandermrhea  arhea_arhea  alex.rhea@cloudreach.com
3. How do containers change what we do and how we do it?
Our Perspective
4. Containers at the core are an application packaging format.
Yet containers require organizations to rethink the way software is
delivered, managed and secured.
Cloudreach works with customers to efficiently and effectively adopt
containers and gain better insight into their applications.
5. Right Tool, Right Job
The container market is crowded, and it can be hard to identify the right tool for each job, or the tools and
processes needed to adopt containers successfully.
6. Layers of Container Security
Layers: Network, Host, Platform, Container, Data.
Similar to traditional infrastructure, a layered security model is required to deploy containers successfully. Building a secure
Containers as a Service platform requires securing the network, the host, the platform, the container, and the data.
7. One of the most important pieces of container adoption is managing
image sprawl.
Done correctly, this allows organizations to patch applications
faster than ever.
It also shifts organizations from being reactive to proactive.
8. Base Image Management
Base images should be centrally managed so that all applications can be patched.
Security + Platform Teams:
- Development of base images (Java, Node.js, etc.)
- Automated CI/CD to central registry
- Docker Registry with vulnerability scanning and alerting
- Automated reporting and alerting
Application Teams:
- Development teams build applications on top of base images
- Automated CI/CD to central registry
- Image scanning
- Image automatically deployed to production
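The base image model above only works if application teams cannot quietly build on an arbitrary public image or a mutable tag. The following is an added example, not Cloudreach's tooling or anything from the original deck: a CI-side policy check that walks every FROM line in a Dockerfile and requires it to come from an assumed central registry (registry.example.internal/base/) and to be pinned by sha256 digest. The registry hostname, the digests and the sample Dockerfiles are all constructed for the example.

```shell
#!/bin/sh
# Added example, not Cloudreach's own tooling: a CI-side policy check that
# enforces the base-image model. Every FROM line in an application Dockerfile
# must reference the assumed central registry and pin the image by digest, so
# application teams can only build on bases that the security and platform
# teams publish and scan. Registry hostname and digests are assumptions.

CENTRAL_REGISTRY="registry.example.internal/base/"   # assumed; adjust per estate

# check_base_images DOCKERFILE -> exit 0 when compliant, 1 otherwise.
# Prints one diagnostic per offending FROM line.
check_base_images() {
    dockerfile=$1
    violations=0
    # Stage names declared with "FROM ... AS name" may be reused by later FROMs.
    aliases=$(awk 'toupper($1) == "FROM" { for (i = 2; i < NF; i++) if (toupper($i) == "AS") print $(i + 1) }' "$dockerfile")
    # The image reference is the first FROM argument that is not a flag such as --platform=.
    refs=$(awk 'toupper($1) == "FROM" { for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break } }' "$dockerfile")
    for ref in $refs; do
        for alias in $aliases; do
            [ "$ref" = "$alias" ] && continue 2   # reuse of an earlier build stage is fine
        done
        case "$ref" in
            "$CENTRAL_REGISTRY"*) ;;
            *)
                echo "$dockerfile: $ref is not from the central registry $CENTRAL_REGISTRY"
                violations=$((violations + 1))
                continue
                ;;
        esac
        # A tag alone is mutable; require a full sha256 digest so the exact scanned image is used.
        if ! printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
            echo "$dockerfile: $ref is not pinned by digest"
            violations=$((violations + 1))
        fi
    done
    [ "$violations" -eq 0 ]
}

# Constructed sample Dockerfiles for a stand-alone run (not from the original page).
SAMPLE_DIR=$(mktemp -d)
DIGEST=$(printf '%064d' 0)   # placeholder digest; a real one comes from the registry
cat > "$SAMPLE_DIR/Dockerfile.compliant" <<EOF
FROM ${CENTRAL_REGISTRY}node:10@sha256:${DIGEST} AS build
WORKDIR /app
COPY . .
RUN npm ci --only=production
FROM ${CENTRAL_REGISTRY}node:10-slim@sha256:${DIGEST}
COPY --from=build /app /app
CMD ["node", "/app/server.js"]
EOF
cat > "$SAMPLE_DIR/Dockerfile.public" <<EOF
FROM node:10
COPY . /app
CMD ["node", "/app/server.js"]
EOF
cat > "$SAMPLE_DIR/Dockerfile.unpinned" <<EOF
FROM ${CENTRAL_REGISTRY}openjdk:8
COPY app.jar /app.jar
CMD ["java", "-jar", "/app.jar"]
EOF

for f in "$SAMPLE_DIR"/Dockerfile.*; do
    if check_base_images "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```

Run this as an early pipeline stage, before the image is built, so a pull request that drifts to a public image or an unpinned tag fails fast. Digest pinning also means the image that passed scanning is byte-for-byte the one that reaches production; the trade-off is that base image updates must be rolled out by bumping the digest, which is exactly the controlled patch path the slide describes.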
9. Awesome, all our applications and dependencies are in one place!
But how do we ship code?
10. Delivering Secure Containers to Production
As enterprises ship more and more software it becomes increasingly difficult to manage production estates and even more
difficult to maintain security.
11. We are now shipping code faster and more securely than ever, but who
does what?
Surrounding our container environments with a proper operating model
is key to a successful platform.
12. Responsibility
Container security starts with the responsibility model. Containers enable Infrastructure, Development, and Security teams to work together by creating clean partitions between responsibilities.
Diagram layers: On-Premises Hardware / Public Cloud Provider; Docker Platform; Applications.
Teams shown: Infrastructure Teams, Application Development Teams, Security Team.
13. Containers are best when they can be deployed in an ephemeral
manner. That’s great, but my application needs persistent storage.
How do I bring storage to my containers if I don’t know where my
containers are running?
14. Managing Data
Containers are ephemeral instances of the application; therefore a persistence layer between the container and disk is needed to facilitate data storage. Where possible we always recommend leveraging platform services such as hosted databases, caches, and queues.
Diagram: an Instance running the Docker Daemon and a Volume Driver, with Application containers attached.
A container requests a persistent disk. Docker or Kubernetes calls the Volume Driver plugin to provide a cloud native disk.
The RexRay volume driver by Dell EMC Labs brokers the API calls to attach a disk (EBS, EFS, Persistent Disk, or Unmanaged Disk) to the instance and mount it directly into the container.
15. Our containers are now running and storing data, but do we know how
they are doing?
Centralized container monitoring and logging is critical to a successful
container deployment.
16. Centralized Monitoring and Logging
Access to monitoring and logs is critical in an ephemeral environment.
- Centralized Logging Platform: logs are streamed from containers to a central storage facility such as CloudWatch.
- Log Analysis: logs should be continually analyzed for errors, PII, and performance concerns. Macie and Athena are great tools for doing this at scale.
- Centralized Monitoring Data: centralize data so that it can be correlated.
- Network Monitoring: analyze network traffic using GuardDuty and Twistlock.
- CVE Monitoring: application components (containers) should be scanned continually for CVEs and remediated.
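The Log Analysis point above names Macie and Athena for doing this at scale; the following is an added example, not Cloudreach's tooling or code from the deck, showing what the analysis itself looks like on a handful of container log lines. It reports ERROR-level lines, e-mail addresses, and 16-digit numbers that pass the Luhn check, so that likely payment card numbers are flagged while 16-digit order ids are not. The log format ("<timestamp> <LEVEL> <message>") and every sample line are constructed for the example.

```shell
#!/bin/sh
# Added example, not Cloudreach's tooling: a first-pass log scanner for the
# review the slide calls for. It walks container log lines and reports ERROR
# lines, e-mail addresses, and 16-digit numbers that pass the Luhn check
# (likely payment card numbers), so PII can be flagged before logs are retained.
# The log format is assumed: "<timestamp> <LEVEL> <message>".

# luhn_ok DIGITS -> 0 if the digit string passes the Luhn checksum, 1 otherwise.
luhn_ok() {
    printf '%s\n' "$1" | awk '{
        n = length($0); sum = 0
        for (i = n; i >= 1; i--) {
            d = substr($0, i, 1) + 0
            if ((n - i) % 2 == 1) { d *= 2; if (d > 9) d -= 9 }   # double every second digit from the right
            sum += d
        }
        exit (sum % 10 == 0) ? 0 : 1
    }'
}

# digit_runs_16 LINE -> prints every maximal run of exactly 16 digits in LINE.
digit_runs_16() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            s = $i; gsub(/[^0-9]/, " ", s)
            n = split(s, a, " ")
            for (j = 1; j <= n; j++) if (length(a[j]) == 16) print a[j]
        }
    }'
}

# scan_log FILE -> one line per finding: "<KIND><TAB><original log line>".
scan_log() {
    while IFS= read -r line; do
        case "$line" in *" ERROR "*) printf 'ERROR\t%s\n' "$line" ;; esac
        if printf '%s\n' "$line" | grep -Eq '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'; then
            printf 'EMAIL\t%s\n' "$line"
        fi
        for num in $(digit_runs_16 "$line"); do
            # Luhn filters out ids and counters that merely happen to be 16 digits long.
            if luhn_ok "$num"; then printf 'CARD\t%s\n' "$line"; break; fi
        done
    done < "$1"
}

# count_log_findings FILE KIND -> how many findings of KIND (ERROR, EMAIL, CARD) FILE produced.
count_log_findings() {
    scan_log "$1" | awk -F "$(printf '\t')" -v kind="$2" '$1 == kind { c++ } END { print c + 0 }'
}

# Constructed sample log for a stand-alone run (not taken from any real system).
LOG_FILE=$(mktemp)
cat > "$LOG_FILE" <<'EOF'
2019-03-01T10:00:01Z INFO request id=8f3c path=/checkout status=200
2019-03-01T10:00:02Z ERROR payment gateway timeout after 30000ms
2019-03-01T10:00:03Z INFO user jane.doe@example.com logged in
2019-03-01T10:00:04Z DEBUG card=4111111111111111 accepted
2019-03-01T10:00:05Z INFO order=1234567890123456 queued
2019-03-01T10:00:06Z WARN slow query took 2400ms
EOF

scan_log "$LOG_FILE"
```

On the sample above the scanner reports one ERROR line, one e-mail address and one card number: the DEBUG line carries a Luhn-valid test card number, while the 16-digit order id on the INFO line fails the checksum and is left alone. A CARD finding in application logs is a bug in the application, not just a logging problem; the fix is to stop the value reaching the logger, and then to purge what was already shipped to the central store.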
17. I hear “containers are more secure.” But how does this work?
Containers are a packaging format which allows us to lock down and
monitor all aspects of the container toolchain and runtime.
18. Cloudreach has partnered with Twistlock to secure container based
applications, networks, and pipelines.
Twistlock is a turn key security solution for container vulnerability
management, run time defense, and container firewalls.
24. There are many steps along the way to successfully adopting
containers. Containers are a critical piece to many cloud journeys.
This all seems so easy, where do we get started?
25. Container Adoption
Containers follow a very similar process to cloud adoption within the enterprise. We combine assessments and planning into Container Adoption, which drives successful implementations.
Phases: Assess, Plan, Build, Automate, Operate
Assess
- Assess application container readiness
- Assess security, deployment, logging, and monitoring tooling
- Assess high availability, disaster recovery, and backup requirements
- Assess licensing and the COTS product estate, and the implications of containerizing
Plan
- Container as a Service High Level Design (HLD)
- Kubernetes vs Swarm Selection Framework
- Containerize vs Hosted Service Framework
- Migration, Training, Security, and Operational Planning
Deliverables: Container Readiness Assessment, Container Governance Model
26. Container Platforms At Scale
Based on our assessment and planning phases we help organizations build highly available, scalable, and fault tolerant environments using code.
Build
- Using Terraform we build out the CaaS platform as code
- Using Packer we build repeatable machine image creation processes based on enterprise policies and industry best practices
- Integrate Active Directory, LDAP, or IAM with the CaaS platform (varies based on platform)
- Integrate security tooling with the CaaS platform
- Integrate monitoring and logging platforms with the CaaS platform
- Deploy Development, Staging, and Production platforms
- Containerize and replatform the application for optimal performance and maintainability
- Define applications as code using Docker Compose or Kubernetes tooling
Deliverables: Containers as a Service Platform, Containerized Applications (building on the Container Readiness Assessment and Container Governance Model)
27. Automating Infrastructure and Software Delivery
Containers enable organizations to deliver software and infrastructure in a fully automated fashion.
Automate
- Build a Jenkins pipeline to build, test, scan, and deploy containers based on enterprise, regulatory, and industry best practices
- Integrate automated unit, integration, and UX testing into the CI/CD pipeline
- Implement a Blue/Green, Canary, or Rolling deployment strategy
- Implement automated health checks and resolutions
- Implement automated security checks for best practices and security standards to catch misconfigurations
- Implement automated machine image rollout strategies to roll out new machine images with the latest patches after testing in lower environments
- Implement an automated infrastructure deployment pipeline for rolling out new infrastructure
Deliverables: Automated Software Delivery, Automated Infrastructure Delivery (building on the Containers as a Service Platform, Containerized Applications, Container Readiness Assessment, and Container Governance Model)
We talked earlier about Twistlock being a full-lifecycle platform. Before we move into a product demo – I want to set the stage by sharing how our product capabilities map to the application delivery lifecycle.
What we begin with is compliance and vulnerability management. During the build stage, Twistlock integrates with the DevOps toolchain to scan applications and detect vulnerabilities or compliance issues. We allow you to block or fail builds – preventing code with violations from reaching production.
As applications are deployed – we continue to monitor the vulnerability and compliance posture – but also layer in our cloud native firewalls and threat protection / runtime defense capabilities. These are an automatically-deployed layer of protection that uses machine learning to create security models, and integration with orchestration platforms to dynamically enforce network security policy.
Our integration across the full lifecycle allows us to provide stronger results at every stage within the lifecycle – whether it’s using knowledge of your production deployment to provide prioritization of vulnerabilities identified in registries, or using the scanning we do during the build process to automatically create the core of models to enforce at runtime.
When you’re continuously deploying – you can’t rely on manual security processes. With Twistlock, we use machine learning and behavioral modeling to automatically create a profile of every application at every build. This whitelist based profile outlines known good behavior across processes, filesystem, network calls, and system calls – shifting you from a posture of keeping up with all known threats, to one of explicitly allowing only known good actions.
This whitelist-based approach strengthens your overall security – and because we automatically create these policies – no manual learning mode or user intervention required – you get stronger protection without sacrificing speed.
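To make the whitelist idea concrete, here is an added example that is not Twistlock's code and does not reproduce how its profiles are built: a per-image allowlist of processes, outbound destinations and directory prefixes, and a check that compares a stream of runtime events against it and reports every event the profile does not cover. The profile and event formats, the hypothetical image name web:1.4 and all addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not Twistlock's code: the allowlist ("known good") model from
# the notes above reduced to a shell check. A per-image profile lists the
# processes an image may run, the outbound destinations it may contact and the
# directories it may touch; runtime events are compared against it and anything
# the profile does not cover is reported as a deviation. The profile and event
# formats are assumed, and the image name web:1.4 is hypothetical.

PROFILE_FILE=$(mktemp)
EVENTS_FILE=$(mktemp)

# Constructed profile for the hypothetical image web:1.4, one "kind value" rule per line.
# process: executable name; network: destination host:port; file: directory prefix.
cat > "$PROFILE_FILE" <<'EOF'
process node
process sh
network 10.0.20.5:5432
network 10.0.30.7:6379
file /app/
file /tmp/
EOF

# Constructed runtime events: "<timestamp> <kind> <value>".
cat > "$EVENTS_FILE" <<'EOF'
2019-03-01T10:00:01Z process node
2019-03-01T10:00:02Z network 10.0.20.5:5432
2019-03-01T10:00:03Z file /app/config.json
2019-03-01T10:00:04Z process curl
2019-03-01T10:00:05Z network 203.0.113.9:443
2019-03-01T10:00:06Z file /etc/shadow
2019-03-01T10:00:07Z process node
EOF

# is_allowed KIND VALUE -> 0 if the profile permits the event, 1 otherwise.
is_allowed() {
    kind=$1; value=$2
    if [ "$kind" = file ]; then
        # File rules are directory prefixes: any path under an allowed directory is fine.
        while read -r rule_kind prefix; do
            [ "$rule_kind" = file ] || continue
            case "$value" in "$prefix"*) return 0 ;; esac
        done < "$PROFILE_FILE"
        return 1
    fi
    # Process and network rules must match the whole line exactly (no regex, no substring).
    grep -Fxq "$kind $value" "$PROFILE_FILE"
}

# find_deviations EVENTS -> prints one line per event the profile does not cover.
find_deviations() {
    while read -r ts kind value; do
        case "$kind" in process|network|file) ;; *) continue ;; esac
        if ! is_allowed "$kind" "$value"; then
            printf '%s DEVIATION %s %s\n' "$ts" "$kind" "$value"
        fi
    done < "$1"
}

# count_deviations EVENTS -> number of deviations, for gating or alert thresholds.
count_deviations() {
    find_deviations "$1" | wc -l | tr -d ' '
}

find_deviations "$EVENTS_FILE"
```

On the constructed events the check reports three deviations: an unexpected curl process, a connection to an address outside the profile, and a read of /etc/shadow. Two caveats a real enforcement layer has to handle and this sketch does not: file paths need normalizing before prefix matching (a path like /tmp/../etc/shadow must not pass), and the profile must be tied to the exact image digest that was scanned, otherwise a rebuilt image silently inherits an allowlist that no longer describes it.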
Twistlock doesn’t just deliver application protection though. We’ve also built layer 3 and layer 7 firewalls that are container aware and integrate seamlessly with dynamically orchestrated environments. Instead of being bound to static IP endpoints – the protection from these firewalls follows your applications – no matter how your environment shifts – again – without user intervention to make configuration changes.
Twistlock delivers industry-leading precision. We curate over 30 distinct vulnerability feeds to deliver to customers the lowest possible false positive rate. When scanning for vulnerabilities – false positives create churn and make it harder to address risks in a timely fashion. That’s why we don’t ask our customers to accept a certain false positive rate – if Twistlock returns a false positive during vuln scanning – that’s a bug in the product.
But even when removing false positives from the equation – it can be difficult to know what vulnerabilities need to be addressed first. That’s why Twistlock automatically generates a risk score for every detected CVE in your environment – a risk score based on the nature of the vulnerability, as well as how your applications are deployed and running. By tailoring this prioritization to your specific environment – teams can focus on remediation for the most important risks first.
We mentioned earlier our authorship of the NIST SP on container security. The work done there is built into the platform. In less than a minute, you can apply the NIST recommendations to your environment or any portion of it – the same is true with FISMA, GDPR, PCI DSS and HIPAA.
These templates are only a subset of Twistlock’s comprehensive compliance controls, with full support for the Docker and Kubernetes CIS benchmarks, and a centralized compliance dashboard that provides audit teams with a single pane of glass to inspect current and historical compliance across all elements of your cloud native environment.
It’s our belief that security shouldn’t be an operational burden. Traditional security tools, and a lot of other container security solutions as well often require developers to step out of their toolchain to see the security posture of applications they’re building. With Twistlock, our goal is to meet developers where they already are. We have a native Jenkins plugin and a standalone scanner that works with any CI/CD tool – to deliver vulnerability and compliance scan results directly to developers; without requiring them to leave the tools they already use. In addition to this visibility, Twistlock can block or fail builds that exceed user-defined thresholds – so you can prevent risky or non-compliant applications from reaching sensitive environments.
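Both the Automate phase above ("build, test, scan, and deploy") and the notes on failing builds above a user-defined threshold come down to the same pipeline step. The following is an added example, not Cloudreach's or Twistlock's code: a shell gate any CI tool can call after the scanner runs. It reads a scan report in an assumed, constructed format (one finding per line: ID SEVERITY PACKAGE FIX_VERSION, with "none" when no fix exists) and blocks the deploy when any CRITICAL finding exists or when the number of fixable HIGH findings exceeds a limit. The finding ids, packages and versions are placeholders, not real CVEs.

```shell
#!/bin/sh
# Added example, not Cloudreach's or Twistlock's code: the "fail the build above
# a threshold" step as a shell gate that any CI tool can call. It reads a scan
# report in an assumed, constructed format (one finding per line: ID SEVERITY
# PACKAGE FIX_VERSION, "none" when no fix exists) and blocks the deploy when any
# CRITICAL finding exists or when fixable HIGH findings exceed a limit.
# Unfixable HIGH findings are reported for tracking but do not block on their own.

# count_vulns REPORT SEVERITY [fixable] -> number of findings at SEVERITY;
# with a third argument of "fixable", only those that have a fix version.
count_vulns() {
    awk -v sev="$2" -v mode="$3" '
        /^#/ || NF == 0 { next }                                   # skip comments and blank lines
        $2 == sev && (mode != "fixable" || $4 != "none") { c++ }
        END { print c + 0 }' "$1"
}

# gate REPORT MAX_FIXABLE_HIGH -> 0 = allow, 1 = block. Prints the decision and why.
gate() {
    report=$1; max_high=$2
    critical=$(count_vulns "$report" CRITICAL)
    high_fixable=$(count_vulns "$report" HIGH fixable)
    high_total=$(count_vulns "$report" HIGH)
    echo "critical=$critical high_fixable=$high_fixable high_unfixable=$((high_total - high_fixable))"
    if [ "$critical" -gt 0 ]; then
        echo "BLOCK: $critical critical finding(s)"; return 1
    fi
    if [ "$high_fixable" -gt "$max_high" ]; then
        echo "BLOCK: $high_fixable fixable high finding(s) exceeds limit of $max_high"; return 1
    fi
    echo "ALLOW"
    return 0
}

# Constructed reports; ids, packages and versions are placeholders, not real CVEs.
REPORT_A=$(mktemp); REPORT_B=$(mktemp)
cat > "$REPORT_A" <<'EOF'
# ID        SEVERITY  PACKAGE   FIX
VULN-0001   HIGH      openssl   1.1.1c
VULN-0002   MEDIUM    curl      none
VULN-0003   HIGH      libxml2   none
VULN-0004   LOW       bash      5.0
VULN-0005   HIGH      zlib      1.2.12
EOF
{ cat "$REPORT_A"; echo "VULN-0006   CRITICAL  glibc     2.29"; } > "$REPORT_B"

# Three runs: blocked by the HIGH limit, allowed, blocked by a single CRITICAL.
for args in "$REPORT_A 0" "$REPORT_A 2" "$REPORT_B 5"; do
    set -- $args
    if gate "$1" "$2"; then echo "-> build continues"; else echo "-> build fails"; fi
done
```

The choice to count only fixable HIGH findings against the limit is deliberate: a finding with no vendor fix cannot be remediated by rebuilding the image, so blocking on it stalls every deploy without reducing risk. Those findings still need tracking and a compensating control, which is why the gate prints them rather than ignoring them. CRITICAL findings block regardless, on the assumption that a critical issue with no fix warrants a human decision rather than an automatic deploy.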