This document discusses cloud-native security and the challenges of securing containerized and microservices-based applications in cloud environments. It outlines a maturity model for cloud-native security with stages like image acceptance, least privilege at runtime, container immutability, and immediate incident response. The document also provides checklists and best practices for securing Kubernetes clusters, container images, and the container build pipeline to help bridge the gap between development, operations, and security in cloud-native applications.

1. Cloud-Native Security
New approach for a new reality
Tsvi Korren, Aqua

2. 2
What do we mean by Cloud-Native?
Made to run
in the cloud
(public, private, hybrid)
App payload is
decoupled from
the infrastructure
Orchestrated for
updateability, scaling
and resilience
App is based on
loosely-coupled
microservices

3. 3
The rules still need to apply
l Risk mitigation, vulnerabilities, integrity
l Deployment authorization, visibility, inventory
l Operational administration and change control
l Secrets management and secure configuration
l Network segmentation of microservices
l SOC and incident response

4. 4
The Challenge
Cloud-Native deployments natively lack support
for effective and demonstrable security
required by business-critical applications
Organization:
DevOps ó Security
Process:
Where to secure
Technology:
How to secure

5. 5
Urgent need to bridge the gap
CI/CD
Images
Kubernetes
Cloud
Compliance
Access Controls
Intrusion Prevention
Forensics

6. 6
Changes in process
Config
software
Assess
Risk
Coding
Static
Analysis
Compile
package
Deploy
Get Base
Image
Using
Servers
Using
Containers
Deploy Fix Risks
Build
Image
Fix Risks
Scan
Server
Get Base
Image
Coding
Static
Analysis
Deploy
Build
Image
Fix Risks
Coding
Static
Analysis
Provision
Server

7. 7
Diminishing ability to execute controls
Container
Orchestration
Host
Network
Data Center
Serverless
Functions
App Payload
Container
Orchestration
Host
Network
Data Center
Containers
as service
App Payload
Container
Orchestration
Host
Network
Data Center
Managed
Containers
App Payload
Container
Orchestration
Host
Network
Data Center
Cloud VMs
App Payload
Container
Orchestration
Host
Network
Data Center
On Premises
App Payload
Packaging
Development
Packaging
Development
Packaging
Development
Packaging
Development
Packaging
Development

8. 8
Our Goal
Security as a
shared
responsibility
Automate security
as a natural part of
DevOps processes
Protect workloads
with focus on
prevention
Make containers the most secure, predictable
and controlled platform for running critical
applications

9. 9
We have an opportunity to be more precise
Accounting for every vulnerability
and possible threat is untenable
Know what to keep safe,
and how to defend it

10. 10
We have an opportunity to simplify
Too many manual security options
and rules become ineffective
Protect immutable workloads, with
rules generated over the pipeline

11. Stages of Cloud Native security maturity
Image acceptance
Run with least privileges
Network controls
Container immutability
Application context authorization
Immediate incident response
Cluster Hygiene
RBAC
Minimal OS
Compliance Checks

12. 12
The Orchestration System
Easily
misconfigured
Handles
Secrets
Runs
Everywhere
Operates
as root

13. 13
l Restrict network access to the Kubernetes API addresses and ports
l Use separate authentication for each authorized user
l Patch and upgrade Kubernetes as needed
l Control access from production Kubernetes to public registries
Kubernetes security checklist

14. 14
Kubernetes assessment

15. Stages of Cloud Native security maturity
Image acceptance
Run with least privileges
Network controls
Container immutability
Application context authorization
Immediate incident response
Image Hygiene
Vulnerability scanning
Compliant configuration
Approved base images
Cluster Hygiene
RBAC
Minimal OS
Compliance Checks

16. 16
l Use the smallest image possible for your project
l Avoid storing keys and other sensitive data in the image
l Add the minimal number of packages required for your application
l Use dedicated users, non-standard ports
l Remove utilities at the end of the build (useradd, chown, curl)
l Scan the finished product
Image security checklist

17. 17
Top base container images
5.28 MB
95.93 MB
84.79 MB
192.44 MB

18. 18
Scanning images
{
"name": "CVE-2016-7444",
"description": "nThe gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and
3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote
attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left
by gnutls_malloc.nA flaw was found in the way GnuTLS validated certificates using OCSP responses. This
could falsely report a certificate as valid under certain circumstances.",
"nvd_score": 5,
"nvd_score_version": "CVSS v2",
"nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"nvd_severity": "medium",
"nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444",
"vendor_score": 4.3,
"vendor_score_version": "CVSS v2",
"vendor_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"vendor_severity": "low",
"vendor_url": "https://access.redhat.com/security/cve/CVE-2016-7444",
"publish_date": "2016-09-27",
"modification_date": "2018-01-04",
"fix_version": "3.3.26-9.el7",
"solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above."
}
Backports and fix
advice
NVD data and score
Maintainer data
and score
Impact statement

19. 19
Beyond vulnerabilities: image content

20. Stages of Cloud Native security maturity
Containment
Image acceptance
Run with least privileges
Network controls
Prevention
Container immutability
Application context authorization
Immediate incident response
Image Hygiene
Vulnerability scanning
Compliant configuration
Approved base images
Cluster Hygiene
RBAC
Minimal OS
Compliance Checks

21. 21
Specific controls
Applying Runtime controls
Image
authorization
Runtime
Policies
Container
profile
•Non-Compliant
•Unregistered
•Drift Prevention
•Process Blacklists
•Full whitelisting
General controls
Secrets, Networking, Forensics
NodeandKuberentesSecurity

22. 22
Image acceptance

23. 23
Least privilege at runtime

24. 24
Incident Response with servers
• Suspicious activity? • Shut down service?
• Requires investigation and triage
• Could be an administrative action
• Limited ability for narrow response
• Risk of service disruption

25. 25
Incident Response with containers
• Unauthorized action • Block specific action
• Container behavior model is known
• Administrative action is not allowed
• Surgical preventive controls
• No disruption of service

26. 26
l Security – Establish the policies that govern:
„ Image acceptance
„ Runtime behavior
l DevOps – Use security advice from scanning in image builds
l SOC – Receive events and respond to incidents
Roles and responsibilities

27. 27
Same standards, escalating enforcement
Sandbox Development Test/Stage Production
Voluntary Mandatory Detection Enforcement
Scanning as a
service
Scanning in the
pipeline with
policies
Application
security modeling
Protecting the
application

28. 28
Continuous discovery, image assurance
Enforce immutability with drift prevention
Limit user and executable use
Secured secrets distribution into container
Workload firewall across all interfaces
Secure workload with application context
Rogue deployment
Malicious code injection
Administration actions
Compromised credentials
Network connections
Unknown vectors (Zero Day)
Top risks addressed

29. 29
Where to start?
n Scans Kubernetes nodes
against the CIS
benchmark checks
n github.com/aquasecurity/
kube-bench
n Scan Docker build for
known vulnerabilities
n Plug-in for Jenkins
n github.com/aquasecurity
/microscanner
CIS benchmark for K8SDocker image scanner K8S penetration-testing
n Tests K8s clusters against
known attack vectors,
both remote and internal
n github.com/aquasecurity/
kube-hunter

30. www.aquasec.com