Somik Behera, profile picture
Uploaded bySomik Behera
PPTX, PDF128 views

Container Infrastructure Security for Cloud Native Infrastructure

The document discusses the implementation of zero trust security in container infrastructure, emphasizing its importance for secure access and identity management. It outlines various layers of container infrastructure and the need for pluggable local identity systems to support zero trust principles. Key considerations include network segmentation, compute hardening, and mutual authentication to enhance security across and within these layers.

Embed presentation

Downloaded 17 times
Pluggable Identity For Container Infra Security Somik Behera @strikesme
2 somik@CS-Summit:~$ whoami Somik Behera Product Mgmt Lead Mesosphere Inc. Since 2015 somik@CS-Summit:~$ last somik | less somik Product Lead Mesosphere Inc. May 2015 still logged in somik Founding Prod. Lead VMware Cloud Native BU Aug 2012 May 2015 somik Product Line Leader VMware NW & Sec. BU Aug 2012 May 2015 somik Product Mgmt Lead Nicira Inc. Feb 2011 Aug 2012 somik Core Dev & Founder Openstack Neutron Feb 2011 Aug 2013 somik MTS - Tech. Lead VMware Inc. May 2005 Feb 2011 INTRODUCTION
3 OVERVIEW - WHAT THIS TALK IS ABOUT Local SPIFFE 20% 80%80% 20% Container Mgmt Infrastructure Identity Mgmt Infrastructure
ZERO TRUST SECURITY A Quick Primer 4
RULE #1 5
ZERO TRUST BACKGROUND 6
ZERO TRUST BASICS 7 ● Secure Access ● Access Model of Least Privilege ● Trust but Verify Verify AND Never Trust
ZERO TRUST FOR CONTAINER INFRA What does Zero Trust mean for Container Infra? 8
LAYERS OF CONTAINER INFRA. 9 Network Compute Container Orchestration Distributed Services
ZERO TRUST BETWEEN THE LAYERS 10 Network Compute Container Orchestration Distributed Services
ZERO TRUST WITHIN EACH LAYER 11 Network Compute Container Orchestration Distributed Services
IDENTITY CRITICAL TO ZERO TRUST 12
IDENTITY & ZER0 TRUST 13 Network Compute Container Orchestration Distributed Services Loc al
IDENTITY NEEDS TO BE PLUGGABLE 14 Local SPIFFE
ZERO TRUST CONSIDERATIONS 15
CONSIDERATIONS FOR SECURITY ACROSS LAYERS 16 Network Compute Container Orchestration Distributed Services 1. Network Segmentation across Zones 2. Compute Hardening 3. Container aware Privilege Access Mgmt. 4. Mutual Authentication with Encryption for Container Orchestrator to Compute Node communication 5. Mutually Authenticated, Authorized & Encrypted Service Launcher to Container Orchestrator communication
CONSIDERATIONS FOR SECURITY WITHIN LAYERS 17 Network Compute Container Orchestration Distributed Services 1. Network Isolation between Services 2. Static and Runtime Vulnerability Management 3. Service Accounts for Authentication & Authorization 4. PKI for Internode communication a. For Services. b. For Container Orchestration elements.
IMPLEMENT ZERO TRUST TODAY - WWW.DCOS.IO 18 MANY TOOLS. ONE APPROACH - ZERO TRUST.
Thank you.

More Related Content

PDF
Application Security in a Container World - Akash Mahajan - BCC 2017
byCodeOps Technologies LLP
 
PPTX
FinTech Belgium MeetUp on APIs 16/11/17 - Case 1 edebex
byAlessandra Gambrill - Guion
 
PDF
The Journey from Monolith to Microservices: a Guided Adventure
byVMware Tanzu
 
PDF
Using Cookies to Store Your Postman Secrets
byPostman
 
PDF
Azure Management Basics
byASPEX_BE
 
PPTX
Networks, Networks Everywhere, And Not A Packet To Drink
byReadWrite
 
PDF
Manage Your Akamai-as-Code with Terraform
byAkamai Developers & Admins
 
PPT
Get More From Your Messages with Twilio + Watson Add-Ons
byIBM Watson
 
Application Security in a Container World - Akash Mahajan - BCC 2017
byCodeOps Technologies LLP
 
FinTech Belgium MeetUp on APIs 16/11/17 - Case 1 edebex
byAlessandra Gambrill - Guion
 
The Journey from Monolith to Microservices: a Guided Adventure
byVMware Tanzu
 
Using Cookies to Store Your Postman Secrets
byPostman
 
Azure Management Basics
byASPEX_BE
 
Networks, Networks Everywhere, And Not A Packet To Drink
byReadWrite
 
Manage Your Akamai-as-Code with Terraform
byAkamai Developers & Admins
 
Get More From Your Messages with Twilio + Watson Add-Ons
byIBM Watson
 

What's hot

PDF
How to Adopt Serverless and Get to Production Faster
byEoin Shanaghy
 
PDF
Turn On The Lights
byPostman
 
PDF
Security in the Delivery Pipeline - GOTO Amsterdam 2017
byJames Wickett
 
PDF
OWIN Why should i care?
byTerence Kruger
 
PPTX
What the business thinks about
byDevOps4Networks
 
PPTX
Developing Docs for OpenDaylight
byCisco DevNet
 
PPTX
Service fabric demo
byPaul Nichols
 
PPTX
Yes, one can simply terraform their app to azure, easily
byOmer Barel
 
PDF
Top 8 mistakes developer teams make in their first serverless project
byPaul Swail
 
PDF
Implementing the Top 10 AWS Security Best Practices
bySebastian Taphanel CISSP-ISSEP
 
PPTX
Api management - a lap around vs code extension
byWagner Silveira
 
PDF
DESIGN THE PRIORITY, PERFORMANCE 
AND UX
byPeter Rozek
 
PPTX
OWIN Web API with Linky
byTomas Jansson
 
PDF
Tutto quello che avreste voluto sapere sull'API Management (e non avete mai o...
byMassimo Bonanni
 
PDF
Leverage Entity Framework 7 in Business Application Design
byWinWire Technologies Inc
 
PDF
PHPNW14 - Getting Started With AWS
bybenwaine
 
PDF
PayPal's History of Microservices Architecture
byPostman
 
PDF
Microfrontends architectures - Nick Balestra - Codemotion Amsterdam 2018
byCodemotion
 
PDF
OSGi Community Event 2010 - Eclipse Virgo Update
bymfrancis
 
PDF
Introducing ASP.NET vNext – The Future of .NET on the Server | FalafelCON 2014
byFalafelSoftware
 
How to Adopt Serverless and Get to Production Faster
byEoin Shanaghy
 
Turn On The Lights
byPostman
 
Security in the Delivery Pipeline - GOTO Amsterdam 2017
byJames Wickett
 
OWIN Why should i care?
byTerence Kruger
 
What the business thinks about
byDevOps4Networks
 
Developing Docs for OpenDaylight
byCisco DevNet
 
Service fabric demo
byPaul Nichols
 
Yes, one can simply terraform their app to azure, easily
byOmer Barel
 
Top 8 mistakes developer teams make in their first serverless project
byPaul Swail
 
Implementing the Top 10 AWS Security Best Practices
bySebastian Taphanel CISSP-ISSEP
 
Api management - a lap around vs code extension
byWagner Silveira
 
DESIGN THE PRIORITY, PERFORMANCE 
AND UX
byPeter Rozek
 
OWIN Web API with Linky
byTomas Jansson
 
Tutto quello che avreste voluto sapere sull'API Management (e non avete mai o...
byMassimo Bonanni
 
Leverage Entity Framework 7 in Business Application Design
byWinWire Technologies Inc
 
PHPNW14 - Getting Started With AWS
bybenwaine
 
PayPal's History of Microservices Architecture
byPostman
 
Microfrontends architectures - Nick Balestra - Codemotion Amsterdam 2018
byCodemotion
 
OSGi Community Event 2010 - Eclipse Virgo Update
bymfrancis
 
Introducing ASP.NET vNext – The Future of .NET on the Server | FalafelCON 2014
byFalafelSoftware
 

Recently uploaded

PDF
Introduction to Software , Product and Process
byGunjalSanjay
 
PDF
PASSIVE AND ACTIVE REINFORCEMENT LEARNING
byAnushaSanjay
 
PDF
Formality - Logic Equivalence Checking - Part 1
byAmr Adel
 
PPTX
The Half-Life of Preventive Maintenance: Why PM Compliance Fails & How to Res...
byMaintWiz Technologies Private Limited
 
PPTX
L1 (1) Agricultural informatics and artificial intelligence.pptx
bymanoiitkgp
 
PPTX
The Arduino Basics.pptx - The basic function of the Arduino programming langu...
byronaldo10311979
 
PPTX
Industry 4.0- fourth industrial revolution Presentation.pptx
byrameswari15491
 
PPTX
Why Air Droppable Containers Are Critical for Modern Aerial Logistics
byNeometrix_Engineering_Pvt_Ltd
 
PDF
Formality - Logic Equivalence Checking - Part 2
byAmr Adel
 
PDF
Earths-Structure-and-Composition_20260127_110958_0000.pdf
byabdurasabarfaki
 
PPTX
Reinforcement Learning for Robotic Singulation: Policy Space Impact on Intera...
byraghabBsingh
 
PDF
Chip Designer's Code - Linux Terminal Part 6 - Text Viewers
byAmr Adel
 
PDF
Software Engineering : Process Model
byGunjalSanjay
 
PDF
RVV Basic Terms and Analogy - (en/zhTW) - DannyJiang
byDanny Jiang
 
PPT
Magnetism-PPT.ppt presentation and explanation
byAngelaSarmiento16
 
PDF
Software Engineering : Process Models.
byGunjalSanjay
 
DOCX
Hallucination Reduction In Generative Artificial Intelligence (1).docx
by21nitinsinha
 
PPTX
Filtration-slow sand filtration and rapid sand filtration.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
PPTX
An Early Production Facility (EPF) is a modular, temporary system for rapidly...
byDrAdelSalem1
 
PPTX
lecture 1 Machine tools the introduction
bypushkarkamble2
 
Introduction to Software , Product and Process
byGunjalSanjay
 
PASSIVE AND ACTIVE REINFORCEMENT LEARNING
byAnushaSanjay
 
Formality - Logic Equivalence Checking - Part 1
byAmr Adel
 
The Half-Life of Preventive Maintenance: Why PM Compliance Fails & How to Res...
byMaintWiz Technologies Private Limited
 
L1 (1) Agricultural informatics and artificial intelligence.pptx
bymanoiitkgp
 
The Arduino Basics.pptx - The basic function of the Arduino programming langu...
byronaldo10311979
 
Industry 4.0- fourth industrial revolution Presentation.pptx
byrameswari15491
 
Why Air Droppable Containers Are Critical for Modern Aerial Logistics
byNeometrix_Engineering_Pvt_Ltd
 
Formality - Logic Equivalence Checking - Part 2
byAmr Adel
 
Earths-Structure-and-Composition_20260127_110958_0000.pdf
byabdurasabarfaki
 
Reinforcement Learning for Robotic Singulation: Policy Space Impact on Intera...
byraghabBsingh
 
Chip Designer's Code - Linux Terminal Part 6 - Text Viewers
byAmr Adel
 
Software Engineering : Process Model
byGunjalSanjay
 
RVV Basic Terms and Analogy - (en/zhTW) - DannyJiang
byDanny Jiang
 
Magnetism-PPT.ppt presentation and explanation
byAngelaSarmiento16
 
Software Engineering : Process Models.
byGunjalSanjay
 
Hallucination Reduction In Generative Artificial Intelligence (1).docx
by21nitinsinha
 
Filtration-slow sand filtration and rapid sand filtration.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
An Early Production Facility (EPF) is a modular, temporary system for rapidly...
byDrAdelSalem1
 
lecture 1 Machine tools the introduction
bypushkarkamble2
 

Container Infrastructure Security for Cloud Native Infrastructure

  • 1.
    Pluggable Identity ForContainer Infra Security Somik Behera @strikesme
  • 2.
    2 somik@CS-Summit:~$ whoami Somik BeheraProduct Mgmt Lead Mesosphere Inc. Since 2015 somik@CS-Summit:~$ last somik | less somik Product Lead Mesosphere Inc. May 2015 still logged in somik Founding Prod. Lead VMware Cloud Native BU Aug 2012 May 2015 somik Product Line Leader VMware NW & Sec. BU Aug 2012 May 2015 somik Product Mgmt Lead Nicira Inc. Feb 2011 Aug 2012 somik Core Dev & Founder Openstack Neutron Feb 2011 Aug 2013 somik MTS - Tech. Lead VMware Inc. May 2005 Feb 2011 INTRODUCTION
  • 3.
    3 OVERVIEW - WHATTHIS TALK IS ABOUT Local SPIFFE 20% 80%80% 20% Container Mgmt Infrastructure Identity Mgmt Infrastructure
  • 4.
    ZERO TRUST SECURITY AQuick Primer 4
  • 5.
  • 6.
  • 7.
    ZERO TRUST BASICS 7 ●Secure Access ● Access Model of Least Privilege ● Trust but Verify Verify AND Never Trust
  • 8.
    ZERO TRUST FORCONTAINER INFRA What does Zero Trust mean for Container Infra? 8
  • 9.
    LAYERS OF CONTAINERINFRA. 9 Network Compute Container Orchestration Distributed Services
  • 10.
    ZERO TRUST BETWEENTHE LAYERS 10 Network Compute Container Orchestration Distributed Services
  • 11.
    ZERO TRUST WITHINEACH LAYER 11 Network Compute Container Orchestration Distributed Services
  • 12.
    IDENTITY CRITICAL TOZERO TRUST 12
  • 13.
    IDENTITY & ZER0TRUST 13 Network Compute Container Orchestration Distributed Services Loc al
  • 14.
    IDENTITY NEEDS TOBE PLUGGABLE 14 Local SPIFFE
  • 15.
  • 16.
    CONSIDERATIONS FOR SECURITYACROSS LAYERS 16 Network Compute Container Orchestration Distributed Services 1. Network Segmentation across Zones 2. Compute Hardening 3. Container aware Privilege Access Mgmt. 4. Mutual Authentication with Encryption for Container Orchestrator to Compute Node communication 5. Mutually Authenticated, Authorized & Encrypted Service Launcher to Container Orchestrator communication
  • 17.
    CONSIDERATIONS FOR SECURITYWITHIN LAYERS 17 Network Compute Container Orchestration Distributed Services 1. Network Isolation between Services 2. Static and Runtime Vulnerability Management 3. Service Accounts for Authentication & Authorization 4. PKI for Internode communication a. For Services. b. For Container Orchestration elements.
  • 18.
    IMPLEMENT ZERO TRUSTTODAY - WWW.DCOS.IO 18 MANY TOOLS. ONE APPROACH - ZERO TRUST.
  • 19.

Editor's Notes

  • #8 List Vulnerabilities