The document discusses implementing secure Docker environments at scale. It outlines roles and responsibilities for security teams, development teams, and DevOps teams. It presents conceptual designs for architectural diagrams that show secure environments for development, staging, and production. It describes moving from today's designs to better designs with more security controls like isolation, delivery reviews, and delivery-aware security tools. Finally, it discusses three common pitfalls to avoid, such as having compliance policies that are too granular, only monitoring in production, and over-trusting network security tools.

1. Implementing Secure Docker
Environments At Scale
Ben Bernstein
CEO Twistlock
ben@twistlock.com

3. Agenda
Implementing Secure Docker Environments At Scale
Architectural guidance for the security architect

4. Roles &
Responsibilities
Agenda
Implementing Secure Docker Environments At Scale
Architectural guidance for the security architect

5. Roles &
Responsibilities
Agenda
Implementing Secure Docker Environments At Scale
Architectural guidance for the security architect
Conceptual
Design

6. Roles &
Responsibilities
Agenda
Implementing Secure Docker Environments At Scale
Architectural guidance for the security architect
Conceptual
Design
Common Pitfalls

7. • Security Team
• Design secure continuum
 Compliance
 Micro service aware active threat protection
 Synergy with developers
Roles and Responsibilities
Roles and Responsibilities

8. • Security Team
• Design secure continuum
 Compliance
 Micro service aware active threat protection
 Synergy with developers
Roles and Responsibilities
Roles and Responsibilities

9. • Security Team
• Design secure continuum
 Compliance
 Micro service aware active threat protection
 Synergy with developers
• Dev Team
• Vulnerabilities/patching, infrastructure, identities/access
 Fix
 Proactively consider security
Roles and Responsibilities
Roles and Responsibilities

10. • Security Team
• Design secure continuum
 Compliance
 Micro service aware active threat protection
 Synergy with developers
• Dev Team
• Vulnerabilities/patching, infrastructure, identities/access
 Fix
 Proactively consider security
• Devops Team
 Implementation
 Daily security operations
Roles and Responsibilities
Roles and Responsibilities

11. Today
Conceptual
Design

12. Today
Development&Staging
Production Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Identity
Handle
Notifications
Set
Policy
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team

13. Today
Development&Staging
Production Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Identity
Handle
Notifications
Set
Policy
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team
MS MS

14. Architectural Diagram
Milestone Review
Review Setup Scripts, Security Testing, App Compliance
Communicate Infra Requirements to IT
Development&Staging
Micro-Segmentation E-W FWs
Production
Updates
Security Alerts / Patches
Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
IPS/IDS
Deception
1st / Next Gen Firewall
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Identity
Handle
Notifications
Set
Policy
Host Configuration Compliance
Traffic Encryption
Data Encryption
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team
MS MS

15. Architectural Diagram
Development&Staging
Production Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
Isolation
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Pre-Checkin Review
Code Analysis
User Behavior Analytics
Identity
Handle
Notifications
Set
Policy
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team
MS MS

16. Staging
Architectural Diagram
Development Production Maintenance
Security Operation Team
Set
Policy
Isolation
Network
Set
Policy
Dev/Devops Team
Pre-Checkin Review
Code Analysis
User Behavior Analytics
IdentityPlatform/Host
Dev/Devops Team
Dev/Devops TeamDevelopment Team
“IT” Operation Team Dev/Devops/ IT Team
MS MS
Dev/Devops Team

17. Better &
Even Yet Better
Architectural
Diagram

18. Staging
Architectural Diagram
Development Production
Updates
Security Alerts / Patches
Maintenance
Security Operation Team
Set
Policy
Set
Policy
Handle
Notifications
Isolation
Network
Set
Policy
Handle
Notifications
Dev/Devops Team
Set
Policy
Pre-Checkin Review
Code Analysis
User Behavior Analytics
Identity
Handle
Notifications
Set
Policy
Host Configuration Compliance
Platform/Host
Dev/Devops Team
Dev/Devops TeamDevelopment Team
“IT” Operation Team Dev/Devops/ IT Team
MS MS
Delivery Review
CVE checks, Signing, Base Image, Other Metadata
Ports, Volumes, Devices, Processes
Delivery Aware Network Restrictions
Delivery Aware Anomaly Detection
Delivery Aware Deception
Dev/Devops Team

19. Staging
Architectural Diagram
Development Production
Updates
Security Alerts / Patches
Maintenance
Security Operation Team
Set
Policy
Set
Policy
Handle
Notifications
Isolation
Network
Set
Policy
Handle
Notifications
Dev/Devops Team
Set
Policy
Pre-Checkin Review
Code Analysis
User Behavior Analytics
Identity
Handle
Notifications
Set
Policy
Host Configuration Compliance
Platform/Host
Dev/Devops Team
Dev/Devops TeamDevelopment Team
“IT” Operation Team Dev/Devops/ IT Team
MS MS
Delivery Review
CVE checks, Signing, Base Image, Other Metadata
Ports, Volumes, Devices, Processes
Delivery Aware Network Restrictions
Delivery Aware Anomaly Detection
Delivery Aware Deception
Dev/Devops Team
Fuzzing, Sandboxing
Delivery Aware Pen-Tests

20. Three Common Pitfalls
Battle Tested

21. • Compliance Policies
 Adjust per micro-service
 Adjust per R&D team / Org / Application Group.
Three Common Pitfalls
Battle Tested

22. • Compliance Policies
 Adjust per micro-service
 Adjust per R&D team / Org / Application Group.
• Delivery hygiene
 Monitoring only in production
 Monitor early in CI/CD and in production
Three Common Pitfalls
Battle Tested

23. • Compliance Policies
 Adjust per micro-service
 Adjust per R&D team / Org / Application Group.
• Delivery hygiene
 Monitoring only in production
 Monitor early in CI/CD and in production
• Active Threat Protection
 Trust your “application / next-gen firewall”
 Use “delivery aware” active threat protection
Three Common Pitfalls
Battle Tested

24. Thank you!