So, you've finished your (rushed by lockdown) lift-and-shift to the cloud, and now your developers are adopting cloud-native workloads such as containers, serverless functions, storage buckets, and databases as a service. These new technologies introduce new attack vectors, and must be defended in unique ways. You're not "just running on someone else's servers" when workloads come and go in seconds. How do you secure a function when the communication layer is opaque to you? Can you govern container use well enough to protect it, but without slowing down developers and the business? Heck, do you even know what's out there? This session will provide you with enough knowledge to begin securing your most important assets in the cloud. Sure, cloud-native workloads can seem mysterious, but once you know the differences (and hidden pitfalls) of cloud-native workloads, you'll be in good shape to start defending them.
2. Gabe Schuyler
• Operations veteran
• DevOps enthusiast
• Cloud security specialist
• ... and running, RFID, and using technology to effect positive social change.
Gabe Schuyler @gabe_sky
KernelCon 2022
I've been in operations forever -- Playstation.
I spent seven years in professional services at PuppetLabs.
I work as a solutions engineer at Wiz, Inc right now.
In my spare time I like running, playing with RFID, and promoting the use of technology for positive social change.
3. Shared Responsibility Model
[Diagram: Hardware, Services (them) | Config, Workloads (us)]
Gabe Schuyler @gabe_sky
KernelCon 2022
Cloud security providers talk about the "shared responsibility model."
Basically, they promise to keep the servers running and the card machine swiping.
You are responsible for how you configure their services.
You are also responsible for what you run on workloads.
You're also responsible for who you let do what.
4. Acronyms
[Diagram: Config | Workloads]
CSPM: Cloud Security Posture Management
CWPP: Cloud Workload Protection Platform
CIEM: Cloud Identity and Entitlement Management
CNAPP: Cloud Native Application Protection Platform
Let's talk acronyms.
Protecting how you configure your services is CSPM.
Protecting what you run on your workloads is CWPP.
Protecting the way that you authorize people and services to use things is CIEM.
Wrap it all up together and you've got what Gartner calls CNAPP.
5. What is cloud native?
• Beyond lift-and-shift
• Disposable workloads
• Automated and codified
• X as a service
Let's start by talking about what we mean by "cloud native."
It's not just lift-and-shift, it's what's evolved from that.
Workloads are short-lived. If they break, you destroy and rebuild them.
To be able to do this we need to automate, and codify configs and infrastructure.
Increasingly we don't even run the server, we let the cloud provider do it.
6. Securing disposable workloads
• The cattle vs. pets metaphor
(Randy Bias)
• Runtime defense directs redeployment
• Configuration in version control & pipelines
• Developers making infrastructure choices
• Security must be part of continuous delivery
We're used to patching/fixing broken workloads; in the cloud you just redeploy.
So if something gets hacked, you don't use EDR, you update and redeploy.
To be able to adopt this lifestyle, the infrastructure itself needs to be part of SDLC.
Once infrastructure is codified, it's now part of the development process itself.
Security must be integral to the CICD process, just as other tests are.
7. Containers in clusters
• Single purpose modules
• Microservice architecture
• Automatic (opaque) networking
• But easy to allow-list protect
• Base images and layers
[Diagram: services front-end, cart, payment, metrics, session; ports 443, 2711, 8088, 8089, 4744]
I'll assume most folks are comfortable with containers.
Where they really differ is the application architecture of microservices.
And in a cluster, the communication is opaque to the outside.
It looks complicated, however, single-purpose means allow-lists are obvious.
Keep an eye on the base images, and be able to detect the layer of vulnerabilities.
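One way to make "allow-lists are obvious" concrete, as an added example that is not from the talk: derive a default-deny ingress allow-list for every service from the microservice call graph, then render it in the shape of a Kubernetes NetworkPolicy. The call graph, which port belongs to which service, and the `shop` namespace are constructed assumptions (the slide lists names and ports but not who calls whom).

```python
"""Derive default-deny ingress allow-lists from a microservice call graph.

Added example, not code from the talk. The call graph below is constructed;
the service names and ports echo the slide's diagram, but who calls whom and
which port belongs to which service are assumptions.
"""
import json
from collections import defaultdict

# Constructed call graph: (caller, callee, port). "ingress" stands for
# traffic arriving from outside the cluster.
CALL_GRAPH = [
    ("ingress", "front-end", 443),
    ("front-end", "cart", 2711),
    ("front-end", "payment", 8088),
    ("cart", "session", 4744),
    ("payment", "session", 4744),
    ("payment", "metrics", 8089),
    ("cart", "metrics", 8089),
]


def build_allow_lists(edges):
    """Map each service to the set of (caller, port) pairs it must accept.

    Every workload in the graph gets an entry, so a service nobody calls
    ends up with an empty set, i.e. deny all ingress.
    """
    allow = defaultdict(set)
    for src, dst, port in edges:
        allow[dst].add((src, port))
        allow.setdefault(src, set())
    allow.pop("ingress", None)  # the ingress pseudo-service is not a workload
    return dict(allow)


def is_allowed(allow, src, dst, port):
    """True only if the call graph says src may reach dst on port."""
    return (src, port) in allow.get(dst, set())


def network_policy(service, allow, namespace="shop"):
    """Render one service's allow-list as a Kubernetes NetworkPolicy dict.

    Selecting the pod and listing explicit ingress rules means anything
    not listed is denied once the policy is applied.
    """
    rules = []
    for src, port in sorted(allow.get(service, set())):
        peer = ({"ipBlock": {"cidr": "0.0.0.0/0"}} if src == "ingress"
                else {"podSelector": {"matchLabels": {"app": src}}})
        rules.append({"from": [peer], "ports": [{"protocol": "TCP", "port": port}]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-{service}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": service}},
            "policyTypes": ["Ingress"],
            "ingress": rules,
        },
    }


if __name__ == "__main__":
    allow_lists = build_allow_lists(CALL_GRAPH)
    for svc in sorted(allow_lists):
        print(json.dumps(network_policy(svc, allow_lists), indent=2))
```

Because each service does one thing, the allow-list falls straight out of the call graph; a request from `front-end` straight to `session` is rejected even though both are legitimate services, which is exactly the lateral-movement case the policy is there to block.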
8. Serverless functions
• Single purpose/endpoint
• Non-IP communication
• Dead-simple allow-lists
• Dependencies ...
dependencies everywhere!
[Diagram: functions login, logout, tracker, metrics, to_png, upload; four reached on 443, one fed by a queue, the rest marked "?" and "!?"]
Now we get exciting, these aren't just one application piece, they're one function.
Also, communication isn't always over IP! It could be a queue, or in-place.
However, securing these is dead simple, they do one thing with known inputs.
Similar to base images, make sure to not just scan code, but the dependencies.
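The dependency point, as an added example that is not part of the talk: audit a function's pinned dependency list against an advisory feed, flagging both known-vulnerable pins (direct or transitive) and packages left unpinned. The lockfile, the package names and the `ADV-EXAMPLE-*` advisory ids are constructed placeholders; a real scanner pulls its advisories from a vulnerability database.

```python
"""Audit a serverless function's pinned dependencies against an advisory list.

Added example, not code from the talk. The lockfile and the advisory entries
are constructed; package names and advisory ids are placeholders, not real
advisories.
"""
import re

# Constructed requirements-style lock for something like the to_png function.
LOCKFILE = """\
imagelib==9.0.1      # image conversion, direct dependency
cloudsdk==1.26.0     # talks to the bucket
httpclient==1.26.4   # pulled in transitively by cloudsdk
yamlparser           # unpinned: floats to whatever is newest at build time
"""

# Constructed advisories: package -> (vulnerable version spec, id, fixed version).
ADVISORIES = {
    "imagelib": ("<9.0.2", "ADV-EXAMPLE-001", "9.0.2"),
    "httpclient": (">=1.26.0,<1.26.5", "ADV-EXAMPLE-002", "1.26.5"),
}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def parse_version(text):
    """'1.26.4' -> (1, 26, 4); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_matches(version, spec):
    """True if version satisfies every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|<|>)\s*([0-9.]+)", clause.strip())
        if m is None:
            raise ValueError(f"unsupported version clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def parse_lockfile(text):
    """Yield (name, version_or_None) for each non-comment requirement line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        yield name.strip(), (version.strip() or None)


def audit(lock_text, advisories):
    """Return findings, known vulnerabilities first, unpinned packages last."""
    findings = []
    for name, version in parse_lockfile(lock_text):
        if version is None:
            findings.append({"package": name, "issue": "unpinned",
                             "advice": "pin an exact version so builds are reproducible"})
            continue
        if name in advisories:
            spec, adv_id, fixed = advisories[name]
            if version_matches(version, spec):
                findings.append({"package": name, "issue": adv_id,
                                 "advice": f"upgrade {version} -> {fixed}"})
    return sorted(findings, key=lambda f: f["issue"] == "unpinned")
```

The transitive `httpclient` pin is what the "dependencies everywhere" bullet is about: the function's own code never imports it, so scanning only the source would miss it. Running this against the lockfile in the pipeline, rather than the deployed function, is the cheaper place to catch it.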
9. Persistent services
• Storage
• Databases
• Load balancers
• Secrets stores
• Firewalls
[Diagram: front-end, cart, payment, session, metrics, to_png, upload, backed by storage, load balancer, secrets]
So, if everything's ephemeral, how do I use anything persistent?
You use software/platform as a service, allowing you to focus on code.
This is where CSPM comes in; you need to scan this stuff for misconfigurations.
Make sure you understand CIEM, limiting who can do what. (And if they use it.)
You'll also want to keep an eye on user behavior anomalies.
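CIEM's "who can do what, and do they actually use it", plus the behaviour-anomaly point, as an added example that is not from the talk: compare granted entitlements with a baseline of observed activity, propose the least-privilege trim, and flag new events that fall outside that baseline. Principal names, action names and regions are constructed placeholders rather than any provider's real identifiers.

```python
"""Compare granted entitlements with observed use, and flag behaviour anomalies.

Added example, not code from the talk. Grants and activity records are
constructed; principals, actions and regions are placeholders, not any
cloud provider's real identifiers.
"""
from collections import defaultdict

# Constructed entitlements: principal -> actions it is allowed to perform.
GRANTS = {
    "svc-upload": {"storage:put", "storage:get", "storage:delete", "secrets:read"},
    "svc-to_png": {"storage:get", "storage:put", "queue:send"},
    "alice": {"db:read", "db:write", "secrets:read", "secrets:write"},
}

# Constructed 30-day activity baseline: (principal, action, region).
BASELINE = [
    ("svc-upload", "storage:put", "eu-west"),
    ("svc-upload", "storage:put", "eu-west"),
    ("svc-to_png", "storage:get", "eu-west"),
    ("svc-to_png", "storage:put", "eu-west"),
    ("svc-to_png", "queue:send", "eu-west"),
    ("alice", "db:read", "eu-west"),
    ("alice", "db:read", "eu-west"),
]

# Constructed events arriving after the baseline was built.
NEW_EVENTS = [
    ("alice", "db:read", "eu-west"),              # matches the baseline
    ("svc-upload", "storage:delete", "eu-west"),  # granted, but never used before
    ("alice", "secrets:read", "ap-south"),        # never used, and from a new region
]


def used_by_principal(events):
    """principal -> set of actions actually exercised in the events."""
    used = defaultdict(set)
    for principal, action, _region in events:
        used[principal].add(action)
    return used


def unused_permissions(grants, events):
    """Granted-but-never-used actions per principal: candidates for removal."""
    used = used_by_principal(events)
    return {p: sorted(actions - used.get(p, set())) for p, actions in grants.items()}


def least_privilege_grants(grants, events):
    """The trimmed entitlement set: keep only what the baseline shows in use."""
    used = used_by_principal(events)
    return {p: actions & used.get(p, set()) for p, actions in grants.items()}


def anomalies(baseline, new_events):
    """Flag events whose (principal, action) or (principal, region) was never seen."""
    seen_actions = {(p, a) for p, a, _ in baseline}
    seen_regions = {(p, r) for p, _, r in baseline}
    flagged = []
    for principal, action, region in new_events:
        reasons = []
        if (principal, action) not in seen_actions:
            reasons.append("first use of action")
        if (principal, region) not in seen_regions:
            reasons.append("new region")
        if reasons:
            flagged.append(((principal, action, region), reasons))
    return flagged


if __name__ == "__main__":
    for principal, actions in unused_permissions(GRANTS, BASELINE).items():
        print(f"{principal}: never used {actions}")
    for event, reasons in anomalies(BASELINE, NEW_EVENTS):
        print(f"anomaly {event}: {', '.join(reasons)}")
```

The two halves reinforce each other: once `svc-upload` is trimmed to the permissions it actually exercises, the `storage:delete` event cannot happen at all, and the `alice` event stands out both as a first use and as a new region, which is the kind of signal worth paging on.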
10. Infrastructure as code
• Automated and codified
• Terraform, CloudFormation, ARM &c
• Puppet, Chef, weaponized Bash scripts
• Scan scan scan
• Watch for drift
In devops we allow developers to define the infrastructure, so they use code.
It's where we put the dev in ops ... technologies like Terraform, CF, ARM
On the lift-and-shift side, we adopted configuration management. It's similar!
Scan this stuff everywhere, including in CICD pipelines.
And, since this is the authoritative source, any drift should be considered an incident.
11. Shift left security
• Prevention vs. cure
• Developers' native tools
• Find a champion.
• Describe underlying patterns
• Prioritize true exposure and risks
• Offer remediation advice
Blah blah blah an ounce of prevention is worth a pound of cure. (In metric?)
Meet developers in the tools they use ... from CLI to IDE to CICD.
Look up some talks about finding security champions within development teams.
Don't just flag issues -- describe why they matter and a pattern they represent.
Don't just hand over a pile of issues -- prioritize them by true risk.
There are plenty of tools that offer advice or even a pull request.
12. Policy as code
• Putting the Dev in Ops Sec
• Borrow from the best
• # lint-ignore ... # sec-ignore ?
• Test in the pipeline
From devops we learned that it's not just ops in dev, it's dev in ops.
If we're going to codify infrastructure, why not borrow dev tools?
Ask yourself, if we let devs skip lint checks, why not security checks?
Once you have IaC and PaC going, put it all together in CICD.
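The IaC-scanning, drift and policy-as-code points of slides 10 through 12, as one added example that is not from the talk and is not any real scanner: a tiny HCL-flavoured document is parsed, rules run over it, a `# sec-ignore` comment suppresses a finding the way a lint-ignore would (the finding stays visible, it just stops blocking the pipeline), findings are ordered by true exposure before severity label and carry remediation advice, and a live snapshot is diffed against the code to surface drift. The syntax, the rules, the resources and attribute names, and the observed snapshot are all constructed.

```python
"""Policy-as-code scan of a tiny IaC document, with sec-ignore suppressions,
exposure-first prioritisation and drift detection against observed state.

Added example, not code from the talk and not any real scanner's format. The
HCL-like syntax, rules, resources and the observed snapshot are constructed.
"""
import re

# Constructed IaC document in the HCL-like syntax this example defines.
IAC = """\
resource "bucket" "uploads" {
  public_read = true   # sec-ignore: serves static assets, reviewed
  versioning  = false
}
resource "database" "sessions" {
  publicly_accessible = true
  encrypted           = false
}
resource "database" "metrics" {
  publicly_accessible = false
  encrypted           = false
}
"""

# Constructed live snapshot, as an inventory scan of the account might report it.
OBSERVED = {
    "bucket.uploads": {"public_read": True, "versioning": False},
    "database.sessions": {"publicly_accessible": True, "encrypted": True},  # fixed by hand
    "database.metrics": {"publicly_accessible": False, "encrypted": False},
    "bucket.scratch": {"public_read": True},  # created outside of code
}

_RESOURCE = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{')
_ATTR = re.compile(r"(\w+)\s*=\s*(\S+)")


def parse_iac(text):
    """Return [{type, name, attrs, ignored}]; `ignored` lists attributes whose
    line carries a `# sec-ignore` comment."""
    resources, current = [], None
    for raw in text.splitlines():
        code, _, comment = raw.partition("#")
        if m := _RESOURCE.search(code):
            current = {"type": m[1], "name": m[2], "attrs": {}, "ignored": set()}
            resources.append(current)
        elif current and (m := _ATTR.search(code)):
            key, value = m[1], m[2]
            current["attrs"][key] = {"true": True, "false": False}.get(value, value.strip('"'))
            if "sec-ignore" in comment:
                current["ignored"].add(key)
    return resources


# Rule set: (id, resource type, attribute, bad value, severity, remediation advice).
RULES = [
    ("PUBLIC_BUCKET", "bucket", "public_read", True, "high", "set public_read = false"),
    ("NO_VERSIONING", "bucket", "versioning", False, "low", "enable versioning"),
    ("PUBLIC_DB", "database", "publicly_accessible", True, "critical", "set publicly_accessible = false"),
    ("DB_UNENCRYPTED", "database", "encrypted", False, "medium", "set encrypted = true"),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def scan(resources, rules=RULES):
    """Evaluate rules; findings on internet-exposed resources are ranked first."""
    findings = []
    for res in resources:
        attrs = res["attrs"]
        exposed = attrs.get("public_read") is True or attrs.get("publicly_accessible") is True
        for rule_id, rtype, attr, bad, severity, advice in rules:
            if res["type"] != rtype or attrs.get(attr) != bad:
                continue
            findings.append({"rule": rule_id, "resource": f'{res["type"]}.{res["name"]}',
                             "severity": severity, "advice": advice,
                             "exposed": exposed, "suppressed": attr in res["ignored"]})
    return sorted(findings, key=lambda f: (not f["exposed"], SEVERITY_RANK[f["severity"]]))


def drift(declared, observed):
    """Diff declared attributes against the live snapshot; every difference is reported,
    including a manual 'fix', because the next apply will revert it."""
    declared_by_id = {f'{r["type"]}.{r["name"]}': r["attrs"] for r in declared}
    changes = []
    for rid, attrs in declared_by_id.items():
        live = observed.get(rid)
        if live is None:
            changes.append((rid, "missing in cloud"))
            continue
        for key, value in attrs.items():
            if live.get(key) != value:
                changes.append((rid, f"{key}: declared {value!r}, observed {live.get(key)!r}"))
    for rid in observed.keys() - declared_by_id.keys():
        changes.append((rid, "exists in cloud but not in code"))
    return changes


def pipeline_gate(findings, fail_on=("critical", "high")):
    """CI exit status: 1 if any unsuppressed finding is at a blocking severity."""
    return 1 if any(not f["suppressed"] and f["severity"] in fail_on for f in findings) else 0
```

Two things worth noticing in the output. The hand-applied encryption on `database.sessions` shows up as drift even though it is an improvement, because the code is authoritative and the next apply puts it back; the right fix is a pull request. And the suppressed `PUBLIC_BUCKET` finding is still in the report with its justification, so the sec-ignore is an auditable decision rather than a silent hole.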
13. Summary
• Brave new world
• Fast, disposable, automated and codified
• Containers, serverless, X as a service
• Shift left on infrastructure as code
• Trust
Forget lift-and-shift, this is a new world, and developers are driving to it.
Fast, disposable, automated and codified. Use this for yourself too.
Get comfortable enough with the new tech to apply security tools.
Shifting left is essential, and easy once everything is codified.
Foster an environment of trust. We've done it for devops ... now it's our turn.
14. Call to action
• Start small
• Find champions
• Learn new things
• Go get 'em!