Opportunities of Cross-Asia Collaboration on Secure Containers & Microservices

https://www.cloudsecurityalliance.jp/Copyright © 2017 Cloud Security Alliance Japan Chapter
Eiji Sasahara, Ph.D., MBA
Cloud Security Alliance Japan Chapter – Kansai Region
Opportunities of Cross-Asia Collaboration
on Secure Containers & Microservices
14th September, 2019

https://www.cloudsecurityalliance.jp/Copyright © 2017 Cloud Security Alliance Japan Chapter 2
1. Introduction of Cloud Security Alliance
Japan Chapter – Kansai Region
2. Utilization of Secure Application Containers
3. Utilization of Secure Microservices
4. Opportunities of Cross-Asia Collaboration
on Secure Containers & Microservices

1. Introduction of Cloud Security Alliance
Japan Chapter – Kansai Region

Cloud Security Alliance Japan Chapter
# of local members(as of May 31, 2019)
• Corp: 34 companies
• Individual: 132 people
Cloud Security Alliance Japan Chapter –Kansai Region
Officially Established in June 1, 2019
Kick-off seminar on July 11, 2019
• Key Note by the Ministry of Economy, Trade and Industry
Regional WGs, including Application Containers &
Microservices WG, SLA Innovation WG, and Health WG

Japan-India Talent Development and Exchange
Initiative @CSA Japan – Kansai Region
Co-Chairs: Eiji Sasahara, Jin Arita
Encouraging international talent development and exchange activities
between CSA Japan Chapter Health Information Management (HIM)
User WG/SLA Innovation WG/Application Containers & Microservices
(ACM) WG and CSA Regional Chapters in India.
Actively collaborating with relevant stakeholder communities (i.e.
universities & educational institutions, research institutes, industry
associations, cluster collaboration platform, and regional government
agencies) inside/outside Japan on Japan-India talent development and
exchange activities in the fields of health/wellness, cloud SLA and
containers/microservices security.

Perspectives to Attract Non-Japanese Enterprises in
Kansai, including Kyoto, Kobe and Osaka

2. Utilization of Secure Application
Containers
2-1. Use Case of Application
Containers: Industry 4.0
2-2. Security Standards for
Application Containers

Tim Bayer et al. “A Fog-Cloud Computing Infrastructure
for Condition Monitoring and Distributing Industry 4.0
Services”(May 2-4, 2019）
https://opus.hs-furtwangen.de/frontdoor/index/index/docId/5418
Architecture & Containerization
Infrastructure Services.
Kubernetes Master.
Kubernetes Nodes.
Networking and Communication
Source: Tim Bayer et al. “A Fog-Cloud Computing Infrastructure for
Condition Monitoring and Distributing Industry 4.0 Services”(May 2-4,
2019）

Requirements for Architecture
Source: Tim Bayer et al. “A Fog-Cloud Computing Infrastructure for Condition Monitoring and Distributing Industry 4.0
Items Requirements
Develop a
Industry 4.0
Service
R1: Support distributed data processing tasks between Cloud and Fog nodes
R2: Provide all required functionalities to provide suitable node management,
inter-node communication, and task execution
Integrating
Measurement
Probes
R3: Determine node conditions by integrating and deploying measurement
probes on the nodes
R4: Provide support for centralized and decentralized measurement probes
R5: Provide a uniform way to execute the measurement probes and services
on all nodes regardless of the actual technology they use
R6: Provide a consistent execution environment that is suitable to migrate
measurement probes and services during runtime
Integrate
Distribution
Algorithms
R7: Integration of distribution algorithms that make use of the measurement
results to deploy an application service accordingly
R8: Provide a common interface to apply and configure different distribution
algorithms

Architecture Overview:
Management
Layer
Worker Layer

Application Example:

National Institute of Standards and Technology (NIST),
“SP 800-190: Application Container Security Guide”
(September 25, 2017)
https://csrc.nist.gov/publications/detail/sp/800-190/final
Container
Technology
Architecture
Tiers and
Components
Source: NIST , “SP 800-190: Application Container Security Guide” (September 25, 2017)

Major Risks for Core Components of Container Technologies(1)
Component Risk
Image Image vulnerabilities
Image configuration defects
Embedded malware
Embedded clear text secrets
Use of untrusted images
Registry Insecure connections to registries
Stale images in registries
Insufficient authentication and authorization restrictions
Orchestrator Unbounded administrative access
Unauthorized access
Poorly separated inter-container network traffic
Mixing of workload sensitivity levels
Orchestrator node trust

Major Risks for Core Components of Container Technologies(2)
Component Risk
Container Vulnerabilities within the runtime software
Unbounded network access from containers
Insecure container runtime configurations
App vulnerabilities
Rogue containers
Host OS Large attack surface
Shared kernel
Host OS component vulnerabilities
Improper user access rights
Host OS file system tampering

3. Utilization of Microservices
and Security
3-1. Use Case of Microservices:
Connected Cars
3-2. Security Standards for
Microservices

Salman Taherizadeh et al. “A Capillary Computing
Architecture for Dynamic Internet of Things: Orchestration
of Microservices from Edge Devices to Fog and Cloud
Providers.”
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6164252/
Applications structure of
monolithic versus
Microservices architecture.
Source: Sensors (Basel). 2018 Sep 4;18(9). pii: E2938. doi:
10.3390/s18092938.

Onloading or offloading Microservices between different
layers (Edge, Fog and Cloud) in the proposed capillary
distributed computing architecture.
Source: Sensors
(Basel). 2018 Sep
4;18(9). pii: E2938. doi:
10.3390/s18092938.
Cloud Layer
Fog Layer
Edge Layer

The proposed capillary distributed computing
architecture for smart IoT applications.
Source: Sensors
(Basel). 2018 Sep
4;18(9). pii: E2938. doi:
10.3390/s18092938.

Motorhome Artificial Intelligence Communication
Hardware(MACH) Edge node developed in one of our
ongoing projects called OPTIMUM is settled in the vehicle.
Source: Sensors (Basel). 2018 Sep 4;18(9). pii: E2938. doi: 10.3390/s18092938.

Node Selection
Rank (NSR) values
offered by two Fog
nodes in a specific
part of
the trip.
Source: Sensors (Basel). 2018 Sep
4;18(9). pii: E2938. doi:
10.3390/s18092938.

National Institute of Standards and Technology (NIST),
“SP 800-204: Security Strategies for Microservices-
based Application Systems” (August 7, 2019)
https://www.nist.gov/publications/security-strategies-microservices-based-application-systems
Monolithic Architecture Vs. Microservices Architecture
Source: NIST , “SP 800-204: Security Strategies for Microservices-based Application Systems ” (August 7, 2019)

Security strategies for the design and deployment of
microservices-based application systems
Threats Security Strategies
Identity and access management -Authentication (MS-SS-1)
-Access Management (MS-SS-2)
Service Discovery Mechanism -Service Registry Configuration (MS-SS-3)
Secure Communication Protocols -Secure Communication (MS-SS-4)
Security Monitoring -Security Monitoring (MS-SS-5)
Circuit Breaker implementation -Implementing Circuit Breakers (MS-SS-6)
Load Balancing -Load Balancing（MS-SS-7）
Rate Limiting (Throttling) -Late Limiting（MS-SS-8）

Security strategies for the design and deployment of
microservices-based application systems (Continue.)
Threats Security Strategies
Integrity Assurance -Induction of New Versions of
Microservices (MS-SS-9)
-Handling Session Persistence (MS-SS-10)
Countering Internet-based Attacks -Preventing Credential Abuse and Stuffing
Attacks (MS-SS-11)
Architectural Frameworks in
Microservices
-API Gateway Implementation (MS-SS-12)
-Service Mesh Implementation (MS-SS-13)

4. Opportunities of Cross-Asia Collaboration on
Secure Containers & Microservices

Source:Cabinet Office, Government of Japan, “Society 5.0”
(https://www8.cao.go.jp/cstp/english/society5_0/index.html)
“Society 5.0” Initiative by the Japanese Government
“Cloud by
Default”
Principle

Source: IT Strategic
Headquarters, “Declaration to
Be the World’s Most Advanced
IT Nation
Basic Plan for the Advancement
of Public and Private Sector
Data Utilization “ (May, 2017)
“Cloud by
Default”
Principle
Cloud-native Tech for Integrated Medical Care & Nursing
Care, Anytime &Anywhere

Why don’t you join CSA’s Application Containers &
Microservices WG from APAC?
(https://cloudsecurityalliance.org/research/working-groups/containerization/)

https://www.linkedin.com/in/esasahara
https://www.facebook.com/esasahara
https://twitter.com/esasahara
Cloud Security Alliance Japan Chapter
http://www.cloudsecurityalliance.jp/

Opportunities of Cross-Asia Collaboration on Secure Containers & Microservices

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Opportunities of Cross-Asia Collaboration on Secure Containers & Microservices

Similar to Opportunities of Cross-Asia Collaboration on Secure Containers & Microservices (20)

More from Eiji Sasahara, Ph.D., MBA 笹原英司

More from Eiji Sasahara, Ph.D., MBA 笹原英司 (20)

Recently uploaded

Recently uploaded (20)

Opportunities of Cross-Asia Collaboration on Secure Containers & Microservices