Running security service in gcloud

•Download as PPTX, PDF•

3 likes•3,430 views

How Aqua runs its own security service in gcloud using Kubernetes. Was presented at Seattle Kubernetes meetup (http://www.meetup.com/Seattle-Kubernetes-Meetup/events/231348751/)

Software

2
WHO AM I
 Head of Security Research at Aqua Security, a leader
in container security
 20 years of building security products, development
and research
 Held senior security research positions at Microsoft,
Aorato
and Imperva.
 Presented at security conferences, among them,
BlackHat Europe, RSA Europe and Virus Bulleting.

3
PEEKR
 Scans for known vulnerabilities (CVEs)
 Profiles container activities on host and network
 Automatically runs the image and checks it against malicious
behaviors
 Highlights suspicious container behavior
 Free (no credit card needed for registration)
 https://peekr.aquasec.com

5
YOU WERE SAYING...
 Automatically runs the image and checks it against
malicious behaviors
 Meaning we are running arbitrary, unknown containers
on our infrastructure
 Every time we consulted people and organizations, we
got same response...

6
YOU ARE CRAZY
INSANE, NUTS, KOOKY,
WACKY...

7
ARCHITECTURAL REQUIREMENTS
 Scalable web front end
 Scalable Scanner workers
 Asynchronous processing
 Security

8
SECURITY CONCERNS
 Web front end
 Malicious containers
 Exploding containers
 Lateral movement
 Attacking from our infrastructure

9
MALICIOUS CONTAINERS
 Local behavior
 Fork Bomb
 Fallocate
 Resource consumption
 Network
 East-West
 North-East

10
IMPLEMENTATION
 Kubernetes
 Security
 Kubernetes
 Aqua

11
PEEKR ARCHITECTURE OVERVIEW
Front end cluster
Front
end
Service
Web
Queue
CVEs
Back end cluster
Scanner

12
OVERALL SECURITY
 Log everything
 Use Kubectl to access containers, to limit ssh access
 Apply resource quota and limits with Kubernetes
namespaces
 Network segregation through Kubernetes clusters

13
PROTECTING AGAINST MALICIOUS
CONTAINERS
 Local
 Run unprivileged
 Run with user namespace
 Containers data (volumes) on separate partition
 Aqua
 Network
 Deny network access
 No internet access to backend cluster
 Communication between clusters is limited to absolute
minimum

14
FORK BOMB
 :(){ :|:& };:
 Exhausts PIDs
 System freezes

15
FORK BOMB PROTECTION
 nproc
 ulimit –u 100
 Limit per user per session
 Can be done either for docker daemon or per container
 Doesn’t enforce for root
 PID cgroup
 Future, kernel 4.3

THANK YOU
Michael Cherny
cherny@aquasec.com
@chernymi

Viewers also liked

Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13

Zach Hill

Veer's Container Security

Jim Barlow

Monetising Your Skill

'Detola Amure

ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...

DynamicInfraDays

Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop. Led By Docker Security Experts: Riyaz Faizullabhoy David Lawrence Viktor Stanchev Experience Level: Intermediate to advanced level Docker experience recommended

Docker Security workshop slides

Docker, Inc.

AWS Security Architecture - Overview

Sai Kesavamatham

AWS Security Best Practices and Design Patterns

Amazon Web Services

Security best practices for kubernetes deployment

Michael Cherny

Monitoring, Logging and Tracing on Kubernetes

Martin Etmajer

How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis. Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now. With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them. In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.

Docker Security - Secure Container Deployment on Linux

Michael Boelen

London HUG 19/5 - Kubernetes and vault

London HashiCorp User Group

Video: https://youtu.be/C_u4_l84ED8 Karl Isenberg reviews the history of distributed computing, clarifies terminology for layers in the container stack, and does a head to head comparison of several tools in the space, including Kubernetes, Marathon, and Docker Swarm. Learn which features and qualities are critical for container orchestration and how you can apply this knowledge when evaluating platforms.

Container Orchestration Wars

Karl Isenberg

Docker Security Overview

Sreenivas Makam

Viewers also liked (13)

Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13

Veer's Container Security

Monetising Your Skill

ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...

Docker Security workshop slides

AWS Security Architecture - Overview

AWS Security Best Practices and Design Patterns

Security best practices for kubernetes deployment

Monitoring, Logging and Tracing on Kubernetes

Docker Security - Secure Container Deployment on Linux

London HUG 19/5 - Kubernetes and vault

Container Orchestration Wars

Docker Security Overview

Recently uploaded

Auto-Affiliate AI is the only Automated Affiliate system that generates $5,000/week in affiliate commissions without sales funnels, email marketing, or advertising. I've take all the guesswork out of affiliate marketing by taking the fastest, most beginner-friendly commission strategy and trained a ChatGTP system to implement the whole thing automatically. Inside Auto-Affiliate AI you'll discover: How to run this business in 2 hours per week with $0 out-of-pocket expense. Step-by-step beginner-friendly instructions with no technical requirements. Our Auto-Affiliate AI campaigns average $5,000/week in profits. No ad buying required - all traffic comes from free sources. No sales funnels or landing pages - Clicks go directly to your affiliate links. No manual content creation - Everything is generated with pre-trained AI. Generates affiliate link clicks immediately, first sale hours after getting started. Guaranteed affiliate approval with commissions as high as 85%. Automation allows anyone to earn maximum money in minimum time. How to recession-proof this opportunity to work in any economy: your passive income only grows year after year. (Note: Download the paper about this software or make it your own. do After that, click on Click here for Instant access inside the paper, and it will take you to the sales page of the product.)

Auto Affiliate AI Earns First Commission in 3 Hours..pdf

SelfMade bd

Transformer Neural Network Use Cases with Links

JinanKordab

Secure Software Ecosystem Teqnation 2024

Soroosh Khodami

Evolving Data Governance for the Real-time Streaming and AI Era

confluent

^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto

kasambamuno

Choosing the right Recruitment Management Software can be difficult considering how many are available. Let us begin by describing what a recruitment management system is. In simplified terms, Recruitment Management Software refers to a comprehensive suite of tools designed to effectively oversee and streamline an organisation's recruitment process. To know more information here: https://sites.google.com/view/nyggs-recruitment-management/home

What is a Recruitment Management Software?

NYGGS Automation Suite

Building a notification campaign might seem easy and it is easy to get started with a simple set up. But once the scale kicks in, it becomes every important to have a resilient architecture that can handle hundreds of thousands of recipients. This talk will focus on the Serverless services consumed in building the architecture and the various architectural decisions. The talk covers the various challenges in building an architecture of this sorts and how we overcame them using Serverless services.

Lessons Learned from Building a Serverless Notifications System.pdf

Srushith Repakula

Operations departments are at the heart of organizational efficiency and effectiveness, constantly assessing performance against strategic objectives and key results. With OnePlan, operations leaders can gain the insights and tools needed to align resources optimally and drive essential outcomes. This webinar will delve into how OnePlan facilitates real-time visibility into performance metrics and resource allocation, enabling operations teams to remain agile and effective. Join us to explore actionable strategies for enhancing your operational efficiency and achieving your key results.

Optimizing Operations by Aligning Resources with Strategic Objectives Using O...

OnePlan Solutions

The Mythical Technical Debt (Brooke, please, forgive me.) <This talk is designed for a technical audience> In software-intensive systems development, we often face trade-offs between speed and long-term maintainability. These trade-offs accumulate as technical debt, the hidden cost of short-term decisions that can impact future development. Technical debt goes beyond the initial choices made when creating software. It encompasses design decisions, coding practices, or anything that might hinder future development efforts. By effectively identifying and managing this debt, we can build robust and scalable software systems. In this talk, we'll explore different types of technical debt and their impact on projects. We'll delve into practical methods to identify, measure, and reduce it. Finally, we'll see how to turn technical debt into an advantage, using it as a springboard for innovation with real-world examples.

The mythical technical debt. (Brooke, please, forgive me)

Roberto Bettazzoni

Salesforce unveiled the Salesforce Zero Copy Partner Network, a global alliance of tech and solution providers developing secure, bidirectional zero-copy interfaces with Salesforce Data Cloud. This innovative approach enables seamless data actioning across the Salesforce Einstein Platform. Brian Miliham, Salesforce’s President and COO, highlighted the challenge companies face with fragmented data. This ecosystem empowers businesses to harness all their data, irrespective of its location, maximizing the potential for personalized customer experiences and facilitating quicker, cost-effective AI integration within Salesforce.

Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...

CloudMetic

This session unveils the multifaceted horizontal scaling strategies that power Wix's robust infrastructure. From Kafka consumer scaling and dynamic traffic routing for site segments to DynamoDB sharding and MySQL clusters custom routing with ProxySQL, we dissect the mechanisms that ensure scalability and performance at Wix. Attendees will learn about the art of sharding and routing key selection across different systems, and how to apply these strategies to their own infrastructure. We'll share insights into choosing the right scaling strategy for various scenarios, balancing between managed services and custom solutions. Key Takeaways: - Grasp various sharding techniques and routing strategies used at Wix. - Understand key considerations for sharding key and routing rule selection. - Learn when and why to choose specific horizontal scaling strategies. - Gain practical knowledge for applying these strategies to achieve scalability and high availability. Join us to gain a blueprint for scaling your systems horizontally, drawing from Wix's proven practices.

Effective Strategies for Wix's Scaling challenges - GeeCon

Natan Silnitsky

This is a classic migration case study (the past, current and the future) at scale from a world-wide company transitioning from Confluent Platform and Confluent Cloud to self-managed Apache Kafka on Kubernetes using Strimzi. At Maersk, we have been architecting, designing and implementing our 3rd generation Event Streaming Platform. This platform is based on Kubernetes in Azure and using Strimzi to operate Apache Kafka at large scale, highly reliable, segregating data based on isolated use cases. Our 2nd generation was based on OnPrem Confluent Platform and Confluent Cloud and this presentation is the story of this migration and reasoning behind it. Furthermore, we would get into details on how we monitor (Grafana, Prometheus), alert (GoAlert and alert as code), operate and provide self-service solutions on top of Strimzi to enable business critical application in Maersk, implemented in GoLang using the GitOps deployment model with Flux and Kustomization among others. Finally, if time allows we will end with a demo of an open-source self service tool to monitor and explore the cluster with most wanted features such as topic message browsing and configuring and restarting connectors.

StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf

steffenkarlsson2

^Clinic ^%[+27788225528*Abortion Pills For Sale In harare

kasambamuno

Unlock the full potential of your software development lifecycle with SpiraPlan's powerful REST APIs. Led by experts from Inflectra and our partner, MVerve, this webinar offers a practical guide to leveraging the API's power for automation, integration, and data-driven insights. Whether you're an API expert or beginner, our recap blog is packed with valuable information to enhance your SpiraPlan experience. The webinar emphasized how SpiraPlan's REST API allows you to: • Automate Workflows: Streamline your processes by automating repetitive tasks. • Integrate with Existing Tools: Seamlessly connect SpiraPlan with your existing software ecosystem. • Build Custom Solutions: Tailor SpiraPlan to your unique needs by developing custom applications and integrations. • Gain Deeper Insights: Extract valuable data from SpiraPlan for advanced reporting and analysis.

From Theory to Practice: Utilizing SpiraPlan's REST API

Inflectra

Unlock the secrets to success in the competitive world of food delivery app development with our comprehensive guide for 2024. From innovative features to cutting-edge technologies, discover the strategies that will elevate your food delivery business to new heights. Download now for expert insights and actionable tips for more visit, https://foodorderingwebsite.com/food-delivery-app-development/.

Food Delivery Business App Development Guide 2024

Chirag Panchal

Spring into AI presented by Dan Vega 5/14

VMware Tanzu

These are the slides of my OpenSIPS Summit 2024 presentation about automating your test calls. It dives into why automated call testing is crucial, how to integrate it into your CI/CD pipeline and how to extend testing of single calls into load testing and testing of other protocols. The presentation also provides details how open source components such as sipp, asterisk and rtpengine are used to implement agents to generate test calls for SIP, Fax and WebRTC at scale.

Automate your OpenSIPS config tests - OpenSIPS Summit 2024

Andreas Granig

If you weren't able to make it to Florida Dreamin' last Fall, then you are in luck. We are bringing you one of the most talked about sessions during the conference. You won't want to miss this insightful presentation from Cyndy Ferguson, Team Lead, Client Success Manager, Craftsman Technology Group titled: Why I hire and train Junior Admins, and why you should too! Presentation Description: You say you don't have time to hire, train and mentor Junior Admins? But you have time to interview 50 people, none of whom fit your current Salesforce Admin job description? Let me show you how to hire, train, and retain Freshies or Junior Admins, while saving time, money and your sanity. I have developed 30-day, 60-day, 90-day, and 180-day plans to skill up new Admins and make your life easier. Also, join us to get some key highlights for the Summer '24 Release that will impact and provide value to most Orgs. These updates will be available in your Sandbox and Production Orgs during the months of May and June presented by Marc Lester, Engagement Manager, Coastal. Did you know most new features are included with your initial purchase? Explore the latest innovations in the release to maximize your ROI from Salesforce. Some features in Summer ’24 will affect all users immediately after the release goes live, which are already available in your Sandbox and Production Orgs. If you haven't already done so, consider communicating these changes to your users so they understand the updates and know how to best take advantage of them. Other features require direct action by an administrator before users can benefit from the new functionality. Learn about some of each of these features and enhancements and which ones will benefit your organization the most.

Jax, FL Admin Community Group 05.14.2024 Combined Deck

Marc Lester

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan

Neo4j

COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...

naitiksharma1124

Recently uploaded (20)

Auto Affiliate AI Earns First Commission in 3 Hours..pdf

Transformer Neural Network Use Cases with Links

Secure Software Ecosystem Teqnation 2024

Evolving Data Governance for the Real-time Streaming and AI Era

^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto

What is a Recruitment Management Software?

Lessons Learned from Building a Serverless Notifications System.pdf

Optimizing Operations by Aligning Resources with Strategic Objectives Using O...

The mythical technical debt. (Brooke, please, forgive me)

Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...

Effective Strategies for Wix's Scaling challenges - GeeCon

StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf

^Clinic ^%[+27788225528*Abortion Pills For Sale In harare

From Theory to Practice: Utilizing SpiraPlan's REST API

Food Delivery Business App Development Guide 2024

Spring into AI presented by Dan Vega 5/14

Automate your OpenSIPS config tests - OpenSIPS Summit 2024

Jax, FL Admin Community Group 05.14.2024 Combined Deck

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan

COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...

Running security service in gcloud

2. 2 WHO AM I  Head of Security Research at Aqua Security, a leader in container security  20 years of building security products, development and research  Held senior security research positions at Microsoft, Aorato and Imperva.  Presented at security conferences, among them, BlackHat Europe, RSA Europe and Virus Bulleting.

3. 3 PEEKR  Scans for known vulnerabilities (CVEs)  Profiles container activities on host and network  Automatically runs the image and checks it against malicious behaviors  Highlights suspicious container behavior  Free (no credit card needed for registration)  https://peekr.aquasec.com

4. 4 PEEKR

5. 5 YOU WERE SAYING...  Automatically runs the image and checks it against malicious behaviors  Meaning we are running arbitrary, unknown containers on our infrastructure  Every time we consulted people and organizations, we got same response...

6. 6 YOU ARE CRAZY INSANE, NUTS, KOOKY, WACKY...

7. 7 ARCHITECTURAL REQUIREMENTS  Scalable web front end  Scalable Scanner workers  Asynchronous processing  Security

8. 8 SECURITY CONCERNS  Web front end  Malicious containers  Exploding containers  Lateral movement  Attacking from our infrastructure

9. 9 MALICIOUS CONTAINERS  Local behavior  Fork Bomb  Fallocate  Resource consumption  Network  East-West  North-East

10. 10 IMPLEMENTATION  Kubernetes  Security  Kubernetes  Aqua

11. 11 PEEKR ARCHITECTURE OVERVIEW Front end cluster Front end Service Web Queue CVEs Back end cluster Scanner

12. 12 OVERALL SECURITY  Log everything  Use Kubectl to access containers, to limit ssh access  Apply resource quota and limits with Kubernetes namespaces  Network segregation through Kubernetes clusters

13. 13 PROTECTING AGAINST MALICIOUS CONTAINERS  Local  Run unprivileged  Run with user namespace  Containers data (volumes) on separate partition  Aqua  Network  Deny network access  No internet access to backend cluster  Communication between clusters is limited to absolute minimum

14. 14 FORK BOMB  :(){ :|:& };:  Exhausts PIDs  System freezes

15. 15 FORK BOMB PROTECTION  nproc  ulimit –u 100  Limit per user per session  Can be done either for docker daemon or per container  Doesn’t enforce for root  PID cgroup  Future, kernel 4.3

16. FORK BOMB DEMO

17. 17 SO WITH A LITTLE HELP

18. THANK YOU Michael Cherny cherny@aquasec.com @chernymi

Editor's Notes

Two words about me, one word about Aqua

Running security service in gcloud

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (13)

Recently uploaded

Recently uploaded (20)

Running security service in gcloud

Editor's Notes