Securing danish healthcare using cloudnative

•

0 likes•76 views

Handling health care info for patients requires a high level of security and confidentiality. Running a Cloud Native platform opens a lot of possibilities, but also a lot of dangerous pitfalls. In this talk we will explore different problem areas, and some of the best practices for handling these. We will look at Open Source tools for automatic detection, enforcing security policies and security reporting for auditing. We will also talk about the easy options, the full package, and the managed package.

Technology

Securing Danish Healthcare
using Cloud Native
Frederik Mogensen
Senior Cloud Architect at Trifork

Telemedicine Platform
● Covering all of Denmark
○ 5 regions + 98 municipalities
● Helping chronically ill patients to live at
home
● Defining different questionnaires for each
illness
● Patients measuring and responding to
questionnaires daily
Photo by Jair Lázaro on Unsplash

Platform Focus
● Handling healthcare data demands a
high focus on
○ Stability
○ Observability
○ Security
Photo by Philipp Katzenberger on Unsplash

Cloud Native
“Cloud native computing is an approach in software development that utilizes
cloud computing to "build and run scalable applications in modern, dynamic
environments such as public, private, and hybrid clouds".
Technologies such as containers, microservices, serverless functions and
immutable infrastructure, deployed via declarative code are common elements
of this architectural style”
https://en.wikipedia.org/wiki/Cloud_native_computing

Defense-in-depth using
The 4C's of Cloud Native security
www.trendmicro.com

Cloud provider security
Area of Concern
● Network access
● Access to Cloud Provider API
● Disk Encryption
● Database access
● Internet access
● Misconfiguration / drifting configuration
Photo by Mauro Sbicego on Unsplash

Cloud provider security
● Infrastructure as code ensures systems consistent
● IaC allows for security scanning of code
Short demo
$ tfscan
Examples are available at: https://github.com/mogensen/cloud-security-presentation/

Kubernetes Infrastructure
Area of Concern
● Network access to API Server
● Network access to Nodes
● Kubernetes access to Cloud Provider API
● Access to etcd
● etcd Encryption
Photo by Frank Eiffert on Unsplash

Kubernetes Infrastructure
Short demo
$ docker run -it --rm --network host
aquasec/kube-hunter --interface
$ curl -k https://172.18.0.2:6443/version
Examples are available at: https://github.com/mogensen/cloud-security-presentation/

Static Cluster Security
Area of Concern
● RBAC Authorization (Access to the Kubernetes API)
● Pod Security Policies (Deprecated)
○ Run as Root?
○ Allow host paths?
○ Allow privileged?
● Quality of Service (and Cluster resource management)
● Network Policies
● TLS For Kubernetes Ingress
Photo by Umberto on Unsplash

Static Cluster Security
Short demo
$ polaris dashboard
$ kubeaudit all -f demo.yaml
kubeaudit
Examples are available at: https://github.com/mogensen/cloud-security-presentation/

Runtime Cluster Security
● Pod Communication
○ JWT validation
○ mTLS Data Layer encryption
○ Network policies
● Monitoring Traffic
○ Tracing specific calls
○ Graphing all traffic between services
● Secrets & Certificates
○ Service Accounts
Short demo
$ docker-compose up

Intruder Detection / Intruder Prevention
Short demo
$ docker-compose up
Examples are available at: https://github.com/mogensen/cloud-security-presentation/

Container Security
Area of Concern
● Container Vulnerability Scanning
● OS Dependency Security
● Image Signing and Enforcement
● Disallow privileged users
● Use container runtime with stronger isolation
Photo by Docker

Image Scanning and Security
Short demo
$ trivy nginx:latest
$ trivy nginx:alpine
$ docker run -it --rm nginx:latest whoami
$ docker run -it --rm
nginxinc/nginx-unprivileged:stable-alpine whoami
Examples are available at: https://github.com/mogensen/cloud-security-presentation/

● Access over TLS only
● Limiting port ranges of communication
● 3rd Party Dependency Security
● Static Code Analysis
● Dynamic probing attacks
Code Scanning
Examples are available at: https://github.com/mogensen/cloud-security-presentation/

● Shift left on security, early focus
● Consider your vulnerabilities for all layers
○ Cloud
○ Cluster
○ Container
○ Code
● Automated scanning and analysis
● Remember that a creative mind finds stuff a machine can’t.
Summary and buzzwords

Frederik Mogensen
fmo@trifork.com
Examples are available at: https://github.com/mogensen/cloud-security-presentation/
Thank you

The document summarizes a Kubernetes meetup that took place on June 9th 2021 in Geneva. The meetup aimed to bring together Kubernetes enthusiasts to discuss the Kubernetes ecosystem, share best practices and demonstrations. The agenda included presentations from KubeCon Europe 2021 on topics like multi-cluster, security, GitOps, service mesh and machine learning. Upcoming meetups were announced for September with the goal of meeting in person. Attendees were encouraged to propose future presentation topics.

Microservices - The good, The bad, The does and The don'ts

Frederik Mogensen

Empower Your Docker Containers with Watson - DockerCon 2017 Austin

Phil Estes

DevSecCon Singapore 2019: Preventative Security for Kubernetes

DevSecCon

Liz Rice The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations, across multi-cloud/hybrid environments. Configuring it to comply with security best practices and specific security requires time and expertise that most organizations don’t possess. Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers. During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes: Kube-Bench: checks a Kubernetes cluster against 100+ checks documented in the CIS Kubernetes Benchmark. Kube-Hunter: conducts penetration tests against Kubernetes clusters that hunt for exploitable vulnerabilities and misconfiguration - both from outside the cluster as well as inside it (running as a pod)

Comparison of Current Service Mesh Architectures

Mirantis

EasyStack True Private Cloud | Quek Keng Oei

Vietnam Open Infrastructure User Group

Modern, Private, Automated Private Cloud Altera Technologies is a cloud management company founded in 2014 that focuses on private cloud software and services. It has over 500 enterprise customers and 200 employees. Altera offers a true private cloud product called ECS that provides tenants secure platforms with logical and physical network separation between domains and projects. Key benefits of private cloud over public cloud include better security, control, and predictability while avoiding high public cloud costs over time.

Orchestrating stateful applications with PKS and Portworx

VMware Tanzu

This document provides an overview of Portworx, including: 1. Portworx is a leader in providing stateful container orchestration that works across any cloud or scheduler. 2. It has an experienced team and investors, with headquarters in Los Altos, CA and 70 employees globally. 3. Portworx allows applications to run across different infrastructure types and clouds with a portable cloud stack that provides high availability, replication, security and data mobility features.

Deploying NGINX in Cloud Native Kubernetes

Kangaroot

Using cloud-native application services is easy, it “just works”. Many customers choose them without giving it a second thought. However, these app services vary from cloud to cloud, with differing levels of quality and numbers of features making visibility and control inconsistent across clouds. And then there is cost…it’s hard to know what your deployment is going to cost until after it’s been built. Often the services must be compiled in a piecemeal fashion and many products carry bloated code that increases costs. Finally, security is often an afterthought. Moreover, SecOps teams struggle to keep up with the breakneck app release cadence that has become typical. Often they are seen as DevOps viewing them as a major constraint on the ability to deliver software quickly. In this workshop, we showcase the NGINX solutions for cloud native Kubernetes that will allow you to: - Reduce tool sprawl and provide a standard set of services - Control costs with lightweight and easy solutions - Bring teams together with automation and self‑service capabilities

1. The document discusses microservices architecture and the challenges of managing independent microservices, including issues like latency, failures, and lack of visibility. 2. It introduces service meshes like Istio and Envoy as a way to automate operational tasks across microservices and reduce friction, as well as API gateways like Ambassador that can provide routing, authentication, and other capabilities for microservices. 3. Ambassador is presented as a self-service API gateway that uses Envoy and can work both standalone and with Istio to provide capabilities like routing, TLS termination, and authentication in a way that reduces operational overhead for development teams.

MRA AMA Part 6: Service Mesh Models

NGINX, Inc.

On-demand recording: https://www.nginx.com/resources/webinars/mra-ama-part-6-service-mesh-models/ Speakers: Charles Pretzer Technical Architect NGINX, Inc. Floyd Smith Director of Content Marketing NGINX, Inc. About the webinar: In this webinar, two models of the NGINX Microservices Reference Architecture, the Router Mesh Model and the Fabric Model, are shown as successively more capable implementations of a service mesh architecture. We compare the MRA models to Istio, linkerd, and other service mesh architectures, and show how the NGINX Kubernetes Ingress Controller allows direct use of these other architectures. Attendees of the live webinar will have the opportunity to ask questions. Service mesh models are an emerging standard for microservices development and deployment. Popular architectures such as Istio and linkerd use a service mesh approach, including attributes such as load balancing capability, support for authorization and authentication, and use of the circuit breaker model for resiliency. Watch this webinar to learn: - Key problems solved by using a service mesh model for microservices _ How different service mesh architectures compare to each other - How to use NGINX service mesh models - the Router Mesh Model and Fabric Model of the MRA - How the Kubernetes Ingress Controller enables the use of NGINX in Istio, linkerd, and other service mesh models

Istio Cloud Native Online Series - Intro to Istio Security

Matt Baldwin

This talk was presented by Dr. Tao Li on 11/29/2017 at the Cloud Native Online meetup. https://www.meetup.com/Cloud-Native-Online-Meetup/events/245027581/ Summary: In today's talk, Tao will cover the general Istio Security roadmap, including authentication and authorization. And then he will focus on the authentication part from CA to node identity to workload identity. Bio: Dr. Tao Li is a software engineer at Google. He has been with Google for more than 5 years. Currently he serves as a TL of Istio Security, focusing on Authentication, which includes CA, identity provisioning, service-to-service communication, etc. Organized by StackPointCloud - https://stackpoint.io

Faster safer and 100 user centric application at equifax with docker

Docker, Inc.

Equifax faced challenges around software development lifecycles, vulnerability detection, and security. They implemented Docker to improve security, reduce development cycles, and support multiple platforms. Their solution involved Docker Swarm for infrastructure, CI/CD pipelines for builds and deployments, and Dockerized applications including APIs, web apps, and mobile apps. This allowed them to deliver a new product in 3 months with greater transparency, faster deployments, improved security and scaling.

Security threats with Kubernetes - Igor Khoroshchenko

Kuberton

Modern Security Pain Points with Application Modernization - With Jermaine Ed...

Konveyor Community

Companies are preparing to modernize many business-to-consumer, business-to-business, and business-to-employee apps to the cloud in support of their digital transformation. As a result, what are apps modernization security problems to account for during Design and DevSecOps? This session will present security pain points with app modernization concerning confidentiality, integrity, and availability with a few real examples. Presented by Jermaine Edwards, Distinguished Engineer, CTO at IBM

Replacing vCloud with OpenNebula

OpenNebula Project

Securing Your Containers is Not Enough: How to Encrypt Container Data

Mirantis

Cisco Cloud Networking Workshop

Cisco Canada

This document provides an agenda and instructions for a Cisco Cloud Networking Workshop. The agenda includes demonstrations of the Cisco Meraki dashboard, MX security appliances, MS switches, MR wireless access points, and SM device management. Attendees are given instructions to log into the Meraki dashboard for a hands-on lab exploring configuration of MX firewalls, MS switches, wireless SSIDs on MR access points, and network policies. The document also provides overviews of Cisco Meraki's cloud-managed networking portfolio and features for network security, management, and device mobility.

The elegant way of implementing microservices with istio

Inho Kang

How to Build a Basic Edge Cloud

Mirantis

Cncf storage-final-filip

Juraj Hantak

This document provides an overview of cloud native storage. It discusses how storage is a key component of cloud native reference architectures and how container-based applications require persistent storage volumes. It introduces the concept of out-of-tree storage plugins that allow various storage platforms to integrate with container orchestrators. The document also outlines common cloud native storage patterns, such as giving containers persistent volumes, and how this enables portability across infrastructure providers. Finally, it provides examples of how storage classes, persistent volumes, and persistent volume claims can be used to provision storage for pods running in containers.

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...

Nico Meisenzahl

Cloud native environments are a double edged sword - used right, the benefits are immense. However, it also introduces multiple entry points for example security breaches. In this session, Nico will show how application vulnerabilities make it easy to hijack a Kubernetes cluster. He will also talk about why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster. In addition, you will learn how GitLab can protect you from being hijacked. Nico will talk about how to create more secure applications by using Static Application Security Testing (SAST) as well as how to secure your Kubernetes cluster with Container Host Security, Container Network Security or a Web Application Firewall.

VietOpenStack meetup 7th Kilo overview

Vietnam Open Infrastructure User Group

The document discusses the OpenStack Kilo release from the OpenStack Foundation. Some key points: - Kilo aimed to create a stable core platform for interoperability and integrating new technologies. - It focused on defining stable core services and saw key growth in integrated projects like Ironic for bare-metal provisioning. - Major components like Nova, Keystone, Glance, Cinder, Neutron, Ceilometer, and Horizon received new features, improvements, and bug fixes related to areas like performance, security, manageability and advanced networking services. - The discussion section raises questions about factors that would motivate upgrading to Kilo like improved stability, performance and flexibility, and challenges that may come with

Container security within Cisco Container Platform

Sanjeev Rampal

The document discusses security within Cisco Container Platform. It provides an overview of the security model and features, including platform hardening through the Cisco Secure Development Lifecycle process, role-based access control for Kubernetes, and secure multi-tenancy capabilities in Kubernetes clusters. It also covers container and Kubernetes security best practices like encryption, authentication, and network policies that are supported in Cisco Container Platform. The presentation concludes with a demo of secure multi-tenancy in Kubernetes clusters.

Using Kubernetes to make cellular data plans cheaper for 50M users

Mirantis

DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...

Docker, Inc.

Entergy, a large utility company headquartered in New Orleans, LA has launched an initiative to modernize their application infrastructure. During the initial analysis, Entergy recognized the existing legacy infrastructure’s lack of compatibility with more recent operating systems would stand in the way of progress. As a result, containerization was fast-tracked as the solution that can help them with the various tenants of their strategy: hyperconvergence, SaaS (ServiceNow), and workload portability. Docker Enterprise proved to be the right solution to migrate roughly 850 legacy applications from Windows Server 2003 and 2008 to Windows Server 2016 quickly, securely and economically. Entergy IT has now delivered the ability for the business to run applications on-premise, in the cloud, and future-proofed the applications for migration to new versions of Windows Server. In this session, Entergy will talk about how they are modernizing their infrastructure to become more agile, secure, and enable workload portability.

Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...

Cloud Native Day Tel Aviv

Traditionally, security teams have been accustomed to investigating incidents and falling back to previous code releases if they detect serious issues. With the rise of modern cloud-native applications and immutable infrastructure, however, security engineers have new solutions at their fingertips. Immutable infrastructure refers to infrastructure with components that are designed to be destroyed and replaced with new versions whenever a change is necessary. This makes immutable infrastructure different from conventional deployment technologies, in which components were typically updated while they were still running rather than being redeployed whenever a change takes place. In this session, Dima Stopel will discuss the changing security landscape and how immutable infrastructure and cloud-native technologies such as containers, can make tedious, risk-prone security workflows a thing of the past.

Disaster recovery solutions and datacentre replacements

OVHcloud

What's hot

Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes

Mirantis

PKS - Solving Complexity for Modern Data Workloads

Carlos Andrés García

Istio : Service Mesh

Knoldus Inc.

NYC Kubernetes Meetup: Ambassador and Istio - Flynn, Datawire

Ambassador Labs

MRA AMA Part 6: Service Mesh Models

NGINX, Inc.

Istio Cloud Native Online Series - Intro to Istio Security

Matt Baldwin

Faster safer and 100 user centric application at equifax with docker

Docker, Inc.

Security threats with Kubernetes - Igor Khoroshchenko

Kuberton

Modern Security Pain Points with Application Modernization - With Jermaine Ed...

Konveyor Community

Replacing vCloud with OpenNebula

OpenNebula Project

Securing Your Containers is Not Enough: How to Encrypt Container Data

Mirantis

Cisco Cloud Networking Workshop

Cisco Canada

The elegant way of implementing microservices with istio

Inho Kang

How to Build a Basic Edge Cloud

Mirantis

Cncf storage-final-filip

Juraj Hantak

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...

Nico Meisenzahl

VietOpenStack meetup 7th Kilo overview

Vietnam Open Infrastructure User Group

Container security within Cisco Container Platform

Sanjeev Rampal

Using Kubernetes to make cellular data plans cheaper for 50M users

Mirantis

DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...

Docker, Inc.

What's hot (20)

Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes

PKS - Solving Complexity for Modern Data Workloads

Istio : Service Mesh

NYC Kubernetes Meetup: Ambassador and Istio - Flynn, Datawire

MRA AMA Part 6: Service Mesh Models

Istio Cloud Native Online Series - Intro to Istio Security

Faster safer and 100 user centric application at equifax with docker

Security threats with Kubernetes - Igor Khoroshchenko

Modern Security Pain Points with Application Modernization - With Jermaine Ed...

Replacing vCloud with OpenNebula

Securing Your Containers is Not Enough: How to Encrypt Container Data

Cisco Cloud Networking Workshop

The elegant way of implementing microservices with istio

How to Build a Basic Edge Cloud

Cncf storage-final-filip

GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...

VietOpenStack meetup 7th Kilo overview

Container security within Cisco Container Platform

Using Kubernetes to make cellular data plans cheaper for 50M users

DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...

Similar to Securing danish healthcare using cloudnative

Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...

Cloud Native Day Tel Aviv

Disaster recovery solutions and datacentre replacements

OVHcloud

CDE Marketplace: SQR Systems

Defence and Security Accelerator

Edge computing PPT slides and it's benifits and drawbacks

1GV20CS058Shivaraj

Edge computing is an approach to distributed computing where computational power and data storage is located closer to the source of data generation rather than in a centralized cloud. This document discusses the rise of edge computing driven by IoT, the need for real-time processing, and inexpensive edge hardware. It outlines key applications of edge computing like smart infrastructure and autonomous vehicles. The document also introduces Eclipse ioFog and Edge Compute Network (ECN) as open source projects for edge computing and discusses challenges around resources, security, and networking at the edge.

Cryptography Final Presentation.pptx

GaneshBagul8

Cloud cryptography is encryption that protects data stored in the cloud. It allows authorized users to access encrypted data stored on cloud servers securely. The document discusses the need for cloud cryptography to safeguard data from unauthorized access or data breaches. Symmetric and asymmetric key algorithms are commonly used for encryption. The system architecture involves a data processor that encrypts data before uploading to the cloud. Authorized users can then access segments of encrypted data using tokens and credentials. Cloud cryptography provides advantages like full disk encryption, end-to-end encryption, and file encryption to enhance data security in the cloud.

Cloudcomputingoct2009 100301142544-phpapp02

abhisheknayak29

The document discusses effective and secure use of cloud computing. It provides an overview of cloud computing definitions, models, and characteristics. It analyzes key security issues in cloud computing including advantages like data fragmentation and centralized security management, as well as challenges like isolation management and exposure of data to foreign governments. The document outlines several cloud computing security components and how they relate to both advantages and challenges.

Securing Microservices in Containerized Environments

DevOps.com

Modern software development involves breaking applications up into smaller microservices deployed in containers. In this microservice world, teams focus on the higher, more abstracted tiers of the stack - the application, the container, and the orchestrator - with the cloud infrastructure provider handling everything else. That may make it seem like security should be easier for these layers; after all, there are fewer tiers in the stack to monitor. In reality, it can actually be more challenging because they rely on frequently changing, de-coupled ephemeral services communicating over unreliable networks. Cloud security requires an understanding of the movement of data into and out of the application from the internet, the movement of information between services at runtime, and the way the services run atop the abstracted layers of infrastructure (container host, container orchestrator). This webinar will explain these challenges and suggest steps that security teams can take to overcome them.

Military Edge Computing with Vault and Consul

Mitchell Pronschinske

Automate Your Container Deployments Securely

DevOps.com

Operations seeking to make their apps and APIs both performant and available to their users must bake effective application security tooling into their processes and infrastructure configurations. How can development and operations teams release at increasing velocity with app protection built into their CI/CD pipeline? A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure new infrastructure and app code released to production is both effective and secure in any environment from cloud using containers to datacenters to a hybrid of these. Join application security expert Aneel Dadani from Signal Sciences to learn how your team can automate, deploy at scale safely while gaining layer 7 visibility in production environments. Attendees will learn: What constitutes effective application security within the context of cloud adoption and an ever expanding threat landscape How development teams can gain visibility into how their apps and APIs are being used in production and what vulnerabilities may exist that they overlooked How DevOps teams can scale their application footprint to meet demand while securing your codebase in production How to inspect request traffic at the API gateway or the ingress

Rik Ferguson

CloudExpoEurope

cncf overview and building edge computing using kubernetes

Krishna-Kumar

A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016

Shannon Lietz

Container Security Using Microsoft Defender

Rahul Khengare

Microsoft Defender for Containers provides security for container workloads running on Kubernetes. It monitors clusters for misconfigurations and vulnerabilities, provides runtime threat detection, and generates alerts. It works across multiple clouds by deploying agents and daemons to collect security signals from the API server, nodes, and images. A demonstration showed Microsoft Defender in action monitoring container workloads.

A safety design of

Vishwanath Athanikar

The document proposes a safety design for cloud storage. It discusses cloud computing and cloud storage models. It then outlines security issues with cloud computing services including availability, reliability, and user data security. The proposed cloud storage architecture consists of a storage layer, management basis, application interface layer, and access layer. The cloud storage security design model includes storage cloud, control center, user interface, and client. Key technologies involve storage encryption, backup encryption, exchange encryption, and interface security. Applications include deterrent control, preventative control, corrective control, and detective control.

Cloud slide

Athulya K S

The document proposes a CloudDrop technique for securely storing files in the cloud. It divides files into fragments that are duplicated across multiple cloud nodes. This makes it difficult for attackers to retrieve meaningful data even if one node is compromised, improving security. The method also considers factors like node selection and access time to enhance performance during file retrieval from the cloud.

Multicloud - Understanding Benefits. Obstacles, and Best Approaches

Kenneth Hui

Dcs cloud architecture-high-level-design

Isaac Chiang

This document provides a high-level overview of a cloud architecture design. It discusses considerations for the design including service assurance, high availability, secure tenant segregation, and data center scalability. It then describes the proposed design which includes pods, availability zones, and regions to provide modular scalability, redundancy, and tenant isolation. Management servers and databases are separated for control and data planes.

5.cloudsecurity

DrRajapraveen

Cloud security refers to a set of policies and technologies used to protect data, applications, and infrastructure associated with cloud computing. It allows for online data protection through authentication rules for users and devices while supporting regulatory compliance. Common threats include account hijacking and DDoS attacks. Effective cloud security mechanisms leverage firewalls, encryption, identity management and threat intelligence to provide benefits like flexibility, high availability, data security and protection against attacks while following best practices around reliable providers and encryption.

Secure Application Development in the Age of Continuous Delivery

Tim Mackey

As delivered at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Secure Application Development in the Age of Continuous Delivery

Black Duck by Synopsys

As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016. Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: • How known vulnerabilities can make their way into production deployments • How deployment of vulnerable code can be minimized • How to determine the vulnerability status of a container • How to determine the risk associated with a specific package

Similar to Securing danish healthcare using cloudnative (20)

Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...

Disaster recovery solutions and datacentre replacements

CDE Marketplace: SQR Systems

Edge computing PPT slides and it's benifits and drawbacks

Cryptography Final Presentation.pptx

Cloudcomputingoct2009 100301142544-phpapp02

Securing Microservices in Containerized Environments

Military Edge Computing with Vault and Consul

Automate Your Container Deployments Securely

Rik Ferguson

cncf overview and building edge computing using kubernetes

A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016

Container Security Using Microsoft Defender

A safety design of

Cloud slide

Multicloud - Understanding Benefits. Obstacles, and Best Approaches

Dcs cloud architecture-high-level-design

5.cloudsecurity

Secure Application Development in the Age of Continuous Delivery

Recently uploaded

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

shyamraj55

JavaLand 2024: Application Development Green Masterplan

Miro Wengner

Public CyberSecurity Awareness Presentation 2024.pptx

marufrahmanstratejm

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

GNSS spoofing via SDR (Criptored Talks 2024)

Javier Junquera

In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security. This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing. The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.

FREE A4 Cyber Security Awareness Posters-Social Engineering part 3

Data Hops

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike

Hiike

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on integration of Salesforce with Bonterra Impact Management. Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

dbms calicut university B. sc Cs 4th sem.pdf

Shinana2

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Alex Pruden

Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security. Paper Link: https://eprint.iacr.org/2024/257

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

Nordic Marketo Engage User Group_June 13_ 2024.pptx

MichaelKnudsen27

SAP S/4 HANA sourcing and procurement to Public cloud

maazsz111

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

Recently uploaded (20)

June Patch Tuesday

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

JavaLand 2024: Application Development Green Masterplan

Public CyberSecurity Awareness Presentation 2024.pptx

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

GNSS spoofing via SDR (Criptored Talks 2024)

FREE A4 Cyber Security Awareness Posters-Social Engineering part 3

Best 20 SEO Techniques To Improve Website Visibility In SERP

Programming Foundation Models with DSPy - Meetup Slides

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

dbms calicut university B. sc Cs 4th sem.pdf

Columbus Data & Analytics Wednesdays - June 2024

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Choosing The Best AWS Service For Your Website + API.pptx

Building Production Ready Search Pipelines with Spark and Milvus

Nordic Marketo Engage User Group_June 13_ 2024.pptx

SAP S/4 HANA sourcing and procurement to Public cloud

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Securing danish healthcare using cloudnative

1. Securing Danish Healthcare using Cloud Native Frederik Mogensen Senior Cloud Architect at Trifork

2. Common Danish Telemedicine Platform

3. Telemedicine Platform ● Covering all of Denmark ○ 5 regions + 98 municipalities ● Helping chronically ill patients to live at home ● Defining different questionnaires for each illness ● Patients measuring and responding to questionnaires daily Photo by Jair Lázaro on Unsplash

4. Platform Focus ● Handling healthcare data demands a high focus on ○ Stability ○ Observability ○ Security Photo by Philipp Katzenberger on Unsplash

5. Cloud Native “Cloud native computing is an approach in software development that utilizes cloud computing to "build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds". Technologies such as containers, microservices, serverless functions and immutable infrastructure, deployed via declarative code are common elements of this architectural style” https://en.wikipedia.org/wiki/Cloud_native_computing

6. Defense-in-depth using The 4C's of Cloud Native security www.trendmicro.com

7. Cloud / Co-lo / Corporate Data Center

8. Cloud provider security Area of Concern ● Network access ● Access to Cloud Provider API ● Disk Encryption ● Database access ● Internet access ● Misconfiguration / drifting configuration Photo by Mauro Sbicego on Unsplash

9. Cloud provider security ● Infrastructure as code ensures systems consistent ● IaC allows for security scanning of code Short demo $ tfscan Examples are available at: https://github.com/mogensen/cloud-security-presentation/

10. Kubernetes Infrastructure Area of Concern ● Network access to API Server ● Network access to Nodes ● Kubernetes access to Cloud Provider API ● Access to etcd ● etcd Encryption Photo by Frank Eiffert on Unsplash

11. Kubernetes Infrastructure Short demo $ docker run -it --rm --network host aquasec/kube-hunter --interface $ curl -k https://172.18.0.2:6443/version Examples are available at: https://github.com/mogensen/cloud-security-presentation/

12. Cluster

13. Static Cluster Security Area of Concern ● RBAC Authorization (Access to the Kubernetes API) ● Pod Security Policies (Deprecated) ○ Run as Root? ○ Allow host paths? ○ Allow privileged? ● Quality of Service (and Cluster resource management) ● Network Policies ● TLS For Kubernetes Ingress Photo by Umberto on Unsplash

14. Static Cluster Security Short demo $ polaris dashboard $ kubeaudit all -f demo.yaml kubeaudit Examples are available at: https://github.com/mogensen/cloud-security-presentation/

15. Runtime Cluster Security ● Pod Communication ○ JWT validation ○ mTLS Data Layer encryption ○ Network policies ● Monitoring Traffic ○ Tracing specific calls ○ Graphing all traffic between services ● Secrets & Certificates ○ Service Accounts Short demo $ docker-compose up

16. Intruder Detection / Intruder Prevention Short demo $ docker-compose up Examples are available at: https://github.com/mogensen/cloud-security-presentation/

17. Container

18. Container Security Area of Concern ● Container Vulnerability Scanning ● OS Dependency Security ● Image Signing and Enforcement ● Disallow privileged users ● Use container runtime with stronger isolation Photo by Docker

19. Image Scanning and Security Short demo $ trivy nginx:latest $ trivy nginx:alpine $ docker run -it --rm nginx:latest whoami $ docker run -it --rm nginxinc/nginx-unprivileged:stable-alpine whoami Examples are available at: https://github.com/mogensen/cloud-security-presentation/

20. Code

21. ● Access over TLS only ● Limiting port ranges of communication ● 3rd Party Dependency Security ● Static Code Analysis ● Dynamic probing attacks Code Scanning Examples are available at: https://github.com/mogensen/cloud-security-presentation/

22. Summary or Attack demo?

23. ● Shift left on security, early focus ● Consider your vulnerabilities for all layers ○ Cloud ○ Cluster ○ Container ○ Code ● Automated scanning and analysis ● Remember that a creative mind finds stuff a machine can’t. Summary and buzzwords

24. Frederik Mogensen fmo@trifork.com Examples are available at: https://github.com/mogensen/cloud-security-presentation/ Thank you

Securing danish healthcare using cloudnative

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Securing danish healthcare using cloudnative

Similar to Securing danish healthcare using cloudnative (20)

Recently uploaded

Recently uploaded (20)

Securing danish healthcare using cloudnative