Frederik Mogensen, profile picture
Uploaded byFrederik Mogensen
86 views

Securing danish healthcare using cloudnative

The document outlines the implementation of a cloud-native telemedicine platform in Denmark that assists chronically ill patients. It emphasizes the importance of security across various aspects, including network access, infrastructure as code, and runtime security. Additionally, it highlights strategies for vulnerability scanning, monitoring, and automated security analysis to ensure a robust cloud security posture.

Embed presentation

Downloaded 38 times
Securing Danish Healthcare using Cloud Native Frederik Mogensen Senior Cloud Architect at Trifork
Common Danish Telemedicine Platform
Telemedicine Platform ● Covering all of Denmark ○ 5 regions + 98 municipalities ● Helping chronically ill patients to live at home ● Defining different questionnaires for each illness ● Patients measuring and responding to questionnaires daily Photo by Jair Lázaro on Unsplash
Platform Focus ● Handling healthcare data demands a high focus on ○ Stability ○ Observability ○ Security Photo by Philipp Katzenberger on Unsplash
Cloud Native “Cloud native computing is an approach in software development that utilizes cloud computing to "build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds". Technologies such as containers, microservices, serverless functions and immutable infrastructure, deployed via declarative code are common elements of this architectural style” https://en.wikipedia.org/wiki/Cloud_native_computing
Defense-in-depth using The 4C's of Cloud Native security www.trendmicro.com
Cloud / Co-lo / Corporate Data Center
Cloud provider security Area of Concern ● Network access ● Access to Cloud Provider API ● Disk Encryption ● Database access ● Internet access ● Misconfiguration / drifting configuration Photo by Mauro Sbicego on Unsplash
Cloud provider security ● Infrastructure as code ensures systems consistent ● IaC allows for security scanning of code Short demo $ tfscan Examples are available at: https://github.com/mogensen/cloud-security-presentation/
Kubernetes Infrastructure Area of Concern ● Network access to API Server ● Network access to Nodes ● Kubernetes access to Cloud Provider API ● Access to etcd ● etcd Encryption Photo by Frank Eiffert on Unsplash
Kubernetes Infrastructure Short demo $ docker run -it --rm --network host aquasec/kube-hunter --interface $ curl -k https://172.18.0.2:6443/version Examples are available at: https://github.com/mogensen/cloud-security-presentation/
Cluster
Static Cluster Security Area of Concern ● RBAC Authorization (Access to the Kubernetes API) ● Pod Security Policies (Deprecated) ○ Run as Root? ○ Allow host paths? ○ Allow privileged? ● Quality of Service (and Cluster resource management) ● Network Policies ● TLS For Kubernetes Ingress Photo by Umberto on Unsplash
Static Cluster Security Short demo $ polaris dashboard $ kubeaudit all -f demo.yaml kubeaudit Examples are available at: https://github.com/mogensen/cloud-security-presentation/
Runtime Cluster Security ● Pod Communication ○ JWT validation ○ mTLS Data Layer encryption ○ Network policies ● Monitoring Traffic ○ Tracing specific calls ○ Graphing all traffic between services ● Secrets & Certificates ○ Service Accounts Short demo $ docker-compose up
Intruder Detection / Intruder Prevention Short demo $ docker-compose up Examples are available at: https://github.com/mogensen/cloud-security-presentation/
Container
Container Security Area of Concern ● Container Vulnerability Scanning ● OS Dependency Security ● Image Signing and Enforcement ● Disallow privileged users ● Use container runtime with stronger isolation Photo by Docker
Image Scanning and Security Short demo $ trivy nginx:latest $ trivy nginx:alpine $ docker run -it --rm nginx:latest whoami $ docker run -it --rm nginxinc/nginx-unprivileged:stable-alpine whoami Examples are available at: https://github.com/mogensen/cloud-security-presentation/
Code
● Access over TLS only ● Limiting port ranges of communication ● 3rd Party Dependency Security ● Static Code Analysis ● Dynamic probing attacks Code Scanning Examples are available at: https://github.com/mogensen/cloud-security-presentation/
Summary or Attack demo?
● Shift left on security, early focus ● Consider your vulnerabilities for all layers ○ Cloud ○ Cluster ○ Container ○ Code ● Automated scanning and analysis ● Remember that a creative mind finds stuff a machine can’t. Summary and buzzwords
Frederik Mogensen fmo@trifork.com Examples are available at: https://github.com/mogensen/cloud-security-presentation/ Thank you

More Related Content

PDF
Kubernetes meetup geneva june 2021
bySebastienSEYMARC
 
PPTX
Microservices - The good, The bad, The does and The don'ts
byFrederik Mogensen
 
PDF
Empower Your Docker Containers with Watson - DockerCon 2017 Austin
byPhil Estes
 
PDF
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
PDF
Comparison of Current Service Mesh Architectures
byMirantis
 
PPTX
EasyStack True Private Cloud | Quek Keng Oei
byVietnam Open Infrastructure User Group
 
PPTX
Orchestrating stateful applications with PKS and Portworx
byVMware Tanzu
 
PDF
Deploying NGINX in Cloud Native Kubernetes
byKangaroot
 
Kubernetes meetup geneva june 2021
bySebastienSEYMARC
 
Microservices - The good, The bad, The does and The don'ts
byFrederik Mogensen
 
Empower Your Docker Containers with Watson - DockerCon 2017 Austin
byPhil Estes
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
Comparison of Current Service Mesh Architectures
byMirantis
 
EasyStack True Private Cloud | Quek Keng Oei
byVietnam Open Infrastructure User Group
 
Orchestrating stateful applications with PKS and Portworx
byVMware Tanzu
 
Deploying NGINX in Cloud Native Kubernetes
byKangaroot
 

What's hot

PDF
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
byMirantis
 
PPTX
PKS - Solving Complexity for Modern Data Workloads
byCarlos Andrés García
 
PDF
Istio : Service Mesh
byKnoldus Inc.
 
PDF
NYC Kubernetes Meetup: Ambassador and Istio - Flynn, Datawire
byAmbassador Labs
 
PPTX
MRA AMA Part 6: Service Mesh Models
byNGINX, Inc.
 
PPTX
Istio Cloud Native Online Series - Intro to Istio Security
byMatt Baldwin
 
PDF
Faster safer and 100 user centric application at equifax with docker
byDocker, Inc.
 
PDF
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
PPTX
Modern Security Pain Points with Application Modernization - With Jermaine Ed...
byKonveyor Community
 
PDF
Replacing vCloud with OpenNebula
byOpenNebula Project
 
PDF
Securing Your Containers is Not Enough: How to Encrypt Container Data
byMirantis
 
PDF
Cisco Cloud Networking Workshop
byCisco Canada
 
PDF
The elegant way of implementing microservices with istio
byInho Kang
 
PDF
How to Build a Basic Edge Cloud
byMirantis
 
PDF
Cncf storage-final-filip
byJuraj Hantak
 
PDF
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
byNico Meisenzahl
 
PDF
VietOpenStack meetup 7th Kilo overview
byVietnam Open Infrastructure User Group
 
PDF
Container security within Cisco Container Platform
bySanjeev Rampal
 
PDF
Using Kubernetes to make cellular data plans cheaper for 50M users
byMirantis
 
PDF
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
byDocker, Inc.
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
byMirantis
 
PKS - Solving Complexity for Modern Data Workloads
byCarlos Andrés García
 
Istio : Service Mesh
byKnoldus Inc.
 
NYC Kubernetes Meetup: Ambassador and Istio - Flynn, Datawire
byAmbassador Labs
 
MRA AMA Part 6: Service Mesh Models
byNGINX, Inc.
 
Istio Cloud Native Online Series - Intro to Istio Security
byMatt Baldwin
 
Faster safer and 100 user centric application at equifax with docker
byDocker, Inc.
 
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
Modern Security Pain Points with Application Modernization - With Jermaine Ed...
byKonveyor Community
 
Replacing vCloud with OpenNebula
byOpenNebula Project
 
Securing Your Containers is Not Enough: How to Encrypt Container Data
byMirantis
 
Cisco Cloud Networking Workshop
byCisco Canada
 
The elegant way of implementing microservices with istio
byInho Kang
 
How to Build a Basic Edge Cloud
byMirantis
 
Cncf storage-final-filip
byJuraj Hantak
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
byNico Meisenzahl
 
VietOpenStack meetup 7th Kilo overview
byVietnam Open Infrastructure User Group
 
Container security within Cisco Container Platform
bySanjeev Rampal
 
Using Kubernetes to make cellular data plans cheaper for 50M users
byMirantis
 
DCSF 19 Mitigating Legacy Windows Operating System Vulnerabilities with Docke...
byDocker, Inc.
 

Similar to Securing danish healthcare using cloudnative

PDF
Cloud-Native Security
byVMware Tanzu
 
PDF
Cloud Native Security: New Approach for a New Reality
byCarlos Andrés García
 
PDF
Bridging The Cloud and Application Security Gaps Meetup 15102024
bylior mazor
 
PDF
The Art of Cloud Native Defense on Kubernetes
byJacopo Nardiello
 
PPTX
10 tips for Cloud Native Security
byKarthik Gaekwad
 
PPTX
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
PPTX
Security for cloud native workloads
byRuncy Oommen
 
PPTX
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
PDF
Presentation ING for ISC2 Secure Summits EMEA
byThijs Ebbers
 
PPTX
Kubernetes Security
byKarthik Gaekwad
 
PDF
Hacking Kubernetes Threat Driven Analysis and Defense 1st Edition Andrew Martin
bynoniqclarah
 
PDF
From Containerized Application to Secure and Scaling With Kubernetes
byShikha Srivastava
 
PPTX
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
PDF
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
byDevOps.com
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
PPTX
Simplifica la seguridad en la nube y la detección de amenazas con FortiCNAPP
byCristian Garcia G.
 
PDF
A-Throwaway-Deck-for-Cloud-Security-Essentials-2.0-SL.pptx.pdf
byjblac2025
 
PDF
Best Practices to Secure Containerized Apps with Next-Gen WAF
byDevOps.com
 
PDF
Kubernetes as Infrastructure Abstraction
byKublr
 
PDF
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
 
Cloud-Native Security
byVMware Tanzu
 
Cloud Native Security: New Approach for a New Reality
byCarlos Andrés García
 
Bridging The Cloud and Application Security Gaps Meetup 15102024
bylior mazor
 
The Art of Cloud Native Defense on Kubernetes
byJacopo Nardiello
 
10 tips for Cloud Native Security
byKarthik Gaekwad
 
DevSecOps in a cloudnative world
byKarthik Gaekwad
 
Security for cloud native workloads
byRuncy Oommen
 
Hybrid - Seguridad en Contenedores v3.pptx
byHansFarroCastillo1
 
Presentation ING for ISC2 Secure Summits EMEA
byThijs Ebbers
 
Kubernetes Security
byKarthik Gaekwad
 
Hacking Kubernetes Threat Driven Analysis and Defense 1st Edition Andrew Martin
bynoniqclarah
 
From Containerized Application to Secure and Scaling With Kubernetes
byShikha Srivastava
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
byDevOps.com
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
Simplifica la seguridad en la nube y la detección de amenazas con FortiCNAPP
byCristian Garcia G.
 
A-Throwaway-Deck-for-Cloud-Security-Essentials-2.0-SL.pptx.pdf
byjblac2025
 
Best Practices to Secure Containerized Apps with Next-Gen WAF
byDevOps.com
 
Kubernetes as Infrastructure Abstraction
byKublr
 
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
 

Recently uploaded

PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final.pdf
byomarbishtawi04
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
apidays New York 2025 | AI in Application Security
byapidays
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final.pdf
byomarbishtawi04
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 

Securing danish healthcare using cloudnative

  • 1.
    Securing Danish Healthcare usingCloud Native Frederik Mogensen Senior Cloud Architect at Trifork
  • 2.
  • 3.
    Telemedicine Platform ● Coveringall of Denmark ○ 5 regions + 98 municipalities ● Helping chronically ill patients to live at home ● Defining different questionnaires for each illness ● Patients measuring and responding to questionnaires daily Photo by Jair Lázaro on Unsplash
  • 4.
    Platform Focus ● Handlinghealthcare data demands a high focus on ○ Stability ○ Observability ○ Security Photo by Philipp Katzenberger on Unsplash
  • 5.
    Cloud Native “Cloud nativecomputing is an approach in software development that utilizes cloud computing to "build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds". Technologies such as containers, microservices, serverless functions and immutable infrastructure, deployed via declarative code are common elements of this architectural style” https://en.wikipedia.org/wiki/Cloud_native_computing
  • 6.
    Defense-in-depth using The 4C'sof Cloud Native security www.trendmicro.com
  • 7.
    Cloud / Co-lo/ Corporate Data Center
  • 8.
    Cloud provider security Areaof Concern ● Network access ● Access to Cloud Provider API ● Disk Encryption ● Database access ● Internet access ● Misconfiguration / drifting configuration Photo by Mauro Sbicego on Unsplash
  • 9.
    Cloud provider security ●Infrastructure as code ensures systems consistent ● IaC allows for security scanning of code Short demo $ tfscan Examples are available at: https://github.com/mogensen/cloud-security-presentation/
  • 10.
    Kubernetes Infrastructure Area ofConcern ● Network access to API Server ● Network access to Nodes ● Kubernetes access to Cloud Provider API ● Access to etcd ● etcd Encryption Photo by Frank Eiffert on Unsplash
  • 11.
    Kubernetes Infrastructure Short demo $docker run -it --rm --network host aquasec/kube-hunter --interface $ curl -k https://172.18.0.2:6443/version Examples are available at: https://github.com/mogensen/cloud-security-presentation/
  • 12.
  • 13.
    Static Cluster Security Areaof Concern ● RBAC Authorization (Access to the Kubernetes API) ● Pod Security Policies (Deprecated) ○ Run as Root? ○ Allow host paths? ○ Allow privileged? ● Quality of Service (and Cluster resource management) ● Network Policies ● TLS For Kubernetes Ingress Photo by Umberto on Unsplash
  • 14.
    Static Cluster Security Shortdemo $ polaris dashboard $ kubeaudit all -f demo.yaml kubeaudit Examples are available at: https://github.com/mogensen/cloud-security-presentation/
  • 15.
    Runtime Cluster Security ●Pod Communication ○ JWT validation ○ mTLS Data Layer encryption ○ Network policies ● Monitoring Traffic ○ Tracing specific calls ○ Graphing all traffic between services ● Secrets & Certificates ○ Service Accounts Short demo $ docker-compose up
  • 16.
    Intruder Detection /Intruder Prevention Short demo $ docker-compose up Examples are available at: https://github.com/mogensen/cloud-security-presentation/
  • 17.
  • 18.
    Container Security Area ofConcern ● Container Vulnerability Scanning ● OS Dependency Security ● Image Signing and Enforcement ● Disallow privileged users ● Use container runtime with stronger isolation Photo by Docker
  • 19.
    Image Scanning andSecurity Short demo $ trivy nginx:latest $ trivy nginx:alpine $ docker run -it --rm nginx:latest whoami $ docker run -it --rm nginxinc/nginx-unprivileged:stable-alpine whoami Examples are available at: https://github.com/mogensen/cloud-security-presentation/
  • 20.
  • 21.
    ● Access overTLS only ● Limiting port ranges of communication ● 3rd Party Dependency Security ● Static Code Analysis ● Dynamic probing attacks Code Scanning Examples are available at: https://github.com/mogensen/cloud-security-presentation/
  • 22.
  • 23.
    ● Shift lefton security, early focus ● Consider your vulnerabilities for all layers ○ Cloud ○ Cluster ○ Container ○ Code ● Automated scanning and analysis ● Remember that a creative mind finds stuff a machine can’t. Summary and buzzwords
  • 24.
    Frederik Mogensen fmo@trifork.com Examples areavailable at: https://github.com/mogensen/cloud-security-presentation/ Thank you