Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 25

Related Books

Free with a 30 day trial from Scribd

See all

Can Containers be Secured in a PaaS?

  1. 1. © Copyright 2015 Pivotal. All rights reserved. Can containers be secured in a PaaS? Tom Kranz tkranz@pivotal.io 1
  2. 2. © Copyright 2015 Pivotal. All rights reserved. Introductions: who am I? UNIX sysadmin Technical architect Principal Field Engineer Account Manager Security person Get in touch on LinkedIn or Twitter 2
  3. 3. © Copyright 2015 Pivotal. All rights reserved. Can containers be secured in a PaaS? Maybe …. Not about features Context is important And implementation is key! And always remember: You will get hacked. Eventually. 3
  4. 4. © Copyright 2015 Pivotal. All rights reserved. So what’s the context? Who are our attackers? Where are they attacking from? What are they attacking? What data is at risk? This gives us a risk profile we can use to evaluate the security of an *implementation* Evaluating the security of a product in isolation - without context - is bad, and leads to bad risk profiles and poor decisions 4
  5. 5. © Copyright 2015 Pivotal. All rights reserved. Who are our attackers? Opportunists? Someone with a grudge? Professionals? Nation states? 5
  6. 6. © Copyright 2015 Pivotal. All rights reserved. August 2015 cyber attack stats 6 Stats from http://www.hackmageddon.com/
  7. 7. © Copyright 2015 Pivotal. All rights reserved. Where are they attacking from? Internal or external? What are they attacking? Infrastructure? Applications? Physical location? All of the above? 7 SPARTA!
  8. 8. © Copyright 2015 Pivotal. All rights reserved. What data is at risk? Can use answers to the above to work out what data is at risk and where it is This can form your risk profile This is what you can use to evaluate the security of an implemented solution Evaluate the implementation against the profile - not the product against a checklist! 8
  9. 9. © Copyright 2015 Pivotal. All rights reserved. Pivotal Cloud Foundry Architecture recap Ops Manager UI Ops Manager Director Operations Manager Service Service Broker Service Nodes Service Broker Service Nodes Service App Log Aggregator Login Server Dynamic Router Cloud Controller UAA Health Manager DEA Pool Messaging (NATS) Apps Metrics Collection Apps HA Proxy LB Elastic Runtime Containers!
  10. 10. © Copyright 2015 Pivotal. All rights reserved. Example: secure PCF implementation 10
  11. 11. © Copyright 2015 Pivotal. All rights reserved. Why? Leverage existing, tried and tested security solutions where appropriate (isolation, firewalls) Rely on platform security where appropriate (containers, immutable infrastructure) Change in application delivery also drives a change in security mindset (application centric not server centric) 11
  12. 12. © Copyright 2015 Pivotal. All rights reserved. Attack vectors - it’s the apps! 12 Stats from http://www.hackmageddon.com/
  13. 13. © Copyright 2015 Pivotal. All rights reserved. Impact of attacks Attacker compromises app, gets access to core data Nothing to do with the platform, nothing we can do to stop this Mitigation: WAF, code audit to help write secure code Attacker compromises app, gets local container access If they break anything, BOSH destroys and re-deploys the container Can’t break out the container to root VM (the DEA) Can’t sniff network traffic Can’t pivot east/west to attack other internal PCF components 13
  14. 14. © Copyright 2015 Pivotal. All rights reserved. Gentlemen, we can rebuild him. We have the technology. OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_To p_Ten_Project Make Jenkins do the work: https://wiki.jenkins- ci.org/display/JENKINS/OWASP+Dependency- Check+Plugin Also look at Web Application Attack and Audit Framework: http://w3af.org/ 14
  15. 15. © Copyright 2015 Pivotal. All rights reserved. Containerception 15
  16. 16. © Copyright 2015 Pivotal. All rights reserved. Current tech: Warden 16
  17. 17. © Copyright 2015 Pivotal. All rights reserved. Future tech: Garden 17 More info at http://blog.pivotal.io/pivotal-cloud-foundry/features/cloud-foundry-container-technology-a-garden-overview
  18. 18. © Copyright 2015 Pivotal. All rights reserved. Container security in PCF: the nitty gritty Containers provide isolation of resources – CPU, memory, file system, process space, network Containers have their own private network, not accessible from outside the DEA DEA App App App App DEA App App App App
  19. 19. © Copyright 2015 Pivotal. All rights reserved. Container Isolation Routers forward requests from outside using the app’s route to the assigned port on the DEA, which does network translation to the container’s internal IP and port Apps are prevented from communicating directly with each other by container firewall rules; they must communicate through published routes DEA App App App App DEA App App App App Dynamic Router HA Proxy LB
  20. 20. © Copyright 2015 Pivotal. All rights reserved. Warden/Garden networking in detail 20
  21. 21. © Copyright 2015 Pivotal. All rights reserved. Container filesystems 21 Garden container with Buildpacks Garden container with Docker image
  22. 22. © Copyright 2015 Pivotal. All rights reserved. Why a different container tech? ie. Why not Docker? Again, context is important: PCF treats containers as disposable ie We don’t care about them, and neither should you Therefore we don’t allow access to them Fundamental difference in design principles - we can lock them down much more tightly To see the implications: http://reventlov.com/advisories/using-the-docker- command-to-root-the-host 22
  23. 23. © Copyright 2015 Pivotal. All rights reserved. To summarise - Key points Yes containers can be secured in a PaaS This can mitigate some attacks, doesn’t help with others Doesn’t mean your apps are secure Don’t rely on technology to solve security issues Build security into your apps from the start Profile the risk and mitigate what you can Remember not all risk can be mitigated Context is important! You will get hacked, response is key - whole other topic! 23
  24. 24. © Copyright 2015 Pivotal. All rights reserved. THANK YOU! tkranz@pivotal.io https://www.linkedin.com/in/tomkranz @whoopsie 24
  25. 25. © Copyright 2015 Pivotal. All rights reserved. 25

×