
Container Security via Monitoring and Orchestration - Container Security Summit

Security is a basic requirement of modern applications, and developers are increasingly using containers in their development work. In this presentation, we explore the basic components of secure design (preparation, detection, and containment), how containers facilitate that work today (verification), and how container orchestration ought to support models of the future, especially ones that are hard to roll manually (PKI).

  1. Orchestration and Monitoring Containers as a Foundation for Fast Vulnerability Responses, Rapid Compromise Detection, and Containment
  2. About Me. Drupal: infrastructure (drupal.org); security; performance/scalability, especially databases. systemd: committer; scalable cgroups management; structured logging integration; launch-on-demand adapter maintainer. Pantheon: CTO and co-founder; billions of monthly page views; millions of containers.
  3. Preparation / Detection / Containment (the three parts of the talk)
  4. Preparation / Detection / Containment (section divider: Preparation)
  5. Preparation: Reducing Exposure. Diagram contrasting two models. Traditional model: a server or virtual machine reachable on port 23 (Telnet), port 22 (SSH), port 80 (HTTP) and port 443 (HTTPS), with extra work to configure firewalls. Containers model: containers on container hosts behind a Kube ingress, with only the explicit services made public: port 80 (HTTP) and port 443 (HTTPS).
  6. Preparation: Patching with Rolling Updates. Diagram: container hosts serving HTTPS through a Kube ingress; the new container is brought up on the container hosts alongside the old container, behind the same ingress.
  7. Preparation: Identifying Vulnerable Applications. Diagram: container hosts with two runtime-plus-libraries layers, one old and one new, and containers built on each, so that containers still on the old layer can be identified.
  8. Preparation / Detection / Containment (section divider: Detection)
  9. Detection: Suspicious Behavior. Diagram in three panels: on each container host, every container runs a container daemon as PID 1 under a PID or container supervisor; in the third panel one container daemon's PID 1 has SEGV'd, and the supervisor feeds centralized monitoring.
  10. Detection: Integrity Verification. Diagram: a container carrying a signature from a trusted party.
  11. Preparation / Detection / Containment (section divider: Containment)
  12. Containment Antipattern: Mandatory Access Control (MAC) as an Afterthought
  13. Containment: Containers Setting the Boundaries First
  14. Containment: Resource Management with Control Groups. Diagram: containers on a container host, each placed under control groups.
  15. Containment: Isolation of Statefulness. Diagram: a container host running a container and a separate persistence container.
  16. Containment: Containers as a Public Key Infrastructure (PKI) Substrate. Diagram: a load balancer with an X.509 server cert terminating HTTPS; containers on a container host each holding X.509 certs (server and client); a persistence container with an X.509 server cert; configuration management and certificate authority services supplying the X.509 server and client certs.
  17. Questions? @DavidStrauss, david@pantheon.io, linkedin.com/in/davidstrauss
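Slides 6 and 7 are the preparation steps: find the containers still built on the old runtime-plus-libraries layer, then replace them with a rolling update behind the ingress. The following is an added example, not code from the talk or from Pantheon: the inventory and the advisory are constructed, and the version comparison and the "one container per service per batch" rule are assumptions about how such a rollout could be driven.

```python
"""Find containers built on a vulnerable runtime/library layer and plan their
rolling replacement (slides 6 and 7).

Added example, not code from the talk: the inventory and advisory below are
constructed, and the version comparison and batching rules are assumptions
about how an orchestrator's rollout could be driven.
"""
from collections import defaultdict

# Constructed inventory: (container id, service, component, bundled version).
INVENTORY = [
    ("c-001", "web",    "runtime-libs", "1.4.2"),
    ("c-002", "web",    "runtime-libs", "1.4.2"),
    ("c-003", "web",    "runtime-libs", "1.5.0"),
    ("c-004", "api",    "runtime-libs", "1.4.9"),
    ("c-005", "api",    "runtime-libs", "1.4.9"),
    ("c-006", "worker", "runtime-libs", "1.5.0"),
]

# Constructed advisory: every "runtime-libs" build below this version is affected.
COMPONENT = "runtime-libs"
FIXED_VERSION = "1.5.0"


def parse_version(version):
    """'1.4.2' -> (1, 4, 2), so that '1.4.9' < '1.5.0' compares correctly."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_containers(inventory, component, fixed_version):
    """Ids of containers whose bundled component predates the fixed release."""
    fixed = parse_version(fixed_version)
    return [cid for cid, _svc, comp, ver in inventory
            if comp == component and parse_version(ver) < fixed]


def rolling_batches(inventory, to_replace):
    """Order the replacements into batches that touch at most one container
    per service, so a service with several replicas always keeps one that
    is not being replaced while the new container comes up beside the old
    one (slide 6)."""
    queue = defaultdict(list)
    for cid, svc, _comp, _ver in inventory:
        if cid in to_replace:
            queue[svc].append(cid)
    batches = []
    while any(queue.values()):
        batches.append([ids.pop(0) for _svc, ids in sorted(queue.items()) if ids])
    return batches


def rollout_plan(inventory=INVENTORY, component=COMPONENT, fixed_version=FIXED_VERSION):
    """Both steps together: which containers to replace, and in what order."""
    affected = vulnerable_containers(inventory, component, fixed_version)
    return {"affected": affected, "batches": rolling_batches(inventory, set(affected))}


if __name__ == "__main__":
    plan = rollout_plan()
    print("affected:", ", ".join(plan["affected"]))
    for n, batch in enumerate(plan["batches"], 1):
        print(f"batch {n}: replace {', '.join(batch)}")
```

The numeric tuple comparison matters: a plain string comparison would rank "1.4.9" above "1.5.0" only by luck of digit order and breaks as soon as a component reaches version 10. Real inventories come from the image manifests or package databases the orchestrator already holds; the batching output is what a rolling-update controller would consume.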
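Slide 9 puts the detection point in the PID or container supervisor: it is the one process that learns how a container's PID 1 exited and can tell centralized monitoring that a daemon SEGV'd rather than stopped cleanly. The following is an added example, not code from the talk or from systemd: a minimal supervisor that runs a workload, classifies its exit and returns a structured event. The child commands are constructed stand-ins for a container's PID 1, and forwarding to monitoring is simulated by printing a JSON line.

```python
"""Supervisor-side detection of a crashed container daemon (slide 9).

Added example, not code from the talk: a minimal PID/container supervisor
that runs a workload, classifies how its PID 1 exited and emits one
structured event that centralized monitoring could ingest. The child
commands are constructed stand-ins for a container's PID 1; shipping the
event is simulated by printing a JSON line.
"""
import json
import signal
import subprocess
import sys
import time

# Signals that mean the process itself faulted rather than being stopped on
# purpose; a SEGV'd PID 1 is the slide's example of suspicious behavior.
FAULT_SIGNALS = {int(s) for s in (signal.SIGSEGV, signal.SIGABRT, signal.SIGBUS,
                                  signal.SIGILL, signal.SIGFPE)}

# Constructed stand-ins for a container's PID 1.
DEMO_COMMANDS = {
    "clean": [sys.executable, "-c", "pass"],
    "error": [sys.executable, "-c", "raise SystemExit(3)"],
    "segv":  [sys.executable, "-c",
              "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"],
}


def classify_exit(returncode):
    """Map a subprocess return code to (severity, reason).

    subprocess reports 'killed by signal N' as the negative return code -N.
    """
    if returncode == 0:
        return "ok", "clean exit"
    if returncode < 0:
        signum = -returncode
        try:
            name = signal.Signals(signum).name
        except ValueError:
            name = f"signal {signum}"
        if signum in FAULT_SIGNALS:
            return "crash", f"PID 1 killed by {name}"
        return "terminated", f"PID 1 killed by {name}"
    return "error", f"PID 1 exited with status {returncode}"


def supervise(container_id, argv, timeout=30):
    """Run argv as the container's PID 1, wait for it, and return the event."""
    started = time.monotonic()
    proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    severity, reason = classify_exit(proc.returncode)
    return {
        "event": "container_pid1_exit",
        "container": container_id,
        "severity": severity,
        "reason": reason,
        "returncode": proc.returncode,
        "uptime_s": round(time.monotonic() - started, 3),
        "stderr_tail": proc.stderr.decode(errors="replace")[-200:],
    }


def ship(event):
    """Stand-in for forwarding to centralized monitoring: one JSON line."""
    print(json.dumps(event, sort_keys=True))


def run_demo(kind):
    """Supervise one of the constructed workloads and return its event."""
    return supervise(f"demo-{kind}", DEMO_COMMANDS[kind])


if __name__ == "__main__":
    for kind in DEMO_COMMANDS:
        ship(run_demo(kind))
```

The severity split is the useful part: a clean exit or a SIGTERM from the orchestrator is routine, while a SIGSEGV or SIGABRT from a daemon that should run forever is worth an alert on its own, and a burst of them across many containers of one image is the pattern the slide's centralized monitoring exists to catch.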
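Slide 14 places each container under control groups so that a runaway or hostile workload cannot starve its neighbours. The following is an added example, not code from the talk or from systemd: the cgroup v2 file names and value formats (cpu.max, memory.max, pids.max, memory.events) are the kernel's, while the container ids, the limits chosen and the memory.events samples are constructed. apply_limits() writes under /sys/fs/cgroup and is only meant to be run as root on a cgroup v2 host; the parsing and alerting functions run anywhere.

```python
"""Resource containment with control groups, and detecting when a limit was
hit (slide 14).

Added example, not code from the talk: cgroup v2 file names and formats
(cpu.max, memory.max, pids.max, memory.events) are the kernel's; the
container ids, the limits chosen and the memory.events samples below are
constructed. apply_limits() writes to /sys/fs/cgroup and is only meant to
be run as root on a cgroup v2 host; the parsing functions run anywhere.
"""
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")
CPU_PERIOD_US = 100_000  # cpu.max period in microseconds; quota is per period


def cgroup_limits(cpu_percent, memory_bytes, max_pids):
    """Build the cgroup v2 settings for one container.

    cpu_percent=50 allows half of one CPU per period; memory_bytes is a hard
    cap on the cgroup's memory use; max_pids bounds fork bombs inside it.
    """
    quota = CPU_PERIOD_US * cpu_percent // 100
    return {
        "cpu.max": f"{quota} {CPU_PERIOD_US}",
        "memory.max": str(memory_bytes),
        "pids.max": str(max_pids),
    }


def apply_limits(container_id, limits, root=CGROUP_ROOT):
    """Create the container's cgroup and write each limit file (needs root,
    and the cpu/memory/pids controllers enabled in the parent's
    cgroup.subtree_control)."""
    cg = root / container_id
    cg.mkdir(exist_ok=True)
    for name, value in limits.items():
        (cg / name).write_text(value + "\n")
    return cg


def parse_memory_events(text):
    """Parse memory.events ('key value' per line) into a dict of ints."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            key, value = line.split()
            events[key] = int(value)
    return events


def containment_alerts(events_by_container):
    """Containers whose memory limit led to an OOM kill: the boundary held,
    but something inside tried to exceed it, which is worth surfacing."""
    return sorted(cid for cid, text in events_by_container.items()
                  if parse_memory_events(text).get("oom_kill", 0) > 0)


# Constructed memory.events contents, as read from each container's cgroup.
SAMPLE_EVENTS = {
    "c-001": "low 0\nhigh 0\nmax 0\noom 0\noom_kill 0\n",
    "c-002": "low 0\nhigh 14\nmax 9\noom 2\noom_kill 2\n",
    "c-003": "low 0\nhigh 3\nmax 0\noom 0\noom_kill 0\n",
}

if __name__ == "__main__":
    limits = cgroup_limits(cpu_percent=50, memory_bytes=256 * 1024 * 1024, max_pids=200)
    for name, value in limits.items():
        print(f"{name} = {value}")
    print("OOM-killed containers:", containment_alerts(SAMPLE_EVENTS))
```

Reading memory.events back ties containment to detection: a limit that is never hit tells you nothing, whereas an oom_kill count climbing on one container is a signal the supervisor can report alongside crash events, without any access to the workload itself.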
