www.senseofsecurity.com.au © Sense of Security 2018 Page 1 – 12-APR-18
ACSC 2018 Conference: Effective Container Security
Delivered by Murray Goldschmidt, COO
12 April 2018
Agenda
App Virtualisation vs Virtual Machines
Why Containerised Apps?
Key Steps to Container Security
Vuln Mgt, Risk Mgt & Compliance
… & Not Discussed
❖ Control Groups (cgroups)
❖ Namespaces
❖ Capabilities
❖ Seccomp
❖ Linux Security Mechanisms
❖ The Docker daemon
VMs <--> Containers
[Figure: two layered stacks. Virtual Machine: Physical Processor -> Virtual Processor (ISA boundary) -> Operating System -> Libraries -> Application. Container: Physical Processor -> Operating System (syscall boundary) -> Libraries -> Application.]
From: http://www.weblaminar.com/index.php/technologies/docker-container
Why App Containers?
Speed: System kernel is common; very fast to load and operate
Contained & Repeatable: All dependencies mounted -> repeatable; separate execution environment for multiple containers on a single OS
Attack Surface Reduction: Lightweight; incorporate only the parts you need
Control: Finer-grained execution environments
Lifecycle: Ease of integration into the DevOps SDL; multiple orchestration platforms
Support: All major OSs; all major hosting providers
VM vs. Containers
[Figure: three stacks compared. Virtualisation, Type 1 (bare metal): Hardware -> Hypervisor 1 -> VM ... VM, each VM holding Guest OS -> Dependencies (Dep 1, Dep 2) -> Application. Virtualisation, Type 2: Hardware -> Host OS -> Hypervisor 2 -> VM ... VM (VMs may in turn host Cont1 ... ContN). Containerisation: Hardware -> Host OS -> Container Engine -> Cont1, Cont2, Cont3, Cont4 ... ContN, each container holding App. Deps. -> Application ABC.]
Containers on a Bare Metal Server
[Figure: Server -> Host Operating System -> Container Engine -> Libraries -> App A, App B, App C, App D, App E, App F.]
Containers on VMs or Instances
[Figure: Server -> VM Hypervisor -> Host Operating System -> two Virtual Machines. Each VM: OS -> Container Engine -> Libraries -> apps (App A, App B, App C in the first VM; App D, App E, App F in the second).]
Microservices Architecture
https://docs.microsoft.com/en-us/azure/architecture/guide/architecture-styles/microservices
Containers as-a-Service
[Figure: four service models side by side (IaaS, CaaS, PaaS, FaaS), each drawn as the stack Functions / Application / Runtime / Container (optional under IaaS) / Operating System / Virtualization / Hardware. Legend: Customer Managed; Customer Managed Unit of Scale; Abstracted by Vendor. The boundary between customer-managed and vendor-abstracted layers moves up the stack from IaaS to FaaS.]
https://qph.ec.quoracdn.net/main-qimg-73dd2f0d9438e512525fc1608224dc79
Containers as-a-Service
[Figure: the CaaS column from the previous diagram, highlighted: Functions / Application / Runtime / Container / Operating System / Virtualization / Hardware.]
Multi-Tenant CaaS
CaaS of the Future?
Containers Solve Everything?
End-to-End Security
DevOps is Agile, so we need to address end-to-end security:
Security @ Source (Static) & Run Time Security (Dynamic)
Key Steps to App Container Security
1 End-to-End Vulnerability Management
2 Container Attack Surface Reduction
3 User Access Control
4 Hardening the Host OS & the Container
5 SDLC Automation (DevOps)
Automated Vuln Mgt
Build: APIs & plug-ins; third-party components; vuln mgt automation
Registry: automated scan of public/private registries
Host: compliance scanning; OS; CaaS
Runtime: audit logging; event logging
SHIFT LEFT (move the checks toward the Build stage)
Image adapted from Qualys materials
Attack Surface
Image by: Phil Estes, Container Security, Everything You Probably Should Know, Docker London 2016
Sec/Vuln Injection Points
https://www.rsaconference.com/writable/files/About/security_analysis_of_docker.pdf
https://www.qualys.com/apps/container-security/
Container Security Lifecycle Management & Compliance Summary
Phases: Develop / Build -> Test / Modify -> Release / Production
Use Trusted Images
Sign & Verify Images
Reduce Attack Surface
Privileged Access & Auth Mgt
Ongoing SecOps
Advanced Security Controls
Vulnerability Management
Third Party Components Mgt (SCA)
Network Segmentation
User Authentication
Vulnerability Scanning
Harden the OS
Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti, April 14, 2017
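As an added example (not from the deck or its cited sources), a small static check of the kind "Security @ Source (Static)" and the lifecycle summary call for: it flags an unpinned base image (Use Trusted Images), unnecessary packages (Reduce Attack Surface), unverified downloads, and a final stage that runs as root (Privileged Access). The two Dockerfiles and the sha256 digest are constructed samples.

```python
import re

# Constructed weak Dockerfile (not from the deck) showing patterns the checks flag.
WEAK_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && \\
    apt-get install -y curl
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN curl -fsSL https://example.invalid/install.sh | sh
CMD ["/opt/app/run"]
"""

# Same image with the findings addressed; the sha256 digest is a constructed placeholder.
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
USER 65532:65532
CMD ["/opt/app/run"]
"""

def parse_instructions(text: str) -> list:
    """Join backslash continuations, skip comments, return (INSTRUCTION, args) pairs."""
    lines = re.sub(r"\\\n", " ", text).splitlines()
    return [(l.split()[0].upper(), " ".join(l.split()[1:]))
            for l in map(str.strip, lines) if l and not l.startswith("#")]

def audit_dockerfile(text: str) -> list:
    """Static 'security at source' checks: pinned base image, minimal packages,
    no unverified downloads, non-root user in the final stage."""
    findings, user = [], None
    for instr, args in parse_instructions(text):
        if instr == "FROM":
            image = args.split()[0]                       # ignore any "AS stage" alias
            pinned = "@sha256:" in image or re.search(r":(?!latest$)[^/:]+$", image)
            if not pinned:
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
            user = None                                   # each stage starts as root again
        elif instr == "USER":
            user = args
        elif instr == "ADD" and re.match(r"https?://", args):
            findings.append("ADD from URL: unverified remote content; COPY a checked artifact instead")
        elif instr == "RUN":
            if re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", args):
                findings.append("RUN pipes a downloaded script straight into a shell")
            if "apt-get install" in args and "--no-install-recommends" not in args:
                findings.append("RUN apt-get install without --no-install-recommends adds unneeded packages")
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a non-root USER")
    return findings
```

Run on the weak sample it reports five findings; on the hardened sample it reports none, which is the pass condition a build pipeline would gate on.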
Thank you
Head office is Level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
www.senseofsecurity.com.au