container security - carahsoft

Carahsoft ENS-Inc. Red Hat Palo Alto Networks Container Security

Post on 05-Nov-2021

TRANSCRIPT

Page 1: Container Security - Carahsoft

Carahsoft | ENS-Inc. | Red Hat | Palo Alto Networks | Container Security

Page 2: Container Security - Carahsoft

We’re Proud to be a Partner with Red Hat OpenShift

Twistlock, now part of Prisma Cloud, partnered with Red Hat to support both government and enterprise customers

Numerous co-marketing efforts, including OpenShift Commons blogs, webinars, and meetup events

Prisma Cloud Defender supports RHEL and is built upon RHEL Universal Base Image (UBI)

2 | © 2020 Palo Alto Networks, Inc. All rights reserved.

Page 3: Container Security - Carahsoft

The Shared Responsibility Model for Cloud-Native Applications

Page 4: Container Security - Carahsoft

Cloud-Native Continues to be a Central Pillar of I&O Strategy

“Cloud-native approaches to software and service design enable enterprises to act faster, more efficiently and at greater scale: enterprises can go faster with cloud and be more efficient with microservices.”

Page 5: Container Security - Carahsoft

The Cloud “OSI Model”

Physical layer: Buildings, metal, silicon

Service layer: Provider built and managed capabilities

Compute layer: Software you’re continuously making


Page 6: Container Security - Carahsoft

Key Challenges Every Organization is Facing

A Growing Number of Entities to Secure: Cloud services, along with growing IaaS, PaaS, and CaaS environments, lead to a huge estate for security teams to protect.

Environments are Constantly Changing: Developers, DevOps, and Infra are building and deploying at a frantic pace, often without security guidance.

Multi and Hybrid Cloud Environments Create Complexity: Security controls don’t come built in. Security teams are the ones responsible for protecting everything!

Page 7: Container Security - Carahsoft

Example Risks in Cloud-Native Applications

February 2018: Tesla cloud resources are hacked to run cryptocurrency mining malware

June 2018: Weight Watchers IT infrastructure exposed via no-password Kubernetes server

December 2018: Kubernetes' first major security hole discovered, allowing privilege escalation, with a CVSS 9.8

February 2019: RunC container escape flaw enables root access to host system

February 2020: Unit 42 discloses 200K insecure IaC templates in use

Page 8: Container Security - Carahsoft

Today, we want to focus on how you can secure your cloud native applications spanning containers, Kubernetes, and on-demand containers, both in production and across the application lifecycle.

Page 9: Container Security - Carahsoft

Container Security

Page 10: Container Security - Carahsoft

Container Characteristics

Minimal: Typically single process entities

Declarative: Built from images that are machine readable

Predictable: Do exactly the same thing from run to kill

Page 11: Container Security - Carahsoft

What’s Difficult About Securing Containers?

Many more entities

High rate of change, much more ephemeral

Security is largely in the hands of the developer

Security must be as portable as the containers

Page 12: Container Security - Carahsoft

Steps Involved with Building and Deploying Containers

Build: Developer writes a Dockerfile, which includes a base image, maintainer, run instructions, etc., that is then built into an image

Ship: Image is pushed to a registry, which can hold hundreds to thousands of images

Run: Containers are deployed individually or in groups to any public and private cloud services in use

Page 13: Container Security - Carahsoft

Container template owned by the developer

Dockerfile: Includes the base image, run instructions, files to add, and ports that will be exposed

Where is the security team? The developer creates the Dockerfile, not security!

Page 14: Container Security - Carahsoft

What do we see when we scan this image?

1 Critical python vulnerability

Additional High and Medium vulnerabilities: Many with vendor fixes!

No user: Image is configured to run as root

Untrusted: Twistlock shows that the image is not “Trusted”
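Two of the findings above (no USER instruction, so the image runs as root; a base image that is not pinned) are visible in the Dockerfile text itself, before any vulnerability database is consulted. The following is an added example, not Twistlock or Prisma Cloud code or output: a small Dockerfile policy check with a constructed Dockerfile that reproduces those findings and a hardened version that passes. The rule set, the sample Dockerfiles, the `example.com` address and the uid 10001 are assumptions for illustration.

```python
"""Static Dockerfile checks for the root-user and unpinned-base findings.

Added example with constructed input; the rules and both Dockerfiles are
assumptions for illustration, not scanner output from the slide deck.
"""
import re

# Constructed Dockerfile reproducing the slide's findings: unpinned base
# image (":latest"), no USER instruction (runs as root), ADD instead of COPY.
SAMPLE_DOCKERFILE = """\
FROM python:latest
LABEL maintainer="app-team@example.com"
RUN pip install flask
ADD . /app
EXPOSE 80
CMD ["python", "/app/server.py"]
"""

# Constructed hardened counterpart: pinned tag, dedicated non-root user, COPY.
HARDENED_DOCKERFILE = """\
FROM python:3.9-slim
LABEL maintainer="app-team@example.com"
RUN pip install --no-cache-dir flask && useradd --system --uid 10001 app
COPY . /app
USER 10001
EXPOSE 8080
CMD ["python", "/app/server.py"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash line continuations."""
    joined = re.sub(r"\\\s*\n", " ", text)
    instrs = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instrs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return instrs


def check_dockerfile(text):
    """Return a list of finding strings; an empty list means the policy passes."""
    instrs = parse_instructions(text)
    findings = []

    # Rule 1: every base image must be pinned to a tag other than :latest or to a digest.
    for ins, arg in instrs:
        if ins == "FROM":
            image = arg.split()[0]  # drop any "AS <stage>" alias
            if "@sha256:" in image:
                continue
            last = image.split("/")[-1]  # registry:port/ may contain a colon too
            tag = last.rsplit(":", 1)[1] if ":" in last else None
            if tag is None or tag == "latest":
                findings.append(f"unpinned base image: {image}")

    # Rule 2: the final stage must end with a non-root USER (each FROM resets to root).
    last_user = None
    for ins, arg in instrs:
        if ins == "FROM":
            last_user = None
        elif ins == "USER":
            last_user = arg.strip().split(":")[0]
    if last_user in (None, "root", "0"):
        findings.append("no non-root USER: image runs as root")

    # Rule 3: prefer COPY; ADD also fetches URLs and auto-extracts archives.
    if any(ins == "ADD" for ins, _ in instrs):
        findings.append("ADD used where COPY is sufficient")

    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_dockerfile(text) or ["ok"])
```

The check runs on the Dockerfile alone, so it fits the Build stage where the developer owns the template; the CVE findings on the same slide still require an image scan against a vulnerability feed.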


Page 15: Container Security - Carahsoft


1 DevSecOps Enablement. Integrating security across devops workflows and CI/CD pipelines.

2 Risk prioritization. Where are my microservices, what is their current risk posture, and how do I prioritize the greatest risk?

3 Protecting running workloads and apps. Ensuring my running hosts and containers are secure.

4 Network visibility and microsegmentation. Gaining real-time network visibility and securing east-west traffic flows at scale.

5 Compliance management. Achieving and maintaining compliance continuously for both internal and external frameworks.

Page 16: Container Security - Carahsoft

Key Steps to Secure Containers Across the Application Lifecycle

Build, Ship, Run

CI/CD: Scanning images combined with enforcement

Vulnerability management: Global risk monitoring across hosts, containers, images and functions

Runtime defense: 4D policy creation,

Cloud native firewalls: Network visibility with L4, L7

Access control: FIM, log inspection, K8s AuditSink

Compliance: Implement, monitor, and enforce CIS Benchmarks along with external compliance regimes

Page 17: Container Security - Carahsoft

Protecting the running application

Visibility is critical: Especially across clusters, nodes, and hosts

Baseline of behavior: Protecting your apps at scale requires automated policy creation

Forensic data and incident response: Data needs to be efficiently collected and stored for analysis


Page 18: Container Security - Carahsoft

Securing traffic between containers

Automatically enforce safe traffic flows between containers: This is difficult at scale, especially if you have to map everything yourself

Ensure containers only communicate in how they were designed: New connections are alerted on or blocked

Avoid manual rule creation that leads to rule rot
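Pages 17 and 18 describe the same mechanism from two angles: learn a baseline of what each image does (processes it runs, connections it opens) while it behaves normally, then alert on or block anything outside that baseline, and derive the network allow-list from the baseline instead of writing rules by hand. The block below is an added example, not Prisma Cloud's runtime model: the event format, the `shop/*` image names, the `203.0.113.9` address and the two-phase learn/enforce split are all constructed for illustration.

```python
"""Learn a per-image behavior baseline, then flag deviations at runtime.

Added example with constructed events; the schema, image names and the
learning-then-enforce split are assumptions, not a vendor's data model.
"""
from collections import defaultdict

# Constructed learning-phase events: every event here is assumed benign and
# becomes part of that image's baseline.
LEARNING_EVENTS = [
    {"image": "shop/web", "kind": "process", "value": "nginx"},
    {"image": "shop/web", "kind": "process", "value": "python"},
    {"image": "shop/web", "kind": "connect", "value": "shop/api:8080"},
    {"image": "shop/api", "kind": "process", "value": "java"},
    {"image": "shop/api", "kind": "connect", "value": "shop/db:5432"},
]

# Constructed enforcement-phase events: two match the baseline, two do not.
RUNTIME_EVENTS = [
    {"image": "shop/web", "kind": "connect", "value": "shop/api:8080"},      # in baseline
    {"image": "shop/web", "kind": "process", "value": "sh"},                # new process
    {"image": "shop/web", "kind": "connect", "value": "203.0.113.9:4444"},  # new egress
    {"image": "shop/api", "kind": "connect", "value": "shop/db:5432"},      # in baseline
]


def learn_baseline(events):
    """Map image -> kind -> set(values) from learning-phase events."""
    model = defaultdict(lambda: defaultdict(set))
    for e in events:
        model[e["image"]][e["kind"]].add(e["value"])
    return model


def evaluate(model, events, mode="alert"):
    """Return (action, image, kind, value) for each event outside the baseline.

    mode="alert" records the deviation; mode="block" marks it as denied. That is
    the only difference between the slide's "alerted on or blocked". An image
    with no baseline at all has every event flagged, which is the safe default.
    """
    deviations = []
    for e in events:
        known = model.get(e["image"], {}).get(e["kind"], set())
        if e["value"] not in known:
            deviations.append((mode, e["image"], e["kind"], e["value"]))
    return deviations


def to_network_policy(model, image):
    """Derive an image's egress allow-list from its baseline.

    Because the list is regenerated from observed behavior, re-learning after a
    deploy replaces it instead of piling manual rules on top (rule rot).
    """
    return sorted(model.get(image, {}).get("connect", set()))


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_EVENTS)
    for d in evaluate(baseline, RUNTIME_EVENTS):
        print(*d)
    print("shop/web egress allow-list:", to_network_policy(baseline, "shop/web"))
```

A real agent would key the baseline on the image digest rather than the name, and would treat the learning window as untrusted if the workload was already compromised when it was deployed; the example keeps the mechanism itself visible.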


Page 19: Container Security - Carahsoft

Ensuring compliance

Ensure compliance for internal or external regimes: Needs to be customized for each environment

CIS Benchmarks are essential: Gaps need to be eliminated, and a full stack approach is essential

Integrate compliance into CI/CD


Page 20: Container Security - Carahsoft

Integrating into CI/CD

Devs and DevOps own a huge part of container security

Accuracy meets speed: Provide results right in native tooling as well as central Console

Don’t just identify--enforce: If you can block a critical vulnerability with a vendor fix, do it now! Shift left where you can!
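The rule on this slide is specific enough to encode: a critical vulnerability that already has a vendor fix should fail the build, while findings that are unfixable or lower severity should be reported without blocking. The following is an added example of such a CI gate, not Prisma Cloud's API, scanner output or policy language: the JSON shape, the `VULN-*` identifiers, the package versions and the severity thresholds are constructed for illustration.

```python
"""CI/CD enforcement gate over image scan results.

Added example with a constructed result document; the schema, identifiers,
versions and thresholds are assumptions, not a vendor's output or policy.
"""
import json

# Constructed scan output shaped as a generic per-package vulnerability list.
# "fixed_in": null means the vendor has not shipped a fix yet.
SAMPLE_SCAN_JSON = """
{
  "image": "registry.example.com/app:1.4.2",
  "vulnerabilities": [
    {"id": "VULN-A", "package": "python",  "severity": "critical", "fixed_in": "3.8.10"},
    {"id": "VULN-B", "package": "openssl", "severity": "high",     "fixed_in": "1.1.1k"},
    {"id": "VULN-C", "package": "libxml2", "severity": "high",     "fixed_in": null},
    {"id": "VULN-D", "package": "curl",    "severity": "medium",   "fixed_in": "7.76.0"}
  ]
}
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: block critical findings that have a vendor fix, alert on
# anything high or above, let the rest through silently.
POLICY = {
    "block_severity": "critical",
    "block_only_if_fix": True,
    "alert_severity": "high",
}


def evaluate(scan, policy=POLICY):
    """Classify each vulnerability; returns verdict plus the ids behind it."""
    block_rank = SEVERITY_RANK[policy["block_severity"]]
    alert_rank = SEVERITY_RANK[policy["alert_severity"]]
    blocking, alerts = [], []
    for v in scan["vulnerabilities"]:
        rank = SEVERITY_RANK.get(v["severity"].lower(), 0)
        has_fix = bool(v.get("fixed_in"))
        if rank >= block_rank and (has_fix or not policy["block_only_if_fix"]):
            blocking.append(v["id"])
        elif rank >= alert_rank:
            alerts.append(v["id"])
    verdict = "block" if blocking else ("alert" if alerts else "pass")
    return {"verdict": verdict, "blocking": blocking, "alerts": alerts}


def gate(scan_json, policy=POLICY):
    """Pipeline entry point: print findings and return the step's exit code."""
    scan = json.loads(scan_json)
    result = evaluate(scan, policy)
    for vid in result["blocking"]:
        print(f"BLOCK {scan['image']} {vid}: critical with vendor fix available")
    for vid in result["alerts"]:
        print(f"ALERT {scan['image']} {vid}")
    return 1 if result["verdict"] == "block" else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_SCAN_JSON))
```

Wiring `gate()` into the build job so a non-zero exit stops the push to the registry is what turns the scan from a report into enforcement; the same policy object can also be evaluated centrally so the developer's tooling and the console agree on the verdict.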


Page 21: Container Security - Carahsoft

Demo

Page 22: Container Security - Carahsoft

Thank you

paloaltonetworks.com
