Page 1
Lessons learned securing microservices and containers
Emil Man, Product Security Leader
Honeywell Safety and Productivity Systems
Page 2
Image courtesy of: https://blog.netapp.com/blogs/containers-vs-vms/
Page 3
• Containers share the host kernel
• Have their own bins/libs for the application
• Run in a namespace on the Linux kernel
• Run only what is necessary for their application
• Should run only processes directly necessary for their application execution
• Containers should be stateless
• “Cattle not Pets”
Page 4
Complexity
Page 5
Holistic security and securing the ecosystem of software development
Source: Gartner Inc
Page 6
The components or code you are re-using from others
The code repository or laptop
Role Based Access controls
Discretionary Access control based on projects
Least Privilege Access
The build server
The deployment server
The test infrastructure
Container repositories
All major targets for attackers
Page 7
Forensics
• Sniff for sensitive data
• Extract data from storage
• Dead Container = LOST
Page 8
• Rate Limiting
• Authentication
• Load Balancing
• API Gateway and Web Application Firewalls
• Data Input and Output validation through said API
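The gateway controls listed on this slide, as an added example that is not from the talk: a minimal request pipeline that authenticates a bearer token, applies a per-client token-bucket rate limit, allowlists the input fields, and strips anything not meant for the caller from the backend's output. The token format, the schema, the `backend` function and the demo key are all hypothetical.

```python
"""Added example: an API-gateway request pipeline (authentication, rate
limiting, input validation, output filtering) in front of a hypothetical
microservice. The key and field names are constructed for the demo."""
import hmac, hashlib, time

SECRET = b"constructed-demo-key"         # in practice fetched from the vault, never baked in
RATE_CAPACITY, RATE_REFILL_PER_SEC = 5, 1.0
_buckets = {}                              # client_id -> [tokens, last_refill_time]

def sign_token(client_id: str) -> str:
    """Issue a demo bearer token of the form client_id.HMAC(client_id)."""
    mac = hmac.new(SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{mac}"

def authenticate(token: str):
    """Return the client_id if the token's MAC verifies, else None."""
    client_id, _, mac = token.partition(".")
    expected = hmac.new(SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return client_id if mac and hmac.compare_digest(mac, expected) else None

def allow(client_id: str, now=None) -> bool:
    """Token bucket: RATE_CAPACITY burst, refilled at RATE_REFILL_PER_SEC.
    A request is counted before validation so malformed traffic also consumes quota."""
    now = time.monotonic() if now is None else now
    tokens, last = _buckets.get(client_id, [RATE_CAPACITY, now])
    tokens = min(RATE_CAPACITY, tokens + (now - last) * RATE_REFILL_PER_SEC)
    _buckets[client_id] = [tokens - 1, now] if tokens >= 1 else [tokens, now]
    return tokens >= 1

INPUT_SCHEMA = {"device_id": str, "reading": float}   # exact field set and types
OUTPUT_FIELDS = {"device_id", "status"}                # never leak backend internals

def validate_input(body: dict) -> bool:
    """Strict allowlist: exactly the schema's fields, each of the expected type."""
    return set(body) == set(INPUT_SCHEMA) and all(
        isinstance(body[k], t) for k, t in INPUT_SCHEMA.items())

def backend(body: dict) -> dict:
    """Hypothetical microservice; deliberately returns more than a caller should see."""
    return {"device_id": body["device_id"], "status": "stored",
            "db_host": "internal-db", "stack": "trace..."}

def gateway(token: str, body: dict, now=None) -> tuple:
    """Apply the controls in order and return (http_status, response_body)."""
    client_id = authenticate(token)
    if client_id is None:
        return 401, {"error": "unauthenticated"}
    if not allow(client_id, now):
        return 429, {"error": "rate limited"}
    if not validate_input(body):
        return 400, {"error": "invalid input"}
    resp = backend(body)
    return 200, {k: v for k, v in resp.items() if k in OUTPUT_FIELDS}
```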
Page 9
Service Mesh
• A service mesh is an array of proxies alongside containers
• Each proxy provides a gateway for interactions between containers
• Encrypts traffic between them
• Can verify machine identity to ensure it is talking to a “trusted” container
• A central controller orchestrates connections
• The control plane knows each interaction
Page 10
A wide variety of products that have varying business needs
Maturity takes time
Individual function needs such as Devops, Security, Marketing, Finance – etc – all need to be satisfied
Starting too big, with something far too complex
Adding microservice containers around monolith software
Page 11
Page 12
Vaulting
• No passwords stored in plaintext or in source code inside containers
• Regenerated or revoked if compromised
• Can be easily rotated if needed
Page 13
• Identity and access management around everything
• Integrated IAM at all steps of our software supply chain
• Easy to transition people in and out of projects
I am George P. Burdell
Page 14
Gartner Security Controls in Containers
Page 15
Data is the “new Oil” of the 21st century
• How are you securing my data?
• Persistence of data outside of the container
• Storage that has proper controls
• Multi-tenancy through customer-controlled encryption keys
• Encryption and Personally Identifiable Information identified from the beginning
• Regulatory compliance & data privacy
Page 16
Security-aware people embedded in engineering teams
Page 17
FIN