Securing Containers - cscout
Posted on 11-Jun-2020
TRANSCRIPT
SECURING CONTAINERS
They are Coming – Are you Ready?
Jessica Hoffman & Sese Bennett
July 30, 2018
[CONFIDENTIAL]
WHAT ARE CONTAINERS?
It depends on who you ask…
INFRASTRUCTURE
Sandboxed application processes on a shared Linux OS kernel
Simpler, lighter, and denser than virtual machines
Portable across different environments
APPLICATIONS
Package my application and all of its dependencies
Deploy to any environment in seconds and enable CI/CD
Easily access and share containerized components including the OS kernel
CONTAINERS VS. VIRTUAL MACHINES
[Diagram comparing a CONTAINERS stack with a VIRTUAL MACHINE stack; the only legible labels are “Orchestrator”]
The Rise of Containers
Jails: FreeBSD Jails expand on Unix chroot to isolate files
VServer: Linux-VServer ports kernel isolation, but requires recompilation
Snapshots: Solaris Zones bring the concept of snapshots
cgroups: Google introduces Process Containers, merged as cgroups
Namespaces: Red Hat adds user namespaces, limiting root access in containers
LXC: IBM creates LXC, providing user tools for cgroups and namespaces
Docker: Docker provides simple user tools and images. Containers go mainstream
SO THAT MEANS…
LEGACY & NEW APPS MOVING TO CONTAINERS
23% Using containers for new applications only
73% Using containers for new applications and some pre-existing “legacy” applications
4% Using containers for pre-existing “legacy” applications only
Stats Courtesy: ESG
56% already in production
24% in next 12 months
APP CONTAINERS ARE MOVING INTO PRODUCTION
[Pie chart; percentages as extracted, not matched to responses: 1%, 13%, 42%, 24%, 16%, 4%]
Yes, we have already deployed an extensive number of containerized production applications
Yes, we have already deployed a few containerized production applications
No, but we are testing it and plan to start deploying to production in the next 12 months
No, but we intend to start testing it in our lab in the next 12 months
No, and we have no plans to
Don’t know
Stats Courtesy: ESG
BIG HURDLE TO CONTAINER ADOPTION?
WHY DEPLOY CONTAINERS?
Image Courtesy: The SDxCentral 2017 Container and Cloud Orchestration Report
APPLICATION CONTAINERS WILL BE A $2.7B MARKET BY 2020
CONTAINERS ARE COMING
WILL YOU BE READY?
THE UP SIDE
Presents a rare opportunity for security to move upstream
Containers are exceptionally light and fast. The same hardware can support an exponentially larger number of containers than VMs
Adoption can be a catalyst for improved security overall
Can better protect against some existing threats and help you react quickly to emerging security issues
Containers are transparent
Container security is multi-level and containers can be secure if configured correctly!
THE DOWN SIDE
As awesome as containers are, they also introduce unique new risks.
Containers were not inherently architected with security in mind.
If containers are not on your radar, now’s the time to get up to speed because they are probably already deployed somewhere within your organization.
CONTAINER SECURITY ISSUES
34% Inability to efficiently verify that container registry images meet their organization’s security and compliance requirements
35% Current server workload security solutions do not support the same functionality for containers
30% Potential for container sprawl creates loose access controls between containers, creating vulnerabilities
27% Portability and transient nature of containers make them more susceptible to “in motion” compromises
33% A lack of mature solutions available for container security
Statistics Courtesy: CSO Magazine, May 2017
PREPARE FOR THE WORST
OLD SCHOOL (SECURITY) JUST AIN’T COOL
OLD SCHOOL SECURITY
“Siloed” Security Teams
At many organizations, security remains the province of a team of security experts. They review code after it is written—or worse, already in production. They work in silos, isolated from the rest of the software delivery team. This isolation (which results in part from the difficulty of integrating security review into monolithic application development) leads to security lapses.
Perimeter-level Security
Most security tools still focus on protecting the perimeter of software environments. They harden the network using firewall rules. They lock down servers using access control policies. These practices do not help in the event that an attacker is able to defeat perimeter-level defenses and gain access to the interior of an environment.
Manual Configuration & Management
Today’s security tools are often capable in theory of real-time threat detection. But because they require manual configuration, their ability to identify and react to threats in real time is limited. If you have to configure security definitions manually to find threats, you will not be able to detect threats quickly.
Rot-Prone Configuration
Another crucial weakness that arises from a reliance on manual configuration is a susceptibility to configuration “rot.” As a software environment changes, configurations that are manually updated become outdated—or in other words, they rot.
NEW SCHOOL CONTAINER SECURITY
NIST Special Publication 800-190 defines five core areas that must be considered when addressing container security:
Host OS: The foundation for containerization platforms
Image: User-defined processing definitions
Registry: Technology that stores/deploys created images
Container: Rapidly deployed & highly portable processing environment
Orchestrator: The “brains” that manages the container environment
NEW SCHOOL APPROACH
Automate Container Security
Manage Image Vulnerabilities
Minimize Attack Surfaces
Harden Hosts
Tighten Access Controls
Limit Dependencies
Access Existing Practices & Tools
Eliminate Silos
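Several of the approach items above (automate, minimize attack surfaces, harden hosts, tighten access controls, manage image vulnerabilities) can be turned into a scripted check over the container and image areas of the NIST SP 800-190 slide. The following is an added example and not material from the talk: it audits `docker inspect` JSON for those settings; the two sample records are constructed, the field names follow Docker's inspect output, and the mapping of each check to a slide item is my own.

```python
import json

# Constructed sample in the shape of `docker inspect` output: a legacy app with weak settings next to a hardened one.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/legacy-app",
     "Config": {"User": "", "Image": "legacy-app:latest"},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "ReadonlyRootfs": False, "PidMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/new-app",
     "Config": {"User": "10001:10001", "Image": "new-app:1.4.2"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "ReadonlyRootfs": True, "PidMode": "", "Binds": None}},
])

def audit(container: dict) -> list[tuple[str, str]]:
    """Return (slide item, finding) pairs for one inspect record; an empty list means no findings."""
    cfg, host = container.get("Config") or {}, container.get("HostConfig") or {}
    findings = []
    # Minimize attack surfaces: extra privilege and a writable root filesystem
    if host.get("Privileged"):
        findings.append(("Minimize Attack Surfaces", "runs --privileged (all capabilities and devices)"))
    for cap in host.get("CapAdd") or []:
        findings.append(("Minimize Attack Surfaces", f"adds Linux capability {cap}"))
    if not host.get("ReadonlyRootfs"):
        findings.append(("Minimize Attack Surfaces", "root filesystem is writable"))
    # Tighten access controls: an empty or root User means uid 0 inside the container
    user = str(cfg.get("User") or "")
    if user.split(":")[0] in ("", "root", "0"):
        findings.append(("Tighten Access Controls", "process runs as root inside the container"))
    # Harden hosts: sharing the host PID namespace or the Docker socket erodes host isolation
    if host.get("PidMode") == "host":
        findings.append(("Harden Hosts", "shares the host PID namespace"))
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append(("Harden Hosts", "mounts the Docker socket (host control plane)"))
    # Manage image vulnerabilities: a mutable tag cannot be tied back to a scanned image
    image = cfg.get("Image") or ""
    ref = image.rsplit("/", 1)[-1]  # drop any registry/namespace prefix before looking at the tag
    if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
        findings.append(("Manage Image Vulnerabilities", f"image {image!r} uses a mutable tag"))
    return findings

def audit_inspect_output(raw_json: str) -> dict[str, list[tuple[str, str]]]:
    # Map container name -> findings for a whole `docker inspect` JSON array
    return {c["Name"].lstrip("/"): audit(c) for c in json.loads(raw_json)}

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, *[f"[{item}] {text}" for item, text in findings], sep="\n  ")
```

Against a live host the same function runs over `docker inspect $(docker ps -q)`; the constructed legacy record yields seven findings and the hardened record none.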
BOTTOM LINE
HOPING FOR THE BEST IS NOT A (GOOD) OPTION
KEEP IN TOUCH WITH US!
ANY QUESTIONS?
Sese Bennett
(615) 767-7902
SBennett@provincia.io
Jessica Hoffman
(615) 917-5244
JHoffman@provincia.io