TRANSCRIPT
-
Red Hat, Secure by default
Amine Al OumamiSr. Solution Architect
-
“The time where security was a feature belongs in the past. It is now a continuous process, and everybody’s problem”
-
GDPR made IT security everybody’s problem
July 2018
The ICO’s first action under the GDPR. An enforcement notice was issued to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica scandal.
January 2019
The first major fine under the new law. France’s CNIL fined Google €50 million for failing to obtain a valid legal basis for processing personal data for ad personalisation. This breached the GDPR’s requirements for transparency and specific, unambiguous consent.
Chart: Pre-GDPR fines vs. Post-GDPR fines
July 2019
The ICO announced its first fines under the GDPR.
It announced its intention to fine British Airways £183.39 million for a 2018 breach compromising the personal data of approximately 500,000 customers.
It stated its intention to fine Marriott International £99,200,396 when “a cyber incident” exposed approximately 339 million customer records.
August 2019
Bulgaria's Data Protection Commission (KZLD) announced its intention to fine the National Revenue Agency BGN5.1 million (approximately €2.6 million) after approximately 4 million living and 2 million dead individuals' personal data was compromised in a hacking attack.
https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf
https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-ico-announces-intention-to-fine-british-airways/
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/
-
2018 speech by David Hogue, a National Security Agency official, who said the NSA had not responded to an intrusion that exploited a zero-day vulnerability in over two years.
99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident [3]
81% of hacking-related breaches leveraged either stolen and/or weak passwords [1]
68% of breaches took months or longer to discover [2]
[1] 2017 Verizon Data Breach Investigations Report
[2] 2018 Verizon Data Breach Investigations Report
[3] Gartner, “Focus on the Biggest Security Threats, Not the Most Publicized,” November 2017
https://www.cyberscoop.com/dod-apache-struts-equifax-david-hogue-nsa/
-
Vulnerabilities are growing… and so are their exploits
https://www.cvedetails.com
-
The Cybersecurity challenges
-
The Security Challenge is not Getting Easier
65% reported increased severity of attacks [1]
57% said the time to resolve an incident has grown [1]
29% have their ideal security-skilled staffing level, making it the #2 barrier to cyber resilience [1]
5% is the portion of incoming alerts that the average security team examines every day [2]
Sources:
1 The Third Annual Study on the Cyber Resilient Organization - Ponemon Institute, 2018 (Sponsored by IBM), http://www-03.ibm.com/press/us/en/pressrelease/53800.wss
2 https://venturebeat.com/2017/12/16/the-lesson-behind-2017s-biggest-enterprise-security-story/
-
The Challenges
● Compliance & Security
● Confusion
● Skills & Talent Gap
● Perimeter Transformation
-
Confusion: Open Source
Source: 2019 The State of Enterprise Open Source, A Red Hat Report
https://www.redhat.com/en/enterprise-open-source-report/2019
38% of enterprises cited “Security of the code” as a barrier to using enterprise open source
37% US | 42% UK | 37% APAC | 37% LATAM
-
96+% of all codebases contain upstream open source software or libraries
Source: 2019 Open Source Security and Risk Analysis, Author: Synopsys
Through 2020, 99% of vulnerabilities exploited will be known for 1+ years
Source: Top Security Predictions Through 2020, Author: Gartner
Confusion: Open Source
-
Confusion: The global picture
https://momentumcyber.com
-
Security practices, policies, and tools haven’t fully caught up with Cloud Technologies
“According to analyst firm McKinsey, a full 78 percent of more than 100 firms recently surveyed are NOT reconfiguring their security tools when migrating to the cloud”
Source: B. Cameron Gain for thenewstack.io, Microservices Security: Probably Not What You Think It Is, Mar 2018 https://thenewstack.io/microservices-security-probably-not-what-you-think-it-is/
-
The journey to “security” is long, hard, full of risks, needs everybody’s involvement, continuous… But it is achievable!
-
Security in Red Hat Portfolio
-
SECURITY THROUGHOUT THE STACK + LIFECYCLE
TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFTWARE
RED HAT SECURITY ADVISORIES
DESIGN → BUILD → RUN → MANAGE & AUTOMATE → ADAPT
-
Red Hat Portfolio - Defence in depth Security
APP RUNTIME (Securing Business Code)
● Application Business Logic
● Application Services (Messaging, Integration, BPM, SSO)
● Service Mesh
● API Management
● Runtime Framework Security Features
● RBAC across Middleware
APP BUILD (Foundational App Elements)
● Enterprise Container Registry with Vulnerability Scan
● Trusted Content
● OpenShift CI/CD Pipelines
● Security-focused Application Templates
● Developer Tools & Best Practices
FOUNDATION (Trusted & Secure Platform)
AUTOMATE, MANAGE, ADAPT
-
Securing the foundations
Simplifying your open source security journey
-
Run on Security-Enhanced Platforms WITH RED HAT ENTERPRISE LINUX AS A COMMON FOUNDATION
Server | Infrastructure | Hybrid Cloud
● System-wide crypto policy
● SELinux
● Volume encryption
● Network layer security
● Identity Management
● Audit and Compliance

● FIPS support
● sVirt for VM isolation
● Selectable ciphers for encryption
● End-to-End VNC encryption for VM consoles

● OSP Security Guide
● Encrypted volume support
● Glance image signing
● Advanced Intrusion Detection Environment (AIDE)
● TLS endpoints

● Data encrypted at rest and in-flight
● Secured multi-tenancy
● Authentication, Authorization, Auditing

● Pre-configured Jenkins to build secure CI/CD pipeline
● Security focused application templates
● Access to certified container images
● RBAC, Integrated SDN, Project Namespaces, etc.
Simplifying your open source security journey
-
Focus:
1. Red Hat Enterprise Linux
2. Red Hat OpenShift
3. Red Hat Automation & Management
Simplifying your open source security journey
-
Red Hat Enterprise Linux
-
BUILT-IN SECURITY TECHNOLOGIES IN RED HAT ENTERPRISE LINUX
Policies, Procedures, Awareness
● OpenSCAP
● Auditd
● AIDE
Physical
● USB Guard
● Secure Boot
Perimeter
● firewalld
Internal Network
● IPsec
● MACsec
Host
● System Roles
● Identity Management
● Crypto policy
Application
● SELinux process isolation
● libseccomp
Data
● LUKS filesystem
● Policy based decryption
○ Network-Bound Disk Encryption (NBDE)
○ Trusted Platform Module
Red Hat Enterprise Linux
-
Security Automation with OpenSCAP
● NIST validated and certified Security Content Automation Protocol (SCAP) scanner by Red Hat
● Scans systems and containers for:
○ known vulnerabilities = unpatched software
○ compliance with security policies (PCI-DSS, US Gov baselines, etc.)
● Red Hat supported and provided Ansible remediation playbooks
● Included in Red Hat Enterprise Linux base channel
● Red Hat natively ships NIST validated National Checklist content
● SCAP Workbench
○ GUI front end tool for OpenSCAP that serves as an SCAP scanner
○ Provides tailoring functionality for SCAP content
○ Local or remote scanning of a single machine
Red Hat Enterprise Linux
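As an added example (not taken from the deck or from Red Hat's published playbooks), the kind of playbook that drives the scan-and-remediate loop described above at scale: it runs the OpenSCAP scanner against a compliance profile on every host, pulls each HTML report back to the control node, and has oscap emit the Ansible remediation playbook for that profile. The inventory group rhel_servers, the RHEL 8 datastream path and the PCI-DSS profile id are assumptions to adjust for your environment.

```yaml
# Added example, not the deck's or Red Hat's own content. Assumptions to adjust:
# inventory group "rhel_servers", a RHEL 8 datastream from scap-security-guide,
# and the PCI-DSS profile id shipped with that content.
- name: OpenSCAP compliance scan with Ansible remediation output
  hosts: rhel_servers
  become: true
  vars:
    datastream: /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    profile: xccdf_org.ssgproject.content_profile_pci-dss
    results: /var/tmp/oscap-results.xml
    report: /var/tmp/oscap-report.html
    remediation: /var/tmp/oscap-remediation.yml
  tasks:
    - name: Install the scanner and the NIST-validated SCAP content
      ansible.builtin.dnf:
        name: [openscap-scanner, scap-security-guide]
        state: present

    # oscap exits 0 when every rule passes, 2 when some rules fail and
    # 1 on a real error; only the last one should fail the play.
    - name: Evaluate the profile and write XCCDF results plus an HTML report
      ansible.builtin.command:
        argv: ["oscap", "xccdf", "eval", "--profile", "{{ profile }}",
               "--results", "{{ results }}", "--report", "{{ report }}",
               "{{ datastream }}"]
      register: scan
      changed_when: false
      failed_when: scan.rc not in [0, 2]

    - name: Fetch each host's report to the control node for review
      ansible.builtin.fetch:
        src: "{{ report }}"
        dest: "reports/{{ inventory_hostname }}-oscap.html"
        flat: true

    # The generated playbook covers the whole profile; review it before
    # running it against production hosts.
    - name: Generate the Ansible remediation playbook for this profile
      ansible.builtin.command:
        argv: ["oscap", "xccdf", "generate", "fix", "--fix-type", "ansible",
               "--profile", "{{ profile }}", "--output", "{{ remediation }}",
               "{{ datastream }}"]
        creates: "{{ remediation }}"

    - name: Summarise the scan result per host
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: {{ 'compliant' if scan.rc == 0 else 'rules failed, see report' }}"
```

The same playbook runs unchanged as a job template in Ansible Tower, which is how the later "scanning and remediation at scale" slide combines it with Satellite-managed hosts.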
-
Red Hat OpenShift
-
Comprehensive Container Security with Red Hat OpenShift
CONTROL (Application Security): Container Content, Container Registry, CI/CD Pipeline, Deployment Policies
DEFEND (Infrastructure): Container Host Multi-tenancy, Container Platform, Network Isolation, Storage, Audit & Logging, API Management
EXTEND: Security Ecosystem
Red Hat OpenShift
-
Red Hat OpenShift
Linux container host (kernel): Security-Enhanced Linux (SELinux), Namespaces, Secure computing mode (seccomp), Control groups (cgroups), sVirt
Kubernetes kubelet
Identity, Audits and logs
Containers, each holding an Application plus its Linux operating system dependency, running side by side on the host
• Security in the host operating system applies to containers.
• SELinux and kernel namespaces form a powerful combination that protects the host and isolates containers.
• Red Hat Enterprise Linux—including the container framework—is Common Criteria-certified.
Security at the container level
-
Securing the container platform (1)
Red Hat OpenShift
● Host & Runtime security
○ Immutable OS (CoreOS) versioned with OpenShift
○ OS managed by the Cluster
○ Runtime Security Policies
● Identity and Access Management
● Role-based Access Controls
Diagram: cluster nodes running RHEL CoreOS and RHEL
-
Securing the container platform (2)
Red Hat OpenShift
● Project namespaces
● Integrated SDN - Network Policies by default
● Integrated & extensible secrets management
● Logging, Monitoring, Metrics
-
Securing the container platform: Service Mesh
Red Hat OpenShift
-
Red Hat Automation & Management
-
Buy Red Hat Enterprise Linux + Get Red Hat Insights
Red Hat Insights: now included with all Red Hat Enterprise Linux subscriptions
Simplifying your open source security journey
-
Insights plans with Ansible playbooks: solve common issues through Ansible Automation
-
Vulnerability & Compliance Scanning + Remediations on Hosts at Scale with Red Hat Ansible Tower + Satellite
Simplifying your open source security journey
-
https://galaxy.ansible.com/RedHatOfficial
-
Securing the build
Simplifying your open source security journey
-
Trusted Certified Content from Red Hat
● Base images for all middleware (e.g. Distributed Data Grid, Messaging, SSO Provider)
● Image Signature Verification
● Required Permissions
● Container Health Index
● Support Lifecycle / SLAs (e.g. for CVEs)
Simplifying your open source security journey
-
OpenShift Pipelines for secure DevOps
● Pre-configured Jenkins deployment wired to OpenShift Authentication
● Enables automated security scanning, analysis, validation throughout the CI/CD cycle
Simplifying your open source security journey
-
DevSecOps CI/CD Pipeline in OpenShift: Automated ‘Secure Software Factory’ Example
Ansible playbook to deploy this entire DevSecOps pipeline can be found here: http://tiny.cc/80hjbz
See the full documentation here: https://red.ht/securitylabs
2 additional example pipelines can be found in the resources section @ end of deck (Dept of Homeland Security + Red Hat Innovation Labs pipelines)
Simplifying your open source security journey
-
Securing the runtime
Simplifying your open source security journey
-
Security-Focused Application Templates
● Pre-configured OpenShift templates
● Wires applications together with Red Hat SSO
● Defaults out of the box implement best practices
○ HTTPS everywhere
○ Credentials and keystores using secrets
○ No default “admin/admin”
Simplifying your open source security journey
-
App Runtime Framework Security
● Developer APIs for integrating with
○ Red Hat SSO (Keycloak)
○ SSL/TLS servers/clients
○ Spring Security
○ OpenSSL (Node.js)
○ Java EE Security (JBoss EAP / Thorntail)
○ OpenShift Audit Logging Integration
● OpenJDK
○ Heavy upstream work
■ OpenJDK Vulnerability Group
■ Kerberos cross-realm referrals
■ SunPKCS11 memory leak fix
■ TLS 1.2 Master Secret extension work
Simplifying your open source security journey
-
OpenShift Service Mesh
● Relieves developers of securing microservice traffic and enforcing policy
● Automatic transport encryption
● Ingress, Egress, Service-to-service mutual authentication
● Traceability of east / west traffic
● Application observability via Kiali
● Pluggable authentication and policy enforcement
Simplifying your open source security journey
-
Cross-Zone OpenShift Cluster
Application pods run on one OpenShift cluster, micro-segmented with network security policies.
Infra nodes in each zone run the Ingress and Egress pods for that zone.
If required, pods can be physically isolated to specific nodes with node selectors, but that can reduce worker node density.
Simplifying your open source security journey
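An added example (not from the deck) of the micro-segmentation the slide describes, expressed as the two NetworkPolicy objects applied to one project: a default deny, then an allow-list that re-admits only same-project pods and the cluster router. The project name payments and the router namespace label are assumptions; check the labels on your cluster's ingress namespace before applying.

```yaml
# Added example, not the deck's own content. Assumptions: a project named
# "payments" and the OpenShift 4 label on the ingress router's namespace
# (network.openshift.io/policy-group: ingress); verify both on your cluster.
---
# 1. Close the project: with this in place and nothing else, no pod in
#    "payments" accepts traffic from anywhere, including other projects.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}        # selects every pod in the project
  policyTypes:
    - Ingress            # no ingress rules listed, so all ingress is denied
---
# 2. Re-open only the two paths a segmented zone still needs: pods of the
#    same project talking to each other, and the cluster router so that
#    Routes into the project keep working. Separate "from" entries are OR'ed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-router
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}          # any pod in "payments" itself
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
```

Policies are additive, so the effective rule set is the union of both objects; neither constrains egress, which needs its own policyType entry if the zone must also control outbound traffic.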
-
Getting you there: Consulting & Training
Simplifying your open source security journey
-
Simplifying your open source security journey
Built-in Security Technologies
Services, Training, Support & Trusted Advisor
Challenges: Compliance & Security | Open Source Confusion | Skills & Talent
-
Security & Red Hat Consulting Services
-
Red Hat Security Training and Certification Offerings
1. D0500: DevOps Culture and Practice Enablement
2. D0700: Container Adoption Boot Camp
3. D0426: Securing Containers and OpenShift (with exam)
-
Questions?
-
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.
Thank you