Red Hat, Secure by default Amine Al Oumami Sr. Solution Architect

Post on 28-Jan-2021


  • Red Hat, Secure by default

    Amine Al Oumami, Sr. Solution Architect

  • “The time where security was a feature belongs in the past. It is now a continuous process, and everybody’s problem”

  • GDPR made IT security everybody’s problem

    July 2018

    The ICO’s first action under the GDPR. An enforcement notice was issued to AggregateIQ Data Services Ltd as part of its investigation into the Cambridge Analytica scandal.

    January 2019

    The first major fine under the new law. France’s CNIL fined Google €50 million for failing to obtain a valid legal basis for processing personal data for ad personalisation. This breached the GDPR’s requirements for transparency and specific, unambiguous consent.

    (Chart: pre-GDPR fines vs. post-GDPR fines)

    July 2019

    The ICO announced its first fines under the GDPR.

    It announced its intention to fine British Airways £183.39 million for a 2018 breach compromising the personal data of approximately 500,000 customers.

    It stated its intention to fine Marriott International £99,200,396 after “a cyber incident” exposed approximately 339 million customer records.

    August 2019

    Bulgaria's Data Protection Commission (KZLD) announced its intention to fine the National Revenue Agency BGN 5.1 million (approximately €2.6 million) after the personal data of approximately 4 million living and 2 million deceased individuals was compromised in a hacking attack.

    Sources:
    https://ico.org.uk/media/2259362/r-letter-ico-to-aiq-060718.pdf
    https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
    https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-ico-announces-intention-to-fine-british-airways/
    https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/

  • 2018 speech by David Hogue, a National Security Agency official, who said the NSA had not responded to an intrusion that exploited a zero-day vulnerability in over two years.

    99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident [3]

    81% of hacking-related breaches leveraged either stolen and/or weak passwords [1]

    68% of breaches took months or longer to discover [2]

    [1] 2017 Verizon Data Breach Investigations Report
    [2] 2018 Verizon Data Breach Investigations Report
    [3] Gartner, “Focus on the Biggest Security Threats, Not the Most Publicized,” November 2017

    https://www.cyberscoop.com/dod-apache-struts-equifax-david-hogue-nsa/

  • Vulnerabilities are growing… and so are their exploits

    https://www.cvedetails.com

  • The Cybersecurity challenges

  • The Security Challenge is not Getting Easier

    65% reported increased severity of attacks

    57% said the time to resolve an incident has grown

    29% have their ideal security-skilled staffing level, making it the #2 barrier to cyber resilience

    5% is the portion of incoming alerts that the average security team examines every day

    Sources:
    1 The Third Annual Study on the Cyber Resilient Organization - Ponemon Institute, 2018 (Sponsored by IBM)
    2 https://venturebeat.com/2017/12/16/the-lesson-behind-2017s-biggest-enterprise-security-story/
    http://www-03.ibm.com/press/us/en/pressrelease/53800.wss

  • The Challenges

    Compliance & Security

    Confusion

    Skills & Talent Gap

    Perimeter?

    Transformation

  • Confusion: Open Source

    38% of enterprises cited “Security of the code” as a barrier to using enterprise open source

    By region: US 37%, UK 42%, APAC 37%, LATAM 37%

    Source: 2019 The State of Enterprise Open Source, A Red Hat Report
    https://www.redhat.com/en/enterprise-open-source-report/2019

  • Confusion: Open Source

    96+% of all codebases contain upstream open source software or libraries

    Source: 2019 Open Source Security and Risk Analysis, Author: Synopsys

    Through 2020, 99% of vulnerabilities exploited will be known for 1+ years

    Source: Top Security Predictions Through 2020, Author: Gartner

  • Confusion: The global picture

    https://momentumcyber.com

  • Security practices, policies, and tools haven’t fully caught up with Cloud Technologies

    “According to analyst firm McKinsey, a full 78 percent of more than 100 firms recently surveyed are NOT reconfiguring their security tools when migrating to the cloud”

    Source: B. Cameron Gain for thenewstack.io, Microservices Security: Probably Not What You Think It Is, Mar 2018
    https://thenewstack.io/microservices-security-probably-not-what-you-think-it-is/

  • The journey to “security” is long, hard, full of risks, needs everybody’s involvement, continuous… But is Achievable!

  • Security in Red Hat Portfolio

  • SECURITY THROUGHOUT THE STACK + LIFECYCLE

    TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFTWARE

    RED HAT SECURITY ADVISORIES

    Lifecycle: DESIGN, BUILD, RUN, MANAGE & AUTOMATE, ADAPT

  • Red Hat Portfolio - Defence in depth Security

    (Diagram: layered stack, with AUTOMATE, MANAGE, ADAPT spanning all layers)

    Application Business Logic

    APP RUNTIME - Securing Business Code: Service Mesh, API Management, Runtime Framework Security Features, RBAC across Middleware, Application Services (Messaging, Integration, BPM, SSO)

    APP BUILD - Foundational App Elements: Enterprise Container Registry with Vulnerability Scan, Trusted Content, OpenShift CI/CD Pipelines, Security-focused Application Templates, Developer Tools & Best Practices

    FOUNDATION - Trusted & Secure Platform

  • Securing the foundations

    Simplifying your open source security journey

  • Run on Security-Enhanced Platforms WITH RED HAT ENTERPRISE LINUX AS A COMMON FOUNDATION

    Server / Infrastructure / Hybrid Cloud

    ● System-wide crypto policy
    ● SELinux
    ● Volume encryption
    ● Network layer security
    ● Identity Management
    ● Audit and Compliance

    ● FIPS support
    ● sVirt for VM isolation
    ● Selectable ciphers for encryption
    ● End-to-End VNC encryption for VM consoles

    ● OSP Security Guide
    ● Encrypted volume support
    ● Glance image signing
    ● Advanced Intrusion Detection Environment (AIDE)
    ● TLS endpoints

    ● Data encrypted at rest and in-flight
    ● Secured multi-tenancy
    ● Authentication, Authorization, Auditing

    ● Pre-configured Jenkins to build secure CI/CD pipeline
    ● Security focused application templates
    ● Access to certified container images
    ● RBAC, Integrated SDN, Project Namespaces, etc.


  • Focus:

    1. Red Hat Enterprise Linux

    2. Red Hat OpenShift

    3. Red Hat Automation & Management


  • Red Hat Enterprise Linux

  • BUILT-IN SECURITY TECHNOLOGIES IN RED HAT ENTERPRISE LINUX

    Policies, Procedures, & Awareness
    ● OpenSCAP
    ● Auditd
    ● AIDE

    Physical
    ● USBGuard
    ● Secure Boot

    Perimeter
    ● firewalld

    Internal Network
    ● IPsec
    ● MACsec

    Host
    ● System Roles
    ● Identity Management
    ● Crypto policy

    Application
    ● SELinux process isolation
    ● libseccomp

    Data
    ● LUKS filesystem encryption
    ● Policy based decryption
      ○ Network-Bound Disk Encryption (NBDE)
      ○ Trusted Platform Module


  • Security Automation with OpenSCAP

    ● NIST validated and certified Security Content Automation Protocol (SCAP) scanner by Red Hat
    ● Scans systems and containers for:
      ○ Known vulnerabilities (unpatched software)
      ○ Compliance with security policies (PCI-DSS, US Gov baselines, etc.)
    ● Red Hat supported and provided Ansible remediation playbooks
    ● Included in Red Hat Enterprise Linux base channel
    ● Red Hat natively ships NIST validated National Checklist content
    ● SCAP Workbench
      ○ GUI front end tool for OpenSCAP that serves as an SCAP scanner
      ○ Provides tailoring functionality for SCAP content
      ○ Local or remote scanning of a single machine
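    A worked example of the scan-then-remediate flow this slide lists, added here as an illustration (it is not code from the deck or from Red Hat's own tooling): it runs oscap against a SCAP Security Guide profile on the host, evaluates the same profile inside a container image with oscap-podman, checks for unpatched packages with Red Hat's OVAL data, generates the Ansible remediation playbook, and summarises the XCCDF results so a pipeline can fail on non-compliance. The datastream path and profile id are assumptions for RHEL 8 with scap-security-guide installed, and the results file used at the end is constructed, not real scan output.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): OpenSCAP compliance/vulnerability scan of a
# RHEL host or container image, Ansible remediation playbook generation, and a
# summary of the XCCDF results that a pipeline can gate on.
set -euo pipefail

# Assumed for RHEL 8 with scap-security-guide installed; change the datastream
# and profile id for your release and policy (PCI-DSS is used here).
DS_FILE="${DS_FILE:-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_pci-dss}"

# Compliance scan of the local host. oscap exits 2 when at least one rule
# failed; that is a normal outcome, so only a real error (exit 1) aborts.
run_compliance_scan() {
    local results="$1" report="$2"
    oscap xccdf eval --profile "$PROFILE" \
        --results "$results" --report "$report" "$DS_FILE" || [ "$?" -eq 2 ]
}

# Same profile evaluated inside a container image (oscap-podman wraps oscap).
scan_container_image() {
    local image="$1" results="$2"
    oscap-podman "$image" xccdf eval --profile "$PROFILE" \
        --results "$results" "$DS_FILE" || [ "$?" -eq 2 ]
}

# Vulnerability check: evaluate Red Hat's OVAL definitions for unpatched
# packages. The OVAL file is fetched separately from Red Hat's security data.
run_vulnerability_scan() {
    local oval_file="$1" results="$2"
    oscap oval eval --results "$results" "$oval_file" || [ "$?" -eq 2 ]
}

# Ansible playbook remediating every rule of the profile; review before use.
generate_remediation_playbook() {
    local out="$1"
    oscap xccdf generate fix --fix-type ansible --profile "$PROFILE" \
        --output "$out" "$DS_FILE"
}

# Summarise an XCCDF results file as "<pass> <fail> <notapplicable>" using
# plain grep, so the gate needs no XML tooling on the scanned host.
count_rule_results() {
    local f="$1" status n out=""
    for status in pass fail notapplicable; do
        n=$({ grep -o "<result>$status</result>" "$f" || true; } | wc -l | tr -d ' ')
        out="$out${out:+ }$n"
    done
    echo "$out"
}

# Gate: succeed only when no rule failed.
results_are_clean() {
    [ "$(count_rule_results "$1" | cut -d' ' -f2)" -eq 0 ]
}

# Constructed sample results file standing in for real scan output.
SAMPLE_RESULTS="$(mktemp)"
trap 'rm -f "$SAMPLE_RESULTS"' EXIT
cat > "$SAMPLE_RESULTS" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled"><result>notapplicable</result></rule-result>
</TestResult>
EOF

echo "sample results (pass fail notapplicable): $(count_rule_results "$SAMPLE_RESULTS")"
if command -v oscap >/dev/null 2>&1; then
    run_compliance_scan /tmp/results.xml /tmp/report.html
    generate_remediation_playbook /tmp/remediation.yml
    echo "host results (pass fail notapplicable): $(count_rule_results /tmp/results.xml)"
    results_are_clean /tmp/results.xml || echo "host has failing rules; see /tmp/report.html"
fi
```

    The real scan functions only run when oscap is installed; on any other machine the script still exercises the result summary on the constructed file, which is the part a CI gate would reuse. Treat the generated playbook as a starting point: it applies every remediation in the profile, so tailor the profile (for example with SCAP Workbench) before running it against production hosts.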


  • Red Hat OpenShift

  • Comprehensive Container Security with Red Hat OpenShift

    CONTROL - Application Security: Container Content, Container Registry, CI/CD Pipeline, Deployment Policies

    DEFEND - Infrastructure: Container Host Multi-tenancy, Container Platform, Network Isolation, Storage, Audit & Logging

    EXTEND: Security Ecosystem, API Management


  • Security at the container level

    (Diagram: containers, each an application plus its Linux operating system dependency, running on the Linux container host)

    Linux container host (kernel): Kubernetes kubelet, Identity, Audits and logs, sVirt, Security-Enhanced Linux (SELinux), Namespaces, Secure computing mode (seccomp), Control groups (cgroups)

    • Security in the host operating system applies to containers.

    • SELinux and kernel namespaces form a powerful combination that protects the host and isolates containers.

    • Red Hat Enterprise Linux—including the container framework—is Common Criteria-certified.
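    To make the three bullets concrete, here is an added example (not from the deck) that reads the isolation state of a process from the host using only /proc, so it works with podman, CRI-O or any other runtime: the SELinux context (Red Hat's container-selinux policy places container processes in the container_t domain and separates them with MCS categories, which is what sVirt does for containers), the seccomp mode, and which namespaces the process shares with PID 1. The sample status file is constructed, and the PID to inspect is assumed to come from the runtime, e.g. podman inspect.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): read the kernel-level isolation state of a
# process from the host using only /proc, so it works with podman, CRI-O or any
# other runtime. Pass the host PID of a container process (e.g. from
# "podman inspect --format '{{.State.Pid}}' <container>").
set -euo pipefail

# Seccomp mode from a /proc/<pid>/status file: 0 = disabled, 1 = strict, 2 = filter.
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; exit }' "$1"
}

# Human-readable name for a seccomp mode number.
seccomp_mode_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# SELinux context of a process, or "unavailable" when SELinux is not active.
selinux_context() {
    local f="/proc/$1/attr/current"
    if [ -r "$f" ]; then
        tr -d '\0' < "$f" 2>/dev/null || echo unavailable
    else
        echo unavailable
    fi
}

# True when the context uses the container_t domain, which Red Hat's
# container-selinux policy assigns to container processes.
is_container_domain() {
    case "$1" in
        *:container_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# MCS categories (the trailing "c12,c34"): sVirt gives every container a
# unique pair so that two container_t processes still cannot touch each other.
mcs_categories() {
    local last="${1##*:}"
    case "$last" in
        c*) echo "$last" ;;
        *) echo none ;;
    esac
}

# Identity of one namespace (pid, net, mnt, user, ...) for a process.
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# True when two processes share the given namespace.
shares_namespace() {
    [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# Print the isolation report for one host PID.
describe_process() {
    local pid="$1" ctx mode ns
    ctx=$(selinux_context "$pid")
    mode=$(seccomp_mode "/proc/$pid/status")
    echo "pid $pid"
    echo "  selinux: $ctx (container domain: $(is_container_domain "$ctx" && echo yes || echo no); mcs: $(mcs_categories "$ctx"))"
    echo "  seccomp: ${mode:-?} ($(seccomp_mode_name "${mode:-}"))"
    for ns in pid net mnt user; do
        echo "  $ns namespace shared with PID 1: $(shares_namespace "$pid" 1 "$ns" && echo yes || echo no)"
    done
}

# Constructed sample /proc/<pid>/status fragment (not captured from a real host).
SAMPLE_STATUS="$(mktemp)"
trap 'rm -f "$SAMPLE_STATUS"' EXIT
printf 'Name:\tnginx\nPid:\t4242\nSeccomp:\t2\nSeccomp_filters:\t1\n' > "$SAMPLE_STATUS"

echo "sample seccomp mode: $(seccomp_mode "$SAMPLE_STATUS") ($(seccomp_mode_name "$(seccomp_mode "$SAMPLE_STATUS")"))"
# Inspect the PID given as argument, or this shell itself when running on Linux.
if [ -d /proc/self ]; then
    describe_process "${1:-$$}"
fi
```

    A container process that is correctly confined shows a container_t context with its own MCS pair, seccomp mode 2 (filter), and "no" for every namespace shared with PID 1; a process in the unconfined_t domain, or one that shares the host's net or pid namespace, is a finding worth explaining.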

  • Securing the container platform (1)

    ● Host & Runtime security
      ○ Immutable OS (CoreOS) versioned with OpenShift
      ○ OS managed by the cluster
      ○ Runtime security policies
    ● Identity and Access Management
    ● Role-based Access Controls

    (Diagram: cluster nodes running RHEL CoreOS and RHEL)

  • Securing the container platform (2)

    ● Project namespaces
    ● Integrated SDN - Network Policies by default
    ● Integrated & extensible secrets management
    ● Logging, Monitoring, Metrics

  • Securing the container platform: Service Mesh


  • Red Hat Automation & Management

  • Red Hat Insights

    Now included with all Red Hat Enterprise Linux subscriptions

    (Diagram: buy a Red Hat Enterprise Linux subscription, get Red Hat Insights included)


  • Insights plans with Ansible playbooks

    Solve common issues through Ansible Automation

  • Vulnerability & Compliance Scanning + Remediations on Hosts at Scale with Red Hat Ansible Tower + Satellite


  • https://galaxy.ansible.com/RedHatOfficial

  • Securing the build


  • Trusted Certified Content from Red Hat

    ● Base images for all middleware (e.g. Distributed Data Grid, Messaging, SSO Provider)
    ● Image Signature Verification
    ● Required Permissions
    ● Container Health Index
    ● Support Lifecycle / SLAs (e.g. for CVEs)


  • OpenShift Pipelines for secure DevOps

    ● Pre-configured Jenkins deployment wired to OpenShift Authentication
    ● Enables automated security scanning, analysis, validation throughout the CI/CD cycle


  • DevSecOps CI/CD Pipeline in OpenShift: Automated ‘Secure Software Factory’ Example

    Ansible playbook to deploy this entire DevSecOps pipeline can be found here: http://tiny.cc/80hjbz

    See the full documentation here: https://red.ht/securitylabs

    2 additional example pipelines can be found in the resources section @ end of deck (Dept of Homeland Security + Red Hat Innovation Labs pipelines)

  • Securing the runtime


  • Security-Focused Application Templates

    ● Pre-configured OpenShift templates
    ● Wires applications together with Red Hat SSO
    ● Defaults out of the box implement best practices
      ○ HTTPS everywhere
      ○ Credentials and keystores using secrets
      ○ No default “admin/admin”


  • App Runtime Framework Security

    ● Developer APIs for integrating with
      ○ Red Hat SSO (Keycloak)
      ○ SSL/TLS servers/clients
      ○ Spring Security
      ○ OpenSSL (Node.js)
      ○ Java EE Security (JBoss EAP / Thorntail)
      ○ OpenShift Audit Logging Integration
    ● OpenJDK
      ○ Heavy upstream work
        ■ OpenJDK Vulnerability Group
        ■ Kerberos cross-realm referrals
        ■ SunPKCS11 memory leak fix
        ■ TLS 1.2 Master Secret extension work


  • OpenShift Service Mesh

    ● Relieves developers of securing microservice traffic, enforcing policy
    ● Automatic transport encryption
    ● Ingress, Egress, Service-to-service mutual authentication
    ● Traceability of east / west traffic
    ● Application observability via Kiali
    ● Pluggable authentication and policy enforcement


  • Cross-Zone OpenShift Cluster

    Application pods run on one OpenShift Cluster.

    Micro-segmented with network security policies.

    Infra Nodes in each zone run Ingress and Egress pods for specific zones.

    If required, physical isolation of pods to specific nodes is possible with node-selectors. But that can reduce worker node density.


  • Getting you there: Consulting & Trainings


  • Simplifying your open source security journey

    Built-in Security Technologies

    Services, Training, Support & Trusted Advisor

    Challenges addressed: Compliance & Security, Open Source Confusion, Skills & Talent, ?

  • Security & Red Hat Consulting Services

  • Red Hat Security Training and Certification Offerings

    1. D0500: DevOps Culture and Practice Enablement

    2. D0700: Container Adoption Boot Camp

    3. D0426: Securing Containers and OpenShift (with exam)

  • Questions?

  • Thank you

    linkedin.com/company/red-hat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHat

    Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.