
Page 1: SECURING CONTAINERS - CSCOUT

SECURING CONTAINERS
They are Coming – Are you Ready?
Jessica Hoffman & Sese Bennett
July 30, 2018

Page 2: WHAT ARE CONTAINERS?

[CONFIDENTIAL]

It depends on who you ask…

INFRASTRUCTURE
Sandboxed application processes on a shared Linux OS kernel
Simpler, lighter, and denser than virtual machines
Portable across different environments

APPLICATIONS
Package my application and all of its dependencies
Deploy to any environment in seconds and enable CI/CD
Easily access and share containerized components including the OS kernel

Page 3: CONTAINERS VS. VIRTUAL MACHINES

[Diagram: container stack beside a virtual machine stack, each managed by an Orchestrator]

Page 4: The Rise of Containers

[Timeline: Jails, VServer, Snapshots, cgroups, Namespaces, LXC, Docker]

Jails: FreeBSD Jails expand on Unix chroot to isolate files
VServer: Linux-Vserver ports kernel isolation, but requires recompilation
Snapshots: Solaris Zones bring the concept of snapshots
cgroups: Google introduces Process Containers, merged as cgroups
Namespaces: Red Hat adds user namespaces, limiting root access in containers
LXC: IBM creates LXC, providing user tools for cgroups and namespaces
Docker: Docker provides simple user tools and images. Containers go mainstream

Page 5: SO THAT MEANS… LEGACY & NEW APPS MOVING TO CONTAINERS

23% Using containers for new applications only
73% Using containers for new applications and some pre-existing “legacy” applications
4% Using containers for pre-existing “legacy” applications only

Stats Courtesy: ESG

Page 6: APP CONTAINERS ARE MOVING INTO PRODUCTION

56% already in production
24% in next 12 months

[Pie chart of survey responses; chart values shown: 1%, 13%, 42%, 24%, 16%, 4%]
Yes, we have already deployed an extensive number of containerized production applications
Yes, we have already deployed a few containerized production applications
No, but we are testing it and plan to start deploying to production in the next 12 months
No, but we intend to start testing it in our lab in the next 12 months
No, and we have no plans to
Don’t know

Stats Courtesy: ESG

Page 7: BIG HURDLE TO CONTAINER ADOPTION?

Page 8: WHY DEPLOY CONTAINERS?

Image Courtesy - The SDxCentral 2017 Container and Cloud Orchestration Report

Page 9: APPLICATION CONTAINERS WILL BE A $2.7B MARKET BY 2020

Page 10: CONTAINERS ARE COMING. WILL YOU BE READY?

Page 11: THE UP SIDE

Presents a rare opportunity for security to move upstream
Containers are exceptionally light and fast. The same hardware can support an exponentially larger number of containers than VMs
Adoption can be a catalyst for improved security overall
Can better protect against some existing threats and help you react quickly to emerging security issues
Containers are transparent
Container security is multi-level and containers can be secure if configured correctly!

Page 12: THE DOWN SIDE

As awesome as containers are, they also introduce unique new risks.

Containers were not inherently architected with security in mind.

If containers are not on your radar, now’s the time to get up to speed because they are probably already deployed somewhere within your organization.

Page 13: CONTAINER SECURITY ISSUES

34% Inability to efficiently verify that container registry images meet their organization’s security and compliance requirements.
35% Current server workload security solutions do not support the same functionality for containers.
30% Potential for container sprawl creates loose access controls between containers, creating vulnerabilities.
27% Portability and transient nature of containers make them more susceptible to “in motion” compromises.
33% A lack of mature solutions available for container security.

Statistics Courtesy: CSO Magazine, May 2017

Page 14: PREPARE FOR THE WORST

Page 15: OLD SCHOOL (SECURITY) JUST AIN’T COOL

Page 16: OLD SCHOOL SECURITY

“Siloed” Security Teams
At many organizations, security remains the province of a team of security experts. They review code after it is written—or worse, already in production. They work in silos, isolated from the rest of the software delivery team. This isolation (which results in part from the difficulty of integrating security review into monolithic application development) leads to security lapses.

Perimeter-level Security
Most security tools still focus on protecting the perimeter of software environments. They harden the network using firewall rules. They lock down servers using access control policies. These practices do not help in the event that an attacker is able to defeat perimeter-level defenses and gain access to the interior of an environment.

Manual Configuration & Management
Today’s security tools are often capable in theory of real-time threat detection. But because they require manual configuration, their ability to identify and react to threats in real time is limited. If you have to configure security definitions manually to find threats, you will not be able to detect threats quickly.

Rot-Prone Configuration
Another crucial weakness that arises from a reliance on manual configuration is a susceptibility to configuration “rot.” As a software environment changes, configurations that are manually updated become outdated—or in other words, they rot.

Page 17: NEW SCHOOL CONTAINER SECURITY

NIST Special Publication 800-190 defines five core areas that must be considered when addressing container security:

Image: User defined processing definitions
Registry: Technology that stores/deploys created images
Container: Rapidly deployed & highly portable processing environment
Orchestrator: The “brains” that manages the container environment
Host OS: The foundation for containerization platforms

Page 18: NEW SCHOOL APPROACH

Automate Container Security
Manage Image Vulnerabilities
Minimize Attack Surfaces
Harden Hosts
Tighten Access Controls
Limit Dependencies
Access Existing Practices & Tools
Eliminate Silos
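As an added illustration of what "automate container security" can look like in practice (this is example code written for this page, not material from the slide deck or from cSCOUT), the script below is a small Dockerfile linter that encodes three of the practices listed above: manage image vulnerabilities (flag an unpinned base image), minimize attack surfaces (flag an image whose last USER is root, and flag credentials baked into ENV/ARG), and limit dependencies (flag apt-get installs that pull in recommended packages). The two Dockerfiles and the rule names are constructed for the example; the checks are deliberately simple pattern rules, not a replacement for a real scanner.

```python
"""Minimal Dockerfile hardening check (added example, not from the original slides).

Rule names, severity wording and both sample Dockerfiles below are constructed
for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a typical first-draft Dockerfile with several weak settings.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl build-essential
ENV DB_PASSWORD=hunter2
COPY app /app
CMD ["/app/server"]
"""

# Constructed sample: the same image after hardening.
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --uid 10001 app
COPY --chown=app:app app /app
USER app
CMD ["/app/server"]
"""

# Variable names that suggest a credential is being baked into the image.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuation lines
    and skips comments and blank lines."""
    joined: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep collecting
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf.strip())
    result: List[Tuple[str, str]] = []
    for line in joined:
        parts = line.split(None, 1)
        result.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return result


def base_image_tag(image: str) -> Optional[str]:
    """Tag of an image reference, or None if it has no tag. A registry port
    ("registry.example.com:5000/app") is not mistaken for a tag because only
    the last path component is inspected."""
    last = image.split("/")[-1]
    return last.split(":", 1)[1] if ":" in last else None


def check_dockerfile(text: str) -> List[Dict[str, str]]:
    """Run the hardening rules over a Dockerfile and return a list of findings."""
    findings: List[Dict[str, str]] = []
    last_user: Optional[str] = None
    for inst, args in parse_instructions(text):
        if inst == "FROM":
            image = args.split()[0]           # drop any "AS stage" alias
            if image == "scratch" or "@" in image:
                continue                      # empty base or digest-pinned: fine
            tag = base_image_tag(image)
            if tag is None or tag == "latest":
                findings.append({"rule": "unpinned-base-image",
                                 "practice": "Manage Image Vulnerabilities",
                                 "detail": f"base image '{image}' is not pinned to a version"})
        elif inst == "RUN":
            if "apt-get" in args and "install" in args and "--no-install-recommends" not in args:
                findings.append({"rule": "extra-packages",
                                 "practice": "Limit Dependencies",
                                 "detail": "apt-get install without --no-install-recommends"})
        elif inst in ("ENV", "ARG"):
            key = re.split(r"[=\s]", args, 1)[0]
            if SECRET_NAME.search(key):
                findings.append({"rule": "secret-in-image",
                                 "practice": "Minimize Attack Surfaces",
                                 "detail": f"{inst} {key} looks like a credential baked into the image"})
        elif inst == "USER":
            last_user = args.split(":")[0].strip()
    if last_user is None or last_user in ("root", "0"):
        findings.append({"rule": "runs-as-root",
                         "practice": "Minimize Attack Surfaces",
                         "detail": "no non-root USER set before the image's entrypoint"})
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name}: {len(check_dockerfile(text))} finding(s)")
        for f in check_dockerfile(text):
            print(f"  [{f['rule']}] ({f['practice']}) {f['detail']}")
```

Run as a script it reports four findings for the weak Dockerfile and none for the hardened one. Wiring a check like this into the image build pipeline is the point of the slide: the rules run on every commit instead of in a manual review after the image is already in a registry.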

Page 19: BOTTOM LINE

HOPING FOR THE BEST IS NOT A (GOOD) OPTION

Page 20: KEEP IN TOUCH WITH US! ANY QUESTIONS?

Sese Bennett
(615) 767-7902
[email protected]

Jessica Hoffman
(615) 917-5244
[email protected]