Microservices a security nightmare? GOTO Nights Zürich - March 3, 2016 Maximilian Container Solutions Switzerland

Transcription

1

2 Microservices a security nightmare? GOTO Nights Zürich - March 3, 2016 Maximilian Container Solutions Switzerland

3

4

5

6

7 Microservices (2016) small, hence many services talking over the network built with different technologies by autonomous teams with end-to-end responsibility doing DevOps and Continuous Delivery using containers

8 Microservices (2016) small, hence many services talking over the network built with different technologies by autonomous teams with end-to-end responsibility doing DevOps and Continuous Delivery using containers

9 Microservices are the result of combining architectural ideas from lightweight SOA and Domain Driven Design, organisational approaches like DevOps and Agile Software Development, and technology innovations like Containers and Programmable Infrastructure

10 Technology Architecture Organisation

11 Monolith

12 many small services

13 Monolith - method calls

14 Microservices - talking over the network

15 Monolith - few technologies Java 7 (1.7.0_03)

16 Microservices - built with different technologies Java 8 nodejs 0.9 Java 7 Ruby 2.1 Go 1.4

17 Security Gates vs

18 autonomous teams with end-to-end responsibility

19 dedicated security experts vs (ISC) 2

20 doing DevOps OWASP??

21 classic Security Sandwich vs Specification Implementation Validation

22 Continuous Delivery

23 well isolated real server vs

24 using containers

25 Attack surface - VMs vs containers XEN Hypervisor - 10^5 LOC Linux Kernel - 10^7 LOC

26

27

28 Highly coupled services No clear boundaries

29 Loosely coupled services Clear boundaries

30 many small services

31 impact of breach can be contained locally

32 Clear service boundaries limit the impact of breaches

33 Keep APIs minimal

34 Microservices have their own data store user_db payment_ data cat_ pictures (stateless) (stateless)

35 Microservices have their own data store user_db payment_ data cat_ pictures (stateless) (stateless)

36 Let the need-to-know principle guide your API design

37 different security levels should require different security properties in services, e.g. encryption, auth, security testing user_db payment_ data cat_ pictures (stateless) (stateless)

38 Classify services into distinct security levels

39 API Gateways API Gateway Access control Rate limiting HTTPS termination...

40 API Gateways API Gateway WAF Payment Svc.

41 Isolate services with different security levels through gateways

42 Authorization & Authentication

43 Authorization & Authentication

44 Use scalable auth techniques without single points of failure

45

46 Secrets management vaultproject.io square.github.io/keywhiz

47 Manage secrets with special purpose services

48

49 Freeze image for analysis payment service instance #2 docs upload service instance #1 payment service instance #1 payment service instance #1 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

50 Or even the running container (criu.org) payment service instance #2 docs upload service instance #1 payment service instance #1 payment service instance #1 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

51 Leverage container features for forensics

52 Scheduling constraints payment service instance #2 docs upload service instance #1 payment service instance #1 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

53 Run services of different security levels on different hosts

54 Replace containers on deploy payment service instance #2 docs upload service instance #1 payment service instance #3 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

55 Embrace immutable infrastructure

56 built with different technologies Java 8 nodejs 0.9 Java 7 Ruby 2.1 Go 1.4

57 Monocultures

58 Scanning images at rest Nautilus (Docker Inc.) Clair (CoreOS)

59 Scan images already during the build process

60 Container technology BSD Jails 2000 Solaris Zones 2004 LXC 2008 rkt chroot 2001 Virtuozzo Linux-VServer 2007 cgroups 2013 Docker

61 Docker security hardening read-only containers minimal base images drop capabilities traditional hardening (AppArmor, SELinux )... container-solutions.com/security

62 Minimise the attack surface of images and hosts

63 Unify & secure deployment methods Simple to add TLS Authentication Authorisation Logging & Auditing Image verification scp git rsync

64 Have a single, hardened method to deploy

65

66 end-to-end responsibility

67 Gates and Accountability

68 Security Sandwich and Autonomy Specification Implementation Validation

69 Security Sandwich and Autonomy

70 Trust Accountability Expertise Trust Autonomy & Entrepreneurship Collaboration & Support Idea from A.T. Kearny Analysis

71 Security aspects must become part of the Definition of Done

72 Rugged Software Manifesto ruggedsoftware.org

73 SecDevOps? SecOps? DevSec?

74

75 The role of IT Architects is already changing Now, the role of the Security Team needs to change

76 Accountability ensures security is built in, not bolted on

77 Avg: 103 days to fix a vulnerability

78 CD reduces reaction time

79 Leverage Continuous Delivery as a security feature

80 Test pyramid confidence UI tests Service Tests faster feedback Unit Tests from Succeeding with Agile (Mike Cohn)

81 Security-Test pyramid / AppSec pipeline confidence E2E security tests Vulnerability scanning faster feedback static code analysis

82 BDD style gauntlt.org continuumsecurity.net/bdd-intro.html

83 Have your test pyramid reflect security

84 Technology Architecture Organisation

85 Architecture Clear service boundaries limit the impact of breaches Let the need-to-know principle guide your API design Classify services into distinct security levels, which mandate different security properties Use scalable auth techniques without single points of failure Isolate services with different security levels with gateways Manage secrets in specialised services

86 Technology Run services of different security levels on different hosts Leverage container features for forensics Embrace immutable infrastructure Scan images as part of the build process Have a single, hardened method to deploy Minimise the attack surface of images and hosts

87 Organisation Leverage Continuous Delivery as a security feature Have your test pyramid reflect security Accountability ensures security is built in, not bolted on

88 Nightmare?

89 @schoefmann container-solutions.com