Container Deployment and Security Best Practices

Similar documents
TEN LAYERS OF CONTAINER SECURITY

CoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018

RED HAT CONTAINER CATALOG

S Automating security compliance for physical, virtual, cloud, and container environments

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Red Hat Roadmap for Containers and DevOps

Automating Security and Compliance for Hybrid Environments

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

THE STATE OF CONTAINERS

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

Red Hat Container Catalog Consuming Container Images from Red Hat and its Ecosystem. Dirk Herrmann Product Owner Container Catalog May 2nd 2017

TEN LAYERS OF CONTAINER SECURITY

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

RED HAT QUAY. As part of OCP Architecture Workshop. Technical Deck

Identity Management and Compliance in OpenShift

HOW TO MAKE THE CASE TO MANAGEMENT: PAYING FOR OPEN SOURCE

RED HAT OPENSHIFT A FOUNDATION FOR SUCCESSFUL DIGITAL TRANSFORMATION

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

CS 356 Operating System Security. Fall 2013

CREATING A CLOUD STRONGHOLD: Strategies and Methods to Manage and Secure Your Cloud

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Overcoming the Challenges of Automating Security in a DevOps Environment

SYMANTEC DATA CENTER SECURITY

Security Configuration Assessment (SCA)

Datacenter Security: Protection Beyond OS LifeCycle

RED HAT CLOUDFORMS. Chris Saunders Cloud Solutions

Title DC Automation: It s a MARVEL!

AWS Reference Design Document

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

FISMA COMPLIANCE FOR CONTAINERIZED APPS

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

Automating Security Practices for the DevOps Revolution

ENTERPRISE-GRADE MANAGEMENT FOR OPENSTACK WITH RED HAT CLOUDFORMS

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

MODERNIZING TRADITIONAL SECURITY:

Vulnerability Management

Backup strategies for Stateful Containers in OpenShift Using Gluster based Container-Native Storage

Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and

Defining Security for an AWS EKS deployment

A10 HARMONY CONTROLLER

Carbon Black PCI Compliance Mapping Checklist

Secure VFX in the Cloud. Microsoft Azure

Reinvent Your 2013 Security Management Strategy

CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

T22 - Industrial Control System Security

Service Mesh and Microservices Networking

McAfee Embedded Control

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

McAfee Embedded Control

Security & Compliance in the AWS Cloud. Amazon Web Services

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Automating, Securing, and Managing Cox Automotive's (AutoTrader) Big Data Infrastructure

Securing Your Cloud Introduction Presentation

McAfee Public Cloud Server Security Suite

Kubernetes Performance-Sensitive Application Platform

Getting Started with AWS Security

Will your application be secure enough when Robots produce code for you?

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Kubernetes Integration Guide

VMWARE ENTERPRISE PKS

Total Security Management PCI DSS Compliance Guide

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Security Compliance and Data Governance: Dual problems, single solution CON8015

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

McAfee Embedded Control for Retail

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Technical Brief Distributed Trusted Computing

Microsoft Security Management

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CLOUD WORKLOAD SECURITY

Mapping BeyondTrust Solutions to

A Greybeard's Worst Nightmare

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

NIST Special Publication

Security and Compliance at Mavenlink

Twilio cloud communications SECURITY

CyberPosture Intelligence for Your Hybrid Infrastructure

Qualys Cloud Platform

Closing the Hybrid Cloud Security Gap with Cavirin

Architecting Microsoft Azure Solutions (proposed exam 535)

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

Managing Microsoft 365 Identity and Access

Symantec Endpoint Protection Family Feature Comparison

VMWARE PIVOTAL CONTAINER SERVICE

Ansible for Incident Response

Building a More Secure Cloud Architecture

Transcription:

Container Deployment and Security Best Practices How organizations are leveraging OpenShift, Quay, and Twistlock to deploy, manage, and secure a cloud native environment. John Morello CTO Twistlock Dirk Herrmann OpenShift PM

Who We Are 2 John Morello Dirk Herrmann CTO, Twistlock Openshift & Quay PM

What We Will Cover Today The what / why of NIST Special Publications SP800-190 and why it matters if you have containers deployed How Red Hat and Twistlock can help you achieve the SP800-190 recommendations Takeaways & Q + A

The What and Why of NIST

What is a NIST Special Publication? Created for significant advancements in technology Vendor-agnostic, high level recommendations Designed for government and private sector use The foundation of a collaborative effort between Red Hat and Twistlock to address items inside this publication for our customers.

NIST SP 800-190: Why This Matters If You Have Containers Deployed

The Challenges of Securing Containers Why Create a new NIST SP? Containers have altered how applications are built, packaged and deployed. Containers scale up and down far more significantly Development cycles have shrunk from months to days Automation has shifted security across the SDLC Traditional security guidance does not account for this scale, speed and automation

Many organizations struggle with the burden of managing security across hundreds of VMs. As container-centric architectures become the norm and these organizations are responsible for thousands or tens of thousands of containers, their security practices should emphasize automation and efficiency to keep up. Source: NIST Special Publication 800-190 - Application Container Security Guide 8

SP 800-190 Looks at 5 Risk Areas Image Registry Orchestrator Container Host OS

Image Countermeasures Use container-specific technology for vulnerability, compliance and secrets management Integrate checks and monitoring across the image lifecycle Automated, policy-driven enforcement Mitigate risks with trusted images

Registry Countermeasures Configure development tools, orchestrators, runtimes to require encryption when connecting to registries Identify and prevent use of stale images within registries Require authentication for read/write access to registries

Orchestrator Countermeasures Use least privilege access model Separate network traffic by sensitivity level Isolate workloads by sensitivity levels Build resilience for each node

Container Countermeasures Automatically monitor for and remediate CVEs in the container runtime Dynamically generate network filtering policy to control inter-container traffic Automate compliance checks and leverage technologies like SELinux and seccomp profiles Use behavioral learning to profile applications and prevent anomalies Full audit trail for container deployment and activity

Host Countermeasures Use a container-specific OS when possible Do not mix containerized / non-containerized workloads on a host Automate vulnerability detection for host OS and its components Leverage orchestrators when possible to distribute container jobs across hosts monitor access patterns Run containers with a minimal set of file system permissions

How Redhat and Twistlock help you achieve the SP 800-190 recommendations

Container Technology Architecture The five tiers of the container technology architecture according to NIST 800-190 Developer Systems Testing & Accreditation Registry Orchestrator Hosts Self-service Provisioning Vuln Scanning Whitelists Container Host OS Image Signing RBAC / Auditing Secure by default Network traffic control Over-the-air Updates Multi-tenant RHEL hardening tools & docs Consistent Environments Automated build & deploy CI/CD pipelines Workload separation

Container Host OS What Red Hat and Twistlock offer Use container-specific host OSs instead of general-purpose ones to reduce attack surfaces. Red Hat CoreOS as container-specific host OS Immutable host, delivered with OpenShift Minimal, secure OS designed to only run containers and one-touch provisioning RHEL as an alternative host OS (including all its security features and tooling around) Twistlock helps securing the hosts as well (vulnerability & compliance mgt, runtime def)

Container Host OS What Red Hat and Twistlock offer However, it is important to note that container-specific host OSs will still have vulnerabilities over time that require remediation. Automated updates and CVE remediation (over-the-air-updates) Centrally managed or via cluster console Updates delivered via OCI images and could be secured as all other workload images

Image Specific Countermeasures What Red Hat and Twistlock offer Use container-specific technology for vulnerability, compliance and secrets mgt Integrate checks and monitoring across the image lifecycle Automated, policy-driven enforcement Continuous vulnerability scanning (Clair) Multiple metadata sources for Red Hat and other content Scalability up to millions of images battle tested over years (Quay.io) Notifications and Reporting / Dashboards* Policy enforcement in OpenShift based on various attestations (incl. vulnerabilities)* * coming soon

Vulnerability Scanners What Red Hat and Twistlock offer Detects vulnerabilities and malware in containers and hosts at every stage of the lifecycle for Linux and Windows (4.1.1, 4.4.1, 4.5.3, 4.2.2, 4.1.3) Environmental context and other risk factors are used to generate a custom risk score for each CVE 30+ upstream sources are combined for the lowest possible false positive rate Risk tree + per-layer views help pinpoint patching efforts

Registry Countermeasures How Red Hat Quay, OpenShift and Twistlock address them Host can only connect to the registry over encrypted channels all access requires authentication, especially write access (push) all write access is audited and read actions are logged auto-pruning of (outdated / vulnerable) stale images* context-aware authorization control to actions integrated automated scanning of images * implementation not based on pruning but on restricting their usage via policies, coming soon

Image Countermeasures - Untrusted Images Capability to centrally control exactly what images and registries are trusted in their environment Discrete identification of each image by cryptographic signature Enforcement that all hosts only run images from these approved lists Validation of image signatures before image execution to ensure images are from trusted sources and have not been tampered with Ongoing monitoring and maintenance of these repositories to ensure images within them are maintained and updated as vulnerabilities and configuration requirements change

At Build..What Are The Considerations? What Red Hat and Twistlock offer Red Hat Container Catalog & Health Index Red Hat Quay as the content ingress point for all containerized applications Only import trusted images (whitelists) Automated vuln scanning after push attestations for policy mgt / enforcement Centrally define trusted image and enforcement policies to block non-trusted deployments (4.1.5,4.2.1) Full-lifecycle compliance checking for misconfigurations, unencrypted secrets, and industry best practices (PCI, GDPR, etc) (4.1.2,4.1.4) Build Pipeline part of OpenShift Webhooks, triggers and notifications

I m Moving Code to Production...Now What? What Red Hat and Twistlock offer Several technologies and tools to harden environments and clusters Environment specific policies to ensure highest level of protection for production* Policy enforcement based on various attestations (signatures, vuln s, labels)* Continuous vulnerability scanning and notifications (including rebuild triggers) Automatically enforced whitelist-based models to prevent anomalous behavior across containers and hosts (4.4.2, 4.4.4, 4.4.5, 4.5.1) East west firewalling that uses machine learning to microsegment your environment (4.4.2) Running containers and hosts are continually re-assessed for new vulnerabilities (4.4.1, 4.5.3) Automated operations across the stack * coming soon

Container-Aware Runtime Defense Tools What Red Hat and Twistlock offer Automatically enforced whitelist-based models (process, network, filesystem, system calls) to prevent anomalous behavior across containers and hosts (4.4.2, 4.4.4, 4.4.5, 4.5.1) East west firewalling that uses machine learning to microsegment your environment and container-aware L7 firewalls (4.4.2) Running containers and hosts are continually re-assessed for new vulnerabilities (4.4.1, 4.5.3)

NIST 800-190 Key Take-Aways Adapt your IT organization and operational model to reflect new paradigms Use container host operating system variants for smaller attack surface Keep workloads separated by sensitivity levels Use tools and processes built for the new paradigms and technologies Carefully select content and implement a content governance process Choose tools that give you visibility into your full stack - containers, hosts and orchestration.

Takeaways + Q&A

Q&A

THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhat youtube.com/user/redhatvideos

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback