TEN LAYERS OF CONTAINER SECURITY
Kirsten Newcomer, Security Strategist
WHAT ARE CONTAINERS?
Containers change how we develop, deploy and manage applications.
INFRASTRUCTURE
- Sandboxed application processes on a shared Linux OS kernel
- Simpler, lighter, and denser than virtual machines
- Portable across different environments
APPLICATIONS
- Package my application and all of its dependencies
- Deploy to any environment in seconds and enable CI/CD
- Easily access and share containerized components
SECURING CONTAINERS: LAYERS & LIFECYCLE
1. Container Host & Multi-tenancy
2. Container Content
3. Container Registries
4. Building Containers
5. Deploying Containers
6. Container Platform
7. Network Isolation
8. Storage
9. API Management
10. Federated Clusters
1. CONTAINER HOST & MULTI-TENANCY: THE OS MATTERS
RED HAT ENTERPRISE LINUX: the foundation for secure, scalable containers. A stable, reliable host environment with built-in security features that isolate containers from other containers and limit what a container can do to the shared kernel:
- SELinux: mandatory access control that confines each container's processes and files, so a process that escapes its namespace still cannot read or write what it is not labelled for
- Kernel namespaces: separate views of processes, network, mounts, users and IPC, so a container does not see the host or other containers
- Cgroups: CPU, memory and I/O limits, so one container cannot starve the host or its neighbours
- Seccomp: system call filtering, so a container cannot reach kernel interfaces it does not need
RED HAT ENTERPRISE LINUX ATOMIC HOST: a minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.
2. CONTENT: USE TRUSTED SOURCES
- Are there known vulnerabilities in the application layer?
- Are the runtime and OS layers up to date?
- How frequently will the container be updated, and how will I know when it's updated?
Red Hat rebuilds container images when security fixes are released.
3. PRIVATE REGISTRIES: SECURE ACCESS TO IMAGES
Image governance and private registries
- What security metadata is available for your images?
- Are the images in the registry updated regularly?
- Are there access controls on the registry? How strong are they?
Red Hat Container Registry: policies to control who can deploy which containers.
Certification Catalog: trusted content with security updates.
[Diagram: an image as stacked layers (container app, runtime, OS) running on the host OS]
4. MANAGING CONTAINER BUILDS: SECURITY & CONTINUOUS INTEGRATION
- The layered packaging model supports separation of concerns: operations, architects and application developers each own different layers of the image
- Integrate security testing into your build / CI process
- Use automated policies to flag builds with issues
- Trigger automated rebuilds when a lower layer is fixed
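The two build-side policies above, as an added example (not the page's or Red Hat's own tooling): a gate that fails a build on scan findings above a severity threshold, and a lookup that finds every image needing a rebuild when a base layer gets a security fix. The scan report, severity scale, finding identifiers (placeholders, not real CVEs) and image lineage are constructed for the example.

```python
"""Build-stage policy: fail builds on scan findings, find images to rebuild.

Added example, not the page's or Red Hat's own tooling. The scan report, the
severity scale and the image lineage below are constructed for illustration;
finding identifiers are placeholders, not real CVEs.
"""

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

# Constructed scanner output for one build of an application image.
SCAN_REPORT = {
    "image": "registry.example.com/team/web:42",  # assumed image name
    "findings": [
        {"id": "FINDING-1", "severity": "Critical", "layer": "runtime",
         "package": "libfoo", "fix_available": True},
        {"id": "FINDING-2", "severity": "Important", "layer": "app",
         "package": "app-lib", "fix_available": False},
        {"id": "FINDING-3", "severity": "Low", "layer": "os",
         "package": "somepkg", "fix_available": True},
    ],
}


def gate_build(report, threshold="Important"):
    """Return {"passed", "blocking", "warnings"} for a scan report.

    A finding at or above the threshold blocks the build when a fix exists
    (rebuild on the fixed layer instead of shipping it). A finding at or
    above the threshold with no fix yet is reported but does not block, so
    the pipeline does not stall on something nobody can act on.
    """
    floor = SEVERITY_RANK[threshold]
    blocking, warnings = [], []
    for finding in report["findings"]:
        if SEVERITY_RANK[finding["severity"]] < floor:
            continue
        target = blocking if finding["fix_available"] else warnings
        target.append(finding["id"])
    return {"passed": not blocking, "blocking": blocking, "warnings": warnings}


# Constructed lineage: image -> the base image it is built FROM (None = root).
LINEAGE = {
    "rhel7": None,
    "jboss-eap": "rhel7",
    "python-base": "rhel7",
    "team/web": "jboss-eap",
    "team/batch": "rhel7",
    "other/api": "python-base",
}


def images_to_rebuild(lineage, updated):
    """Images that must be rebuilt when `updated` receives a security fix.

    The result is ordered so that every image appears after the base it is
    built from, which is the order a rebuild trigger has to respect.
    """
    children = {}
    for child, parent in lineage.items():
        children.setdefault(parent, []).append(child)
    order = []
    frontier = sorted(children.get(updated, []))
    while frontier:
        order.extend(frontier)
        next_level = []
        for image in frontier:
            next_level.extend(children.get(image, []))
        frontier = sorted(next_level)
    return order


if __name__ == "__main__":
    print(gate_build(SCAN_REPORT))
    print(images_to_rebuild(LINEAGE, "rhel7"))
```

With the constructed report, the build fails on FINDING-1 (Critical, fix available) and only warns about FINDING-2; updating the rhel7 base image schedules five rebuilds, intermediate images before the application images that depend on them.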
5. MANAGING CONTAINER DEPLOYMENT: SECURITY & CONTINUOUS DEPLOYMENT
- Monitor the image registry to automatically replace affected images
- Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
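A deployment gate of the kind described here and under the registry layer ("policies to control who can deploy which containers"), as an added example that is not the page's or OpenShift's own admission code. It evaluates a Kubernetes pod manifest and refuses anything that runs as root, asks for a privileged container or host namespaces, or pulls from outside an assumed registry allowlist; the two sample pods and the allowlist are constructed for the example.

```python
"""Admission-style deployment gate over a Kubernetes pod manifest.

Added example, not OpenShift's or Kubernetes' own admission logic. The trusted
registry list and the two sample pods are assumptions made for illustration.
"""

TRUSTED_REGISTRIES = ("registry.example.com",)  # assumed allowlist


def _effective(container, pod_spec, key, default=None):
    """Container-level securityContext overrides the pod-level one."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod_spec.get("securityContext") or {}
    if key in c_ctx:
        return c_ctx[key]
    return p_ctx.get(key, default)


def _registry_of(image):
    """Registry host of an image reference; bare names resolve to docker.io."""
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def check_pod(pod):
    """Return the list of policy violations; an empty list means admit."""
    spec = pod["spec"]
    violations = []

    for host_key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_key):
            violations.append(f"pod shares the host {host_key[4:]} namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol['name']} mounts a hostPath")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c["name"], c.get("image", "")
        c_ctx = c.get("securityContext") or {}

        # runAsUser 0 is explicit root. With neither runAsUser nor
        # runAsNonRoot set, the image's USER directive decides, which the
        # gate treats as "requires root" until the manifest says otherwise.
        run_as_user = _effective(c, spec, "runAsUser")
        run_as_non_root = _effective(c, spec, "runAsNonRoot", False)
        if run_as_user == 0:
            violations.append(f"{name}: runs as root (runAsUser 0)")
        elif run_as_user is None and not run_as_non_root:
            violations.append(f"{name}: does not guarantee a non-root user")

        if c_ctx.get("privileged"):
            violations.append(f"{name}: privileged container")
        if c_ctx.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation not disabled")
        for cap in (c_ctx.get("capabilities") or {}).get("add", []):
            if cap in ("SYS_ADMIN", "NET_ADMIN", "ALL"):
                violations.append(f"{name}: adds capability {cap}")

        if _registry_of(image) not in TRUSTED_REGISTRIES:
            violations.append(f"{name}: image {image} not from a trusted registry")
        if "@sha256:" not in image:
            violations.append(f"{name}: image {image} not pinned by digest")
    return violations


def admit(pod):
    return not check_pod(pod)


# Constructed sample manifests (dict form of the YAML a user would submit).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-app"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app",
            "image": "docker.io/library/nginx:latest",
            "securityContext": {"runAsUser": 0, "privileged": True},
        }],
    },
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "registry.example.com/team/web@sha256:" + "a" * 64,
            "securityContext": {
                "runAsNonRoot": True, "runAsUser": 1001,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], "->", check_pod(pod) or "admit")
```

The root check is deliberately pessimistic: a manifest that is silent about its user is rejected, because the gate cannot see the image's USER directive and a later retag could change it. Pinning by digest closes the same gap on the image side: a tag like `latest` can be repointed after the policy review, a digest cannot.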
6. SECURING THE CONTAINER PLATFORM
Use a container orchestration platform with integrated security features, including:
- Role-based access controls with LDAP and OAuth integration
- Platform multitenant security
- Image signing
- Secrets management
- Integration with the security ecosystem
7. NETWORK DEFENSE
Use network namespaces to:
- Isolate applications from other applications within a cluster
- Isolate environments (Dev / Test / Prod) from other environments within a cluster
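What the two isolation goals above look like once expressed as Kubernetes NetworkPolicy objects, as an added example rather than code from the page or from OpenShift: a small evaluator that applies the ingress semantics of NetworkPolicy (a pod selected by no policy is open; once any policy selects it, only listed peers may reach it; a podSelector peer matches only within the policy's own namespace; a namespaceSelector peer matches on namespace labels) to a constructed cluster with a dev and a prod namespace. Ports and egress are left out; the namespaces, pods and policies are assumptions made for the example.

```python
"""Evaluate Kubernetes NetworkPolicy ingress rules over a constructed cluster.

Added example, not the page's or OpenShift's code. Implements the ingress
semantics of NetworkPolicy for matchLabels selectors; ports, egress rules
and ipBlock peers are intentionally left out. Namespaces, pods and policies
below are constructed for illustration.
"""

NAMESPACES = {"dev": {"env": "dev"}, "prod": {"env": "prod"}}

PODS = {
    "dev/frontend": {"namespace": "dev", "labels": {"role": "frontend"}},
    "prod/frontend": {"namespace": "prod", "labels": {"role": "frontend"}},
    "prod/db": {"namespace": "prod", "labels": {"role": "db"}},
}

POLICIES = [
    # Default deny in prod: an empty podSelector selects every pod in the
    # namespace, and an empty ingress list admits nobody.
    {"name": "default-deny", "namespace": "prod", "podSelector": {},
     "policyTypes": ["Ingress"], "ingress": []},
    # Only frontends in the same namespace may reach the database.
    {"name": "allow-frontend-to-db", "namespace": "prod",
     "podSelector": {"role": "db"},
     "ingress": [{"from": [{"podSelector": {"role": "frontend"}}]}]},
    # Frontends accept traffic from anything in a prod-labelled namespace.
    {"name": "allow-from-prod", "namespace": "prod",
     "podSelector": {"role": "frontend"},
     "ingress": [{"from": [{"namespaceSelector": {"env": "prod"}}]}]},
]


def selects(selector, labels):
    """matchLabels semantics: every key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer, src, namespaces, policy_ns):
    """Does one entry of a rule's `from` list match the source pod?"""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if pod_sel is not None and ns_sel is None:
        # podSelector alone is scoped to the policy's own namespace.
        return src["namespace"] == policy_ns and selects(pod_sel, src["labels"])
    if ns_sel is not None and pod_sel is None:
        return selects(ns_sel, namespaces[src["namespace"]])
    if pod_sel is not None and ns_sel is not None:
        # Both in one peer entry: both must hold (logical AND).
        return (selects(ns_sel, namespaces[src["namespace"]])
                and selects(pod_sel, src["labels"]))
    return False  # ipBlock and other peer kinds are not modelled here


def ingress_allowed(src, dst, policies, namespaces):
    """True if traffic from pod `src` may reach pod `dst` under `policies`."""
    applicable = [
        p for p in policies
        if p["namespace"] == dst["namespace"]
        and "Ingress" in p.get("policyTypes", ["Ingress"])
        and selects(p.get("podSelector", {}), dst["labels"])
    ]
    if not applicable:
        return True  # no policy selects the pod: open by default
    for policy in applicable:
        for rule in policy.get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without `from` admits every source
            if any(peer_matches(pe, src, namespaces, policy["namespace"])
                   for pe in peers):
                return True
    return False


def reachability(pods, policies, namespaces):
    """Map (src_name, dst_name) -> allowed, for every ordered pair of pods."""
    return {(s, d): ingress_allowed(pods[s], pods[d], policies, namespaces)
            for s in pods for d in pods if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability(PODS, POLICIES, NAMESPACES).items()):
        print(f"{s:15} -> {d:15} {'allow' if ok else 'DENY'}")
```

Two things the matrix makes visible that the bullet list does not: the dev namespace has no policies at all, so every dev pod stays reachable from prod until dev gets its own default-deny; and the `podSelector`-only peer in allow-frontend-to-db never matches dev/frontend, because a podSelector peer is implicitly scoped to the policy's namespace.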
8. ATTACHED STORAGE
Secure storage by using:
- SELinux access controls
- Secure mounts
- Supplemental group IDs for shared storage
9. API MANAGEMENT
Container platform & application APIs:
- Authentication and authorization
- LDAP integration
- Endpoint access controls
- Rate limiting
10. FEDERATED CLUSTERS: ROLES & ACCESS MANAGEMENT
Securing federated clusters across data centers or environments:
- Authentication and authorization
- API endpoints
- Secrets
- Namespaces
Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools such as:
- Identity and access management / privileged access management
- External certificate authorities
- External vaults / key management solutions
- Container content scanners & vulnerability management tools
- Container runtime analysis tools
- Security Information and Event Management (SIEM)
BRINGING IT ALL TOGETHER
[Diagram: the OpenShift stack, top to bottom]
- Self-service service catalog: web & mobile (language runtimes, middleware, databases), data & storage, integration and business automation containers
- Container build automation and deployment automation
- Application lifecycle management (CI/CD)
- Container orchestration & cluster management (Kubernetes)
- Networking, storage, registry, logs & metrics, security
- Infrastructure automation & Cockpit
- Enterprise container host: container runtime & packaging (Docker) on Red Hat Enterprise Linux / Atomic Host
- Runs on physical, virtual, private cloud and public cloud infrastructure
MORE INFORMATION
- Red Hat OpenShift
- Why Choose Red Hat Containers?
- Ten Layers of Container Security whitepaper
- Security Practices in OpenShift at Amadeus
- KeyBank Goes Cloud-Native
THANK YOU & QUESTIONS
Contacting me: knewcomer@redhat.com
SECURITY ECOSYSTEM: OPENSHIFT PRIMED
Partners: Nuage Networks, Sysdig, NGINX, F5, Tremolo, Big Switch, Contiv, NeuVector, Cisco Contiv, Signal Sciences, JFrog, Inc., Sonatype, Black Duck, Aqua Security, Dynatrace, Aporeto, Treasure Data