TEN LAYERS OF CONTAINER SECURITY
Kirsten Newcomer, Security Strategist, Red Hat

WHAT ARE CONTAINERS?
Containers change how we develop, deploy and manage applications.

INFRASTRUCTURE
- Sandboxed application processes on a shared Linux OS kernel
- Simpler, lighter, and denser than virtual machines
- Portable across different environments

APPLICATIONS
- Package my application and all of its dependencies
- Deploy to any environment in seconds and enable CI/CD
- Easily access and share containerized components

Because every container on a host shares that host's kernel, a kernel vulnerability is reachable from every container on it; the sandbox is only as strong as the kernel's own isolation features, which is why the layers start with the host OS.

SECURING CONTAINERS: LAYERS & LIFECYCLE
1. Container host & multi-tenancy
2. Container content
3. Container registries
4. Building containers
5. Deploying containers
6. Container platform
7. Network isolation
8. Storage
9. API management
10. Federated clusters

1. CONTAINER HOST & MULTI-TENANCY: THE OS MATTERS

RED HAT ENTERPRISE LINUX
The foundation for secure, scalable containers: a stable, reliable host environment with built-in security features that let you isolate containers from other containers and from the kernel.

RED HAT ENTERPRISE LINUX ATOMIC HOST
A minimized host environment tuned for running Linux containers while keeping the built-in security features of Red Hat Enterprise Linux.

Host features that provide the isolation:
- SELinux: mandatory access control; each container runs under its own label, so a process that escapes one container is still confined from the host and from other containers' files
- Kernel namespaces: separate pid, network, mount, IPC, UTS and user views for each container
- Cgroups: resource limits, so one tenant cannot starve the host or its neighbours
- Seccomp: filters the system calls a container may make, shrinking the kernel attack surface reachable from the container
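The slide names the kernel controls; what a practitioner wants is a way to confirm a running container actually has them. The script below is an added example, not code from the deck or from Red Hat: it parses the fields of /proc/&lt;pid&gt;/status that record the seccomp mode, no_new_privs and the effective capability set, decodes the capability bitmask into names, and lists anything a hardened pod should not have. The two status excerpts are constructed; the capability numbering and the Docker default mask 0xa80425fb are real values.

```python
"""Check the kernel-level isolation a containerised process actually has.

Added example (not from the slides): read /proc/<pid>/status, decode the
seccomp mode, no_new_privs and CapEff, and flag the gaps. The status
excerpts at the bottom are constructed samples.
"""

# Linux capability numbers from include/uapi/linux/capability.h; list index = bit.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that commonly give a process a route out of the container.
DANGEROUS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
             "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF", "CAP_PERFMON"}


def decode_caps(mask_hex):
    """Turn a CapEff/CapBnd hex mask into capability names, in bit order."""
    mask = int(mask_hex, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(text):
    """Return /proc/<pid>/status as a dict of field name -> raw value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(status_text):
    """Summarise the sandbox and list anything a hardened pod should not have."""
    f = parse_status(status_text)
    seccomp = {"0": "disabled", "1": "strict", "2": "filter"}.get(f.get("Seccomp", ""), "unknown")
    caps = decode_caps(f.get("CapEff", "0"))
    uid = f["Uid"].split()[0] if f.get("Uid") else None   # real uid is the first column
    findings = []
    if seccomp == "disabled":
        findings.append("no seccomp filter")
    if f.get("NoNewPrivs") == "0":
        findings.append("no_new_privs not set")
    if uid == "0":
        findings.append("runs as uid 0")
    for cap in sorted(set(caps) & DANGEROUS):
        findings.append("holds " + cap)
    return {"seccomp": seccomp, "uid": uid, "caps": caps, "findings": findings}


def assess_pid(pid="self"):
    """Same check against a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        return assess(fh.read())


# Constructed sample: a container started with the Docker default capability set.
DEFAULT_CONTAINER = """\
Name:\tnginx
Pid:\t1
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
NoNewPrivs:\t0
Seccomp:\t2
"""

# Constructed sample: a --privileged container (full bounding set, no seccomp).
PRIVILEGED_CONTAINER = """\
Name:\tdebug
Pid:\t1
Uid:\t0\t0\t0\t0
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
NoNewPrivs:\t0
Seccomp:\t0
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONTAINER), ("privileged", PRIVILEGED_CONTAINER)):
        result = assess(text)
        print(label, result["seccomp"], result["findings"])
```

Run it inside a pod (`assess_pid()`) or from the host against a container's init pid; the Docker default set is enough to flag "runs as uid 0" and a missing no_new_privs even though no dangerous capability is present, which is exactly the kind of pod that layer 5 should refuse to deploy.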

2. CONTENT: USE TRUSTED SOURCES
Questions to ask of every image:
- Are there known vulnerabilities in the application layer?
- Are the runtime and OS layers up to date?
- How frequently will the container be updated, and how will I know when it is updated?
Red Hat rebuilds container images when security fixes are released. An image carries its own copy of the OS libraries and runtime, so patching the host does nothing for the image: a fix only reaches a workload when the image is rebuilt and redeployed.

3. PRIVATE REGISTRIES: SECURE ACCESS TO IMAGES
Image governance and private registries:
- What security metadata is available for your images?
- Are the images in the registry updated regularly?
- Are there access controls on the registry? How strong are they?
Red Hat Container Registry: policies to control who can deploy which containers.
Certification Catalog: trusted content with security updates.
[Diagram: the image layers (app, runtime, OS) sitting on the host OS]

4. MANAGING CONTAINER BUILDS: SECURITY & CONTINUOUS INTEGRATION
- The layered packaging model supports separation of concerns
- Integrate security testing into your build / CI process
- Use automated policies to flag builds with issues
- Trigger automated rebuilds
[Diagram: each image layer owned by a different role: operations, architects, application developers]
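"Integrate security testing into your build" and "use automated policies to flag builds" are easiest to see as a concrete CI gate. The linter below is an added example, not code from the deck or from any Red Hat product: it parses a Dockerfile and fails the build on the patterns that most often undo the content and host layers (an unpinned or untrusted base image, a download piped into a shell, a remote ADD, a credential baked into ENV/ARG, and no non-root USER). The rule names and the approved-registry list are this example's own choices, and both sample Dockerfiles are constructed.

```python
"""Build-time policy lint for a Dockerfile (added example, not from the deck)."""
import re

# Assumption for this example: only these registries are approved base-image sources.
TRUSTED_REGISTRIES = ("registry.access.redhat.com/", "registry.redhat.io/")


def parse_dockerfile(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash line continuations."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            instr, _, arg = line.partition(" ")
            yield instr.upper(), arg.strip()


def is_pinned(image):
    """True if the reference carries a digest or a non-floating tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]       # drop registry/namespace (a registry may carry a port)
    if ":" not in last:
        return False                      # no tag at all means :latest
    return last.split(":", 1)[1] != "latest"


def lint(text):
    """Return (rule, message) findings; an empty list means the build may proceed."""
    findings = []
    drops_root = False
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            image = arg.split()[0]        # ignore "AS <stage>"
            if image == "scratch":
                continue
            if not image.startswith(TRUSTED_REGISTRIES):
                findings.append(("untrusted-base", f"base image {image} is not from an approved registry"))
            if not is_pinned(image):
                findings.append(("unpinned-base", f"base image {image} is not pinned by digest or tag"))
        elif instr == "USER":
            drops_root = arg not in ("root", "0")
        elif instr == "RUN" and re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", arg):
            findings.append(("pipe-to-shell", "RUN pipes a download straight into a shell"))
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append(("remote-add", f"ADD fetches unverified remote content: {arg.split()[0]}"))
        elif instr in ("ENV", "ARG") and re.search(r"(?i)(password|passwd|secret|token|api_?key)\w*[\s=]", arg):
            findings.append(("secret-in-image", f"{instr} bakes a credential into the image: {arg.split('=')[0]}"))
    if not drops_root:
        findings.append(("runs-as-root", "no non-root USER instruction; the process runs as uid 0"))
    return findings


# Constructed sample: a typical quick-and-dirty Dockerfile.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && \\
    curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/app.tar.gz /opt/
ENV DB_PASSWORD=hunter2
EXPOSE 8080
CMD ["/opt/app/start"]
"""

# Constructed sample of the hardened form; the digest is a placeholder, not a real image.
GOOD_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:%s AS runtime
COPY app/ /opt/app/
RUN microdnf update -y && microdnf clean all
USER 1001
EXPOSE 8080
CMD ["/opt/app/start"]
""" % ("0" * 64)

if __name__ == "__main__":
    for rule, msg in lint(BAD_DOCKERFILE):
        print(f"{rule}: {msg}")
    print("hardened:", lint(GOOD_DOCKERFILE) or "clean")
```

Wire `lint()` into the CI job that precedes the image build and exit non-zero on any finding; pinning the base image by digest is what later makes "trigger automated rebuilds" possible, because the rebuild can be keyed on the exact layer that received a fix.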

5. MANAGING CONTAINER DEPLOYMENT: SECURITY & CONTINUOUS DEPLOYMENT
- Monitor the image registry to automatically replace affected images
- Use policies to gate what can be deployed: for example, if a container requires root access, prevent deployment
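The slide's example policy ("if a container requires root access, prevent deployment") is what a validating admission webhook, or a restrictive OpenShift SecurityContextConstraint, enforces. The function below is an added example, not code from the deck or from OpenShift: it inspects a pod spec in the Kubernetes v1 Pod layout and refuses anything that needs root, privilege escalation, host namespaces, host paths or added Linux capabilities. The two sample pods and the wording of the reasons are this example's own.

```python
"""Deployment gate for a pod spec (added example, not from the deck)."""


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def violations(pod):
    """Return the reasons the pod must not be admitted (empty list = admit)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            found.append(f"{key}: shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')}: mounts host path {vol['hostPath'].get('path')}")
    for c in _containers(spec):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        # Container-level fields override the pod-level securityContext.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if sc.get("privileged"):
            found.append(f"{name}: privileged container")
        if run_as_user == 0 or (run_as_user is None and not non_root):
            found.append(f"{name}: may run as root; set runAsNonRoot or a non-zero runAsUser")
        if sc.get("allowPrivilegeEscalation", True):      # the Kubernetes default is true
            found.append(f"{name}: allowPrivilegeEscalation is not disabled")
        for cap in sc.get("capabilities", {}).get("add", []):
            found.append(f"{name}: adds capability {cap}")
        if "@sha256:" not in c.get("image", ""):
            found.append(f"{name}: image {c.get('image')} is not pinned by digest")
    return found


def admit(pod):
    """Webhook-style verdict."""
    reasons = violations(pod)
    return {"allowed": not reasons, "reasons": reasons}


# Constructed sample: the kind of "debug" pod that must never reach production.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "docker.io/library/alpine:3.18",
            "securityContext": {"privileged": True, "runAsUser": 0,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

# Constructed sample of a compliant pod; the registry name and digest are placeholders.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example.invalid/shop/web@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], admit(pod))
```

Requiring a digest-pinned image is what makes the first bullet workable: when the registry reports that a digest is affected, the platform knows exactly which running workloads to replace.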

6. SECURING THE CONTAINER PLATFORM
Use a container orchestration platform with integrated security features, including:
- Role-based access controls with LDAP and OAuth integration
- Platform multi-tenant security
- Image signing
- Secrets management
- Integration with the security ecosystem
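Two controls from layers 3 and 6, "policies to control who can deploy which containers" and "image signing", combine into one decision at pull time: is this registry allowed at all, and if a signature is required, does it bind the exact manifest we fetched to the exact reference we asked for? The code below is an added example, not code from the deck or from Red Hat's tooling. It models the per-registry policy loosely on the containers/image policy.json types and lays the signed payload out as the "atomic container signature" JSON (manifest digest plus docker-reference). Real signatures are GPG-signed; to run offline this example substitutes HMAC-SHA256 with a shared key, and the policy, key and manifest are constructed.

```python
"""Registry policy plus image-signature verification (added example, not from the deck)."""
import hashlib
import hmac
import json

# Constructed policy: longest matching prefix wins; unknown registries are rejected.
POLICY = {
    "registry.example.invalid/": {"type": "signedBy", "key": "trusted-key"},
    "docker.io/": {"type": "reject"},
}
# Stand-in for a GPG public key: HMAC shared secret, constructed for this example.
KEYS = {"trusted-key": b"constructed-shared-secret"}


def manifest_digest(manifest_bytes):
    """The registry content address: sha256 over the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def sign(manifest_bytes, reference, key):
    """Produce the signed payload as the build pipeline would (HMAC stands in for GPG)."""
    payload = json.dumps({
        "critical": {
            "type": "atomic container signature",
            "image": {"docker-manifest-digest": manifest_digest(manifest_bytes)},
            "identity": {"docker-reference": reference},
        },
        "optional": {"creator": "example-ci"},
    }, sort_keys=True).encode()
    return {"payload": payload,
            "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def policy_for(reference):
    for prefix, rule in sorted(POLICY.items(), key=lambda kv: -len(kv[0])):
        if reference.startswith(prefix):
            return rule
    return {"type": "reject"}            # default deny


def verify(reference, manifest_bytes, signature):
    """Decide whether `reference`, whose fetched manifest is `manifest_bytes`, may run."""
    rule = policy_for(reference)
    if rule["type"] == "reject":
        return False, "registry not allowed by policy"
    if rule["type"] == "insecureAcceptAnything":
        return True, "accepted without signature"
    if signature is None:
        return False, "signature required but none present"
    key = KEYS[rule["key"]]
    expected = hmac.new(key, signature["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["signature"]):
        return False, "bad signature"                      # check the MAC before parsing
    critical = json.loads(signature["payload"])["critical"]
    if critical["type"] != "atomic container signature":
        return False, "unexpected payload type"
    if critical["image"]["docker-manifest-digest"] != manifest_digest(manifest_bytes):
        return False, "signed digest does not match fetched manifest"
    if critical["identity"]["docker-reference"] != reference:
        return False, "signature is for a different image reference"
    return True, "signature valid"


# Constructed manifest standing in for what the registry returns.
MANIFEST = b'{"schemaVersion": 2, "layers": []}'
REFERENCE = "registry.example.invalid/shop/web:1.0"
SIGNATURE = sign(MANIFEST, REFERENCE, KEYS["trusted-key"])

if __name__ == "__main__":
    print(verify(REFERENCE, MANIFEST, SIGNATURE))
    print(verify(REFERENCE, MANIFEST + b" ", SIGNATURE))
    print(verify("docker.io/library/alpine:3", MANIFEST, None))
```

The order of checks matters: the MAC (or GPG signature) is verified before the payload is parsed, the digest is recomputed from the bytes actually fetched rather than trusted from the registry's headers, and the reference inside the payload is compared to the one being deployed so a valid signature for `web:1.0` cannot be replayed against `web:2.0`.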

7. NETWORK DEFENSE
Use network namespaces to:
- Isolate applications from other applications within a cluster
- Isolate environments (dev / test / prod) from other environments within a cluster
A network namespace on its own only gives each container its own interfaces and routing table; the isolation between applications and environments comes from the cluster SDN or network policy deciding which namespaces may reach which. Without such a policy, every pod in a cluster can reach every other pod by default.
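In Kubernetes and OpenShift the "which application may talk to which" decision is expressed as NetworkPolicy objects, and their semantics are subtle enough that it helps to evaluate them by hand. The function below is an added example, not code from the deck or from any CNI plugin: given namespaces, pods and NetworkPolicy objects in their Kubernetes layout, it answers whether ingress from one pod to another is permitted. It implements the core rules (a pod selected by no policy accepts everything; once selected, only traffic matching some rule's `from` entries passes; a `podSelector` alone means the policy's own namespace; `namespaceSelector` and `podSelector` in one entry are ANDed; an empty `from` means anywhere) and leaves out ipBlock, ports and egress. All objects are constructed.

```python
"""Evaluate Kubernetes NetworkPolicy ingress isolation (added example, not from the deck)."""


def label_match(selector, labels):
    """matchLabels semantics; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns, namespaces):
    """Does one entry of a rule's `from` list admit the source pod?"""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                         # ipBlock-only peers are not modelled here
    if ns_sel is not None:
        if not label_match(ns_sel, namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False                         # podSelector alone: pods in the policy's namespace
    if pod_sel is not None and not label_match(pod_sel, src["labels"]):
        return False
    return True


def ingress_allowed(src, dst, policies, namespaces):
    """True if a connection from pod `src` to pod `dst` is permitted by `policies`."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and label_match(p["spec"].get("podSelector", {}), dst["labels"])]
    if not selecting:
        return True                          # no policy selects the pod: open by default
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])
            if not peers or any(peer_matches(peer, src, dst["namespace"], namespaces) for peer in peers):
                return True
    return False                             # selected, and no rule admitted the source


# Constructed cluster: namespace labels, pods, and the policies applied in "prod".
NAMESPACES = {"prod": {"env": "prod"}, "dev": {"env": "dev"}, "monitoring": {"team": "sre"}}
WEB_PROD = {"name": "web", "namespace": "prod", "labels": {"app": "web"}}
DB_PROD = {"name": "db", "namespace": "prod", "labels": {"app": "db"}}
WEB_DEV = {"name": "web", "namespace": "dev", "labels": {"app": "web"}}
PROM = {"name": "prometheus", "namespace": "monitoring", "labels": {"app": "prometheus"}}

POLICIES = [
    {   # default deny: selects every pod in prod and admits nothing
        "metadata": {"name": "default-deny", "namespace": "prod"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    },
    {   # only the web tier may reach the database, and only from the same namespace
        "metadata": {"name": "web-to-db", "namespace": "prod"},
        "spec": {"podSelector": {"matchLabels": {"app": "db"}},
                 "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]},
    },
    {   # the SRE monitoring namespace may scrape anything in prod
        "metadata": {"name": "allow-monitoring", "namespace": "prod"},
        "spec": {"podSelector": {},
                 "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "sre"}}}]}]},
    },
]

if __name__ == "__main__":
    for s, d in ((WEB_PROD, DB_PROD), (WEB_DEV, DB_PROD), (DB_PROD, WEB_PROD), (WEB_PROD, WEB_DEV)):
        print(f"{s['namespace']}/{s['name']} -> {d['namespace']}/{d['name']}:",
              ingress_allowed(s, d, POLICIES, NAMESPACES))
```

The two results worth noticing: `dev/web` cannot reach `prod/db` even though its labels match, because a bare `podSelector` never crosses namespaces, and `prod/web` can still reach `dev/web` because nothing in `dev` selects it; environment isolation is only as complete as the namespaces that carry a default-deny policy.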

8. ATTACHED STORAGE
Secure storage by using:
- SELinux access controls
- Secure mounts
- Supplemental group IDs for shared storage
In Kubernetes and OpenShift the supplemental group IDs are set through fsGroup and supplementalGroups in the pod securityContext, which gives the container's processes the group that owns a shared volume (NFS, Gluster) without running them as root.

9. API MANAGEMENT
Container platform & application APIs:
- Authentication and authorization
- LDAP integration
- End-point access controls
- Rate limiting

10. FEDERATED CLUSTERS: ROLES & ACCESS MANAGEMENT
Securing federated clusters across data centers or environments:
- Authentication and authorization
- API endpoints
- Secrets
- Namespaces
Source: Building Globally Distributed Services using Kubernetes Cluster Federation, October 14, 2016

THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools such as:
- Identity and access management / privileged access management
- External certificate authorities
- External vaults / key management solutions
- Container content scanners and vulnerability management tools
- Container runtime analysis tools
- Security information and event management (SIEM)

BRINGING IT ALL TOGETHER
[Diagram: the OpenShift stack. Top: self-service and a service catalog (language runtimes, middleware, databases), with web & mobile, data & storage, integration and business automation containers. Middle: container build automation, deployment automation, application lifecycle management (CI/CD), container orchestration & cluster management (Kubernetes), plus networking, storage, registry, logs & metrics, security, and infrastructure automation & Cockpit. Base: enterprise container host with container runtime & packaging (Docker), Atomic Host and Red Hat Enterprise Linux, running on physical, virtual, private cloud or public cloud infrastructure.]

MORE INFORMATION
- Red Hat OpenShift
- Why Choose Red Hat Containers?
- Ten Layers of Container Security whitepaper
- Security Practices in OpenShift at Amadeus
- KeyBank Goes Cloud-Native

THANK YOU & QUESTIONS
Contact: knewcomer@redhat.com

SECURITY ECOSYSTEM: OPENSHIFT PRIMED
Partners: Nuage Networks, Sysdig, NGINX, F5, Tremolo, Big Switch, Cisco Contiv, NeuVector, Signal Sciences, JFrog, Sonatype, Black Duck, Aqua Security, Dynatrace, Aporeto, Treasure Data