Cloud Native Security. OpenShift Commons Briefing


Cloud Native Security. OpenShift Commons Briefing. Amir Sharif, Co-Founder, amir@aporeto.com

Cloud Native Applications Challenge Security

(Chart: change frequency on the x-axis and number of end points on the y-axis, each scaled 1x, 10x, 100x, 1,000x. Legacy "pets" (servers, VMs; monolithic, centralized) sit at the low end; cloud native "cattle" (containers, serverless; microservices, distributed) sit at the high end.)

Legacy security model:
- Network centric: HW firewalls, then SDN / SW firewalls / middle-boxes
- Complex and semi-static
- Manual control

Cloud native security requirements:
- Automated and scalable
- Infrastructure and platform independent
- Part of the DevOps pipeline

Secure This: Cloud Native Apps in Theory

(Diagram: a single region, West, fronted by one load balancer.)

Secure This: Cloud Native Apps in Practice

(Diagram: three regions, West, Central and East, each fronted by a load balancer, with DB replication between them and a firewall toward a partner network, legacy infrastructure and external services.)

Secure This: Cloud Native Apps in Practice (cont.)

(Diagram: the same three regions, now showing everything that has to be deployed. Each region has a VPC 1 (virtual appliance, SDN, KMS, NAT, load balancer, ACL) and a VPC 2 (NAT, load balancer, firewall, gateway); the regions are joined by firewall-to-firewall VPN tunnels; API gateways and firewalls front the partner network, legacy infrastructure and external services.)

Complex, fragile, fundamentally insecure.

Cloud Security Pillars

Disaggregated tools, no established best practice:
- Segmentors: ACLs, firewalls, SDN, VLANs
- Encryptors: IPsec, SSL/TLS, VPN
- Secrets managers: certificate managers, KMS, Vault
- Enforcers: policy, RASP, image scanners, virus scanners
- Developers

How Cloud Security Should Be Solved

The open Internet design: everything can communicate with everything else unless explicitly prohibited (a blacklist).
(Diagram: nodes A to F fully connected, with a few links marked X.)
Result: the existing security complexity, fragility and costs.

Needed: whitelist security, where no communication is allowed unless policy allows it.
(Diagram: nodes A to F with only the permitted links drawn.)
Benefits: better security with radical simplification and commoditization.
Requirement: identity, plus scalable, distributed policy and enforcement.

Micro-Identity and Policy Management

Identity answers who, where and what. Policy draws on: metadata, reputation, service, resource, behavior, trust profile, security posture.

Policy: Scalable Auth-n, Auth-z in the Cloud

A policy reads like a sentence ("Good companies create customer value."): subject, verb, object, each qualified by context.

Example:
- subject: env=prod app=payroll
- verb: connect, encrypt
- object: env=prod data=confidential

General form: subject (context a, context b, ... context n) / verb: allow, read, encrypt, ... / object (context i, context j, ... context m).
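The whitelist model from "How Cloud Security Should Be Solved" and the subject / verb / object / context policy shape above, as an added example that is not Aporeto's code or policy language. The rule set, workload attributes and context values are constructed for illustration; the first rule is the slide's own example (prod payroll may connect to prod confidential data, encrypted). Anything not matched by a rule is denied.

```python
"""Deny-by-default (whitelist) policy evaluation over workload attributes.

Added example for this page; not Aporeto's code or policy language.
Every rule, workload and context value below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    subject: dict                                  # attributes the caller must carry
    verb: str                                      # the operation: "connect", "read", "exec", ...
    obj: dict                                      # attributes the target must carry
    actions: frozenset = frozenset({"allow"})      # "allow" plus modifiers such as "encrypt"
    context: dict = field(default_factory=dict)    # extra conditions on the request itself


def attrs_match(required, actual):
    """matchLabels semantics: every required key must be present with the same value."""
    return all(actual.get(k) == v for k, v in required.items())


def decide(rules, subject, verb, obj, context=None):
    """Return (allowed, modifiers). With no matching rule the answer is deny."""
    context = context or {}
    modifiers = set()
    allowed = False
    for rule in rules:
        if rule.verb != verb:
            continue
        if not (attrs_match(rule.subject, subject)
                and attrs_match(rule.obj, obj)
                and attrs_match(rule.context, context)):
            continue
        allowed = True
        modifiers |= rule.actions - {"allow"}
    return allowed, frozenset(modifiers)


# Constructed policy set.
RULES = [
    # The slide's example: prod payroll may connect to prod confidential data, encrypted.
    Rule(subject={"env": "prod", "app": "payroll"}, verb="connect",
         obj={"env": "prod", "data": "confidential"},
         actions=frozenset({"allow", "encrypt"})),
    # Any prod workload may read prod public data in the clear.
    Rule(subject={"env": "prod"}, verb="read", obj={"env": "prod", "data": "public"}),
    # Ops may exec into prod workloads, but only when the request arrives via the bastion.
    Rule(subject={"role": "ops"}, verb="exec", obj={"env": "prod"},
         context={"source": "bastion"}),
]

# Constructed workloads. Identity is the attribute set, not an IP address, so a new
# replica of payroll gets the same decision with no policy change.
PAYROLL_PROD = {"env": "prod", "app": "payroll", "image": "payroll:3.2"}
PAYROLL_DEV = {"env": "dev", "app": "payroll", "image": "payroll:3.3-rc1"}
HR_DB = {"env": "prod", "data": "confidential", "instance": "database"}
CATALOG = {"env": "prod", "data": "public", "instance": "cache"}
OPS_USER = {"role": "ops", "user": "alice"}


if __name__ == "__main__":
    for who, verb, what, ctx in [
        (PAYROLL_PROD, "connect", HR_DB, None),
        (PAYROLL_DEV, "connect", HR_DB, None),       # wrong env: no rule matches
        (PAYROLL_PROD, "read", HR_DB, None),         # verb not whitelisted for this pair
        (PAYROLL_PROD, "read", CATALOG, None),
        (OPS_USER, "exec", PAYROLL_PROD, {"source": "bastion"}),
        (OPS_USER, "exec", PAYROLL_PROD, {"source": "laptop"}),
    ]:
        ok, mods = decide(RULES, who, verb, what, ctx)
        print(verb, who, "->", what, ctx or "", "ALLOW" if ok else "DENY", sorted(mods))
```

Two things the code makes concrete that the slide only states: the verb is part of the match, so a pair that may "connect" may still not "read"; and the modifiers returned with an allow ("encrypt" here) are where the enforcement point learns that the flow must be wrapped rather than merely permitted.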

Aporeto Operational Model: on any infrastructure, at any scale

- Authentication
- Authorization: application segmentation
- Encryption: encryption, secrets management
- Service / process monitoring and enforcement: real-time policy monitoring and enforcement on each resource

Enterprise Cloud Security: for legacy apps, microservices, and serverless architectures

One unifier across isolators, encryptors, secrets managers and enforcers.

Aporeto Cloud-Native Security

- End-to-end authentication, authorization and encryption for distributed applications, external services included
- Comprehensive control: automated, application-aware policy
- Visibility and monitoring
- Any infrastructure
- Simple, scalable, secure

Transparent Application Authorization

Cluster 1 (source): a workload's state information and attributes (Env=Prod, App=Web, Image=nginx) are signed and attached to the request; the request is optionally encrypted.
Cluster 2 (destination): a workload with attributes ApplicationType=Prod, Instance=DataBase carries the policy "accept from (App = Web) & (Env = Prod)"; the attached attributes are validated against that policy and the request is accepted as valid.

Adding nodes is an O(1) operation: source and destination are identified by application context, not by network location.
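The sign-and-attach flow above, as an added example that is not Aporeto's code; the token format is invented for the page. It assumes a shared HMAC key standing in for the issuer's signing key (a real deployment would use per-workload asymmetric keys or certificates), and the keys, timestamps and attribute sets are all constructed. The receiver checks authenticity and freshness before it ever looks at the policy, so a workload cannot promote itself to prod by editing its own attributes, and a captured token cannot be replayed indefinitely.

```python
"""Signed attribute attestation checked against an attribute policy.

Added example for this page; not Aporeto's code. The token format, the shared
HMAC issuer key and all attributes/timestamps are constructed for illustration.
"""
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key-not-for-real-use"  # assumption: shared issuer secret
MAX_TOKEN_AGE = 300                                    # seconds; bounds replay of a captured token


def sign_attributes(attrs, issued_at, key=ISSUER_KEY):
    """Sender side: bind the workload's attributes and issue time under an HMAC."""
    payload = json.dumps({"attrs": attrs, "iat": issued_at},
                         sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_token(token, now, key=ISSUER_KEY, max_age=MAX_TOKEN_AGE):
    """Receiver side: return the attributes if the token is authentic and fresh, else None."""
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None                      # forged or tampered attributes
    claims = json.loads(token["payload"])
    if not (now - max_age <= claims["iat"] <= now + 60):
        return None                      # stale (replayed) or implausibly future-dated
    return claims["attrs"]


def accept(required, token, now):
    """Policy: accept only if every required attribute is present with that value."""
    attrs = verify_token(token, now)
    if attrs is None:
        return False
    return all(attrs.get(k) == v for k, v in required.items())


# The receiving database's policy from the slide.
DB_POLICY = {"App": "Web", "Env": "Prod"}

# Constructed tokens.
PROD_WEB = sign_attributes({"App": "Web", "Env": "Prod", "Image": "nginx"}, issued_at=1000)
DEV_WEB = sign_attributes({"App": "Web", "Env": "Dev", "Image": "nginx"}, issued_at=1000)
# A dev workload editing its own attributes to claim prod: the MAC no longer matches.
FORGED = {"payload": DEV_WEB["payload"].replace('"Env":"Dev"', '"Env":"Prod"'),
          "mac": DEV_WEB["mac"]}


if __name__ == "__main__":
    print("prod web ->", accept(DB_POLICY, PROD_WEB, now=1100))   # True
    print("dev web  ->", accept(DB_POLICY, DEV_WEB, now=1100))    # False: policy mismatch
    print("forged   ->", accept(DB_POLICY, FORGED, now=1100))     # False: bad MAC
    print("replayed ->", accept(DB_POLICY, PROD_WEB, now=5000))   # False: too old
```

Note the order of checks: signature first, then freshness, then policy. Evaluating policy on unverified attributes would let any sender claim App=Web, Env=Prod; skipping the freshness window would let an attacker who captured one valid token keep presenting it after the original workload is gone.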

Use Cases 1 to 4: Kubernetes Network Policies vs. Aporeto Security Policies

1. Native Kubernetes policies: Kubernetes Network Policies, enforced as Aporeto Security Policies.
2. Aporeto Security Policies: Network Policies with richer context.
3. Egress network policy support: richer context plus egress policies.
4. External services policy support: richer context, egress policies, plus access policies for external services.

In each case Aporeto's policy set is a superset of Kubernetes Network Policies.
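To see what the four use cases add on top of each other, here is an added example (not Kubernetes or Aporeto code) that evaluates Kubernetes NetworkPolicy semantics in miniature: the policy dicts mirror the YAML shape of networking.k8s.io/v1 NetworkPolicy, so the same objects could be applied with kubectl. It assumes a single namespace, ignores namespaceSelector and port matching, and the pods, IPs and CIDRs are constructed. The runs at the bottom show the gap each use case closes: with only an ingress rule on the database, the web pod can still talk to any address on the Internet; a default-deny plus an explicit egress list fixes that; and an ipBlock with an except entry is how an external service is whitelisted by CIDR.

```python
"""Kubernetes NetworkPolicy semantics in miniature: isolation, ingress, egress, ipBlock.

Added example for this page; not Kubernetes or Aporeto code. Simplifications:
one namespace, no namespaceSelector, no port matching. All data is constructed.
"""
import ipaddress


def labels_match(selector, labels):
    """matchLabels semantics; an empty selector ({}) matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(policy):
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    # API default: Ingress always; Egress only when an egress section is present.
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, other_pod, other_ip):
    """One entry of a 'from' or 'to' list."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        addr = ipaddress.ip_address(other_ip)
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(ex) for ex in block.get("except", []))
    if other_pod is None:
        return False  # a podSelector can never match a non-pod (external) peer
    return labels_match(peer.get("podSelector", {}), other_pod["labels"])


def allowed(policies, direction, pod, other_pod=None, other_ip=None):
    """Is traffic in 'direction' ('Ingress' into pod, 'Egress' out of pod) allowed?"""
    applicable = [p for p in policies
                  if labels_match(p["spec"].get("podSelector", {}), pod["labels"])
                  and direction in policy_types(p)]
    if not applicable:
        return True  # pod is not isolated in this direction: everything is allowed
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for p in applicable:
        for rule in p["spec"].get(rules_key) or []:
            peers = rule.get(peers_key)
            if not peers:
                return True  # empty or missing peer list matches all peers
            if any(peer_matches(peer, other_pod, other_ip) for peer in peers):
                return True
    return False  # isolated and no rule matched


def pod_to_pod(policies, src, dst):
    """A connection needs egress allowed at the source AND ingress allowed at the target."""
    return (allowed(policies, "Egress", src, dst, dst["ip"])
            and allowed(policies, "Ingress", dst, src, src["ip"]))


def pod_to_external(policies, src, ip):
    return allowed(policies, "Egress", src, None, ip)


# Constructed policies in NetworkPolicy YAML shape.
DEFAULT_DENY = {"metadata": {"name": "default-deny-all"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
DB_ALLOW_WEB = {"metadata": {"name": "db-allow-web"},
                "spec": {"podSelector": {"matchLabels": {"app": "db"}},
                         "policyTypes": ["Ingress"],
                         "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}}
WEB_EGRESS = {"metadata": {"name": "web-egress"},
              "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                       "policyTypes": ["Egress"],
                       "egress": [
                           {"to": [{"podSelector": {"matchLabels": {"app": "db"}}}]},
                           # external partner API (TEST-NET-3), minus its management address
                           {"to": [{"ipBlock": {"cidr": "203.0.113.0/24",
                                                "except": ["203.0.113.1/32"]}}]}]}}

# Constructed pods, all in one namespace.
WEB = {"name": "web-1", "ip": "10.0.1.5", "labels": {"app": "web", "env": "prod"}}
DB = {"name": "db-1", "ip": "10.0.2.9", "labels": {"app": "db", "env": "prod"}}
DEBUG = {"name": "debug", "ip": "10.0.3.3", "labels": {"app": "debug"}}

INGRESS_ONLY = [DB_ALLOW_WEB]                           # use case 1
LOCKED_DOWN = [DEFAULT_DENY, DB_ALLOW_WEB, WEB_EGRESS]  # use cases 2 to 4


if __name__ == "__main__":
    print("uc1 web->db          ", pod_to_pod(INGRESS_ONLY, WEB, DB))                     # True
    print("uc1 debug->db        ", pod_to_pod(INGRESS_ONLY, DEBUG, DB))                   # False
    print("uc1 web->internet    ", pod_to_external(INGRESS_ONLY, WEB, "198.51.100.7"))    # True: no egress policy
    print("uc3 web->internet    ", pod_to_external(LOCKED_DOWN, WEB, "198.51.100.7"))     # False
    print("uc4 web->partner     ", pod_to_external(LOCKED_DOWN, WEB, "203.0.113.10"))     # True
    print("uc4 web->partner mgmt", pod_to_external(LOCKED_DOWN, WEB, "203.0.113.1"))      # False
```

The practitioner's check this encodes: a pod is only isolated in a direction if some policy selecting it lists that direction in policyTypes, so a cluster with only ingress rules has no egress control at all, whatever the rules say. The ipBlock peer is also the only way native NetworkPolicy can name an external service, and it names it by address, which is exactly the "network location, not properties" limitation the use-case slides are contrasting against.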

Use Case 5: Multi-Availability Zone Security

Existing model: containers and microservices span a private data center and the public cloud (AWS), joined over Direct Connect and the Internet through ELBs, NAT and NAT6. The result is complex security policy configurations spanning diverse operational models and administrative domains.

Aporeto: one policy spans the private data center and the public cloud, giving automated, fine-grained, end-to-end control. Workloads are identified by properties, not network location.

Secure This: Cloud Native Apps in Practice (recap)

(Diagram: the earlier multi-region deployment with its per-VPC virtual appliances, SDN, KMS, NAT, load balancers, ACLs, firewalls, gateways, VPN tunnels and API gateways: complex, fragile, fundamentally insecure.)

Aporeto: The End-to-End Solution for cloud native, legacy, and hybrid environments

(Diagram: the three regions West, Central and East with their load balancers and DB replication, plus an API gateway and firewall toward the partner network, legacy infrastructure and external services; the per-VPC appliances, VPN tunnels and ACLs of the previous diagram no longer appear.)

The Benefits

- Reduced attack surface
- Verifiable security posture
- Lower cost, less complexity
- On any cloud, at any scale

Aporeto Architecture

- Identity
- Analytics & policy management
- Pluggable enforcers: network, APIs, file system, encryption, secrets, 3rd party


Try it: console.aporeto.com

Simple, Scalable, Secure