TEN LAYERS OF CONTAINER SECURITY

Similar documents
TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

TEN LAYERS OF CONTAINER SECURITY

Red Hat Roadmap for Containers and DevOps

Backup strategies for Stateful Containers in OpenShift Using Gluster based Container-Native Storage

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

Container Deployment and Security Best Practices

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

RED HAT OPENSHIFT A FOUNDATION FOR SUCCESSFUL DIGITAL TRANSFORMATION

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

TRAINING AND CERTIFICATION UPDATE

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

OpenShift Hyper-Converged Infrastructure Bare Metal Deployment with Containerized Gluster

Identity Management and Compliance in OpenShift

WHEN CONTAINERS AND VIRTUALIZATION DO - AND DON T - WORK TOGETHER

Security oriented OpenShift within regulated environments

Taming your heterogeneous cloud with Red Hat OpenShift Container Platform.

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

CoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018

Container Security. Marc Skinner Principal Solutions Architect

Learn. Connect. Explore.

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

A Greybeard's Worst Nightmare

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

THE STATE OF CONTAINERS

Red Hat Container Strategy Ahmed El-Rayess

VMWARE PIVOTAL CONTAINER SERVICE

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Multi-Arch Layered Image Build System

CONTAINERS AND MICROSERVICES WITH CONTRAIL

CREATING A CLOUD STRONGHOLD: Strategies and Methods to Manage and Secure Your Cloud

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

FISMA COMPLIANCE FOR CONTAINERIZED APPS

EASILY DEPLOY AND SCALE KUBERNETES WITH RANCHER

Microservices with Red Hat. JBoss Fuse

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

Service Mesh and Microservices Networking

OPENSTACK AGILITY. RED HAT RELIABILITY.

MOBILIZING AND SECURING RED HAT JBOSS BPM SUITE & BRMS

VMWARE ENTERPRISE PKS

RED HAT'S CONTAINER STRATEGY. Lars Herrmann General Manager, RHEL, RHEV and Containers June 24, 2015

OPENSHIFT FOR OPERATIONS. Jamie Cloud Guy - US Public Sector at Red Hat

Defining Security for an AWS EKS deployment

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

The future of data centers

Securing Microservices Containerized Security in AWS

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Kubernetes Performance-Sensitive Application Platform

Beyond 1001 Dedicated Data Service Instances

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Hacking and Hardening Kubernetes

RED HAT QUAY. As part of OCP Architecture Workshop. Technical Deck

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Continuous Integration and Deployment (CI/CD)

Automating Security and Compliance for Hybrid Environments

S Implementing DevOps and Hybrid Cloud

OpenShift Dedicated 3 Release Notes

INTRODUCING CONTAINER-NATIVE VIRTUALIZATION

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

Automating, Securing, and Managing Cox Automotive's (AutoTrader) Big Data Infrastructure

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

Containers Infrastructure for Advanced Management. Federico Simoncelli Associate Manager, Red Hat October 2016

CONTAINERIZATION ARCHITECT Certification. Containerization Architect

S Automating security compliance for physical, virtual, cloud, and container environments

The Road to Digital Transformation: Increase Agility Building and Managing Cloud Infrastructure. Albert Law Solution Architect Manager

Love Containers, Love Devops, Love Openshift, Where's my business case?

Docker CaaS. Sandor Klein VP EMEA

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Red Hat Containers Roadmap. Red Hat A panel of product directors

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

P a g e 1. Teknologisk Institut. Online kursus k SysAdmin & DevOps Collection

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

Red Hat CloudForms 4.6

Allowing Users to Run Services at the OLCF with Kubernetes

Contrail Networking: Evolve your cloud with Containers

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

Microservices and Container Development

ISTIO 1.0 INTRODUCTION & OVERVIEW OpenShift Commons Briefing Brian redbeard Harrington Product Manager, Istio

Build an open hybrid cloud and paint it red and blue

Container Management : First Looks

EVERYTHING AS CODE A Journey into IT Automation and Standardization. Raphaël Pinson

Red Hat Container Catalog Consuming Container Images from Red Hat and its Ecosystem. Dirk Herrmann Product Owner Container Catalog May 2nd 2017

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

Hitachi & Red Hat collaborate: Container migration guide

Overview of Container Management

TECHNICAL BRIEF. Scheduling and Orchestration of Heterogeneous Docker-Based IT Landscapes. January 2017 Version 2.0 For Public Use

Kubernetes Integration Guide

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment

Technical Brief Distributed Trusted Computing

Red Hat Cloud Platforms with Dell EMC. Quentin Geldenhuys Emerging Technology Lead

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

How Container Runtimes matter in Kubernetes?

Transcription:

TEN LAYERS OF CONTAINER SECURITY Tim Hunt Kirsten Newcomer May 2017

ABOUT YOU Are you using containers? What s your role? Security professionals Developers / Architects Infrastructure / Ops Who considers security part of their job? 2

VALUE OF CONTAINERS INFRASTRUCTURE Sandboxed application processes on a shared Linux OS kernel Simpler, lighter, and denser than virtual machines Portable across different environments 3 APPLICATIONS Package my application and all of its dependencies Deploy to any environment in seconds and enable CI/CD Easily access and share containerized components

WHY ARE WE HAVING THIS CONVERSATION? 4

SECURING CONTAINERS: THE TOP TEN LIST 1. Container Host & Multi-tenancy 2. Container Content 3. Container Registries 4. Building Containers 5. Deploying Containers 5 6. 7. 8. 9. 10. Container Platform Network Isolation Storage API Management Federated Clusters

1 CONTAINER HOST & MULTI-TENANCY THE OS MATTERS RED HAT ENTERPRISE LINUX RED HAT ENTERPRISE LINUX ATOMIC HOST THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel. SELinux Kernel namespaces Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.. Cgroups Capabilities SECURITY FEATURES ON BY DEFAULT IN OPENSHIFT 6 Seccomp

2 CONTENT: USE TRUSTED SOURCES Are there known vulnerabilities in the application layer? Are the runtime and OS layers up to date? How frequently will the container be updated and how will I know when it s updated? Red Hat rebuilds container images when security fixes are released 7

2 CONTENT: USE TRUSTED SOURCES Standardization makes security & ops work easier Developers want latest & greatest for best features Consider breadth and diversity of your software content 8

PRIVATE REGISTRIES: 3 SECURE ACCESS TO IMAGES Image governance & private registries 9 Are there access controls on the registry? How strong are they? What security meta-data is available for your images? How is the data kept up-to-date? CONTAINER APP RUNTIME OS HOST OS Red Hat Container Registry Policies to control who can deploy which containers Certification Catalog Trusted content with security updates CONTAINER APP RUNTIME OS HOST OS

4 MANAGING CONTAINER BUILDS Security & continuous integration 10 Layered packaging model supports separation of concerns Integrate security testing into your build / CI process Use automated policies to flag builds with issues Ensure builds always use the latest base image Trigger automated CI process Operations Architects Application developers

5 MANAGING CONTAINER DEPLOYMENT Security & continuous deployment 11 Monitor image registry to automatically replace affected images Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment Monitor application health & behavior

6 CONTAINER ORCHESTRATION & SECURITY CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT (KUBERNETES) NETWORKING STORAGE REGISTRY LOGS & METRICS INFRASTRUCTURE AUTOMATION & COCKPIT 12 SECURITY

6 CONTAINER ORCHESTRATION & SECURITY LOGS & METRICS Auditing Monitoring Integration with external logging systems in 3.4 13 PAM + SECURITY RBAC All access to master over TLS / API server is X.509 certificate or token based Secrets Management Certificate Management Enhancements targeted for 3.6 Enhanced in 3.5

CONTAINER MULTITENANCY & 7 NETWORK DEFENSE 14 Segment traffic to isolate users, teams, applications within a single cluster Manage egress traffic to meet existing firewall policies Tech-preview network policy plug-in allows isolation policies to be configured for individual pods

8 ATTACHED STORAGE Secure storage by using 15 SELinux access controls Secure mounts Supplemental group IDs for shared storage

9 API MANAGEMENT Container platform & application APIs 16 Authentication and authorization LDAP integration End-point access controls Rate limiting

10 FUTURE: FEDERATED CLUSTERS ROLES & ACCESS MANAGEMENT Securing federated clusters across data centers or environments 17 Authentication and authorization API endpoints Secrets Namespaces Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016

BRINGING IT ALL TOGETHER Self-Service Service Catalog Web & Mobile (Language Runtimes, Middleware, Databases) Contaner Build Automation Deployment Automation OpenShift Application Lifecycle Management (CI/CD) Container Orchestration & Cluster Management (kubernetes) Networking Storage Registry Logs & Metrics Security Infrastructure Automation & Cockpit Enterprise Container Host Container Runtime & Packaging (Docker) Atomic Host 18 Physical Red Hat Enterprise Linux Data & Storage Container Virtual Integration Container Business Automation Container Private cloud Public cloud

READ THE WHITEPAPER Ten Layers of Container Security 19

THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvideos

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback