SlideShare a Scribd company logo

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris

OW2, profile picture
OW2

The document details the evolution of container technology from the 1970s to the modern day, highlighting key developments like FreeBSD jails, Google’s process containers, and Docker's emergence. It discusses the security challenges associated with containers, emphasizing the shared responsibility model and the need for comprehensive security solutions, including tools for vulnerability management and behavior monitoring. The future of container security remains uncertain, with calls for next-generation solutions and the challenges posed by a fragmented ecosystem.

Technology
Related topics:
Open Source Software
1 of 21
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
1 Applied Security For Containers Jesus ESCOLAR CEO EXELERYS NextGen CyberSecurity & CyberIntelligence
2 Infrastructure “Changes” Physical Virtual Cloud Containers Serverless 1011010 0100111 0010011
3 The history of “Containers” – Everything started in… • 1970’s!!! • Unix V7: chroot! All was about process isolation at that time! • 2000: • FreeBSD: “Jails” was invented to share resources in a shared environment independently. • 2001: • Linux-VServer: Introduced the FreeBSD “Jails” logic into the Linux world through the “VPS” concept. • 2004: • Sun Microsystems: They invented the “Zones” long before being acquired by Oracle. Their isolation logic allowed a better implementation of Disk, RAM & CPU access.
4 The history of “Containers” – Continued in… • 2005: • OpenVZ: Now we have the first “open-to-public” pre- Dark Ages isolation implementation. <- We ‘ed it! • 2006: • Google: Introduced “Process Containers” as an isolation logical model for CPU, memory, Disk I/O & Network. • 2008: • LXC: Halleluiah! A team of private companies along with individuals developed the “Linux Containers”, the first real implementation of a the container technology in an open- source model with all the fully features that makes a container what a container had to be! (LXC would evolve to become LXD in its 2.0 version…)
5 The history of “Containers” – And concluded… • 2011: • CloudFoundry: Implemented an evolved version of LXC called “Warden” isolating environments in any OS with a daemon and… an API! • 2013: • LMCTFY: An open-source implementation of Google Container Stack. Now applications can be made “container aware”. This moved to the Open Container Foundation in 2015. • 2013: • Docker: Here is the Saint Grail! It developed from LXC but ended up having its own platform and architecture. The successes were: API, container management platform, and obviously, the apps ecosystem.
6 Logic behind Containers
7 Security Landscape = Customer Pain! Evolving Infrastructure Threat Sophistication Speed of App Changes Lack of resources, need to simplify Threat protection & audit Performance across hybrid clouds Customer PainTechnical Dynamics
8 Security Landscape = Shared Responsibility Data Encryption Network Traffic Protection Platform, Applications Operating System, Network & Firewall Configuration Content and Applications Foundation Services Compute Storage Database Networking Global Infrastructure Regions Domains, Availability Zones Foundation Services Compute Storage Database Networking Global Infrastructure Regions Domains, Availability Zones Cloud Provider or You? Consumer ! The Shared Responsibility Model
9 Securing Containers – What? • So the magical question comes into play: What do I need to secure when I am running containers? • The Host? • The Apps? • The Images? • The permissions? • The users? • The consumers? • All of them? • None of them? Note: Choose all the right answers that apply…
10 Security Paradigm for Containers • Containers are running on top of an existing OS, whether we like it or not. • Containers are still running either an OS or either apps. • Containers are still running workloads with libraries. • And those libraries are shared across all the containers in the same host. • We still have all the security responsibilities from the traditional virtualization landscape into our hands: • Multi-tenancy / Multi-User responsibilities. • App Packaging sources. • Vulnerabilities / Patching. • Accountability. • Accessibility. • Firewalling / Traffic management. • RBAC. • etc, etc, etc…
11 Securing Containers – How? • Resource Control: cgroups • Discretionary Access: namespaces • Mandatory Access: AppArmor / SELinux • Fine Grained Access: seccomp Is that all…? Nothing else? SecDevOps? DevSecOps? No! There are few NextGen solutions with more in-depth approach to cover all possible conditions. Let’s see them together!
12 Security Solutions for Containers – Vulnerabilities • NeuVector Open Source CIS Kubernetes Benchmark https://github.com/neuvector/kubernetes-cis-benchmark
13 Security Solutions for Containers – Vulnerabilities • Aquasec Open Source Tools: https://github.com/aquasecurity/kube-bench Automates the CIS Benchmark for Kubernetes, making it easy for operators to check whether each node in their Kubernetes cluster is configured according to security best practices.
14 Security Solutions for Containers – Vulnerabilities • CoreOS Open Source Clair: https://github.com/coreos/clair/ https://coreos.com/clair/docs/latest/ Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. Since Clair image analysis is static, containers never need to be actually executed, so you can detect a security threat before is already running in your systems. Clair is the security engine that CoreOS Quay registry uses internally.
15 Security Solutions for Containers – Vulnerabilities • Twistlock Developer Edition Container Security : https://www.twistlock.com/products/enterprise-container-security/ https://www.twistlock.com/2016/02/17/free-developer-edition-is- here/ Vulnerability management: Scanning container images to discover vulnerabilities that may exist in the various layers of the image. Access control: Fine-grained access control capabilities to guard access to Docker commands. Runtime defence: Policy-based protection for running containers on production servers.
16 Security Solutions for Containers – Analysis • Anchore Open Source Container Analysis https://anchore.com/opensource/ • Pre-production analysis, vulnerability newsfeed. • Submit an Image to be analysed • See if your images have any known CVE vulnerabilities • List all of the files in a particular image • Evaluate your image against your custom security policy • Subscribe to receive notifications when an image is updated
17 Security Solutions for Containers – Behaviour • Sysdig Open Source Falco : https://sysdig.com/opensource/falco/ Open source, behavioural monitoring software designed to detect anomalous activity based on the Sysdig monitoring technology. Sysdig Falco also works as a intrusion detection system on any Linux host. Build rules specific to your Kubernetes clusters to enforce policy across all your containers & microservices. Complete container visibility through a single daemon. Easily build rules and get informed immediately.
18 Security Solutions for Containers – Distribution • Notary Open Source : https://github.com/theupdateframework/notary Image forgery and tampering is one major security concern for Docker- based deployments. Notary is a tool for publishing and managing trusted collections of content. You can approve trusted published and create signed collections, in a similar fashion to the software repository management tools present in modern Linux systems, but for Docker images. Some of Notary goals include guaranteeing image freshness (most up to date content, to avoid known vulnerabilities), trust delegation between users or trusted distribution over untrusted mirrors or transport channels. Note: See this implementation of Notary. https://theupdateframework.github.io/
19 What’s next…? • The future is unclear… • Hosts can be infected, images can be infected, apps can be vulnerated. • Docker images, as an example, is vulnerable to malware infection as demonstrated in last Black Hat Conference in 2017. • There’s a need for a full open source security solution for containers based on a next generation security logic: • AM + IPS + WR (mandatory) • Behaviour Monitoring (necessary) • ML + AI (optional) • Sandboxing (highly desired) • There are no open source NextGen Anti-Malware, Firewalls or IPS/IDS tools for containers today. • Why? The container ecosystem is too sparse, the CNF presents dozens of vendors/companies building solutions and standards for containers, there’s no homogeneity. There’s no alignment across the ecosystem. There’s no standard practice.
20 20
21 THANK YOU! Follow us at: @EXELERYS LINKEDIN.COM/COMPANY/EXELERYS

More Related Content

PDF
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
PPTX
An In-depth look at application containers
John Kinsella
 
PPT
Securing the Cloud
John Kinsella
 
PPTX
Understanding container security
John Kinsella
 
PPTX
A (fun!) Comparison of Docker Vulnerability Scanners
John Kinsella
 
PDF
Is Docker Secure?
Manideep Konakandla
 
PPT
Container security
Anthony Chow
 
PDF
How secure is your Docker Container pipeline?
Manideep Konakandla
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
An In-depth look at application containers
John Kinsella
 
Securing the Cloud
John Kinsella
 
Understanding container security
John Kinsella
 
A (fun!) Comparison of Docker Vulnerability Scanners
John Kinsella
 
Is Docker Secure?
Manideep Konakandla
 
Container security
Anthony Chow
 
How secure is your Docker Container pipeline?
Manideep Konakandla
 

What's hot (20)

PDF
Practical Approaches to Container Security
Shea Stewart
 
PDF
Dockercon EU 2015 Recap
Lee Calcote
 
PDF
Docker and kernel security
smart_bit
 
PDF
Ten layers of container security for CloudCamp Nov 2017
Gordon Haff
 
PDF
Docker Containers Security
Stephane Woillez
 
PPTX
Equifax cyber attack contained by containers
Aqua Security
 
PPTX
SW Docker Security
Stephane Woillez
 
PDF
Cisco Cloud Networking Workshop
Cisco Canada
 
PDF
Container Security Deep Dive & Kubernetes
Aqua Security
 
PDF
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
PDF
Docker Enterprise Deployment Planning
Stephane Woillez
 
PDF
Docker en kernel security
smart_bit
 
PPTX
SS Introduction to Docker
Stephane Woillez
 
PDF
VMware@Night: Container & Virtualisierung
Digicomp Academy AG
 
PDF
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
PDF
Containerization Principles Overview for app development and deployment
Dr Ganesh Iyer
 
PDF
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08
Casey Bisson
 
PPTX
Containers vs. VMs: It's All About the Apps!
Steve Wilson
 
PDF
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
PDF
Automated Security Hardening with OpenStack-Ansible
Major Hayden
 
Practical Approaches to Container Security
Shea Stewart
 
Dockercon EU 2015 Recap
Lee Calcote
 
Docker and kernel security
smart_bit
 
Ten layers of container security for CloudCamp Nov 2017
Gordon Haff
 
Docker Containers Security
Stephane Woillez
 
Equifax cyber attack contained by containers
Aqua Security
 
SW Docker Security
Stephane Woillez
 
Cisco Cloud Networking Workshop
Cisco Canada
 
Container Security Deep Dive & Kubernetes
Aqua Security
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
Docker Enterprise Deployment Planning
Stephane Woillez
 
Docker en kernel security
smart_bit
 
SS Introduction to Docker
Stephane Woillez
 
VMware@Night: Container & Virtualisierung
Digicomp Academy AG
 
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
Containerization Principles Overview for app development and deployment
Dr Ganesh Iyer
 
7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08
Casey Bisson
 
Containers vs. VMs: It's All About the Apps!
Steve Wilson
 
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
Automated Security Hardening with OpenStack-Ansible
Major Hayden
 
Ad

Similar to Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris (20)

PDF
Demystifying Containerization Principles for Data Scientists
Dr Ganesh Iyer
 
PDF
Finding Your Way in Container Security
Ksenia Peguero
 
PPTX
BRKSDN-2115
Rohit Agarwalla
 
PPTX
Moby Open Source Summit North America 2017
Patrick Chanezon
 
PPTX
Microservices and containers for the unitiated
Kevin Lee
 
PDF
Dockers and kubernetes
Dr Ganesh Iyer
 
PDF
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
PDF
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
PPTX
Oscon 2017: Build your own container-based system with the Moby project
Patrick Chanezon
 
PDF
Immutable Infrastructure Security
Ricky Sanders
 
PPTX
Openstack components as containerized microservices
Miguel Zuniga
 
PDF
Finding Your Way in Container Security
Ksenia Peguero
 
PPTX
The How and Why of Container Vulnerability Management
Tim Mackey
 
PPTX
The How and Why of Container Vulnerability Management
Black Duck by Synopsys
 
PPTX
SummerStudent17_HandsOn Data Cloud Computing.pptx
ssuserb53446
 
PPTX
Platform as a Service with Kubernetes and Mesos
Miguel Zuniga
 
PPTX
Built in NM - Meetup Talk - CTL Labs
Ross Jimenez
 
PDF
20220406 - SDAN_Presentation1_SDANOverview.pdf
ssuser34f58c1
 
PDF
DockerCon SF 2015: Keynote Day 1
Docker, Inc.
 
PPTX
State of the Container Ecosystem
Vinay Rao
 
Demystifying Containerization Principles for Data Scientists
Dr Ganesh Iyer
 
Finding Your Way in Container Security
Ksenia Peguero
 
BRKSDN-2115
Rohit Agarwalla
 
Moby Open Source Summit North America 2017
Patrick Chanezon
 
Microservices and containers for the unitiated
Kevin Lee
 
Dockers and kubernetes
Dr Ganesh Iyer
 
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
Strategy, planning and governance for enterprise deployments of containers - ...
The Incredible Automation Day
 
Oscon 2017: Build your own container-based system with the Moby project
Patrick Chanezon
 
Immutable Infrastructure Security
Ricky Sanders
 
Openstack components as containerized microservices
Miguel Zuniga
 
Finding Your Way in Container Security
Ksenia Peguero
 
The How and Why of Container Vulnerability Management
Tim Mackey
 
The How and Why of Container Vulnerability Management
Black Duck by Synopsys
 
SummerStudent17_HandsOn Data Cloud Computing.pptx
ssuserb53446
 
Platform as a Service with Kubernetes and Mesos
Miguel Zuniga
 
Built in NM - Meetup Talk - CTL Labs
Ross Jimenez
 
20220406 - SDAN_Presentation1_SDANOverview.pdf
ssuser34f58c1
 
DockerCon SF 2015: Keynote Day 1
Docker, Inc.
 
State of the Container Ecosystem
Vinay Rao
 
Ad

More from OW2 (20)

PDF
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
OW2
 
PDF
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
OW2
 
PDF
GLPi v.10, les fonctionnalités principales et l'offre cloud
OW2
 
PDF
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
OW2
 
PDF
FusionIAM : la gestion des identités et des accés open source
OW2
 
PDF
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
OW2
 
PDF
SFScon'20 Bringing the User into the Equation
OW2
 
PDF
Towards a sustainable solution to open source sustainability, OW2online20, Ju...
OW2
 
PDF
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
OW2
 
PDF
Open Source governance and the Eclipse Foundation, OW2online, June 2020
OW2
 
PDF
Open source contribution policies, OW2online, June 2020
OW2
 
PDF
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
OW2
 
PDF
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
OW2
 
PDF
Open Source Compliance at Orange, OW2online, June 2020
OW2
 
PDF
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
OW2
 
PDF
Intelligent package management with FASTEN, OW2online, June 2020
OW2
 
PDF
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
OW2
 
PDF
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
OW2
 
PDF
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
OW2
 
PDF
Cacti and Big Data at Orange France, OW2online, June 2020
OW2
 
OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma
OW2
 
The Open Source Good Governance Initiative presented at RIOS OS Week, Nov. 20...
OW2
 
GLPi v.10, les fonctionnalités principales et l'offre cloud
OW2
 
Centreon: superviser le Cloud et le Legacy à partir d'une même plateforme, po...
OW2
 
FusionIAM : la gestion des identités et des accés open source
OW2
 
OW2 Association Européenne aux racines grenobloises, transformer l'industrie ...
OW2
 
SFScon'20 Bringing the User into the Equation
OW2
 
Towards a sustainable solution to open source sustainability, OW2online20, Ju...
OW2
 
Advanced proactive and polymorphing cloud application adaptation with MORPHEM...
OW2
 
Open Source governance and the Eclipse Foundation, OW2online, June 2020
OW2
 
Open source contribution policies, OW2online, June 2020
OW2
 
Software development at scale, pandemic lockdown and oss ecosystems, OW2onlin...
OW2
 
Overview of the OpenChain Reference Tooling Work Group, OW2online20, June 2020
OW2
 
Open Source Compliance at Orange, OW2online, June 2020
OW2
 
Ideas, methods and tools for OSS Compliance assessment, OW2online, June 2020
OW2
 
Intelligent package management with FASTEN, OW2online, June 2020
OW2
 
DECODER, a Smarter Environment for DevOps Teams , OW2online, June 2020
OW2
 
Enabling DevOps for IoT software development, powered by Open Source, OW2onli...
OW2
 
Upcoming Challenges in Artificial Intelligence Research and Development, OW2o...
OW2
 
Cacti and Big Data at Orange France, OW2online, June 2020
OW2
 

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris

  • 1. 1 Applied Security For Containers Jesus ESCOLAR CEO EXELERYS NextGen CyberSecurity & CyberIntelligence
  • 3. 3 The history of “Containers” – Everything started in… • 1970’s!!! • Unix V7: chroot! All was about process isolation at that time! • 2000: • FreeBSD: “Jails” was invented to share resources in a shared environment independently. • 2001: • Linux-VServer: Introduced the FreeBSD “Jails” logic into the Linux world through the “VPS” concept. • 2004: • Sun Microsystems: They invented the “Zones” long before being acquired by Oracle. Their isolation logic allowed a better implementation of Disk, RAM & CPU access.
  • 4. 4 The history of “Containers” – Continued in… • 2005: • OpenVZ: Now we have the first “open-to-public” pre- Dark Ages isolation implementation. <- We ‘ed it! • 2006: • Google: Introduced “Process Containers” as an isolation logical model for CPU, memory, Disk I/O & Network. • 2008: • LXC: Halleluiah! A team of private companies along with individuals developed the “Linux Containers”, the first real implementation of a the container technology in an open- source model with all the fully features that makes a container what a container had to be! (LXC would evolve to become LXD in its 2.0 version…)
  • 5. 5 The history of “Containers” – And concluded… • 2011: • CloudFoundry: Implemented an evolved version of LXC called “Warden” isolating environments in any OS with a daemon and… an API! • 2013: • LMCTFY: An open-source implementation of Google Container Stack. Now applications can be made “container aware”. This moved to the Open Container Foundation in 2015. • 2013: • Docker: Here is the Saint Grail! It developed from LXC but ended up having its own platform and architecture. The successes were: API, container management platform, and obviously, the apps ecosystem.
  • 7. 7 Security Landscape = Customer Pain! Evolving Infrastructure Threat Sophistication Speed of App Changes Lack of resources, need to simplify Threat protection & audit Performance across hybrid clouds Customer PainTechnical Dynamics
  • 8. 8 Security Landscape = Shared Responsibility Data Encryption Network Traffic Protection Platform, Applications Operating System, Network & Firewall Configuration Content and Applications Foundation Services Compute Storage Database Networking Global Infrastructure Regions Domains, Availability Zones Foundation Services Compute Storage Database Networking Global Infrastructure Regions Domains, Availability Zones Cloud Provider or You? Consumer ! The Shared Responsibility Model
  • 9. 9 Securing Containers – What? • So the magical question comes into play: What do I need to secure when I am running containers? • The Host? • The Apps? • The Images? • The permissions? • The users? • The consumers? • All of them? • None of them? Note: Choose all the right answers that apply…
  • 10. 10 Security Paradigm for Containers • Containers are running on top of an existing OS, whether we like it or not. • Containers are still running either an OS or either apps. • Containers are still running workloads with libraries. • And those libraries are shared across all the containers in the same host. • We still have all the security responsibilities from the traditional virtualization landscape into our hands: • Multi-tenancy / Multi-User responsibilities. • App Packaging sources. • Vulnerabilities / Patching. • Accountability. • Accessibility. • Firewalling / Traffic management. • RBAC. • etc, etc, etc…
  • 11. 11 Securing Containers – How? • Resource Control: cgroups • Discretionary Access: namespaces • Mandatory Access: AppArmor / SELinux • Fine Grained Access: seccomp Is that all…? Nothing else? SecDevOps? DevSecOps? No! There are few NextGen solutions with more in-depth approach to cover all possible conditions. Let’s see them together!
  • 12. 12 Security Solutions for Containers – Vulnerabilities • NeuVector Open Source CIS Kubernetes Benchmark https://github.com/neuvector/kubernetes-cis-benchmark
  • 13. 13 Security Solutions for Containers – Vulnerabilities • Aquasec Open Source Tools: https://github.com/aquasecurity/kube-bench Automates the CIS Benchmark for Kubernetes, making it easy for operators to check whether each node in their Kubernetes cluster is configured according to security best practices.
  • 14. 14 Security Solutions for Containers – Vulnerabilities • CoreOS Open Source Clair: https://github.com/coreos/clair/ https://coreos.com/clair/docs/latest/ Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. Since Clair image analysis is static, containers never need to be actually executed, so you can detect a security threat before is already running in your systems. Clair is the security engine that CoreOS Quay registry uses internally.
  • 15. 15 Security Solutions for Containers – Vulnerabilities • Twistlock Developer Edition Container Security : https://www.twistlock.com/products/enterprise-container-security/ https://www.twistlock.com/2016/02/17/free-developer-edition-is- here/ Vulnerability management: Scanning container images to discover vulnerabilities that may exist in the various layers of the image. Access control: Fine-grained access control capabilities to guard access to Docker commands. Runtime defence: Policy-based protection for running containers on production servers.
  • 16. 16 Security Solutions for Containers – Analysis • Anchore Open Source Container Analysis https://anchore.com/opensource/ • Pre-production analysis, vulnerability newsfeed. • Submit an Image to be analysed • See if your images have any known CVE vulnerabilities • List all of the files in a particular image • Evaluate your image against your custom security policy • Subscribe to receive notifications when an image is updated
  • 17. 17 Security Solutions for Containers – Behaviour • Sysdig Open Source Falco : https://sysdig.com/opensource/falco/ Open source, behavioural monitoring software designed to detect anomalous activity based on the Sysdig monitoring technology. Sysdig Falco also works as a intrusion detection system on any Linux host. Build rules specific to your Kubernetes clusters to enforce policy across all your containers & microservices. Complete container visibility through a single daemon. Easily build rules and get informed immediately.
  • 18. 18 Security Solutions for Containers – Distribution • Notary Open Source : https://github.com/theupdateframework/notary Image forgery and tampering is one major security concern for Docker- based deployments. Notary is a tool for publishing and managing trusted collections of content. You can approve trusted published and create signed collections, in a similar fashion to the software repository management tools present in modern Linux systems, but for Docker images. Some of Notary goals include guaranteeing image freshness (most up to date content, to avoid known vulnerabilities), trust delegation between users or trusted distribution over untrusted mirrors or transport channels. Note: See this implementation of Notary. https://theupdateframework.github.io/
  • 19. 19 What’s next…? • The future is unclear… • Hosts can be infected, images can be infected, apps can be vulnerated. • Docker images, as an example, is vulnerable to malware infection as demonstrated in last Black Hat Conference in 2017. • There’s a need for a full open source security solution for containers based on a next generation security logic: • AM + IPS + WR (mandatory) • Behaviour Monitoring (necessary) • ML + AI (optional) • Sandboxing (highly desired) • There are no open source NextGen Anti-Malware, Firewalls or IPS/IDS tools for containers today. • Why? The container ecosystem is too sparse, the CNF presents dozens of vendors/companies building solutions and standards for containers, there’s no homogeneity. There’s no alignment across the ecosystem. There’s no standard practice.
  • 20. 20 20
  • 21. 21 THANK YOU! Follow us at: @EXELERYS LINKEDIN.COM/COMPANY/EXELERYS