Cloud Native Security: New Approach for a New Reality
- 1. Cloud-Native Security New approach for a new reality Tsvi Korren, Aqua
- 2. 2 What do we mean by Cloud-Native? Made to run in the cloud (public, private, hybrid) App payload is decoupled from the infrastructure Orchestrated for updateability, scaling and resilience App is based on loosely-coupled microservices
- 3. 3 The rules still need to apply l Risk mitigation, vulnerabilities, integrity l Deployment authorization, visibility, inventory l Operational administration and change control l Secrets management and secure configuration l Network segmentation of microservices l SOC and incident response
- 4. 4 The Challenge Cloud-Native deployments natively lack support for effective and demonstrable security required by business-critical applications Organization: DevOps ó Security Process: Where to secure Technology: How to secure
- 5. 5 Urgent need to bridge the gap CI/CD Images Kubernetes Cloud Compliance Access Controls Intrusion Prevention Forensics
- 6. 6 Changes in process Config software Assess Risk Coding Static Analysis Compile package Deploy Get Base Image Using Servers Using Containers Deploy Fix Risks Build Image Fix Risks Scan Server Get Base Image Coding Static Analysis Deploy Build Image Fix Risks Coding Static Analysis Provision Server
- 7. 7 Diminishing ability to execute controls Container Orchestration Host Network Data Center Serverless Functions App Payload Container Orchestration Host Network Data Center Containers as service App Payload Container Orchestration Host Network Data Center Managed Containers App Payload Container Orchestration Host Network Data Center Cloud VMs App Payload Container Orchestration Host Network Data Center On Premises App Payload Packaging Development Packaging Development Packaging Development Packaging Development Packaging Development
- 8. 8 Our Goal Security as a shared responsibility Automate security as a natural part of DevOps processes Protect workloads with focus on prevention Make containers the most secure, predictable and controlled platform for running critical applications
- 9. 9 We have an opportunity to be more precise Accounting for every vulnerability and possible threat is untenable Know what to keep safe, and how to defend it
- 10. 10 We have an opportunity to simplify Too many manual security options and rules become ineffective Protect immutable workloads, with rules generated over the pipeline
- 11. Stages of Cloud Native security maturity Image acceptance Run with least privileges Network controls Container immutability Application context authorization Immediate incident response Cluster Hygiene RBAC Minimal OS Compliance Checks
- 12. 12 The Orchestration System Easily misconfigured Handles Secrets Runs Everywhere Operates as root
- 13. 13 l Restrict network access to the Kubernetes API addresses and ports l Use separate authentication for each authorized user l Patch and upgrade Kubernetes as needed l Control access from production Kubernetes to public registries Kubernetes security checklist
- 15. Stages of Cloud Native security maturity Image acceptance Run with least privileges Network controls Container immutability Application context authorization Immediate incident response Image Hygiene Vulnerability scanning Compliant configuration Approved base images Cluster Hygiene RBAC Minimal OS Compliance Checks
- 16. 16 l Use the smallest image possible for your project l Avoid storing keys and other sensitive data in the image l Add the minimal number of packages required for your application l Use dedicated users, non-standard ports l Remove utilities at the end of the build (useradd, chown, curl) l Scan the finished product Image security checklist
- 17. 17 Top base container images 5.28 MB 95.93 MB 84.79 MB 192.44 MB
- 18. 18 Scanning images { "name": "CVE-2016-7444", "description": "nThe gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.nA flaw was found in the way GnuTLS validated certificates using OCSP responses. This could falsely report a certificate as valid under certain circumstances.", "nvd_score": 5, "nvd_score_version": "CVSS v2", "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "nvd_severity": "medium", "nvd_url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7444", "vendor_score": 4.3, "vendor_score_version": "CVSS v2", "vendor_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "vendor_severity": "low", "vendor_url": "https://access.redhat.com/security/cve/CVE-2016-7444", "publish_date": "2016-09-27", "modification_date": "2018-01-04", "fix_version": "3.3.26-9.el7", "solution": "Upgrade package gnutls to version 3.3.26-9.el7 or above." } Backports and fix advice NVD data and score Maintainer data and score Impact statement
- 19. 19 Beyond vulnerabilities: image content
- 20. Stages of Cloud Native security maturity Containment Image acceptance Run with least privileges Network controls Prevention Container immutability Application context authorization Immediate incident response Image Hygiene Vulnerability scanning Compliant configuration Approved base images Cluster Hygiene RBAC Minimal OS Compliance Checks
- 21. 21 Specific controls Applying Runtime controls Image authorization Runtime Policies Container profile •Non-Compliant •Unregistered •Drift Prevention •Process Blacklists •Full whitelisting General controls Secrets, Networking, Forensics NodeandKuberentesSecurity
- 23. 23 Least privilege at runtime
- 24. 24 Incident Response with servers • Suspicious activity? • Shut down service? • Requires investigation and triage • Could be an administrative action • Limited ability for narrow response • Risk of service disruption
- 25. 25 Incident Response with containers • Unauthorized action • Block specific action • Container behavior model is known • Administrative action is not allowed • Surgical preventive controls • No disruption of service
- 26. 26 l Security – Establish the policies that govern: „ Image acceptance „ Runtime behavior l DevOps – Use security advice from scanning in image builds l SOC – Receive events and respond to incidents Roles and responsibilities
- 27. 27 Same standards, escalating enforcement Sandbox Development Test/Stage Production Voluntary Mandatory Detection Enforcement Scanning as a service Scanning in the pipeline with policies Application security modeling Protecting the application
- 28. 28 Continuous discovery, image assurance Enforce immutability with drift prevention Limit user and executable use Secured secrets distribution into container Workload firewall across all interfaces Secure workload with application context Rogue deployment Malicious code injection Administration actions Compromised credentials Network connections Unknown vectors (Zero Day) Top risks addressed
- 29. 29 Where to start? n Scans Kubernetes nodes against the CIS benchmark checks n github.com/aquasecurity/ kube-bench n Scan Docker build for known vulnerabilities n Plug-in for Jenkins n github.com/aquasecurity /microscanner CIS benchmark for K8SDocker image scanner K8S penetration-testing n Tests K8s clusters against known attack vectors, both remote and internal n github.com/aquasecurity/ kube-hunter
- 30. www.aquasec.com