Evolution of Container Security - What's Next?
3 likes377 views
The presentation covers the evolution of container security, emphasizing the importance of understanding containers within their larger context and market trends. It discusses various phases in the container lifecycle, highlighting security considerations during the build, ship, and run phases, as well as the challenges posed by emerging technologies like service meshes and serverless functions. Key recommendations include focusing beyond runtime security, integrating with DevOps, and utilizing open-source tools for vulnerability scanning and hardening.
Evolution of Container Security - What's Next?
- 1. EVOLUTION OF CONTAINER SECURITY: WHAT'S NEXT? BSides Toronto 2018 Fernando Montenegro (@fsmontenegro)
- 2. Key Objectives • Present containers in context • Touch on key market trends • Discuss what’s next Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 2
- 3. Disclaimer Opinions as Analyst (i.e. “Reserve right to be wrong”) Vendor names not endorsements Vendor list representative not comprehensive Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 3
- 4. Research Methodology • 451 Voice of the Enterprise • Briefings, Inquiries, Research 60,000+ members ▪Quarterly insights: ▪Workloads & Projects ▪Organizational Dynamics ▪Vendor Evaluations ▪Budgets & Insights ▪ 100s of hours • Enterprise IT • Service Providers • Security vendors • Finance professionals ▪ Qualitative research ▪ Independent 4
- 5. •Source: 451 Research, Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2018 •Q4. Which of the following IaaS features is your organization using in connection with your IaaS/public cloud deployment? Please select all that apply. • 45% 42% 41% 37% 33% 30% 25% 23% 22% 21% 16% 14% 5% 8% Relational database Data/business analytics Containers Auto-scaling Data warehouse Serverless compute/function as a service NoSQL database Real-time/streaming data processing Machine learning Mobile services IoT platform Large-scale/batch data transfer Other None % of respondents (n = 322) IaaS features currently in use IaaS/public cloud users 5
- 6. •Source: 451 Research, Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2018 •Q5. Which of the following IaaS features is your organization planning to begin using in connection with IaaS/public cloud services during the next year? Please select all that apply. • 27% 19% 18% 16% 16% 15% 15% 13% 12% 12% 12% 10% 2% 18% Machine learning Containers Data/business analytics Serverless compute/function as a service Real-time/streaming data processing Auto-scaling IoT platform Relational database Data warehouse Mobile services NoSQL database Large-scale/batch data transfer Other None % of respondents (n = 268) IaaS features planned for implementation IaaS/public cloud users 6
- 7. •Source: 451 Research, Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2018 •Q15. When developing cloud-native software, which, if any, of the following approaches does your organization take to designing that software? • 32% 30% 22% 17% Design it to run effectively on any cloud environment Design it to run on a specific public cloud environment Design it to run effectively on any public cloud environment Design it to run on our own private cloud % of respondents (n = 266) Approaches to cloud-native software development Respondents developing cloud-native or cloud-enabled software 7
- 8. Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 8
- 9. Container Lifecycle Technology Considerations Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 9
- 10. Container Architecture/Security Src:xebia.comSrc:xebia.com Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 10
- 11. CI/CD pipeline Artifact Download Container Registries Container Runtime Environments Build Ship Run Host Runtime Workload at Runtime Orchestrator Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 11
- 12. Build time considerations • Application Security • Secure Coding Practices • SAST / DAST • Image Scanning on Build/Pull • Vulnerability Management • Software Composition Analysis • Policy Compliance • Issues as Defects • Image signing • Attack Surface Reduction • Multi-stage builds Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 12
- 13. Ship time considerations • Image Registries: • Vulnerability Management • Regular Scans • Maintain deployment info • Flag age & vulnerability • RBAC • Limit user privileges • Orchestrator (k8s): • Configuration management • Open APIs • Secrets management integration • RBAC • Traffic segregation • Networking • Docker bridge vs Kubernetes CNI • L4/L7 policies Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 13
- 14. Run time considerations • Host protection • Hardening • CIS Benchmarks • Container-friendly OS • Network segregation • Protect APIs • Patching • Logging and auditing • Container runtime • Least privilege • Container firewalls • Alternate runtimes • CRI-O • kata containers (clear containers) • gVisor • Windows Hyper-V containers • Activity monitoring, logging & auditing • Vulnerability tracking Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 14
- 15. Container Security Trends Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 15
- 16. Evolving Container Governance • 800-190 Container Security Guidance • Sep 2017 • Docker • Kubernetes • * • Image Spec • Runtime Spec • Kubernetes • Networking • Monitoring Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 16
- 17. Key points NIST 800-190 • Fix organizational aspects • Container-specific OS vs general purpose • Group containers by sensitivity • Container-specific tooling (vulnerability, runtime) • Hardware-based root of trust Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 17
- 18. Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 18
- 19. Rise of ‘Managed’ Runtime Orchestrator (ECS/EKS, AKS, GKE) requests container execution CSP transparently instantiates container Security challenges: • No host to monitor from • Ephemeral workloads (by design) • Code issues remain (input sanitization, 3rd party libraries, …) Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 19
- 20. Competing Commercial Offerings Benefits Drawbacks Richer container- specific features Additional vendor to manage. Benefits Drawbacks Opportunities for consolidation More limited function set Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 20
- 21. Competing Commercial Offerings Benefits Drawbacks Overarching platforms with rich feature sets Usually limited support for newer features Benefits Drawbacks Ease of deployment and integration Limited portability Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 21
- 22. Moving Forward – What’s Next? Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 22
- 23. Service Mesh (Istio/Linkerd/…) • Mission-critical functions • Traffic Management • Routing, Access Control, … • Observability • Security • Security • Traffic Encryption • Mutual TLS & fine-grained Policies • Auditing Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 23 Src:Istio
- 24. CI/CD pipeline Artifact Download Container Registries Container Runtime Environments Build Ship Run Host Runtime Workload at Runtime Orchestrator Service Mesh Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 24
- 25. Event-driven Functions as a Service (aka “Serverless”) • No visible footprint • Instantiated as provider-managed containers • Examples • AWS Lambda • Azure Functions • Google Functions • OpenWhisk • Kubeless • Security challenges: • No host to monitor from • Ephemeral workloads (by design) • Code issues remain (input sanitization, 3rd party libraries, …) Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 25 Src:AWS
- 26. Recap - Key Objectives • Present containers in context • Container adoption trends • Build, Ship, Run • Touch on key market trends • Governance, Competition, Services • Discuss what’s next • Service Mesh, Serverless • Recommendations Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 26
- 27. Recommendations for security • A LOT more to “securing containers” than “container security” • Look beyond container runtime security • Consider diminishing control over runtime environment • DevOps Integration is essential • How to split your time 50-60 20-30 10-20 Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 27
- 28. Open Source and News References Project Name Type URL Clair Vulnerability Scanning https://github.com/coreos/clair Microscanner Vulnerability Scanning https://github.com/aquasecurity/microscanner Dagda Vulnerability Scanning https://github.com/eliasgranderubio/dagda Docker-bench Hardening https://github.com/docker/docker-bench-security Kube-bench Hardening https://github.com/aquasecurity/kube-bench Falco Monitoring https://github.com/draios/falco/ Kube-hunter Other https://github.com/aquasecurity/kube-hunter Cilium Other https://cilium.io/ Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 28
- 29. @fsmontenegro Evolution of Container Security - BSidesTO 2018 - F.Montenegro 9/29/2018 29