Microservices docker-security
Download as PPTX, PDF0 likes180 views
This document provides 10 tips for security with new technologies like virtualization, cloud, microservices, and containers from the perspective of a security expert. It begins by noting that security is often an afterthought with new technologies and discusses specific security issues with virtual machines, cloud infrastructure, and containers. The tips are organized into three steps: understand and plan security, test and correct issues, and report and communicate security work. Specific tips include auditing infrastructure regularly, keeping technologies simple, vulnerability testing, automated security practices, and communicating security metrics to leadership.
Microservices docker-security
- 1. From virtual to cloud to microservices – 10 tips from a security perspective Sergio Loureiro, PhD CEO, Founder at SecludIT sergio@secludit.com https://secludit.com
- 2. New technology equals New security risks • Security is an after thought: Embrace change and get over it! • Virtual and Cloud are mastered, right? • Virtualization issues vs isolation: Example VENOM • Cloud Security Alliance Nefarious 12 2
- 3. New use case: Shared responsibility 3
- 4. Case Study: AWS virtual machines security • 22% of AMIs had private keys • 98% of Windows had known vulnerabilities • 2 VMs compromised in less of 1 hour • NEW: data not erased securely 4
- 5. The new kid on the block: Microservices • Applications are composed of small, independent components • Drop-in and highly decoupled blocks • Components communicate with each other using APIs • Drop-in Services are easy to replace • Developer-friendly • Nothing new -> A.K.A. SOA (Service Oriented Architecture) • Recently gained popularity thanks to REST APIs 5
- 6. Why Docker? • Simplifies packaging and deployment • Guarantees portability, flexibility, isolation (?) • Minimal requirements • Ideal for building microservice-based architectures 6
- 7. Containers to scale in the Cloud – Automation! 7
- 8. What about Container Security? • Are containers really isolated? • Are images safe? • How can we know if a container is vulnerable? • How can we assess the security of our microservice ecosystem? 8
- 9. Top 10 tips: back to the basics in 3 steps (1/3) • UNDERSTAND and PLAN 1. Audit Regularly your infrastructure, test like you test your code 2. Keep it simple… (KISS) -> containers are a good step to simplify 3. Understand and test attack surface of each technology 9
- 10. Top 10 tips: back to the basics in 3 steps (2/3) TEST and CORRECT: Operations 4. Run trusted (=tested) containers 5. Automate everything to avoid manual errors and cost reduction, use APIs, no agents 6. Perform often vulnerability assessment 7. Use tools that cope with bare metal, virtual, cloud and containers (legacy in not going to disappear) 8. Patch and Remediate rapidly or replace containers with updated versions 10
- 11. Top 10 tips: back to the basics in 3 steps (3/3) REPORT and SHOW 9. Monitor KPIs and risk, not logs and vulnerabilities -> actionable data 10. Keep C-level informed, your budget depends on that for the next new technology 11
- 12. NEW: Elastic Vulnerability Assessment for Containers • Portability of containers to improve Vulnerability Assessment 12 CLONE
- 13. Further Reading • CIS Docker Benchmark • https://docs.docker.com/engine/security/security/ • Tools: Seccomp and AppArmor • Docker Capabilities • https://opensource.com/business/14/7/docker-security-selinux • https://elastic-security.com/2016/04/11/docker-best-security-practices/ 13