Securing Docker on AWS
Container Architecture – How to Secure?
Diagram (container architecture): a bare-metal stack (Physical Hardware, Host OS, Container Runtime) beside a virtualized stack (Physical Hardware, Virtual Machine Manager, Guest OS 1 and Guest OS 2, each with its own Container Runtime 1 / Container Runtime 2). Above them a Registry holds Image A, Image B and Image C; running MyApp launches nine containers (4x Image A, 2x Image B, 3x Image C), grouped into Microservice A, Microservice B and Microservice C, under an Orchestration layer.
1. Deploy separate VMs or even physical hosts for separate workload types (e.g., PCI vs. web traffic)
2. Bastion hosts, security groups
3. Keep kernel patches up-to-date… remember WannaCry ransomware?
4. Deploy a hardened and patched OS.
5. Need a container-specific mechanism that also takes into account image security – can’t use generic tools
6. Integrate with CI/CD pipeline
7. Understand networking implications
8. Embrace immutable infrastructures
9. Secure all five layers in diagram at right
Docker Adoption & Container Lifetime = Need for Continuous Security
OS containers are not inherently unsecure, but are being deployed unsecurely, driven by developers and a need for agility in service development and deployment. Security and risk management leaders must address container security issues around vulnerabilities, visibility, compromise and compliance.
Continuous Security Assessment and Remediation for Hybrid Workloads
Diagram (pipeline): stages Develop/Build, Test/Modify and Release/Production, with Cavirin image scanning and CIS Benchmark container hardening (covering host, VM and image) feeding back into each stage through a Feedback Loop.
1: Pulls latest signed image (from a Public or Private Registry)
2: Image assessed and corrected
3: Commits code to the CI/CD System
4: Sends signed images to the registry
5: Triggers update of Staging
6: Pulls latest stable image
7: Container assessed and corrected
8: Verified Container Deployed to Production
Components shown: Docker Content Trust, EC2 Container Registry, Public Registry, Elastic Beanstalk, EC2 w/ Docker, EC2 Container Service, CloudFormation Docker Datacenter Quick Start, PCI DSS Quick Start, CloudTrail; Orchestration assessed against the CIS Benchmark, optionally via Rancher & Kubernetes.
Best Practices
Reduce Clutter
Use Trusted Image
Sign Images and Verify
Enforce Secrets Management
Network Segmentation
User Authentication
Operations Governance
Intrusion Detection
Container Orchestration
Container Network Segmentation
Container User Access
Host Operating System
Container Runtime Environment
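Step 7 of the pipeline above (container assessed and corrected) and several of the best practices listed here (trusted image, secrets management, container user access, network segmentation, runtime hardening) can be expressed as a policy check over `docker inspect` output. The following is an added example, not code from the deck or from Cavirin; its two inspect documents and the ECR registry prefix are constructed placeholders.

```python
import json
# Constructed `docker inspect` samples (not from the deck): weak, then corrected.
WEAK_INSPECT = json.dumps([{
    "Config": {"Image": "docker.io/library/myapp:latest", "User": "",
               "Env": ["APP_ENV=prod", "DB_PASSWORD=hunter2"]},
    "HostConfig": {"Privileged": True, "NetworkMode": "host",
                   "CapAdd": ["SYS_ADMIN"], "ReadonlyRootfs": False},
}])
HARDENED_INSPECT = json.dumps([{
    "Config": {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:1.4.2",
               "User": "1000:1000", "Env": ["APP_ENV=prod"]},
    "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                   "CapAdd": None, "ReadonlyRootfs": True},
}])
# Placeholder private registry prefix; substitute your own ECR repository.
TRUSTED_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com/"
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def assess_container(inspect_json, trusted_registry=TRUSTED_REGISTRY):
    """Return a list of (practice, finding) pairs for one container."""
    c = json.loads(inspect_json)[0]
    cfg, host = c["Config"], c["HostConfig"]
    findings = []
    # Use trusted image: only images from the private registry are allowed
    if not cfg["Image"].startswith(trusted_registry):
        findings.append(("trusted-image", f"{cfg['Image']} not from {trusted_registry}"))
    # Container user access: an empty User means the process runs as root
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append(("user-access", "container runs as root"))
    # Secrets management: credentials should not travel in environment variables
    for kv in cfg.get("Env") or []:
        name = kv.split("=", 1)[0]
        if any(m in name.upper() for m in SECRET_MARKERS):
            findings.append(("secrets", f"possible secret in env var {name}"))
    # Container runtime environment (CIS-style): no privileged mode, no extra caps, read-only rootfs
    if host.get("Privileged"):
        findings.append(("runtime", "privileged mode enabled"))
    for cap in host.get("CapAdd") or []:
        findings.append(("runtime", f"extra capability {cap}"))
    if not host.get("ReadonlyRootfs"):
        findings.append(("runtime", "root filesystem is writable"))
    # Container network segmentation: host networking bypasses namespace isolation
    if host.get("NetworkMode") == "host":
        findings.append(("network-segmentation", "shares the host network namespace"))
    return findings


def is_verified(inspect_json):
    """Step 7 gate: a container is deployable only when assessment returns no findings."""
    return not assess_container(inspect_json)
```

Run `assess_container` over the real `docker inspect <id>` JSON in the Test/Modify stage and let `is_verified` decide whether step 8 proceeds.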