Securing the Lids on Containers in the Cloud
Raymond Lay, 10th April 2017

Hello Motto

WHY Container Technology

HOW Secure is it

WHAT else to consider

WHY Container Technology

Software Design Evolution…

From Monolithic To Microservices

Fast Deployment, Efficient Scaling, Design Autonomy

From Physical Servers To VMs To Containers

Speed & Scale

• More Agile
• Deliver Faster
• Better @ Packaging & Deployment
• Lower Resource Constraint

How Secure is Container Technology

Is Container Technology Inherently MORE Secure

• Namespaces provide Isolation
  • Isolate Applications from Host
  • Isolate Applications from each other
• Cgroups provide resource limiting (CPU, Memory etc)
• Reducing Surface Area of the Host (Access)
• Improved Security through restricting capabilities
• Encourage adoption of the Principle of Least Privilege
• Applications packaged in containers are “usually” more secure
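
Each control in the list above leaves a trace in a container's runtime configuration, so it can be checked. The following is an added example, not part of the original slides: it assumes Docker and the `HostConfig` section of `docker inspect` output, and the sample record and the `audit` function name are constructed for illustration.

```python
import json

# Constructed sample: the HostConfig section of `docker inspect` output for a
# hypothetical container. Field names are Docker's; the values are made up.
SAMPLE = json.loads("""
{"Name": "/web-demo",
 "HostConfig": {"Privileged": false, "PidMode": "host", "NetworkMode": "bridge",
                "IpcMode": "private", "Memory": 0, "NanoCpus": 500000000,
                "PidsLimit": null, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                "ReadonlyRootfs": false}}
""")

def audit(container):
    """Return (control, finding) pairs for settings that weaken isolation."""
    hc = container.get("HostConfig", {})
    findings = []
    # Namespaces: "host" mode means the container shares that host namespace.
    for field, ns in (("PidMode", "PID"), ("NetworkMode", "network"),
                      ("IpcMode", "IPC"), ("UTSMode", "UTS")):
        if hc.get(field) == "host":
            findings.append(("namespaces", f"shares host {ns} namespace"))
    # Cgroups: 0 or null means no limit was set for that resource.
    if not hc.get("Memory"):
        findings.append(("cgroups", "no memory limit"))
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append(("cgroups", "no CPU limit"))
    pids = hc.get("PidsLimit")
    if pids is None or pids <= 0:
        findings.append(("cgroups", "no PID limit"))
    # Capabilities: privileged mode grants all of them; otherwise flag any
    # additions and the absence of any drop from the default set.
    if hc.get("Privileged"):
        findings.append(("capabilities", "privileged mode"))
    for cap in hc.get("CapAdd") or []:
        findings.append(("capabilities", f"adds {cap}"))
    if not hc.get("CapDrop"):
        findings.append(("capabilities", "default capability set not reduced"))
    # Least privilege: flag a writable root filesystem.
    if not hc.get("ReadonlyRootfs"):
        findings.append(("least privilege", "root filesystem is writable"))
    return findings

if __name__ == "__main__":
    for control, finding in audit(SAMPLE):
        print(f"{SAMPLE['Name']}: [{control}] {finding}")
```

On a real host the same function can be fed each element of the JSON array that `docker inspect` prints.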

• Reliance on kernel features to isolate and control resources
• Assumes that containers (contained processes) are working as intended and the code deployed is secure
• The underlying OS is well-secured (hardened appropriately)
• Security patches have been integrated into deployment

It depends…

What else to Consider

Devil in the Details…

• Host Level “Root Access”
• Host Level Protection
• Container Security – Codes & Ownership
• Vulnerability Assessments
• Orchestration, Scalability & Patch Management
• Deployment with/without VMs

Threats & Defenses

[Diagram labels: Container, Application, Other Containers, Underlying OS, EXTERNAL THREATS; defenses shown: Cgroups, Namespaces, Code Reviews, Traditional Defenses]

KEY TAKEAWAYS

• Container Technology can provide Speed, Scale & Security

• Traditional InfoSec approach still applies - CIA

• Defaults <> Deployed
