Container Security
Carahsoft | ENS-Inc. | Red Hat | Palo Alto Networks
We’re Proud to be a Partner with Red Hat OpenShift
Twistlock, now part of Prisma Cloud, partnered with Red Hat to support both government and enterprise customers
Numerous co-marketing efforts, including OpenShift Commons blogs, webinars, and meetup events
Prisma Cloud Defender supports RHEL and is built upon RHEL Universal Base Image (UBI)
2 | © 2020 Palo Alto Networks, Inc. All rights reserved.
The Shared Responsibility Model for Cloud-Native Applications
Cloud-Native Continues to be a Central Pillar of I&O Strategy
“Cloud-native approaches to software and service design enable enterprises to act faster, more efficiently and at greater scale: enterprises can go faster with cloud and be more efficient with microservices.”
The Cloud “OSI Model”
Physical layer: Buildings, metal, silicon
Service layer: Provider built and managed capabilities
Compute layer: Software you’re continuously making
Key Challenges Every Organization is Facing
A Growing Number of Entities to Secure
Environments are Constantly Changing
Multi and Hybrid Cloud Environments Create Complexity
Security controls don’t come built in. Security teams are the ones responsible for protecting everything!
Developers, DevOps, and Infra are building and deploying at a frantic pace, often without security guidance.
Cloud services, along with growing IaaS, PaaS, and CaaS environments, lead to a huge estate for security teams to protect.
Example Risks in Cloud-Native Applications (timeline)
February 2018: Tesla cloud resources are hacked to run cryptocurrency mining malware
June 2018: Weight Watchers IT infrastructure exposed via no-password Kubernetes server
December 2018: Kubernetes' first major security hole discovered, allowing privilege escalation, with a CVSS 9.8
February 2019: RunC container escape flaw enables root access to host system
February 2020: Unit 42 discloses 200K insecure IaC templates in use
Today, we want to focus on how you can secure your cloud native applications spanning containers, Kubernetes, and on-demand containers, both in production and across the application lifecycle.
Container Security
Container Characteristics
Minimal: Typically single process entities
Declarative: Built from images that are machine readable
Predictable: Do exactly the same thing from run to kill
What’s Difficult About Securing Containers?
Many more entities
High rate of change, much more ephemeral
Security is largely in the hands of the developer
Security must be as portable as the containers
Steps Involved with Building and Deploying Containers
Build: Developer writes a Dockerfile, which includes a base image, maintainer, run instructions, etc., that is then built into an image
Ship: Image is pushed to a registry, which can hold hundreds to thousands of images
Run: Containers are deployed individually or in groups to any public and private cloud services in use
Container template owned by the developer
Dockerfile: Includes the base image, run instructions, files to add, and ports that will be exposed
Where is the security team? The developer creates the Dockerfile, not security!
What do we see when we scan this image?
1 critical Python vulnerability
Additional High and Medium vulnerabilities: Many with vendor fixes!
No user: Image is configured to run as root
Untrusted: Twistlock shows that the image is not “Trusted”
1 DevSecOps Enablement. Integrating security across devops workflows and CI/CD pipelines.
2 Risk prioritization. Where are my microservices, what is their current risk posture, and how do I prioritize the greatest risk?
3 Protecting running workloads and apps. Ensuring my running hosts and containers are secure.
4 Network visibility and microsegmentation. Gaining real-time network visibility and securing east-west traffic flows at scale.
5 Compliance management. Achieving and maintaining compliance continuously for both internal and external frameworks.
Key Steps to Secure Containers Across the Application Lifecycle
Ship
CI/CD: Scanning images combined with enforcement
Build / Run
Vulnerability management: Global risk monitoring across hosts, containers, images and functions
Runtime defense: 4D policy creation
Cloud native firewalls: Network visibility with L4, L7
Access control: FIM, log inspection, K8s AuditSink
Compliance: Implement, monitor, and enforce CIS Benchmarks along with external compliance regimes
Protecting the running application
Visibility is critical: Especially across clusters, nodes, and hosts
Baseline of behavior: Protecting your apps at scale requires automated policy creation
Forensic data and incident response: Data needs to be efficiently collected and stored for analysis
Securing traffic between containers
Automatically enforce safe traffic flows between containers: This is difficult at scale, especially if you have to map everything yourself
Ensure containers only communicate in how they were designed: New connections are alerted on or blocked
Avoid manual rule creation that leads to rule rot
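The "baseline of behavior" and "only communicate how they were designed" points above, shown as a small learn-then-enforce loop over east-west flows. This is an added illustration, not Prisma Cloud or Twistlock code; the workload names, ports and flow records are constructed, and the learning/alert/enforce modes are assumptions about how such a policy engine is staged.

```python
"""Learned-baseline east-west policy (added example, not Prisma Cloud/Twistlock code)."""
from collections import defaultdict

# Constructed flow records as a collector might emit them: (src_workload, dst_workload, dst_port).
LEARNING_FLOWS = [
    ("web", "api", 8080), ("web", "api", 8080),
    ("api", "db", 5432), ("api", "cache", 6379),
]
# Flows observed later in production. The last two were never seen during learning.
RUNTIME_FLOWS = [
    ("web", "api", 8080), ("api", "db", 5432),
    ("web", "db", 5432),           # web talking straight to the database
    ("api", "203.0.113.7", 4444),  # outbound to an address outside the cluster (TEST-NET-3, constructed)
]


def learn_baseline(flows):
    """Map each source workload to the (destination, port) pairs it used during learning."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def to_rules(baseline):
    """Render the learned baseline as explicit allow rules, so nobody hand-writes them (no rule rot)."""
    return sorted(f"allow {src} -> {dst}:{port}"
                  for src, pairs in baseline.items() for dst, port in pairs)


def enforce(baseline, flows, mode="alert"):
    """Classify each flow: known pairs are allowed; unknown pairs are alerted on, or blocked in enforce mode."""
    verdicts = []
    for src, dst, port in flows:
        if (dst, port) in baseline.get(src, set()):
            verdicts.append((src, dst, port, "allow"))
        else:
            verdicts.append((src, dst, port, "block" if mode == "enforce" else "alert"))
    return verdicts


if __name__ == "__main__":
    learned = learn_baseline(LEARNING_FLOWS)
    print("\n".join(to_rules(learned)))
    for verdict in enforce(learned, RUNTIME_FLOWS, mode="enforce"):
        print(verdict)
```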
Ensuring compliance
Ensure compliance for internal or external regimes: Needs to be customized for each environment
CIS Benchmarks are essential: Gaps need to be eliminated; a full-stack approach is essential
Integrate compliance into CI/CD
Integrating into CI/CD
Devs and DevOps own a huge part of container security
Accuracy meets speed: Provide results right in native tooling as well as central Console
Don’t just identify, enforce: If you can block a critical vulnerability with a vendor fix, do it now! Shift left where you can!
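A CI gate that applies the "don't just identify, enforce" rule to the kind of findings the scan slide lists (a critical Python vulnerability with a vendor fix, an image with no USER, an image not marked trusted). This is an added example, not Prisma Cloud, Twistlock or twistcli code; the report layout, policy fields and vulnerability ids are constructed placeholders.

```python
"""CI gate over an image scan report (added example, not Prisma Cloud/Twistlock code)."""
from dataclasses import dataclass

# Constructed scan report modelled on the findings on the scan slide. Ids are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "image": "registry.example/app:1.0",
    "user": "",          # empty USER => the container runs as root
    "trusted": False,    # image not from a trusted base/registry
    "vulnerabilities": [
        {"id": "CVE-PLACEHOLDER-1", "package": "python", "severity": "critical", "fix_version": "3.8.3"},
        {"id": "CVE-PLACEHOLDER-2", "package": "openssl", "severity": "high", "fix_version": ""},
        {"id": "CVE-PLACEHOLDER-3", "package": "zlib", "severity": "medium", "fix_version": "1.2.12"},
    ],
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GatePolicy:
    block_severity: str = "critical"  # block findings at or above this severity...
    only_if_fixable: bool = True      # ...but only when the vendor ships a fix (shift left where you can)
    require_non_root: bool = True
    require_trusted: bool = True


def evaluate(report, policy=None):
    """Return (passed, reasons); reasons lists why the build must fail."""
    policy = policy or GatePolicy()
    reasons = []
    threshold = SEVERITY_RANK[policy.block_severity]
    for v in report["vulnerabilities"]:
        if SEVERITY_RANK[v["severity"]] < threshold:
            continue
        if policy.only_if_fixable and not v["fix_version"]:
            continue  # nothing to upgrade to: report it, but do not block the pipeline
        reasons.append(f"{v['id']} ({v['severity']}) in {v['package']}, fixed in {v['fix_version']}")
    if policy.require_non_root and report["user"] in ("", "root", "0"):
        reasons.append("image runs as root (no USER instruction)")
    if policy.require_trusted and not report["trusted"]:
        reasons.append("image is not trusted")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = evaluate(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL")
    for reason in why:
        print(" -", reason)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```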
Demo
Thank you
paloaltonetworks.com