SlideShare une entreprise Scribd logo

Security for cloud native workloads

Télécharger en tant que PPTX, PDF
Runcy Oommen
Runcy Oommen

Session on security for cloud native workloads at the DevSecOps conf (Virtual) 2021

Technologie
1  sur  36
Security for Cloud Native Workloads 22-May-2021 | DevSecOps Conf 2020 Runcy Oommen
|In brief| Generic cloud native & cloud security overview Shared responsibility model Microservices security Containers v/s Serverless Securing the container lifecycle Kubernetes security improvements
Career  Principal SDE, SONICWALL, 18+ yrs. industry experience primarily in systems, cloud (private/public), security, networking  10x multi-cloud certified (GCP, AWS, Azure, CNCF)  Patent (India) in cloud security around distributed data storage  Interested in serverless, containers and cloud native offerings. Firm believer of a multi-hybrid cloud future Community  Organizer of GDG Cloud, AWS user Group and Cloud Native meetup groups in Bangalore  Regular speaker at domestic and international cloud, tech & security conferences  Multiple hackathon wins in cloud/security topics.  Recognized by Google as a community influencer [~]$ whoami runcyoommen https://runcy.me
What does “Cloud Native” mean? A cloud computing approach to build & run scalable apps in modern environments such as public, private and hybrid clouds. Technologies such as containers, microservices, serverless and immutable infrastructure, deployed are elements of this architecture. Reference: https://en.wikipedia.org/wiki/Cloud_native_computin
IT infrastructure & landscape has undergone a paradigm shift…
Traditional view runcyoommen
Modern view PaaS
So, how exactly should cloud native security differ from traditional network security?
Ubiquitous The cloud is always reachable from anywhere, any time, any device Scalable You can add new features and support users without breaking a sweat Integrated Security and other services talk to each other for full visibility Comprehensive The Cloud scans every byte – ingress and egress – including SSL & CDN Intelligent The cloud learns from every user, network and traffic Important facets of cloud Available Capabilities can be guaranteed to remain accessible runcyoommen
Cloud Features v/s Security Balances  Agility  Self service  Scale  Automation  Gatekeeper  Standards  Control  Centralized  Pay as you go  Timely alerts
Shared Responsibility Model
MONOLITH M-I-C-R-O-S-E-R-V-I-C-E-S Let’s begin the journey… from to
VM Container
 Portability – By abstracting applications from host, it’s easier to run on any platform or cloud  Scalability – Containerized applications holds the ability to handle increasing workloads  Fast Development – Allows developers to change and track changes in the platform’s source code ensuring high productivity  Security – App isolation ensures that separate containers run independently  Continuity – Failure of one will not influence the state of others  Easy Management – Orchestration performs application management, automated installation and workload management runcyoommen
How did we get here?
The stack of *SECURITY* responsibilities… Sys Admin DevOps Develope r
SECURING THE CONTAINER LIFECYCLE BUILD SHIP DEPLOY RUN Image Quality, Exposure Risk Trust, Integrity Assurance Resource, Access Control Process, Network, Secrets VISIBILITY ►Risk posture of the images is not completely understood ►Unclear as to where security should fit in the process ►Containers are not visible with current security tools ►Reliance on open source and external components used
SECURITY STARTS IN THE BUNDLE PHASE BUILD SHIP DEPLOY RUN • Make sure base images are secure • Scan for vulnerabilities on the finished product • Maintain configuration standards • Share info between Dev, Ops, Sec
ADD ENFORCEMENT OF IMAGE USAGE BUILD SHIP DEPLOY RUN • Deny unknown images or registries • Accept images based on risk • Maintain integrity of images
LIMIT ACCESS TO CONTAINER ENGINE BUILD SHIP DEPLOY RUN • Separate automation from human actions • Control parameters that elevate privilege • Permissions on volumes, network etc… • Maintain audit trail with accountable user
GRANULAR RUNNING OF CONTAINERS BUILD SHIP DEPLOY RUN • Resource management • Protect sensitive data • Network segmentation • Fine-grained app controls
Let’s summarize container security • Prevent unknown images Production Host • Stop user privilege escalation • Stop suspicious processes • Enforce network isolation • Encrypt sensitive vars/params • Swear by automation and tools • Visibility across the environment runcyoomme
KUBERNETES SECURITY IMPROVEMENTS Disable Anonymous Authentication Configure Admission Controllers Pod Security Policies Enable Authz with RBAC Network Policies for Segmentation
• Disable anonymous authentication Generally two types of users exist: – Normal Users (managed by outside entities like LDAP, AD etc.) – Service Accounts (managed by K8s API with credentials as secrets) Anything else is treated as anonymous request – Given a username system:anonymous and group system:unauthenticated For e.g. with token authentication & anonymous access enabled, a request with an invalid bearer token would receive a 401 error; a request providing no bearer token would be treated as an anonymous request. Recommendation: Disable this mode by passing --anonymous-auth=false option to API server
• Configure admission controllers – Intercepts requests to create, delete, modify or connect to proxy – “validating” or “mutating” (able to modify the object they admit) Syntax: Replace what appears after = with name of the admission controller --enable-admission-plugins=NameOfController,NameOfController2 Recommendation: * Enable below admission controllers by default LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,Names paceLifecycle,ServiceAccount,MutatingAdmissionWebhook,Validati ngAdmissionWebhook,Priority,ResourceQuota,PodSecurityPolicy * Enable ValidatingAdmissionWebhook to validate K8s resources during create, update, and delete operations * Ensure AlwaysPullImages is set to make sure private images are only pulled by those who have the credentials.
• Disable public access to cluster • Pod security policies – Defined as a cluster level resource that controls security sensitive aspects – Conditions for pod to be admitted in system – Target pod’s service account must be authorized for this policy – Implemented as an optional (but recommended) admission controller – Never expose remote connectivity to your nodecluster – Use a bastion host in your management VPC – Ensure it is peered with the cluster network for connectivity
• Enable authorization with RBAC – Method of regulating access to resources based on the roles of individual users – RBAC uses the rbac.authorization.k8s.io API group to drive authz decisions Syntax: Start the API server with the authorization-mode flag for RBAC kube-apiserver --authorization-mode=RBAC Potential Mistakes: – Make sure cluster-admin role is not granted unnecessarily (especially during the transition from legacy ABAC controller to RBAC) – Role aggregation (K8s v1.9), if not carefully reviewed can lead to improper usage – Duplicated role grant may happen; subjects get same access in more than one way – Unused roles to subjects that do not exist (deleted service accounts) can make it difficult to see configurations that do matter.
• Network policies for segmentation – Specification of how groups of pods can communicate with each other and other network endpoints – When no network policies are applied, then all connections to and from it are permitted – Notion of “pod isolation” which means that pods are isolated if at least one network policy applies to them – Intricate and difficult to understand for proper usage. Network plugins recommended from Calico, Cilium, Kube-router, Romana and Weave Net
Conclusion  Think security early and anticipate for future growth. Honestly, it’s nothing but a mindset!  Focus on logical and organizational structure to engrave it into your environment  Enablement to move fast and break things but protect from themselves  Apply security controls at the layers that make the most sense  Security is no longer about a “layer on top”. Ensure it at every step of the SDLC and throughout the stack
Questions | Comments | Discussions runcyoommen https://runcy.me Runcy Oommen

Recommandé

Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCarlos Andrés García
 
Cloud Security Introduction
Cloud Security IntroductionCloud Security Introduction
Cloud Security IntroductionGLC Networks
 
Security hardening of core AWS services
Security hardening of core AWS servicesSecurity hardening of core AWS services
Security hardening of core AWS servicesRuncy Oommen
 
Designing A Platform Agnostic HA System
Designing A Platform Agnostic HA SystemDesigning A Platform Agnostic HA System
Designing A Platform Agnostic HA SystemRuncy Oommen
 
The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security IssuesHTS Hosting
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYMaganathin Veeraragaloo
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpointCloudPassage
 

Recommandé

Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCarlos Andrés García
 
Cloud Security Introduction
Cloud Security IntroductionCloud Security Introduction
Cloud Security IntroductionGLC Networks
 
Security hardening of core AWS services
Security hardening of core AWS servicesSecurity hardening of core AWS services
Security hardening of core AWS servicesRuncy Oommen
 
Designing A Platform Agnostic HA System
Designing A Platform Agnostic HA SystemDesigning A Platform Agnostic HA System
Designing A Platform Agnostic HA SystemRuncy Oommen
 
The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security IssuesHTS Hosting
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYMaganathin Veeraragaloo
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpointCloudPassage
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftAlert Logic
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Priyanka Aash
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
Cloud security
Cloud securityCloud security
Cloud securityJhanvi Dattani
 
Microsoft Azure Security Infographic
Microsoft Azure Security InfographicMicrosoft Azure Security Infographic
Microsoft Azure Security InfographicMicrosoft Azure
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSAlert Logic
 
Cloud security (domain11 14)
Cloud security (domain11 14)Cloud security (domain11 14)
Cloud security (domain11 14)Maganathin Veeraragaloo
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and predictionVishwas Manral
 
Unified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureUnified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureMarketingArrowECS_CZ
 
Cloud Security
Cloud Security Cloud Security
Cloud Security Giovanni Mazzeo
 
Cloud security
Cloud securityCloud security
Cloud securityTushar Kayande
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsColorTokens Inc
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHansFarroCastillo1
 

Contenu connexe

Tendances

Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftAlert Logic
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Priyanka Aash
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
Microsoft Azure Security Infographic
Microsoft Azure Security InfographicMicrosoft Azure Security Infographic
Microsoft Azure Security InfographicMicrosoft Azure
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSAlert Logic
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and predictionVishwas Manral
 
Unified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureUnified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureMarketingArrowECS_CZ
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsColorTokens Inc
 

Tendances (20)

Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
Cloud security
Cloud securityCloud security
Cloud security
 
Microsoft Azure Security Infographic
Microsoft Azure Security InfographicMicrosoft Azure Security Infographic
Microsoft Azure Security Infographic
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
 
Cloud security (domain11 14)
Cloud security (domain11 14)Cloud security (domain11 14)
Cloud security (domain11 14)
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and prediction
 
Unified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureUnified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud Infrastructure
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
Cloud security
Cloud securityCloud security
Cloud security
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
 

Similaire à Security for cloud native workloads

12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHansFarroCastillo1
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...DevOps.com
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsAbdul Khan
 
Open shift and docker - october,2014
Open shift and docker - october,2014Open shift and docker - october,2014
Open shift and docker - october,2014Hojoong Kim
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Orchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverlessOrchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverlessOrchestrated.
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Docker, Inc.
 
TransitioningToMicroServonDocker_MS
TransitioningToMicroServonDocker_MSTransitioningToMicroServonDocker_MS
TransitioningToMicroServonDocker_MSLana Kalashnyk
 
Halifax DevOps - Meet-up - July.19 2017
Halifax DevOps - Meet-up - July.19 2017Halifax DevOps - Meet-up - July.19 2017
Halifax DevOps - Meet-up - July.19 2017Kyle Bassett
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...AlgoSec
 
Cloud security introduction
Cloud security introductionCloud security introduction
Cloud security introductionCalvin Lee
 
Operational Visibiliy and Analytics - BU Seminar
Operational Visibiliy and Analytics - BU SeminarOperational Visibiliy and Analytics - BU Seminar
Operational Visibiliy and Analytics - BU SeminarCanturk Isci
 
Kubernetes from the Ground Up
Kubernetes from the Ground UpKubernetes from the Ground Up
Kubernetes from the Ground UpDustin Humphries
 
What's New in Docker - February 2017
What's New in Docker - February 2017What's New in Docker - February 2017
What's New in Docker - February 2017Patrick Chanezon
 
8 - OpenShift - A look at a container platform: what's in the box
8 - OpenShift - A look at a container platform: what's in the box8 - OpenShift - A look at a container platform: what's in the box
8 - OpenShift - A look at a container platform: what's in the boxKangaroot
 

Similaire à Security for cloud native workloads (20)

12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
 
Open shift and docker - october,2014
Open shift and docker - october,2014Open shift and docker - october,2014
Open shift and docker - october,2014
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 3 - Operational...
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Orchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverlessOrchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverless
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...
 
TransitioningToMicroServonDocker_MS
TransitioningToMicroServonDocker_MSTransitioningToMicroServonDocker_MS
TransitioningToMicroServonDocker_MS
 
Halifax DevOps - Meet-up - July.19 2017
Halifax DevOps - Meet-up - July.19 2017Halifax DevOps - Meet-up - July.19 2017
Halifax DevOps - Meet-up - July.19 2017
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
 
Cloud security introduction
Cloud security introductionCloud security introduction
Cloud security introduction
 
Operational Visibiliy and Analytics - BU Seminar
Operational Visibiliy and Analytics - BU SeminarOperational Visibiliy and Analytics - BU Seminar
Operational Visibiliy and Analytics - BU Seminar
 
Kubernetes from the Ground Up
Kubernetes from the Ground UpKubernetes from the Ground Up
Kubernetes from the Ground Up
 
What's New in Docker - February 2017
What's New in Docker - February 2017What's New in Docker - February 2017
What's New in Docker - February 2017
 
8 - OpenShift - A look at a container platform: what's in the box
8 - OpenShift - A look at a container platform: what's in the box8 - OpenShift - A look at a container platform: what's in the box
8 - OpenShift - A look at a container platform: what's in the box
 

Plus de Runcy Oommen

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Security enhancements for popular GCP services
Security enhancements for popular GCP servicesSecurity enhancements for popular GCP services
Security enhancements for popular GCP servicesRuncy Oommen
 
Serverless solution architecture in AWS
Serverless solution architecture in AWSServerless solution architecture in AWS
Serverless solution architecture in AWSRuncy Oommen
 
Europe Cloud Summit - Security hardening of public cloud services
Europe Cloud Summit - Security hardening of public cloud servicesEurope Cloud Summit - Security hardening of public cloud services
Europe Cloud Summit - Security hardening of public cloud servicesRuncy Oommen
 
Serverless security for multi cloud workloads
Serverless security for multi cloud workloadsServerless security for multi cloud workloads
Serverless security for multi cloud workloadsRuncy Oommen
 
Building AWS native serverless website
Building AWS native serverless websiteBuilding AWS native serverless website
Building AWS native serverless websiteRuncy Oommen
 
GCDC Bengaluru - Community Growth Hacking
GCDC Bengaluru - Community Growth HackingGCDC Bengaluru - Community Growth Hacking
GCDC Bengaluru - Community Growth HackingRuncy Oommen
 
Earth Engine on Google Cloud Platform (GCP)
Earth Engine on Google Cloud Platform (GCP)Earth Engine on Google Cloud Platform (GCP)
Earth Engine on Google Cloud Platform (GCP)Runcy Oommen
 
Get your Git on GitHub
Get your Git on GitHubGet your Git on GitHub
Get your Git on GitHubRuncy Oommen
 
Run C++ as serverless with GCP Cloud Functions
Run C++ as serverless with GCP Cloud FunctionsRun C++ as serverless with GCP Cloud Functions
Run C++ as serverless with GCP Cloud FunctionsRuncy Oommen
 
Effective Tech Community Engagement - Best Practices
Effective Tech Community Engagement - Best PracticesEffective Tech Community Engagement - Best Practices
Effective Tech Community Engagement - Best PracticesRuncy Oommen
 
Rajasthan IT Day Hackathon Finals
Rajasthan IT Day Hackathon FinalsRajasthan IT Day Hackathon Finals
Rajasthan IT Day Hackathon FinalsRuncy Oommen
 
Arvind Brands - Hackathon - Solution Idea
Arvind Brands - Hackathon - Solution IdeaArvind Brands - Hackathon - Solution Idea
Arvind Brands - Hackathon - Solution IdeaRuncy Oommen
 
Intro to Virtualization - 10000 feet view
Intro to Virtualization - 10000 feet viewIntro to Virtualization - 10000 feet view
Intro to Virtualization - 10000 feet viewRuncy Oommen
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshopRuncy Oommen
 
Accenture Hack Forward - Finals
Accenture Hack Forward - FinalsAccenture Hack Forward - Finals
Accenture Hack Forward - FinalsRuncy Oommen
 
Unilever Hackathon
Unilever HackathonUnilever Hackathon
Unilever HackathonRuncy Oommen
 
Hybrid (Windows + Linux) Apps with Docker Swarm
Hybrid (Windows + Linux) Apps with Docker SwarmHybrid (Windows + Linux) Apps with Docker Swarm
Hybrid (Windows + Linux) Apps with Docker SwarmRuncy Oommen
 

Plus de Runcy Oommen (20)

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Security enhancements for popular GCP services
Security enhancements for popular GCP servicesSecurity enhancements for popular GCP services
Security enhancements for popular GCP services
 
Serverless solution architecture in AWS
Serverless solution architecture in AWSServerless solution architecture in AWS
Serverless solution architecture in AWS
 
Europe Cloud Summit - Security hardening of public cloud services
Europe Cloud Summit - Security hardening of public cloud servicesEurope Cloud Summit - Security hardening of public cloud services
Europe Cloud Summit - Security hardening of public cloud services
 
Cloud & GCP 101
Cloud & GCP 101Cloud & GCP 101
Cloud & GCP 101
 
Serverless security for multi cloud workloads
Serverless security for multi cloud workloadsServerless security for multi cloud workloads
Serverless security for multi cloud workloads
 
Building AWS native serverless website
Building AWS native serverless websiteBuilding AWS native serverless website
Building AWS native serverless website
 
Get to know Git
Get to know GitGet to know Git
Get to know Git
 
GCDC Bengaluru - Community Growth Hacking
GCDC Bengaluru - Community Growth HackingGCDC Bengaluru - Community Growth Hacking
GCDC Bengaluru - Community Growth Hacking
 
Earth Engine on Google Cloud Platform (GCP)
Earth Engine on Google Cloud Platform (GCP)Earth Engine on Google Cloud Platform (GCP)
Earth Engine on Google Cloud Platform (GCP)
 
Get your Git on GitHub
Get your Git on GitHubGet your Git on GitHub
Get your Git on GitHub
 
Run C++ as serverless with GCP Cloud Functions
Run C++ as serverless with GCP Cloud FunctionsRun C++ as serverless with GCP Cloud Functions
Run C++ as serverless with GCP Cloud Functions
 
Effective Tech Community Engagement - Best Practices
Effective Tech Community Engagement - Best PracticesEffective Tech Community Engagement - Best Practices
Effective Tech Community Engagement - Best Practices
 
Rajasthan IT Day Hackathon Finals
Rajasthan IT Day Hackathon FinalsRajasthan IT Day Hackathon Finals
Rajasthan IT Day Hackathon Finals
 
Arvind Brands - Hackathon - Solution Idea
Arvind Brands - Hackathon - Solution IdeaArvind Brands - Hackathon - Solution Idea
Arvind Brands - Hackathon - Solution Idea
 
Intro to Virtualization - 10000 feet view
Intro to Virtualization - 10000 feet viewIntro to Virtualization - 10000 feet view
Intro to Virtualization - 10000 feet view
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshop
 
Accenture Hack Forward - Finals
Accenture Hack Forward - FinalsAccenture Hack Forward - Finals
Accenture Hack Forward - Finals
 
Unilever Hackathon
Unilever HackathonUnilever Hackathon
Unilever Hackathon
 
Hybrid (Windows + Linux) Apps with Docker Swarm
Hybrid (Windows + Linux) Apps with Docker SwarmHybrid (Windows + Linux) Apps with Docker Swarm
Hybrid (Windows + Linux) Apps with Docker Swarm
 

Dernier

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Dernier (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

Security for cloud native workloads

  • 1. Security for Cloud Native Workloads 22-May-2021 | DevSecOps Conf 2020 Runcy Oommen
  • 2. |In brief| Generic cloud native & cloud security overview Shared responsibility model Microservices security Containers v/s Serverless Securing the container lifecycle Kubernetes security improvements
  • 3. Career  Principal SDE, SONICWALL, 18+ yrs. industry experience primarily in systems, cloud (private/public), security, networking  10x multi-cloud certified (GCP, AWS, Azure, CNCF)  Patent (India) in cloud security around distributed data storage  Interested in serverless, containers and cloud native offerings. Firm believer of a multi-hybrid cloud future Community  Organizer of GDG Cloud, AWS user Group and Cloud Native meetup groups in Bangalore  Regular speaker at domestic and international cloud, tech & security conferences  Multiple hackathon wins in cloud/security topics.  Recognized by Google as a community influencer [~]$ whoami runcyoommen https://runcy.me
  • 4. What does “Cloud Native” mean? A cloud computing approach to build & run scalable apps in modern environments such as public, private and hybrid clouds. Technologies such as containers, microservices, serverless and immutable infrastructure, deployed are elements of this architecture. Reference: https://en.wikipedia.org/wiki/Cloud_native_computin
  • 5. IT infrastructure & landscape has undergone a paradigm shift…
  • 8. So, how exactly should cloud native security differ from traditional network security?
  • 9. Ubiquitous The cloud is always reachable from anywhere, any time, any device Scalable You can add new features and support users without breaking a sweat Integrated Security and other services talk to each other for full visibility Comprehensive The Cloud scans every byte – ingress and egress – including SSL & CDN Intelligent The cloud learns from every user, network and traffic Important facets of cloud Available Capabilities can be guaranteed to remain accessible runcyoommen
  • 10. Cloud Features v/s Security Balances  Agility  Self service  Scale  Automation  Gatekeeper  Standards  Control  Centralized  Pay as you go  Timely alerts
  • 13.
  • 14.
  • 16.
  • 17.  Portability – By abstracting applications from host, it’s easier to run on any platform or cloud  Scalability – Containerized applications holds the ability to handle increasing workloads  Fast Development – Allows developers to change and track changes in the platform’s source code ensuring high productivity  Security – App isolation ensures that separate containers run independently  Continuity – Failure of one will not influence the state of others  Easy Management – Orchestration performs application management, automated installation and workload management runcyoommen
  • 18.
  • 19.
  • 20. How did we get here?
  • 21.
  • 22. The stack of *SECURITY* responsibilities… Sys Admin DevOps Develope r
  • 23. SECURING THE CONTAINER LIFECYCLE BUILD SHIP DEPLOY RUN Image Quality, Exposure Risk Trust, Integrity Assurance Resource, Access Control Process, Network, Secrets VISIBILITY ►Risk posture of the images is not completely understood ►Unclear as to where security should fit in the process ►Containers are not visible with current security tools ►Reliance on open source and external components used
  • 24. SECURITY STARTS IN THE BUNDLE PHASE BUILD SHIP DEPLOY RUN • Make sure base images are secure • Scan for vulnerabilities on the finished product • Maintain configuration standards • Share info between Dev, Ops, Sec
  • 25. ADD ENFORCEMENT OF IMAGE USAGE BUILD SHIP DEPLOY RUN • Deny unknown images or registries • Accept images based on risk • Maintain integrity of images
  • 26. LIMIT ACCESS TO CONTAINER ENGINE BUILD SHIP DEPLOY RUN • Separate automation from human actions • Control parameters that elevate privilege • Permissions on volumes, network etc… • Maintain audit trail with accountable user
  • 27. GRANULAR RUNNING OF CONTAINERS BUILD SHIP DEPLOY RUN • Resource management • Protect sensitive data • Network segmentation • Fine-grained app controls
  • 28. Let’s summarize container security • Prevent unknown images Production Host • Stop user privilege escalation • Stop suspicious processes • Enforce network isolation • Encrypt sensitive vars/params • Swear by automation and tools • Visibility across the environment runcyoomme
  • 29. KUBERNETES SECURITY IMPROVEMENTS Disable Anonymous Authentication Configure Admission Controllers Pod Security Policies Enable Authz with RBAC Network Policies for Segmentation
  • 30. • Disable anonymous authentication Generally two types of users exist: – Normal Users (managed by outside entities like LDAP, AD etc.) – Service Accounts (managed by K8s API with credentials as secrets) Anything else is treated as anonymous request – Given a username system:anonymous and group system:unauthenticated For e.g. with token authentication & anonymous access enabled, a request with an invalid bearer token would receive a 401 error; a request providing no bearer token would be treated as an anonymous request. Recommendation: Disable this mode by passing --anonymous-auth=false option to API server
  • 31. • Configure admission controllers – Intercepts requests to create, delete, modify or connect to proxy – “validating” or “mutating” (able to modify the object they admit) Syntax: Replace what appears after = with name of the admission controller --enable-admission-plugins=NameOfController,NameOfController2 Recommendation: * Enable below admission controllers by default LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,Names paceLifecycle,ServiceAccount,MutatingAdmissionWebhook,Validati ngAdmissionWebhook,Priority,ResourceQuota,PodSecurityPolicy * Enable ValidatingAdmissionWebhook to validate K8s resources during create, update, and delete operations * Ensure AlwaysPullImages is set to make sure private images are only pulled by those who have the credentials.
  • 32. • Disable public access to cluster • Pod security policies – Defined as a cluster level resource that controls security sensitive aspects – Conditions for pod to be admitted in system – Target pod’s service account must be authorized for this policy – Implemented as an optional (but recommended) admission controller – Never expose remote connectivity to your nodecluster – Use a bastion host in your management VPC – Ensure it is peered with the cluster network for connectivity
  • 33. • Enable authorization with RBAC – Method of regulating access to resources based on the roles of individual users – RBAC uses the rbac.authorization.k8s.io API group to drive authz decisions Syntax: Start the API server with the authorization-mode flag for RBAC kube-apiserver --authorization-mode=RBAC Potential Mistakes: – Make sure cluster-admin role is not granted unnecessarily (especially during the transition from legacy ABAC controller to RBAC) – Role aggregation (K8s v1.9), if not carefully reviewed can lead to improper usage – Duplicated role grant may happen; subjects get same access in more than one way – Unused roles to subjects that do not exist (deleted service accounts) can make it difficult to see configurations that do matter.
  • 34. • Network policies for segmentation – Specification of how groups of pods can communicate with each other and other network endpoints – When no network policies are applied, then all connections to and from it are permitted – Notion of “pod isolation” which means that pods are isolated if at least one network policy applies to them – Intricate and difficult to understand for proper usage. Network plugins recommended from Calico, Cilium, Kube-router, Romana and Weave Net
  • 35. Conclusion  Think security early and anticipate for future growth. Honestly, it’s nothing but a mindset!  Focus on logical and organizational structure to engrave it into your environment  Enablement to move fast and break things but protect from themselves  Apply security controls at the layers that make the most sense  Security is no longer about a “layer on top”. Ensure it at every step of the SDLC and throughout the stack
  • 36. Questions | Comments | Discussions runcyoommen https://runcy.me Runcy Oommen