Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019
Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski
Objection: “My security team is opposed to containers and Kubernetes” 3
Security people like to complain about containers and Kubernetes ● What’s a koober net ease ● I can’t use my IDS, firewall, ... ● Containers don’t contain ● I am stuck with it, help me
70% “70 percent of change programs fail to achieve their goals, largely due to employee resistance and lack of management supporu.” Changing change management, McKinsey & Co.
1 How container security is different Traditional software supply chain and Agenda 2 patch management Ideal software supply chain and best 3 practices in image maintenance, patching, and validation
How container 01 security is difgerent
… container security isn’t that difgerent from any other security
Threats seen in the wild 2018 February May June 2019 April Tesla Shopify Weight Watchers Docker Hub Docker Hub Unsecured Researcher could Unsecured Public images Database with Kubernetes access and replay Kubernetes with embedded 190k+ Docker dashboard with kubelet dashboard with cryptocurrency Hub accounts cloud account credentials sensitive data, mining malware exposed credentials including Not exploited Used to mine Unknown impact credentials Used to mine cryptocurrency cryptocurrency Not exploited
Container security threats & risks INFRASTRUCTURE SOFTWARE SUPPLY RUNTIME SECURITY SECURITY CHAIN ● Privilege escalation ● Unpatched vulnerability ● DDoS ● Credential compromise ● Supply chain ● Node compromise and vulnerability exploit ● Kubernetes API compromise ● Zero day exploit on ● Container escape common library ● Over-privileged users ● Flood event pipeline
INFRASTRUCTURE SECURITY Is my infrastructure secure for developing containers? ● How can I use Kubernetes security features to protect my identities, secrets, and network? ● How can I use native GCP functionality, like IAM, audit logging, and networking?
SOFTWARE SUPPLY CHAIN Is my container image secure to build and deploy? ● How can I make sure my container images are vulnerability-free? ● How can I make sure the images I built aren’t modifjed before they are deployed?
RUNTIME SECURITY Is my container secure to run? ● How can I identify a container acting maliciously in production? ● How can I take action to protect and isolate my workload? ● How can I securely scale my containers deployment?
How is securing a container difgerent? Surgace Resource of Atuack Isolation Permissions Lifecycle Minimalist host Host resources are Access controls Containers have a OS and limits the separated using are for app shorter, better surface of an namespaces and privileges and defined lifecycle. attack. cgroups. shared resources.
Traditional sofuware 02 supply chain and patch management
Traditional sofuware supply chain
Traditional patch management 01 02 03 Get patch Take down server n=1 Repeat for n servers, and apply patch where n is unknown From the distributor, some Test the patch in prod! Take It worked! Now do it again, random mailing list, a some unimportant workload for everything you think is vendor. Not always sent to down to make sure nothing affected. Miss a bunch of it. the security team. goes too bad.
Problems with traditional patch management ● Spreadsheet-driven management ● Down time ● 0days are scary ● Unclear what’s running in your infrastructure / what’s running where / if you even need a patch
Ideal sofuware 03 supply chain
Containers are meant to be shoru-lived frequently redeployed immutable and help you ‘shifu lefu’
DevSecOps?!?
Running containers allows you to adopt a fundamentally difgerent security model Containers give you a Containers let you Containers mean you sofuware supply patch continuously , can actually tell if chain automatically you’re afgected by a new vulnerability
Containers give you a sofuware supply chain
What's difgerent about supply chains with containers VM based Hard Debug Patch Update VM VM Monolithic Restaru application VM Production environment Manual adjustment
What's difgerent about supply chains with containers VM based Container based Hard Easy Debug Build & deploy Patch Analysis Build Scan Test QA Update VM VM Re-build & Monolithic CI/CD pipeline Restaru re-deploy application VM VM VM Production environment Pod Pod Microservice VM Pod Manual adjustment Production environment
Containers let you enforce a sofuware supply chain Base Application Code Build Deploy image image VM VM Analysis Build Scan Test QA Pod Pod Microservice VM Pod Developer CI/CD pipeline Production environment
Containers let you patch continuously, automatically
Constantly patch your registry… and roll out as normal 01 02 03 Patch the image in your Test, validate, and roll Load balance traffic over registry out Figure out what’s affected, Roll out the patch like you When testing is successful, and apply the patch would any other move traffic over to the new, everywhere you need it. infrastructure change, going patched workload, with no incrementally. downtime.
Containers enable passive patching
not just uptime, but up-to-time
Vulnerability mitigation strategies Update packages Remove packages Smaller distro Do you really need 6.022x10 23 apt-get update & upgrade In many cases, you can get gets you pretty far. Do this debian packages installed on away with a smaller distro daily. your production image? like Alpine or Debian Slim.
Moving to a smaller base Vanilla Patched Minimal Distroless
Containers mean you can actually tell if you’re afgected by a new vulnerability
Check your registry and compare to what you deployed
Figure out what’s in production Find all the containers in Find out what is in those Find out what vulnz are in containers those packages prod kubectl get pods resolve Package manifests, application Cross reference BOM with CVE everything to a digest dependencies databases
Centralize and lock down release pipeline Instead Build images from trusted sources container Streamline image scanning and security analysis should be Deploy only trusted images Monitor continuously
You have a container registry > Scan for vulnerabilities Staru here You have a mandated base image > Make it minimal You have a centralized CI/CD pipeline > Enforce what’s deployed
Running containers allows you to adopt a fundamentally difgerent security model Containers give you a Containers let you Containers mean you sofuware supply patch continuously , can actually tell if chain automatically you’re afgected by a new vulnerability
Learn more Blog post: goo.gl/Ew6hYa cloud.google.com/containers/security
Q&A
That’s a wrap. Learn more: cloud.google.com/containers/security
Recommend
More recommend