Understanding Container Security
Overview
• A Brief History and Overview of Containers
• Security Benefits of Containers
• Container Vulnerability Management
• Responding to Container Attacks
Survey – How familiar are you with containers?
• I open them every day – gotta eat to survive
• I read about them on TechCrunch
• I run them on my raspi at home
• We run our production workloads in containers
• I contribute code to open source container-related projects
Brief History of Containers
Containers are not new, but…
Container History Timeline (figure)
Milestones shown, in order: Unix V7, FreeBSD Jails, Solaris Zones, OpenVZ, Process Containers, cgroups, AIX WPARs, LXC, LMCTFY, Docker
Years on the axis: 1979, 2000, 2004, 2005, 2006, 2007, 2008, 2013
How Are Organizations Using Containers?
Container Tech is Being Adopted Quickly (chart)
Source: ClusterHQ
Container Security: Top #3 Container Adoption Challenges (chart)
Containers in the Future
• Phones
• IoT
• Maybe cars?
Survey – what container platform do you use?
• Docker
• LXC
• LXD
• rkt
• Solaris/SmartOS based
• Unikernel/microkernel or similar
• Why didn’t you list my platform? Everyone uses it!
Brief Overview of Container Orchestration
Why Orchestration?
• For “real” workloads:
• How to launch 500 containers across 20 hosts?
• Being aware of resources on each host
• Getting storage and networking to right container on the right host
• Distribution for speed, efficiency, cost, etc.
• As part of a CI/CD process
• How to do a rolling update of those 500 live containers to a new software version?
Lots to Orchestrate
(Diagram, built up over three slides. VM side: Customer VM, VM Image Management, Networking, Local Storage, NAS/SAN. Container side: Container Image mgmt, Container networking, Container storage, Host Image Mgmt, Host Networking, Local Storage, NAS/SAN.)
• Swarm networking
• Weave networking
• Project Calico networking
• CoreOS Flannel networking
• Flocker storage
• Gluster storage
• CoreOS Torus storage
• …
We haven’t talked security, yet.
Survey – How Familiar Are You With Information Security?
• It’s common for me to get viruses and ransomware
• I’m paid to write code by a deadline
• I learned my lesson the first time and now try my best
• Due to unspecified agreements I cannot answer this question
Security Benefits of Containers and Microservices
• Smaller surface area*
• Shorter lifespan* – shorter period when open to attack
• More automated process – easier to recreate/redeploy*
*(in theory)
Security Benefits of Containers and Microservices
• Containerized apps lend themselves to “12 factor” design (12factor.net)
Security Disadvantages of Containers and Microservices
• Relatively new technology
• Lots of moving parts
• Shorter lifespan – this makes investigations more difficult
Container Security Adoption
Survey – What’s your biggest container security concern?
• Image security
• Host security
• Vulnerability management
• Container isolation
Results of Twitter Survey
Image Security
• Where did an image come from?
• Is it an official image?
• Is it the right version?
• Has somebody modified it?
Image Security
• Docker Content Trust: export DOCKER_CONTENT_TRUST=1
• CoreOS image signing and verification (PGP based)
Host Security
• Follow standard hardening processes (Bastille, Center for Internet Security, etc.), but apply the host firewall to the host itself, not to its containers
• A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer it via a known private network
• One nasty exposure – privileged containers.
Vulnerability Management in a Container World
Managing Security Exposure in Containers
Smaller Image, Fewer Vulnerabilities
• Avoid FROM debian and similar full-distro base images
• Software can’t be vulnerable if it’s not installed.
An amazingly large percentage of public Docker images are based on Debian, Ubuntu, or CentOS.
Why? Least Privilege
• We want the smallest image possible when we load it across 100 hosts
• The smaller the image, the less exposure to potential vulnerabilities
• If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
Container Vulnerability Scanners
• Open Source:
• OpenSCAP
• CoreOS Clair
• Anchore
• Commercial:
• Why go with commercial? Might be easier, packaged.
Vulnerability Triage
• Developers are being exposed to the secops work of vulnerability/patch management
Understand CVSSv2
Understand CVSS Calculator
Container Isolation
Why Isolate?
• Only as secure as your weakest link
• What happens if other departments are running in your private
cloud?
• What happens if other customers are running in your bare metal
CaaS?
Capabilities
Worst to best:
• Run with --privileged=true
• Run with --cap-add ALL
• Run with --cap-drop ALL --cap-add <only needed>
• Run as non-root user, unprivileged
Useful: capabilities section of https://docs.docker.com/engine/reference/run/
Seccomp
We need to build a list of the system calls made by the program that we want to allow to succeed:
• Guess (preferably educated)
• RTFM (thanks John!)
• Capture behavior – maybe /usr/sbin/strace
• Disassembly?
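The "capture behavior" route above produces an strace log, not a seccomp profile. The script below is an added example, not the deck's or any project's code: it pulls syscall names out of strace -f output (handling the [pid N] prefixes, timestamps and "<... resumed>" continuation lines strace emits) and writes them into a Docker seccomp profile whose defaultAction is SCMP_ACT_ERRNO, so every call not on the list fails. The trace text is constructed for this example; the profile layout (defaultAction, architectures, syscalls with names/action/args) is Docker's documented format. The caveat the slide's "educated guess" bullet points at applies: a trace covers only the code paths exercised while tracing, so the extra parameter and the missing_from_profile helper exist to fill in and to diagnose the gaps.

```python
"""Build a Docker seccomp allowlist from a captured strace log (added example).
The trace below is constructed in the shape of `strace -f` output."""
import json
import re

# Constructed `strace -f` excerpt: parent pid 4241 forks child 4242, which writes.
SAMPLE_TRACE = r"""
execve("/usr/local/bin/app", ["app", "--serve"], 0x7ffc2a1b0e40 /* 12 vars */) = 0
brk(NULL)                               = 0x5581f0a3c000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\22\0\0\0\0\0\0"..., 832) = 832
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1c3e5a9a10) = 4242
[pid  4242] write(1, "ready\n", 6 <unfinished ...>
[pid  4241] wait4(4242,  <unfinished ...>
[pid  4242] <... write resumed>)        = 6
[pid  4242] exit_group(0)               = ?
[pid  4242] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4242, si_uid=1000, si_status=0} ---
[pid  4241] <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4242
exit_group(0)                           = ?
+++ exited with 0 +++
"""

# One strace line: optional "[pid N]" (from -f), optional -t/-tt/-ttt/-r timestamp,
# then either "name(" for a call or "<... name resumed>" for its continuation.
# Signal ("---") and exit ("+++") lines never match, so they are skipped.
SYSCALL_RE = re.compile(
    r"^\s*(?:\[pid\s+\d+\]\s+)?"
    r"(?:\d+:\d+:\d+(?:\.\d+)?\s+|\d+\.\d+\s+)?"
    r"(?:<\.\.\.\s+)?"
    r"([A-Za-z_][A-Za-z0-9_]*)"
    r"(?:\(|\s+resumed>)"
)


def syscalls_from_strace(text):
    """Return the set of syscall names seen in an strace log."""
    names = set()
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_profile(names, extra=()):
    """Docker seccomp profile allowing exactly `names` plus `extra` (calls the
    trace did not exercise); everything else fails with an errno."""
    allowed = sorted(set(names) | set(extra))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def missing_from_profile(profile, names):
    """Names from a later trace that the profile would block: the first thing to
    check when a container starts failing after the profile is applied."""
    allowed = set()
    for rule in profile["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW":
            allowed.update(rule["names"])
    return sorted(set(names) - allowed)


if __name__ == "__main__":
    # Apply the written file with: docker run --security-opt seccomp=app-seccomp.json <image>
    profile = build_profile(syscalls_from_strace(SAMPLE_TRACE), extra=["rt_sigreturn"])
    print(json.dumps(profile, indent=2))
```

Run the capture against a test workload that exercises startup, normal requests and shutdown, merge the sets from several runs, and keep the profile next to the image so that a new dependency that needs another syscall shows up as a reviewable change rather than a production outage.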
Plan For Container Attacks
• Before going to production, think about how you’d investigate an attack
• Containers are mostly ephemeral
• Collect logs at a central location (ELK, Loggly, etc.)
• Practice identifying and snapshotting problem containers
• Don’t forget about data backup/recovery
Layered Insight Ozone
Comprehensive container-native security
Deep visibility and fine-grained control
Automatic behavioral templates
Machine learning based anomaly detection
Layered Insight Ozone
Inside-Out Approach
Workload Portability
No Special Privileges (Userspace)
Zero Impact to Devs / DevOps
Fully Automatic
(Diagram: LI Instrumented Containers running on Infrastructure / Host OS / Docker)
Thanks – Let’s continue the conversation!
@johnlkinsella
https://www.layeredinsight.com
Slides posted at http://www.slideshare.net/jlkinsel
Links
• https://docs.docker.com/engine/security/trust/content_trust/
• https://coreos.com/rkt/docs/latest/signing-and-verification-guide.html
• https://benchmarks.cisecurity.org/
• https://nvd.nist.gov/cvss/v2-calculator
Data Sources
• Moments in Container History: Pivotal
• Container Adoption behavior: DataDog
• Container Adoption challenges: ClusterHQ
• Container Security adoption rates: SDX Central
• Layered container image: Ubuntu
Data and some graphics provided by:

Choosing the Best Outlook OST to PST Converter: Key Features and ConsiderationsChoosing the Best Outlook OST to PST Converter: Key Features and Considerations
Choosing the Best Outlook OST to PST Converter: Key Features and Considerations
webbyacad software
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
FIDO Alliance
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Cracking AI Black Box - Strategies for Customer-centric Enterprise Excellence
Cracking AI Black Box - Strategies for Customer-centric Enterprise ExcellenceCracking AI Black Box - Strategies for Customer-centric Enterprise Excellence
Cracking AI Black Box - Strategies for Customer-centric Enterprise Excellence
Quentin Reul
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Challenges and Strategies of Digital Transformation.pptx
Challenges and Strategies of Digital Transformation.pptxChallenges and Strategies of Digital Transformation.pptx
Challenges and Strategies of Digital Transformation.pptx
wisdomfishlee
 

Recently uploaded (20)

Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
 
Exchange, Entra ID, Conectores, RAML: Todo, a la vez, en todas partes
Exchange, Entra ID, Conectores, RAML: Todo, a la vez, en todas partesExchange, Entra ID, Conectores, RAML: Todo, a la vez, en todas partes
Exchange, Entra ID, Conectores, RAML: Todo, a la vez, en todas partes
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Choosing the Best Outlook OST to PST Converter: Key Features and Considerations
Choosing the Best Outlook OST to PST Converter: Key Features and ConsiderationsChoosing the Best Outlook OST to PST Converter: Key Features and Considerations
Choosing the Best Outlook OST to PST Converter: Key Features and Considerations
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Cracking AI Black Box - Strategies for Customer-centric Enterprise Excellence
Cracking AI Black Box - Strategies for Customer-centric Enterprise ExcellenceCracking AI Black Box - Strategies for Customer-centric Enterprise Excellence
Cracking AI Black Box - Strategies for Customer-centric Enterprise Excellence
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Challenges and Strategies of Digital Transformation.pptx
Challenges and Strategies of Digital Transformation.pptxChallenges and Strategies of Digital Transformation.pptx
Challenges and Strategies of Digital Transformation.pptx
 

Understanding container security

2. Overview
• A Brief History and Overview of Containers
• Security Benefits of Containers
• Container Vulnerability Management
• Responding to Container Attacks

3. Survey – How familiar are you with containers?
• I open them every day – gotta eat to survive
• I read about them on TechCrunch
• I run them on my raspi at home
• We run our production workloads in containers
• I contribute code to open source container-related projects

4. Brief History of Containers

5. Containers are not new, but…

6. Container History Timeline
(Timeline figure; labels only.) Unix V7, FreeBSD Jails, Solaris Zones, OpenVZ, Process Containers, cgroups, AIX WPARs, LXC, LMCTFY, Docker. Years on the axis: 1979, 2000, 2004, 2005, 2006, 2007, 2008, 2013.

7. How Are Organizations Using Containers?

8. Container Tech is Being Adopted Quickly

9. Container Security: Top #3 Container Adoption Challenges (Source: ClusterHQ)

10. Containers in the Future
• Phones
• IOT
• Maybe cars?

11. Survey – what container platform do you use?
• Docker
• LXC
• LXD
• rkt
• Solaris/SmartOS based
• Unikernel/microkernel or similar
• Why didn’t you list my platform? Everyone uses it!

12. Brief Overview of Container Orchestration

13. Why Orchestration?
• For “real” workloads:
  • How to launch 500 containers across 20 hosts?
  • Being aware of resources on each host
  • Getting storage and networking to the right container on the right host
  • Distribution for speed, efficiency, cost, etc.
• As part of a CI/CD process:
  • How to do a rolling update of those 500 live containers to a new sw version?

14. Lots to Orchestrate
(Diagram; labels only.) VM layer: Customer VM, VM Image Management, Networking, Local Storage, NAS/SAN.

15. Lots to Orchestrate
(Diagram; labels only.) VM layer: Customer VM, VM Image Management, Networking, Local Storage, NAS/SAN. Container layer: Containers, Container Image mgmt, Container networking, Container storage. Host layer: Host, Host Image Mgmt, Host Networking, Local Storage, NAS/SAN.

16. Lots to Orchestrate
(Diagram; labels only.) Container layer: Containers, Container Image mgmt, Container networking, Container storage. Host layer: Host, Host Image Mgmt, Host Networking, Local Storage, NAS/SAN.
• Swarm networking
• Weave networking
• Project Calico networking
• CoreOS Flannel networking
• Flocker storage
• Gluster storage
• CoreOS Torus storage
• …
We haven’t talked security, yet.

17. Survey – How Familiar Are You With Information Security?
• It’s common for me to get viruses and ransomware
• I’m paid to write code by a deadline
• I learned my lesson the first time and now try my best
• Due to unspecified agreements I cannot answer this question

18. Security Benefits of Containers and Microservices
• Smaller surface area*
• Shorter lifespan* – shorter period when open to attack
• More automated process – easier to recreate/redeploy*
*(in theory)

19. Security Benefits of Containers and Microservices
• Containerized apps lend themselves to “12 factor” design (12factor.net)

20. Security Disadvantages of Containers and Microservices
• Relatively new technology
• Lots of moving parts
• Shorter lifespan – this makes investigations more difficult

22. Survey – What’s your biggest container security concern?
• Image security
• Host security
• Vulnerability management
• Container isolation

24. Image Security
• Where did an image come from?
• Is it an official image?
• Is it the right version?
• Has somebody modified it?

25. Image Security
• Docker Content Trust: export DOCKER_CONTENT_TRUST=1
• CoreOS image signing and verification (PGP based)

26. Host Security
• Follow standard hardening processes (Bastille, Center for Internet Security, etc.), but only firewall the host, not its containers
• A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer via a known private network
• One nasty exposure – privileged containers.

27. Vulnerability Management in a Container World

28. Managing Security Exposure in Containers

29. Smaller Image, Fewer Vulnerabilities
• Avoid “From:Debian” and similar
• Software can’t be vulnerable if it’s not installed. An amazingly large percentage of public Docker images are based on Debian, Ubuntu, or CentOS.

30. Why? Least Privilege
• We want the smallest image possible when we load it across 100 hosts
• The smaller the image, the less exposure to potential vulnerabilities
• If the parent image has a vulnerability, everybody based on that parent has to re-spin their image

31. Container Vulnerability Scanners
• Open Source: OpenSCAP, CoreOS Clair, Anchore
• Commercial: Why go with commercial? Might be easier, packaged.

32. Vulnerability Triage
• Developers are being exposed to the secops work of vulnerability/patch management

36. Why Isolate?
• Only as secure as your weakest link
• What happens if other departments are running in your private cloud?
• What happens if other customers are running in your bare metal CaaS?

38. Capabilities
Worst to best:
• Run with --privileged=true
• Run with --cap-add ALL
• Run with --cap-drop ALL --cap-add <only needed>
• Run as non-root user, unprivileged
Useful: capabilities section of https://docs.docker.com/engine/reference/run/

39. Seccomp
We need to build a list of system calls called by the program… that we want to succeed:
• Guess (preferably educated)
• RTFM (thanks John!)
• Capture behavior – maybe /usr/sbin/strace
• Disassembly?
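The "capture behavior" option from the Seccomp slide carried through, as an added example that is not part of the deck: a POSIX shell script that pulls the distinct syscall names out of constructed `strace -f` output (multi-threaded `<unfinished ...>`/`resumed` lines included) and renders a deny-by-default Docker seccomp profile from them, with the `--cap-drop ALL` pattern from the Capabilities slide in the usage comment. The trace lines and the `/app/server` path are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): derive a deny-by-default Docker seccomp
# profile from a captured strace. Capture in a test run with
#   strace -f -o trace.txt ./server
# and feed trace.txt to syscalls_from_trace instead of the sample below.

# Constructed sample of "strace -f" output; not a real trace.
SAMPLE_TRACE='execve("/app/server", ["/app/server"], 0x7ffd1c2e0 /* 12 vars */) = 0
[pid  4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] read(3, "\177ELF"..., 832) = 832
[pid  4242] futex(0x55d0f0, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid  4243] <... futex resumed> )       = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
[pid  4243] write(1, "ready\n", 6)      = 6
[pid  4243] read(0, "", 4096)           = 0
+++ exited with 0 +++'

# Print the distinct syscall names in strace output read from stdin.
# Drops "[pid N]" prefixes, signal lines (---), exit lines (+++) and
# "<... x resumed>" continuations (that syscall was already counted on its
# "<unfinished ...>" line), so a multi-threaded trace is handled correctly.
syscalls_from_trace() {
  sed -E 's/^\[pid +[0-9]+\] //' \
    | grep -Ev '^([+][+][+]|---|<[.][.][.])' \
    | sed -E 's/^([a-z0-9_]+)\(.*/\1/' \
    | grep -E '^[a-z0-9_]+$' \
    | sort -u
}

# Emit a Docker seccomp profile (JSON) allowing only the given syscalls;
# anything not listed fails with EPERM instead of reaching the kernel.
seccomp_profile() {
  names=$(printf '"%s",' "$@" | sed 's/,$//')
  printf '{\n  "defaultAction": "SCMP_ACT_ERRNO",\n  "architectures": ["SCMP_ARCH_X86_64"],\n  "syscalls": [\n    { "names": [%s], "action": "SCMP_ACT_ALLOW" }\n  ]\n}\n' "$names"
}

# Build the profile from the sample (prints the JSON when run directly).
seccomp_profile $(printf '%s\n' "$SAMPLE_TRACE" | syscalls_from_trace)

# Then combine it with the least-privilege pattern from the Capabilities
# slide (shown as a comment; nothing here starts a container):
#   docker run --security-opt seccomp=server.json --cap-drop ALL --user 1000 image
```

A profile built from one trace only covers the code paths that run exercised, so test every startup and error path before turning the profile on in production.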
40. Plan For Container Attacks
• Before going to production, think about how you’d investigate an attack
• Containers are mostly ephemeral
• Collect logs at a central location (ELK, Loggly, etc.)
• Practice identifying and snapshotting problem containers
• Don’t forget about data backup/recovery

41. Layered Insight Ozone
• Comprehensive container-native security
• Deep visibility and fine-grained control
• Automatic behavioral templates
• Machine learning based anomaly detection

42. Layered Insight Ozone
• Inside-Out Approach
• Workload Portability
• No Special Privileges (Userspace)
• Zero Impact to Devs / DevOps
• Fully Automatic
(Diagram; labels only.) LI Instrumented Containers on top of Docker, Host OS, Infrastructure.

43. Thanks – Let’s continue the conversation!
@johnlkinsella
https://www.layeredinsight.com
Slides posted at http://www.slideshare.net/jlkinsel

45. Data Sources
Data and some graphics provided by:
• Moments in Container History: Pivotal
• Container Adoption behavior: DataDog
• Container Adoption challenges: ClusterHQ
• Container Security adoption rates: SDX Central
• Layered container image: Ubuntu

Editor's Notes

  1. Data from DataDog
  2. If you talk to folks at Docker, they expect containers to be the software delivery method of choice for “the next 20 years.”
  3. Write-in: Provenance of containers
  4. We believe first compromised Docker-powered containers were running ElasticSearch