container security - carahsoft
TRANSCRIPT
![Page 1: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/1.jpg)
Carahsoft | ENS-Inc. | Red Hat | Palo Alto Networks
Container Security
![Page 2: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/2.jpg)
We’re Proud to be a Partner with Red Hat OpenShift
Twistlock, now part of Prisma Cloud, partnered with Red Hat to support both government and enterprise customers
Numerous co-marketing efforts, including OpenShift Commons blogs, webinars, and meetup events
Prisma Cloud Defender supports RHEL and is built upon RHEL Universal Base Image (UBI)
2 | © 2020 Palo Alto Networks, Inc. All rights reserved.
![Page 3: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/3.jpg)
The Shared Responsibility Model for Cloud-Native Applications
![Page 4: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/4.jpg)
Cloud-Native Continues to be a Central Pillar of I&O Strategy
“Cloud-native approaches to software and service design enable enterprises to act faster, more efficiently and at greater scale: enterprises can go faster with cloud and be more efficient with microservices.”
![Page 5: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/5.jpg)
The Cloud “OSI Model”
Physical layer: Buildings, metal, silicon
Service layer: Provider built and managed capabilities
Compute layer: Software you’re continuously making
![Page 6: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/6.jpg)
Key Challenges Every Organization is Facing
A Growing Number of Entities to Secure: Cloud services, along with growing IaaS, PaaS, and CaaS environments, lead to a huge estate for security teams to protect.
Environments are Constantly Changing: Developers, DevOps, and Infra are building and deploying at a frantic pace, often without security guidance.
Multi and Hybrid Cloud Environments Create Complexity: Security controls don’t come built in. Security teams are the ones responsible for protecting everything!
![Page 7: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/7.jpg)
Example Risks in Cloud-Native Applications
February 2018: Tesla cloud resources are hacked to run cryptocurrency mining malware
June 2018: Weight Watchers IT infrastructure exposed via a no-password Kubernetes server
December 2018: Kubernetes' first major security hole discovered (CVE-2018-1002105), allowing privilege escalation, with a CVSS score of 9.8
February 2019: runC container escape flaw (CVE-2019-5736) enables root access to the host system
February 2020: Unit 42 discloses 200K insecure IaC templates in use
![Page 8: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/8.jpg)
Today, we want to focus on how you can secure your cloud native applications spanning containers, Kubernetes, and on-demand containers, both in production and across the application lifecycle.
![Page 9: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/9.jpg)
Container Security
![Page 10: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/10.jpg)
Container Characteristics
Minimal: Typically single-process entities
Declarative: Built from images that are machine readable
Predictable: Do exactly the same thing from run to kill
![Page 11: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/11.jpg)
What’s Difficult About Securing Containers?
Many more entities
High rate of change, much more ephemeral
Security is largely in the hands of the developer
Security must be as portable as the containers
![Page 12: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/12.jpg)
Steps Involved with Building and Deploying Containers
Build: Developer writes a Dockerfile, which includes a base image, maintainer, run instructions, etc., that is then built into an image
Ship: Image is pushed to a registry, which can hold hundreds to thousands of images
Run: Containers are deployed individually or in groups to any public and private cloud services in use
![Page 13: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/13.jpg)
Container template owned by the developer
Dockerfile: Includes the base image, run instructions, files to add, and ports that will be exposed
Where is the security team? The developer creates the Dockerfile, not security!
![Page 14: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/14.jpg)
What do we see when we scan this image?
1 Critical python vulnerability
Additional High and Medium vulnerabilities: Many with vendor fixes!
No user: Image is configured to run as root
Untrusted: Twistlock shows that the image is not “Trusted”
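The two Dockerfile findings above (no USER, so the image runs as root; an untrusted base image) can be caught before the image is ever built, which is the enforcement point slide 20 asks for. The following is an added example written for this page, not Twistlock or Prisma Cloud code: a small Dockerfile policy gate with a constructed "before" Dockerfile that trips every check and a constructed "after" that passes. The trusted-registry allowlist (Red Hat UBI registries only) and the placeholder image digest are assumptions made for the example.

```python
"""Dockerfile policy gate for the findings on the slide above: root user, untrusted base image.

Added example, not Prisma Cloud / Twistlock code. The trusted-registry allowlist and the
sample Dockerfiles are constructed for illustration.
"""
import re
import sys

# Assumption: only Red Hat UBI registries are trusted sources for base images.
TRUSTED_REGISTRIES = ("registry.access.redhat.com/", "registry.redhat.io/")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, drops comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # continuation: keep accumulating
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        head, _, rest = buf.partition(" ")
        instructions.append((head.upper(), rest.strip()))
        buf = ""
    return instructions


def check_dockerfile(text):
    """Return a list of policy findings; an empty list means the Dockerfile passes the gate."""
    findings, stages, aliases, user = [], [], set(), None
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            parts = [p for p in arg.split() if not p.startswith("--")]  # drop --platform=...
            stages.append(parts[0])
            if len(parts) >= 3 and parts[1].upper() == "AS":
                aliases.add(parts[2])
            user = None                         # USER does not carry over into a new stage
        elif instr == "USER":
            user = arg
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append(f"ADD fetches unverified remote content: {arg.split()[0]}")
    if not stages:
        return ["no FROM instruction found"]
    for image in stages:
        if image in aliases or image == "scratch":
            continue                            # reference to an earlier stage, or empty base
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"untrusted base image: {image}")
        if not DIGEST_RE.search(image):
            findings.append(f"base image not pinned by digest: {image}")
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a non-root USER")
    return findings


# Constructed "before": public base tag, remote ADD, no USER (container will run as root).
WEAK_DOCKERFILE = """\
FROM python:3.8
LABEL maintainer="dev@example.com"
ADD https://example.com/app.tar.gz /tmp/
RUN pip install flask
COPY app.py /app/
EXPOSE 8080
CMD ["python", "/app/app.py"]
"""

# Constructed "after": UBI base pinned by digest (placeholder digest, not a real image), non-root user.
PLACEHOLDER_DIGEST = "sha256:" + "a1" * 32
HARDENED_DOCKERFILE = f"""\
FROM registry.access.redhat.com/ubi8/python-39@{PLACEHOLDER_DIGEST}
LABEL maintainer="dev@example.com"
COPY --chown=1001:0 app.py /app/
RUN pip install --no-cache-dir flask
USER 1001
EXPOSE 8080
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        findings = check_dockerfile(text)
        print(f"{name}: {'PASS' if not findings else 'BLOCK'}")
        for finding in findings:
            print("  -", finding)
    # Non-zero exit fails the CI stage, so a regression cannot reach the registry.
    sys.exit(1 if check_dockerfile(HARDENED_DOCKERFILE) else 0)
```

Run it as a pre-build step in the pipeline; the exit code, not the printed report, is what turns "identify" into "enforce". Pinning by digest rather than tag is what makes the base image reproducible, and resetting the tracked USER at every FROM matters because a non-root USER in a builder stage says nothing about the final stage.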
![Page 15: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/15.jpg)
1 DevSecOps Enablement. Integrating security across devops workflows and CI/CD pipelines.
2 Risk prioritization. Where are my microservices, what is their current risk posture, and how do I prioritize the greatest risk?
3 Protecting running workloads and apps. Ensuring my running hosts and containers are secure.
4 Network visibility and microsegmentation. Gaining real-time network visibility and securing east-west traffic flows at scale.
5 Compliance management. Achieving and maintaining compliance continuously for both internal and external frameworks.
![Page 16: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/16.jpg)
Key Steps to Secure Containers Across the Application Lifecycle (Build, Ship, Run)
CI/CD: Scanning images combined with enforcement
Vulnerability management: Global risk monitoring across hosts, containers, images and functions
Runtime defense: 4D policy creation
Cloud native firewalls: Network visibility at L4 and L7
Access control: FIM, log inspection, K8s AuditSink
Compliance: Implement, monitor, and enforce CIS Benchmarks along with external compliance regimes
![Page 17: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/17.jpg)
Protecting the running application
Visibility is critical: Especially across clusters, nodes, and hosts
Baseline of behavior: Protecting your apps at scale requires automated policy creation
Forensic data and incident response: Data needs to be efficiently collected and stored for analysis
![Page 18: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/18.jpg)
Securing traffic between containers
Automatically enforce safe traffic flows between containers: This is difficult at scale, especially if you have to map everything yourself
Ensure containers only communicate in how they were designed: New connections are alerted on or blocked
Avoid manual rule creation that leads to rule rot
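Slides 17 and 18 describe the mechanism without showing it: learn a baseline of which workloads talk to which, turn that baseline into an allowlist, and treat anything outside it as a new connection to alert on or block. The block below is an added example for this page, not Prisma Cloud code. It learns a baseline from a constructed set of observed flows, renders one Kubernetes NetworkPolicy per destination (standard networking.k8s.io/v1 objects, emitted as JSON, which kubectl apply accepts), and evaluates a new flow against the baseline. It assumes pods carry an `app` label and that a CNI that enforces NetworkPolicy is installed; both are assumptions of the example.

```python
"""Learn east-west flows, emit allowlist NetworkPolicies, and flag connections outside the baseline.

Added example, not Prisma Cloud code. Flows below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed sample of observed connections: (src app label, dst app label, dst port, protocol).
OBSERVED_FLOWS = [
    ("web", "api", 8080, "TCP"),
    ("web", "api", 8080, "TCP"),      # repeats collapse into one rule
    ("api", "db", 5432, "TCP"),
    ("api", "cache", 6379, "TCP"),
]


def learn_baseline(flows):
    """Map each destination app to the set of (src app, port, proto) seen connecting to it."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[dst].add((src, port, proto))
    return dict(baseline)


def evaluate(baseline, flow):
    """Enforcement decision for one flow: 'allow' if learned, otherwise 'alert'."""
    src, dst, port, proto = flow
    if (src, port, proto) in baseline.get(dst, set()):
        return "allow"
    return "alert"


def network_policies(baseline, namespace="default"):
    """One NetworkPolicy per destination app.

    Assumption: pods are labelled app=<name>. Selecting a pod with policyTypes=[Ingress]
    isolates it for ingress, so only the listed (source, port) pairs are reachable; the
    generated rules are therefore an allowlist of exactly the learned flows.
    """
    policies = []
    for dst, sources in sorted(baseline.items()):
        rules = [
            {
                "from": [{"podSelector": {"matchLabels": {"app": src}}}],
                "ports": [{"port": port, "protocol": proto}],
            }
            for src, port, proto in sorted(sources)
        ]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-learned-{dst}", "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": {"app": dst}},
                "policyTypes": ["Ingress"],
                "ingress": rules,
            },
        })
    return policies


if __name__ == "__main__":
    base = learn_baseline(OBSERVED_FLOWS)
    print(json.dumps(network_policies(base), indent=2))
    print(evaluate(base, ("web", "db", 5432, "TCP")))   # web never talked to db directly
```

Regenerating the policies from the learned baseline on every deployment is what avoids the rule rot the slide warns about: the rules are derived, not hand-maintained. The caveat is the learning window; a flow that an attacker establishes while the baseline is still being learned becomes part of the allowlist, so review the learned set before switching from alert to block.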
![Page 19: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/19.jpg)
Ensuring compliance
Ensure compliance for internal or external regimes: Needs to be customized for each environment
CIS Benchmarks are essential: Gaps need to be eliminated; a full stack approach is essential
Integrate compliance into CI/CD
![Page 20: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/20.jpg)
Integrating into CI/CD
Devs and DevOps own a huge part of container security
Accuracy meets speed: Provide results right in native tooling as well as central Console
Don’t just identify--enforce: If you can block a critical vulnerability with a vendor fix, do it now! Shift left where you can!
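The rule on this slide, block a critical vulnerability that has a vendor fix and report the rest, is simple enough to encode directly in the pipeline. The following is an added example for this page, not Prisma Cloud's policy format or code: a gate over constructed scan results (the identifiers are placeholders, not real CVEs) that decides block or pass, with the thresholds and the "only block if a fix exists" switch as parameters so the same function can be tightened as the team matures.

```python
"""CI gate over image scan results: block on critical findings that have a vendor fix.

Added example, not Prisma Cloud code or policy syntax. Scan results are constructed; the
identifiers are placeholders, not real vulnerabilities.
"""
import sys

# Constructed scan output for one image: severity and, where the vendor ships one, the fixed version.
SCAN_RESULTS = [
    {"id": "EXAMPLE-0001", "package": "python", "severity": "critical", "fixed_in": "3.8.3"},
    {"id": "EXAMPLE-0002", "package": "openssl", "severity": "high", "fixed_in": "1.1.1g"},
    {"id": "EXAMPLE-0003", "package": "glibc", "severity": "high", "fixed_in": None},
    {"id": "EXAMPLE-0004", "package": "curl", "severity": "medium", "fixed_in": "7.70.0"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical gate policy (assumption): block at or above block_at when a vendor fix exists,
# report at or above report_at, never block a finding nobody can fix yet.
DEFAULT_POLICY = {"block_at": "critical", "report_at": "high", "require_fix_to_block": True}


def evaluate_scan(results, policy=DEFAULT_POLICY):
    """Return {'decision': 'block'|'pass', 'blocking': [...], 'reported': [...]}.

    Findings are sorted most severe first so the report leads with what matters.
    """
    block_rank = SEVERITY_RANK[policy["block_at"]]
    report_rank = SEVERITY_RANK[policy["report_at"]]
    blocking, reported = [], []
    for vuln in sorted(results, key=lambda v: -SEVERITY_RANK.get(v["severity"].lower(), 0)):
        rank = SEVERITY_RANK.get(vuln["severity"].lower(), 0)
        fixable = vuln.get("fixed_in") is not None
        if rank >= block_rank and (fixable or not policy["require_fix_to_block"]):
            blocking.append(vuln)
        elif rank >= report_rank:
            reported.append(vuln)
    return {"decision": "block" if blocking else "pass", "blocking": blocking, "reported": reported}


def format_report(verdict):
    """Plain-text summary suitable for the CI job log (the slide's 'results in native tooling')."""
    lines = [f"decision: {verdict['decision']}"]
    for vuln in verdict["blocking"]:
        lines.append(f"  BLOCK  {vuln['id']} {vuln['package']} {vuln['severity']} fix={vuln['fixed_in']}")
    for vuln in verdict["reported"]:
        lines.append(f"  REPORT {vuln['id']} {vuln['package']} {vuln['severity']} fix={vuln['fixed_in']}")
    return "\n".join(lines)


if __name__ == "__main__":
    verdict = evaluate_scan(SCAN_RESULTS)
    print(format_report(verdict))
    sys.exit(1 if verdict["decision"] == "block" else 0)
```

Keeping the unfixable high finding in the report but out of the blocking set is deliberate: a gate that fails builds on findings developers cannot act on gets bypassed, which is the opposite of shifting left. Tighten `block_at` to high once the backlog of fixable criticals is gone.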
![Page 21: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/21.jpg)
Demo
![Page 22: Container Security - Carahsoft](https://reader031.vdocuments.us/reader031/viewer/2022012508/61850ea80ec0946373222bd3/html5/thumbnails/22.jpg)
Thank you
paloaltonetworks.com