Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
Securing Applications in Containers
Aqua Container Security Platform
In 5 years ALL new software deployments will be based on containers, running in a hybrid environment
GARTNER PREDICTS
By 2020, more than 50% of global organizations will be running containerized applications in production, up from less than 20% today.
Gartner’s 6 Best Practices for Creating a Container Platform Strategy
What Are Containers?
Container [kuhn-TAY-ner], noun
New form of lightweight virtualization. Makes applications think they have a complete operating system for themselves.
Containers: A New Approach to Computing
[Diagram: Virtualization (Host > Host OS > one virtual OS (VOS) per App) compared with Containerization (Host > Host OS > Container engine > Apps). Axis: scalability, density, complexity.]
MAKING A CONTAINERIZED APPLICATION
[Diagram: application code (e.g. .NET) is built into a Docker Image, which is then run on a Docker Host.]
CHALLENGE #1: VISIBILITY
What is in the image?
What will it do?
Who made it?
Is Development making infrastructure decisions?
CONTAINER DEPLOYMENTS
CHALLENGE #2: PROCESS
Where to add security in the pipeline?
Is the image still the same when it gets to the hosts?
Who can run containers and manage them?
How to get inventory of what is running?
RUNNING CONTAINERS ON THE HOST
[Diagram: containers sharing the host's CPU and other resources.]
CHALLENGE #3: CONTROL
What is each container doing? Is it what it’s supposed to?
How to limit user context and permissions?
What network connections is the container making?
How to give specific, sensitive, information to a container?
CONTAINERS HAVE GREAT BENEFITS
• Runs Anywhere
• Up in Seconds
• Massive Scale
SECURITY IS A BARRIER TO ADOPTION
BRIDGING THE GAP
• Shift Left
• Automate
• Prevent
SHIFT-LEFT INTO THE BUILD PHASE
• Evaluate risk based on configuration and content
• Register compliant images as approved for use
• Scan for vulnerabilities on the finished product
• Share information between Dev, Ops and Sec
ADD ENFORCEMENT OF IMAGE USAGE
• Only accept known images
• Approve images based on risk
• Maintain integrity
LIMIT ACCESS TO CONTAINER ENGINE
• Separate automation from human actions
• Control parameters that elevate privilege
• Permissions on volumes, networks, etc.
• Audit trail with accountable user
GRANULAR CONTROLS OF RUNNING CONTAINERS
• User context of the container
• Executables and resources inside the container
• Isolation from the host
• Network segmentation
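The enforcement, engine-access and runtime-control slides above describe checks that are usually applied as an admission gate before a container is started. The following is an added example (not Aqua's code, and not part of the original deck) of such a gate in Python: it evaluates a dict shaped like the relevant parts of `docker inspect` output, requires the image to be pinned to an approved digest (so the image reaching the host is the one that was scanned), rejects a root user context, and flags the run parameters that elevate privilege or remove isolation from the host. The approved digest, capability list and sample requests are constructed placeholders.

```python
import re

# Constructed allow-list of approved image digests (placeholder value, not a real image).
APPROVED_DIGESTS = {"sha256:" + "a" * 64}
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}
SENSITIVE_HOST_PATHS = {"/", "/proc", "/sys", "/var/run/docker.sock"}


def check_container(spec: dict) -> list:
    """Evaluate a docker-inspect-shaped dict; return policy violations (empty = allowed)."""
    findings = []
    cfg, host = spec.get("Config", {}), spec.get("HostConfig", {})

    # Image assurance: the image must be pinned by a digest on the approved list,
    # so the image that reaches the host is provably the one that was scanned.
    image = cfg.get("Image", "")
    m = re.search(r"@(sha256:[0-9a-f]{64})$", image)
    if not m:
        findings.append(f"image not pinned by digest: {image}")
    elif m.group(1) not in APPROVED_DIGESTS:
        findings.append(f"image digest not approved: {m.group(1)}")

    # User context: refuse containers that would run as root.
    if str(cfg.get("User", "")).split(":")[0] in ("", "0", "root"):
        findings.append("container runs as root")

    # Parameters that elevate privilege or remove isolation from the host.
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    for key in ("NetworkMode", "PidMode", "IpcMode"):
        if host.get(key) == "host":
            findings.append(f"{key}=host shares a host namespace")
    bad_caps = DANGEROUS_CAPS & {c.upper() for c in host.get("CapAdd") or []}
    if bad_caps:
        findings.append("dangerous capabilities added: " + ", ".join(sorted(bad_caps)))
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {bind.split(':')[0]}")
    return findings


# Constructed sample requests: the first should be rejected, the second allowed.
SAMPLE_BAD = {
    "Config": {"Image": "registry.example/app:latest", "User": ""},
    "HostConfig": {"Privileged": True, "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"],
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
}
SAMPLE_GOOD = {
    "Config": {"Image": "registry.example/app@sha256:" + "a" * 64, "User": "1000:1000"},
    "HostConfig": {"Privileged": False, "NetworkMode": "app_net", "CapAdd": [], "Binds": []},
}
```

Each finding names the offending parameter, which is what an audit trail with an accountable user needs to record alongside the decision.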
CONTAINERS + AQUA = BETTER SECURITY
THE SECURITY FOUNDATION FOR CONTAINERS
1. Image Assurance
2. Runtime Protection
3. Container Network Firewall
4. Secret Management
5. Access Control and Docker Compliance
AQUA SECURITY: SNAPSHOT
TEAM: 70 experienced, passionate innovators
FORTUNE 1000 CUSTOMERS: Banking, Media, Insurance, Healthcare, Retail, Travel, Software & Internet, Telecommunications
INVESTORS: Light Ventures Capital, Microsoft Ventures, TLV Partners, Shlomo Kramer
OFFICES: Tel Aviv, San Francisco, Boston
DEPLOYMENT ARCHITECTURE
[Diagram: Aqua Command Center, fed by Aqua Cyber Intelligence, manages Aqua Enforcers installed on each Linux/Windows host alongside the Container Engine and its containers; it integrates with Public and Private Registries, CI/CD, and SIEM / Analytics, with Aqua Gateways in between.]
TO THE DEMO
For Additional Info
Our Resource Center: www.aquasec.com/resources/
Container Wiki: www.aquasec.com/wiki
WWW.AQUASEC.COM