Securing the Lids on Containers in the Cloud
Raymond Lay, 10th April 2017
Hello Motto
WHY Container Technology
HOW Secure is it
WHAT else to consider
WHY Container Technology
Software Design Evolution…
From Monolithic
To Microservices
Fast Deployment, Efficient Scaling,
Design Autonomy
From Physical Servers
To VMs To Containers
Speed & Scale
• More Agile
• Deliver Faster
• Better @ Packaging & Deployment
• Lower Resource Constraint
How Secure is Container Technology
Is Container Technology Inherently MORE Secure
• Namespaces provide Isolation
• Isolate Applications from Host
• Isolate Applications from each other
• Cgroups provide resource limiting (CPU, Memory etc.)
• Reducing Surface Area of the Host (Access)
• Improved Security through restricting capabilities
• Encourage adoption of Principles of Least Privilege
• Applications packaged in containers are “usually” more secure
• Reliance on kernel features to isolate and control resources
• Assumes that containers (contained processes) are working as intended and the code deployed is secure
• The underlying OS is well-secured (hardened appropriately)
• Security patches have been integrated into deployment
It depends…
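The "it depends" above comes down to how a container is actually launched, not what the runtime could do. The following audit script is an added example, not part of the deck or of any container project: it reads a service definition written with docker-compose style keys (privileged, cap_add, cap_drop, pid, network_mode, user, read_only, mem_limit, cpus, security_opt) and flags the settings that undo the namespace isolation, cgroup limits, capability restriction and least-privilege points listed on the slides. The function names audit_service and audit_compose, the rule set, and the WEAK and HARDENED sample services are this example's own constructions.

```python
"""Audit a container run configuration against the isolation and
least-privilege points made in the slides.

Added example (not part of the original deck): the configuration format
mirrors docker-compose service keys, and the audit rules below are this
example's own assumptions, not a published benchmark.
"""
from __future__ import annotations


def audit_service(name: str, svc: dict) -> list[str]:
    """Return a list of findings for one service; an empty list means no issue found."""
    findings: list[str] = []

    # Namespaces: sharing the host's PID or network namespace undoes the
    # isolation between the container, the host and other containers.
    if svc.get("pid") == "host":
        findings.append(f"{name}: shares host PID namespace (pid: host)")
    if svc.get("network_mode") == "host":
        findings.append(f"{name}: shares host network namespace (network_mode: host)")

    # Capabilities: privileged mode or CAP_SYS_ADMIN gives near-root control
    # of the host kernel; the least-privilege pattern is to drop everything
    # and add back only what the application needs.
    if svc.get("privileged"):
        findings.append(f"{name}: runs privileged")
    caps_added = {c.upper().removeprefix("CAP_") for c in svc.get("cap_add", [])}
    caps_dropped = {c.upper().removeprefix("CAP_") for c in svc.get("cap_drop", [])}
    if "ALL" in caps_added or "SYS_ADMIN" in caps_added:
        findings.append(f"{name}: adds dangerous capabilities {sorted(caps_added)}")
    if "ALL" not in caps_dropped:
        findings.append(f"{name}: does not drop all capabilities by default")

    # Host-level "root access": uid 0 inside the container is uid 0 on the
    # host unless user namespaces are in use, so run as an unprivileged user.
    user = str(svc.get("user", "root"))
    if user in ("root", "0") or user.startswith("0:"):
        findings.append(f"{name}: runs as root inside the container")

    # Cgroups: without memory/CPU limits one container can starve the rest.
    if "mem_limit" not in svc:
        findings.append(f"{name}: no memory limit (cgroup)")
    if "cpus" not in svc:
        findings.append(f"{name}: no CPU limit (cgroup)")

    # Reducing surface area: read-only root filesystem and no new privileges
    # (blocks setuid binaries from regaining capabilities that were dropped).
    if not svc.get("read_only", False):
        findings.append(f"{name}: root filesystem is writable")
    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append(f"{name}: no-new-privileges is not set")

    return findings


def audit_compose(compose: dict) -> dict[str, list[str]]:
    """Audit every service in a compose-style document."""
    return {name: audit_service(name, svc)
            for name, svc in compose.get("services", {}).items()}


# Constructed sample: a service written the "quick" way, relying on defaults
# plus a couple of convenience flags.
WEAK = {
    "services": {
        "web": {
            "image": "example/web:latest",
            "privileged": True,
            "network_mode": "host",
        }
    }
}

# Constructed sample: the same service hardened along the lines of the slides.
HARDENED = {
    "services": {
        "web": {
            "image": "example/web:latest",
            "user": "10001:10001",
            "read_only": True,
            "cap_drop": ["ALL"],
            "cap_add": ["NET_BIND_SERVICE"],
            "security_opt": ["no-new-privileges:true"],
            "mem_limit": "256m",
            "cpus": "0.5",
        }
    }
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for service, findings in audit_compose(cfg).items():
            print(f"[{label}] {service}: {len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

Run as-is, the WEAK service produces eight findings (privileged, host network, no capability drop, root user, no memory or CPU limit, writable root filesystem, no-new-privileges unset) while HARDENED produces none. The rules are deliberately simple and static; they show the gap between a runtime's defaults and a deployed configuration, not a complete benchmark.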
What else to Consider
Devil in the Details…
• Host Level “Root Access”
• Host Level Protection
• Container Security – Code & Ownership
• Vulnerability Assessments
• Orchestration, Scalability & Patch Management
• Deployment with/without VMs
[Diagram: layers Container, Application, Other Containers, Underlying OS, with External Threats outside]
Threats & Defenses
[Diagram: Cgroups, Namespaces, Code Reviews, Traditional Defenses]
KEY TAKEAWAYS
• Container Technology can provide Speed, Scale & Security
• Traditional InfoSec approach still applies – CIA
• Defaults <> Deployed