Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices

Transcription

1 Emerging Approaches in a -Connected Enterprise: Containers and Microservices Anil Karmel Co-Founder and CEO, C2 Labs Co-Chair, NIST Security Working Group

2 Emerging Technologies and Trends is Our Reality Evolving Models Private (IaaS) Public (SaaS, PaaS, IaaS) Hybrid is becoming the defacto norm What About Security? OPM Breach Experian Breach (T-Mobile Customers)

3 2013 Advanced Threat Report Courtesy of FireEye Relative to 2006, cyber crimes increased by 782%: A malware activity every 3 minutes 65% of attacks target financial services, healthcare, manufacturing and entertainment 89% of callback activities were linked with Advanced Persistent Threat (APT) tools made in China or by Chinese hacker groups

4 NIST Computing Reference Architecture SP Broker Broker Provider Provider Consumer Consumer Auditor Auditor Security Security Audit Audit Privacy PrivacyImpact Impact Audit Audit Performance Performance Audit Audit Orchestration Service Service Management Management Service ServiceLayer Layer SaaS SaaS Business Business Support Support PaaS PaaS Service Service Intermediation Intermediation IaaS IaaS Provisioning/ Provisioning/ Consumer Consumer Resource ResourceAbstraction Abstraction and andcontrol Control Configuration Configuration Layer Layer Physical PhysicalResource ResourceLayer Layer Hardware Hardware Portability/ Portability/ Interoperability Interoperability Facility Facility Service Service Aggregation Aggregation Service Service Arbitrage Arbitrage Carrier Carrier Cross Cutting Concerns: Security, Privacy, etc

5 Demystified What is a Ecosystem? Security / Control Software as a Service Platform as a Service Infrastructure as a Service

6 Distributed Architecture = Split Control / Responsibilities CLOUD ECOSYSTEM Clients (Browsers, Mobile Apps, etc.) CLOUD ENVIRONMENT Software as a Service (SaaS) (Application, Services) Platform as a Service (PaaS) (APIs, Pre-built components) Infrastructure as a Service (VMs, Load Balancers, DB, etc.) Physical Hardware (Servers, Storage, Networking)

7 What you can manage PaaS SaaS You manage IaaS Stack image source: Security Alliance specification, 2009

8 Organizational Challenges Modernizing IT Agility Organizations are struggling to deliver more in a fiscally and resource constrained environment Flexibility Existing IT investments are typically problematic to reconfigure or scale to meet new application demands Transparancy Difficult to quantify the cost of optimizing legacy infrastructure to support new applications

9 Organizational Challenges Modernizing IT, Mobile, Social, Big Data Powerful ROI story with real security challenges Mobile BYOD with Mobile Application Management result in security and privacy concerns Social Agency data inadvertently ends up on public social networks via geotagging Big Data Unstructured data unveils actionable intelligence but what about the Mosaic effect? How does you balance time to market, cost concerns, security, manageability and risk in the move to a cloud-connected enterprise?

10 How do we revolutionize our investments? Software-Defined IT REDEFINE CONTEXT Who is the user? What data are they trying to access? Where is the user and the data? How are they accessing the information? Context Aware IT Level of assurance of the data defines the required level of trust

11 Context Aware IT Data Centric Approach Understand your Data Identify and understand the value of the data in your organization Decompose Your Data Break down applications and data into building blocks Monitor Your Data Understand Risk to your Data using the Risk Management Framework for Employ Continuous Monitoring of your Systems to identify and limit the damage an adversary has to your data

12 Emerging Technologies and Trends Microservices and Containers Microservices Decompose Complex Applications into Small, Independent Processes communicating with each other using language-agnostic API s Highly Decoupled and Modular with services organized around capabilities (e.g. User Interface, Billing) Allows for Continuous Integration Containers Much like Virtualization abstracts the Operating System from Hardware, Containers abstracts to Applications from the Operating System Applications are isolated from other Applications on the same Operating System Allows for Portability and Scale Up/Out Security issues need to be evaluated and addressed in native container deployments

13 Emerging Technologies and Trends Virtual Machines vs Containers Source: Docker.com

14 Container Security Challenges Increased Attack Surface Containers are far more complex than VM s wherein a single Application can consist of 1000 s of microservices Underlying Linux Operating System complexities can be exploited by attackers to compromise all containers on a host OS Runtime Compromise / Vulnerabilities / Misconfiguration Secure Software Development Containers can have code pushed to them from untrusted sources Log Management Big Data Problem: How do you view and manage logs across 1000 s of containers Orchestration Infrastructure now runs as code (Puppet/Chef/Ansible) Software developers, not infrastructure staff now run the data center

15 Container Security Solutions Increased Attack Surface Employ MicroVM s (Just Enough VM) Monitor Containers at Runtime / Real-time scan for Vulnerabilities and Misconfiguration and Remediate Secure Software Development Whitelist/Blacklist Containers Establish a secure container registry Sign containers and code (MD5) Log Management Centralize container logs including developer actions Orchestration Employ orchestration platform to manage containers across environments (DEV,TEST,QA,PROD) and across clouds \ Insource Security / Outsource Compute

16 Microservices Security Challenges and Solutions Decomposition of Applications Need to decompose applications into microservices correctly so they only do one thing well, driving development of secure code Monolithic code with a 1,000 DLL's needs to be decomposed into 1,000 microservices which makes it more secure and maintainable Interface-driven development Need to have well defined REST API s to ensure microservices talk consistently to each other Containers and Microservices will power the DevOps revolution and the next bowwave of technology innovation

17 Thank you! Anil Karmel, CEO, C2