Microservices a security nightmare? GOTO Berlin - Dec 2, 2015 Maximilian Schöfmann Container Solutions Switzerland

Transcription

1

2 Microservices a security nightmare? GOTO Berlin - Dec 2, 2015 Maximilian Schöfmann Container Solutions Switzerland

3

4 Autonomy Security

5 microservices small, hence many services talking over the network built with different technologies by autonomous teams with end-to-end responsibility doing DevOps and Continuous Delivery using containers

6

7 many small services

8

9 talking over the network

10 Java 7 (1.7.0_03)

11 built with different technologies Java 8 nodejs 0.9 Java 7 Ruby 2.1 Go 1.4

12

13 by autonomous teams with end-to-end responsibility

14 (ISC) 2

15 doing DevOps OWASP??

16 Specification Implementation Validation

17 and Continuous Delivery

18

19 using containers

20 using containers XEN Hypervisor - 10^5 LOC Linux Kernel - 10^7 LOC

21

22 many small services

23 talking over the network user_db payment_ data cat_ pictures (stateless) (stateless)

24 talking over the network user_db payment_ data cat_ pictures (stateless) (stateless)

25 Authentication: Basic Auth talking over the network Authorization: Basic c21hcnrhc3muli4ucg==

26 talking over the network Authentication: Client certificates

27 Authentication: API Keys talking over the network X-My-API-Key: YWxsIHVyIGJhc2UgYXJlIGJlbG9uZ3MgMiAgdXMK

28 talking over the network Authentication: HMAC Authorization: AWS FOOBR7EXAMPLE:frJIUN8h81ADYpKg=

29 talking over the network Secrets management vaultproject.io square.github.io/keywhiz

30 talking over the network Single-Sign-On SAML

31 talking over the network Single-Sign-On client SSO service authenticate token request with token verify send response

32 talking over the network Single-Sign-On client SSO service authenticate token request with token send response verify

33 Authorization talking over the network

34 talking over the network Authorization { } "iss":"[email protected]", scope : "aud":" "exp": , "iat":

35 talking over the network ID Tokens { } "sub" : "bob", " " : "[email protected]", "name" : "Bob Example, exp" : , " ["admin", "publisher"]

36 talking over the network Translating ID Tokens Service B JWT dumb token Gateway JWT Service A JWT Service C

37 The Confused Deputy talking over the network

38 talking over the network API Gateways API Gateway Access control Rate limiting HTTPS termination...

39 talking over the network API Gateways API Gateway WAF Payment Svc.

40 built with different technologies

41 by autonomous teams with end-to-end responsibility

42 by autonomous teams with end-to-end responsibility Trust Accountability Expertise Trust Autonomy & Entrepreneurship Collaboration & Support Idea from A.T. Kearny Analysis

43 by autonomous teams with end-to-end responsibility Definition of Done It s not done, before it s fast!

44 by autonomous teams with end-to-end responsibility Definition of Done It s not done, before it s secure!

45 by autonomous teams with end-to-end responsibility Rugged Software Manifesto ruggedsoftware.org

46 doing DevOps SecDevOps? SecOps? DevSec?

47 doing DevOps SecDevOps = Mindset + Tooling

48 and Continuous Delivery

49 and continuous delivery Test pyramid confidence UI tests Service Tests faster feedback Unit Tests from Succeeding with Agile (Mike Cohn)

50 and continuous delivery Security-Test pyramid confidence E2E security tests Vulnerability scanning faster feedback static code analysis

51 and continuous delivery BDD style continuumsecurity.net/bdd-intro.

52 using containers BSD Jails 2000 Solaris Zones 2004 LXC 2008 rkt chroot 2001 Virtuozzo Linux-VServer 2007 cgroups 2013 Docker

53 using containers Defense in depth payment service instance #2 docs upload service instance #1 payment service instance #1 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

54 using containers Freeze & replace payment service instance #2 docs upload service instance #1 payment service instance #1 payment service instance #1 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

55 using containers Freeze & replace payment service instance #2 docs upload service instance #1 payment service instance #3 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

56 using containers Docker security read-only containers minimal base images drop capabilities verify signed images traditional hardening (AppArmor, SELinux )... tinyurl.com/docker-security

57 Scan images for vulnerabilities using containers Nautilus (Docker Inc.) Clair (CoreOS)

58 using containers Secure deployments Docker daemon - just HTTP TLS Authentication Authorisation Logging & Auditing scp git rsync

59 Summary small, distributed services can limit the impact of breaches isolate services with different security requirements use standard mechanisms for auth, but make sure they are scalable consider an API gateway, but don't overuse this pattern

60 Summary monocultures can do harm embrace rugged software principles accountability ensures security is built in, not bolted on invest in automation and tooling around security tools and security testing

61 Summary use containers as additional line of defense use containers as immutable infrastructure if you need to, use containers to do forensics secure your container hosts thoroughly scan images centrally for vulnerabilities abolish obsolete deployment methods

62 Nightmare?

63 Image References (all CC-BY or public domain) Pumpkin: Bill Gates: Anarchy Symbol: Sandwich: Wasp: Whack-a-mole: Rusty container: Server: Rugged vehicle: Certificate: Confused Deputy: Aphid:

64 container-solutions.com

65