Microservices a security nightmare? GOTO Berlin - Dec 2, 2015 Maximilian Schöfmann Container Solutions Switzerland



Similar documents
Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

Cloud Security with Stackato

Why Does CA Platform Use OpenShift?

What new with Informix Software as a Service and Bluemix? Brian Hughes IBM

Building a Continuous Integration Pipeline with Docker

ISLET: Jon Schipp, Ohio Linux Fest An Attempt to Improve Linux-based Software Training

Software Defined Everything

Docker : devops, shared registries, HPC and emerging use cases. François Moreews & Olivier Sallou

Containers, Docker, and Security: State of the Union

DevOps with Containers. for Microservices

Gregory PaaS team

WHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security

Practical Guide to Platform as a Service.

DevOps. Josh Preston Solutions Architect Stardate

Type-C Ubuntu Product & Strategy Canonical Ltd.

Copyright Pivotal Software Inc, of 10

The Bro Network Security Monitor

Connectivity to Polycom RealPresence Platform Source Data

Lecture 11 Web Application Security (part 1)

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Copyright: WhosOnLocation Limited

API Architecture. for the Data Interoperability at OSU initiative

Ensuring the Security of Your Company s Data & Identities. a best practices guide

Secret Server Qualys Integration Guide

How Bigtop Leveraged Docker for Build Automation and One-Click Hadoop Provisioning

Egnyte Single Sign-On (SSO) Installation for OneLogin

Cloud, where are we? Mark Potts, HP Fellow, CTO Cloud November 2014

GoodData Corporation Security White Paper

Use Cases for Docker in Enterprise Linux Environment CloudOpen North America, 2014 Linda Wang Sr. Software Engineering Manager Red Hat, Inc.

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

JVA-122. Secure Java Web Development

How to Implement Enterprise SAML SSO

Vidder PrecisionAccess

Administering Jive Mobile Apps

Using Vagrant for Magento development. Alexander

Microservices on AWS

Novell Access Manager

This release bulletin relates to Version build 2701 of the Swivel Authentication Platform and other new capabilities.

Requirement Priority Name Requirement Text Response Comment

DMZ Gateways: Secret Weapons for Data Security

RED HAT CLOUD SUITE FOR APPLICATIONS

An Analysis of Container-based Platforms for NFV

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

The AppSec How-To: Achieving Security in DevOps

The Virtualization Practice

Access Management Analysis of some available solutions

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

Reaching for the cloud: the potential and the reality of using cloud-based platforms. Speaker: Michael Michaelides October 22, 2015

A Guide to New Features in Propalms OneGate 4.0

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

Linux A first-class citizen in Windows Azure. Bruno Terkaly bterkaly@microsoft.com Principal Software Engineer Mobile/Cloud/Startup/Enterprise

IBM Bluemix. The Digital Innovation Platform. Simon

APIs The Next Hacker Target Or a Business and Security Opportunity?

Protecting Your Organisation from Targeted Cyber Intrusion

Single-sign-on between MWS custom portlets and IS services

Cloud Security. Let s Open the Box. Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research

Designing and Coding Secure Systems

The Cloud to the rescue!

The Software Container pattern

Introduction to Openstack, an Open Cloud Computing Platform. Libre Software Meeting

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors

OCTOBER 2015 TAULIA SUPPLIER ARCHITECTURE OVERVIEW TAULIA 201 MISSION STREET SAN FRANCISCO CA 94105

Automated deployment of a microservice-based monitoring infrastructure. Augusto Ciuffoletti. 6 ottobre 2015

RED HAT CONTAINER STRATEGY

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

Evaluation of different Open Source Identity management Systems

Architecture Overview

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Considerations for Adopting PaaS (Platform as a Service)

elearning for Secure Application Development

Docker for Sysadmins: what's in it for me?

OpenShift. Marek Jelen, OpenShift, Red Hat

Security Information & Policies

Cyber Security for Start-ups: An Affordable 10-Step Plan

Configuring user provisioning for Amazon Web Services (Amazon Specific)

Interactive Application Security Testing (IAST)

Platform as a Service and Container Clouds

How To Protect A Web Application From Attack From A Trusted Environment

BDD FOR AUTOMATING WEB APPLICATION TESTING. Stephen de Vries

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Operating Systems Virtualization mechanisms

VMware vcloud Air Security TECHNICAL WHITE PAPER

A Sumo Logic White Paper. Harnessing Continuous Intelligence to Enable the Modern DevOps Team

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

PortWise Access Management Suite

Transcription:

Microservices a security nightmare? GOTO Berlin - Dec 2, 2015 Maximilian Schöfmann Container Solutions Switzerland container-solutions.com @containersoluti

Autonomy Security

microservices small, hence many services talking over the network built with different technologies by autonomous teams with end-to-end responsibility doing DevOps and Continuous Delivery using containers

many small services

talking over the network

Java 7 (1.7.0_03)

built with different technologies Java 8 nodejs 0.9 Java 7 Ruby 2.1 Go 1.4

by autonomous teams with end-to-end responsibility

(ISC) 2

doing DevOps OWASP??

Specification Implementation Validation

and Continuous Delivery

using containers

using containers XEN Hypervisor - 10^5 LOC Linux Kernel - 10^7 LOC

many small services

talking over the network user_db payment_ data cat_ pictures (stateless) (stateless)

talking over the network user_db payment_ data cat_ pictures (stateless) (stateless)

Authentication: Basic Auth talking over the network Authorization: Basic c21hcnrhc3muli4ucg==

talking over the network Authentication: Client certificates

Authentication: API Keys talking over the network X-My-API-Key: YWxsIHVyIGJhc2UgYXJlIGJlbG9uZ3MgMiAgdXMK

talking over the network Authentication: HMAC Authorization: AWS FOOBR7EXAMPLE:frJIUN8h81ADYpKg=

talking over the network Secrets management vaultproject.io square.github.io/keywhiz

talking over the network Single-Sign-On SAML

talking over the network Single-Sign-On client SSO service authenticate token request with token verify send response

talking over the network Single-Sign-On client SSO service authenticate token request with token send response verify

Authorization talking over the network

talking over the network Authorization { } "iss":"myservice@developer.gserviceaccount.com", scope : https://www.googleapis.com/auth/bigquery", "aud":"https://www.googleapis.com/oauth2/v3/token", "exp":1328554385, "iat":1328550785

talking over the network ID Tokens { } "sub" : "bob", "email" : "bob@example.com", "name" : "Bob Example, exp" : 1328672194, "https://mycorp.tld/groups": ["admin", "publisher"]

talking over the network Translating ID Tokens Service B JWT dumb token Gateway JWT Service A JWT Service C

The Confused Deputy talking over the network

talking over the network API Gateways API Gateway Access control Rate limiting HTTPS termination...

talking over the network API Gateways API Gateway WAF Payment Svc.

built with different technologies

by autonomous teams with end-to-end responsibility

by autonomous teams with end-to-end responsibility Trust Accountability Expertise Trust Autonomy & Entrepreneurship Collaboration & Support Idea from A.T. Kearny Analysis

by autonomous teams with end-to-end responsibility Definition of Done It s not done, before it s fast!

by autonomous teams with end-to-end responsibility Definition of Done It s not done, before it s secure!

by autonomous teams with end-to-end responsibility Rugged Software Manifesto ruggedsoftware.org

doing DevOps SecDevOps? SecOps? DevSec?

doing DevOps SecDevOps = Mindset + Tooling

and Continuous Delivery

and continuous delivery Test pyramid confidence UI tests Service Tests faster feedback Unit Tests from Succeeding with Agile (Mike Cohn)

and continuous delivery Security-Test pyramid confidence E2E security tests Vulnerability scanning faster feedback static code analysis

and continuous delivery BDD style continuumsecurity.net/bdd-intro.

using containers BSD Jails 2000 Solaris Zones 2004 LXC 2008 rkt 2014 1982 chroot 2001 Virtuozzo Linux-VServer 2007 cgroups 2013 Docker

using containers Defense in depth payment service instance #2 docs upload service instance #1 payment service instance #1 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

using containers Freeze & replace payment service instance #2 docs upload service instance #1 payment service instance #1 payment service instance #1 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

using containers Freeze & replace payment service instance #2 docs upload service instance #1 payment service instance #3 bookmark manager instance #1 cat picture service instance #1 meme generator instance #1

using containers Docker security read-only containers minimal base images drop capabilities verify signed images traditional hardening (AppArmor, SELinux )... tinyurl.com/docker-security

Scan images for vulnerabilities using containers Nautilus (Docker Inc.) Clair (CoreOS)

using containers Secure deployments Docker daemon - just HTTP TLS Authentication Authorisation Logging & Auditing scp git rsync

Summary small, distributed services can limit the impact of breaches isolate services with different security requirements use standard mechanisms for auth, but make sure they are scalable consider an API gateway, but don't overuse this pattern

Summary monocultures can do harm embrace rugged software principles accountability ensures security is built in, not bolted on invest in automation and tooling around security tools and security testing

Summary use containers as additional line of defense use containers as immutable infrastructure if you need to, use containers to do forensics secure your container hosts thoroughly scan images centrally for vulnerabilities abolish obsolete deployment methods

Nightmare?

Image References (all CC-BY or public domain) Pumpkin: https://www.flickr.com/photos/wwarby/5144858705 Bill Gates: https://c2.staticflickr.com/8/7331/16335705267_b6e9d9b223.jpg Anarchy Symbol: https://pixabay.com/p-32917/ Sandwich: https://upload.wikimedia.org/wikipedia/commons/6/6a/peanut-butter-jelly-sandwich.png Wasp: https://pixabay.com/p-538470 Whack-a-mole: https://c1.staticflickr.com/9/8484/8195620894_4b68d7df76_b.jpg Rusty container: https://www.flickr.com/photos/annspan/3912153466 Server: https://upload.wikimedia.org/wikipedia/commons/0/0c/chassis-plans-3u.jpg Rugged vehicle: https://c1.staticflickr.com/5/4036/4669861882_742023ed7a_b.jpg Certificate: https://pixabay.com/p-576790 Confused Deputy: https://en.wikipedia.org/wiki/confused_deputy_problem Aphid: https://en.wikipedia.org/wiki/aphid#/media/file:acyrthosiphon_pisum_(pea_aphid)-plos.jpg

container-solutions.com container-solutions.com @containersoluti

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information