
A DevSecOps Approach to Zero Trust Network Security - Container Days Hamburg 2018

Andy Randall
June 20, 2018


I gave this presentation at Container Days in Hamburg, June 2018.
Video here: https://www.youtube.com/watch?v=KJeWRzwzABQ



Transcript

  1. A DevSecOps Approach To Zero Trust Network Security
     © 2018 Tigera, Inc. | Proprietary and Confidential
     Andy Randall, Co-founder, Tigera
  2. DevOps

     “DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality.” - Bass, Len; Weber, Ingo; Zhu, Liming, DevOps: A Software Architect's Perspective.

     (Diagram: Development, QA, Operations → Dev + Ops)
  3. DevSecOps

     “The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.” - Shannon Lietz, What is DevSecOps?, devsecops.org

     (Diagram: Development, QA, Security, Operations → DevSec + Ops)
  4. HONEY, I BUILT A ZERO TRUST NETWORK!

     • The network is always assumed to be hostile
     • External and internal threats exist on the network at all times
     • Network locality is not sufficient for deciding trust in a network
     • Every device, user, and workflow is authenticated and authorized
     • Policies must be dynamic and calculated from as many sources of data as possible
  5. It’s my job to define the network security policy! No, it’s mine! No, it’s mine! No, it’s mine!
  6. DevSecOps

     “The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.” - Shannon Lietz, What is DevSecOps?, devsecops.org

     (Diagram: Development, QA, Security, Operations → DevSec + Ops)
  7. MICROPOLICIES FOR MICROSERVICES

     Workloads (role × geo):
     • role: productpage, details, reviews, ratings with geo: us
     • role: productpage, details, reviews, ratings with geo: eu

     Allowed flows:
     • productpage → reviews
     • reviews → ratings
     • productpage → details
     • eu ↔ eu
     • us ↔ us
  8. SEPARATING SECURITY POLICY CONCERNS

     Tiers are evaluated in order (InfoSec Tier → Platform Tier → App Tier); within a tier, policies are evaluated in order.

     InfoSec Tier (owned by Security):
     • deny cluster ingress & egress for known bad actors
     • deny cluster ingress & egress for embargoed countries
     • deny cluster ingress & egress for PCI workloads
     • allow compliance audit log collector to all workloads
     • pass all other connections to platform tier

     Platform Tier (owned by Ops):
     • pass prod workloads connecting to prod workloads
     • pass cluster ingress to FE prod workloads
     • pass dev workloads connecting to dev workloads
     • pass test workloads connecting to test workloads
     • deny all other connections

     App Tier (owned by Devs):
     • allow cluster ingress to FE workloads
     • allow front end workloads to app logic workloads
     • allow app logic workloads to database workloads
     • allow DB workloads to connect to DB workloads
     • deny all other connections
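The tiered evaluation on the slide above, as an added Python example (not from the deck and not Tigera's code): tiers run in order, the first matching rule in a tier wins, allow/deny are final, and pass hands the connection to the next tier. Workload labels, selectors and rules are constructed for illustration; the behaviour when no rule in a tier matches is an assumption.

```python
# Added example: simulator of tiered policy evaluation as on the
# "Separating Security Policy Concerns" slide. Tiers run in order; within a
# tier the first matching rule wins; allow/deny are final, pass hands the
# connection to the next tier. All labels and rules are constructed.

def lbl(key, value):
    """Label selector: true when the endpoint carries key == value."""
    return lambda labels: labels.get(key) == value

def any_ep(labels):
    return True

def rule(action, src=any_ep, dst=any_ep):
    return (action, src, dst)

# InfoSec -> Platform -> App, mirroring the slide's tier evaluation order.
TIERS = [
    ("infosec", [
        rule("deny", src=lbl("reputation", "bad")),         # known bad actors
        rule("deny", dst=lbl("reputation", "bad")),
        rule("allow", src=lbl("role", "audit-collector")),  # compliance log collector
        rule("pass"),                                       # everything else -> platform
    ]),
    ("platform", [
        rule("pass", src=lbl("env", "prod"), dst=lbl("env", "prod")),
        rule("pass", src=lbl("env", "dev"), dst=lbl("env", "dev")),
        rule("deny"),                                       # e.g. prod <-> dev
    ]),
    ("app", [
        rule("allow", src=lbl("tier", "frontend"), dst=lbl("tier", "app")),
        rule("allow", src=lbl("tier", "app"), dst=lbl("tier", "db")),
        rule("deny"),
    ]),
]

def evaluate(src, dst, tiers=TIERS):
    """Return (verdict, tier, rule_index) for a connection src -> dst."""
    for name, rules in tiers:
        for i, (action, src_sel, dst_sel) in enumerate(rules):
            if src_sel(src) and dst_sel(dst):
                if action == "pass":
                    break                   # defer to the next tier
                return action, name, i
        else:
            return "deny", name, None       # assumption: no match in a tier denies
    return "deny", None, None               # fell off the last tier: default deny

# Constructed sample workloads.
FE_PROD, APP_PROD = {"tier": "frontend", "env": "prod"}, {"tier": "app", "env": "prod"}
DB_PROD, APP_DEV = {"tier": "db", "env": "prod"}, {"tier": "app", "env": "dev"}
BAD, AUDITOR = {"reputation": "bad"}, {"role": "audit-collector", "env": "prod"}
```

Note that a prod-to-dev connection is stopped in the platform tier before the app tier's rules are ever consulted, which is the point of the ordering.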
  9. CONTINUOUS MONITORING AND LOGGING

     “DevSecOps always requires logging. Every resource is logged, no exceptions. Because without logs, it is like flying blind.” - Fabian Lim, DevSecOps is the Krav Maga of Security (devsecops.org)
  10. CNX: Zero Trust Network Security and Continuous Compliance for Modern Applications

     • Zero trust
     • Visualize, correlate, remediate
     • Cloud native and legacy
     • Enterprise control and compliance
  11. CALICO L3-4 POLICY / K8S NETWORK POLICY

     apiVersion: v1
     kind: policy
     metadata:
       name: allow-tcp-6379
     spec:
       selector: role == "database"
       ingress:
       - action: allow
         source:
           selector: role == "frontend"
         destination:
           ports: ["6379"]
       egress:
       - action: allow

     Label-based expressions support fully flexible granularity and grouping requirements.
  12. CALICO L3-4 POLICY / K8S NETWORK POLICY

     (Same allow-tcp-6379 policy as on slide 11.)

     spec.selector: role == "database" — apply this policy to any endpoint (workload or host) labelled role=database.
  13. CALICO L3-4 POLICY / K8S NETWORK POLICY

     (Same allow-tcp-6379 policy as on slide 11.)

     ingress rule (source.selector: role == "frontend", destination.ports: ["6379"]) — allow incoming connections to port 6379 from any endpoint (workload or host) labelled role=frontend.
  14. ISTIO BOOKINFO SAMPLE APPLICATION

     Istio service mesh mTLS support:
     • global on/off setting
     • certificate per serviceAccount
  15. TLS POLICY USING SERVICE ACCOUNT NAMES

     apiVersion: v1
     kind: policy
     metadata:
       name: details
     spec:
       selector: app == "details"
       ingress:
       - action: allow
         source:
           serviceAccounts:
             names: ["productpage"]
       egress:
       - action: allow

     Allow incoming connections based on serviceAccount names.
  16. TLS POLICY USING SERVICE ACCOUNT LABELS

     apiVersion: v1
     kind: policy
     metadata:
       name: ratings
     spec:
       selector: app == "ratings"
       ingress:
       - action: allow
         source:
           serviceAccounts:
             selector: ratings == "reader"
       egress:
       - action: allow

     Allow incoming connections from any serviceAccount labelled ratings=reader.
  17. COMBINING L3-L7 POLICY

     apiVersion: v1
     kind: policy
     metadata:
       name: reviews
     spec:
       selector: app == "reviews"
       ingress:
       - action: allow
         source:
           podSelector: app == "productpage"
           serviceAccounts:
             selector: reviews == "reader"
       egress:
       - action: allow

     Allow incoming connections from:
     • any pod labelled app=productpage
     • with a serviceAccount labelled reviews=reader
  18. ADDING ADDITIONAL L5-7 MATCH CRITERIA

     apiVersion: v1
     kind: policy
     metadata:
       name: ratings
     spec:
       selector: app == "ratings"
       ingress:
       - action: allow
         source:
           podSelector: app == "productpage"
           serviceAccounts:
             selector: ratings == "reader"
         http:
           methods: ["GET"]
           paths: ["/ratings/*"]
       egress:
       - action: allow

     Policy rules can include other L5-7 match criteria.