
A DevSecOps Approach to Zero Trust Network Security - Container Days Hamburg 2018

Andy Randall
June 20, 2018


I gave this presentation at Container Days in Hamburg, June 2018.
Video here: https://www.youtube.com/watch?v=KJeWRzwzABQ


Transcript

  1. A DevSecOps Approach To Zero Trust Network Security. Andy Randall, Co-founder, Tigera. (© 2018 Tigera, Inc. | Proprietary and Confidential)
  2. DevOps

    “DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality.” - Bass, Len; Weber, Ingo; Zhu, Liming, DevOps: A Software Architect's Perspective. (Diagram: Development, QA, Operations; "Dev" and "Ops" overlapping.)
  3. (Image slide, no text.)

  4. DevSecOps

    “The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.” - Shannon Lietz, What is DevSecOps?, devsecops.org. (Diagram: Development, QA, Security, Operations; "DevSec" and "Ops" overlapping.)
  5. “SHIFTING SECURITY LEFT”
  6. SECURING MODERN APPLICATION NETWORKS (© 2017 Tigera, Inc.)

  7. (No text.)
  8.-19. SECURING MODERN APPLICATION NETWORKS (image slides, no further text.)

  20. (No text.)
  21. KUBERNETES NETWORK POLICY

  22. ISTIO SERVICE MESH

  23. (Image slide, no text.)

  24. HONEY, I BUILT A ZERO TRUST NETWORK!

    > The network is always assumed to be hostile
    > External and internal threats exist on the network at all times
    > Network locality is not sufficient for deciding trust in a network
    > Every device, user, and workflow is authenticated and authorized
    > Policies must be dynamic and calculated from as many sources of data as possible
  25. (Cartoon.) “It’s my job to define the network security policy!” “No, it’s mine!” “No, it’s mine!” “No, it’s mine!”
  26. DevSecOps (repeats the Shannon Lietz definition and diagram from slide 4.)
  27. MICROPOLICIES FOR MICROSERVICES

    Workloads are labelled with a role (productpage, details, reviews, ratings) and a geo (us, eu), i.e. eight combinations: role: productpage / details / reviews / ratings, each with geo: us and geo: eu.

    Allowed flows:
    - productpage → reviews
    - reviews → ratings
    - productpage → details
    - eu ↔ eu
    - us ↔ us
  28. SEPARATING SECURITY POLICY CONCERNS

    Tier evaluation order: InfoSec Tier → Platform Tier → App Tier. Within each tier, policies are evaluated in the order listed.

    InfoSec Tier (owned by Security):
    - allow cluster ingress to FE workloads
    - deny cluster ingress & egress for known bad actors
    - deny cluster ingress & egress for embargoed countries
    - deny cluster ingress & egress for PCI workloads
    - allow compliance audit log collector to all workloads
    - pass all other connections to platform tier

    Platform Tier (owned by Ops):
    - pass prod workloads connecting to prod workloads
    - pass cluster ingress to FE prod workloads
    - pass dev workloads connecting to dev workloads
    - pass test workloads connecting to test workloads
    - deny all other connections

    App Tier (owned by Devs):
    - allow front end workloads to app logic workloads
    - allow app logic workloads to database workloads
    - allow DB workloads to connect to DB workloads
    - deny all other connections
  29. CONTINUOUS MONITORING AND LOGGING

    “DevSecOps always requires logging. Every resource is logged, no exceptions. Because without logs, it is like flying blind.” - Fabian Lim, DevSecOps is the Krav Maga of Security (devsecops.org)
  30. CNX: Zero Trust Network Security and Continuous Compliance for Modern Applications

    - Zero trust
    - Visualize, correlate, remediate
    - Cloud native and legacy
    - Enterprise control and compliance
  31. (Image slide, no text.)

  32. (Image slide, no text.)

  33. DANKE! Andy Randall, @andrew_randall, andy@tigera.io

  34. CALICO L3-4 POLICY / K8S NETWORK POLICY (© 2017 Tigera, Inc. | Proprietary and Confidential)

    ```yaml
    apiVersion: v1
    kind: policy
    metadata:
      name: allow-tcp-6379
    spec:
      selector: role == "database"
      ingress:
        - action: allow
          source:
            selector: role == "frontend"
          destination:
            ports: ["6379"]
      egress:
        - action: allow
    ```

    Label-based expressions support fully flexible granularity and grouping requirements.
  35. CALICO L3-4 POLICY / K8S NETWORK POLICY (same policy as slide 34)

    Apply this policy to any endpoint (workload or host) labelled role=database.
  36. CALICO L3-4 POLICY / K8S NETWORK POLICY (same policy as slide 34)

    Allow incoming connections to port 6379 from any endpoint (workload or host) labelled role=frontend.
  37. ISTIO BOOKINFO SAMPLE APPLICATION

    Istio service mesh mTLS support:
    • global on/off setting
    • certificate per serviceAccount
  38. TLS POLICY USING SERVICE ACCOUNT NAMES

    ```yaml
    apiVersion: v1
    kind: policy
    metadata:
      name: details
    spec:
      selector: app == "details"
      ingress:
        - action: allow
          source:
            serviceAccounts:
              names: ["productpage"]
      egress:
        - action: allow
    ```

    Allow incoming connections based on serviceAccount names.
  39. TLS POLICY USING SERVICE ACCOUNT LABELS

    ```yaml
    apiVersion: v1
    kind: policy
    metadata:
      name: ratings
    spec:
      selector: app == "ratings"
      ingress:
        - action: allow
          source:
            serviceAccounts:
              selector: ratings == "reader"
      egress:
        - action: allow
    ```

    Allow incoming connections from any serviceAccount labelled ratings=reader.
  40. COMBINING L3-L7 POLICY

    ```yaml
    apiVersion: v1
    kind: policy
    metadata:
      name: reviews
    spec:
      selector: app == "reviews"
      ingress:
        - action: allow
          source:
            podSelector: app == "productpage"
            serviceAccounts:
              selector: reviews == "reader"
      egress:
        - action: allow
    ```

    Allow incoming connections from:
    • any pod labelled app=productpage
    • with a serviceAccount labelled reviews=reader
  41. ADDING ADDITIONAL L5-7 MATCH CRITERIA

    ```yaml
    apiVersion: v1
    kind: policy
    metadata:
      name: ratings
    spec:
      selector: app == "ratings"
      ingress:
        - action: allow
          source:
            podSelector: app == "productpage"
            serviceAccounts:
              selector: ratings == "reader"
          http:
            methods: ["GET"]
            paths: ["/ratings/*"]
      egress:
        - action: allow
    ```

    Policy rules can include other L5-7 match criteria.
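The tiered evaluation from slide 28 and the rule match criteria from slides 34 to 41 (label selectors, serviceAccount names and labels, HTTP method and path) can be exercised together in a small simulator. The block below is an added example written for this transcript; it is not Calico, CNX or Tigera code, and its semantics are an assumption: inside a tier the first matching ingress rule of a policy that selects the destination wins, `allow` and `deny` are final, `pass` (or no match at all) hands the connection to the next tier, and anything unmatched at the end is denied. All function names, the tier and policy names, the labels (`env`, `threat=known-bad`, `role=audit-collector`) and the glob-style path matching are constructed for the example, not taken from the deck.

```python
"""Toy tiered-policy evaluator (added example; not Calico/CNX/Tigera code).
All policies, labels and the evaluation semantics are constructed assumptions."""
from fnmatch import fnmatch


def selector_matches(selector, labels):
    """Stand-in for Calico selector expressions such as role == "database":
    every key/value in `selector` must be present in `labels`.
    An empty selector matches every endpoint."""
    return all(labels.get(key) == value for key, value in selector.items())


def rule_matches(rule, conn):
    """Check one ingress rule against a connection description."""
    src = rule.get("source", {})
    if not selector_matches(src.get("podSelector", {}), conn["src_labels"]):
        return False
    sa = src.get("serviceAccounts", {})
    if "names" in sa and conn["src_sa"] not in sa["names"]:
        return False
    if not selector_matches(sa.get("selector", {}), conn["src_sa_labels"]):
        return False
    dst = rule.get("destination", {})
    if "ports" in dst and conn["dst_port"] not in dst["ports"]:
        return False
    http = rule.get("http", {})
    if "methods" in http and conn["method"] not in http["methods"]:
        return False
    if "paths" in http and not any(fnmatch(conn["path"], p) for p in http["paths"]):
        return False
    return True


def evaluate_tier(tier, conn):
    """First matching rule of a policy that selects the destination decides.
    Returns (action, policy_name), or (None, None) if the tier has no opinion."""
    for policy in tier["policies"]:
        if not selector_matches(policy["selector"], conn["dst_labels"]):
            continue
        for rule in policy["ingress"]:
            if rule_matches(rule, conn):
                return rule["action"], policy["name"]
    return None, None


def evaluate(tiers, conn):
    """Walk tiers in order: allow/deny are final, pass or no match continues,
    and a connection nothing claims is denied by default."""
    for tier in tiers:
        action, policy = evaluate_tier(tier, conn)
        if action in ("allow", "deny"):
            return action, tier["name"], policy
    return "deny", "default", None


def make_conn(src_labels, dst_labels, port=None, sa="default", sa_labels=None,
              method=None, path=""):
    """Describe one ingress connection as seen at the destination endpoint."""
    return {"src_labels": src_labels, "src_sa": sa, "src_sa_labels": sa_labels or {},
            "dst_labels": dst_labels, "dst_port": port, "method": method, "path": path}


# Constructed tiers mirroring the InfoSec -> Platform -> App split of slide 28.
TIERS = [
    {"name": "infosec", "policies": [
        {"name": "deny-known-bad-actors", "selector": {},
         "ingress": [{"action": "deny", "source": {"podSelector": {"threat": "known-bad"}}}]},
        {"name": "allow-audit-collector", "selector": {},
         "ingress": [{"action": "allow", "source": {"podSelector": {"role": "audit-collector"}}}]},
        {"name": "pass-to-platform", "selector": {}, "ingress": [{"action": "pass"}]},
    ]},
    {"name": "platform", "policies": [
        {"name": "pass-prod-to-prod", "selector": {"env": "prod"},
         "ingress": [{"action": "pass", "source": {"podSelector": {"env": "prod"}}}]},
        {"name": "pass-dev-to-dev", "selector": {"env": "dev"},
         "ingress": [{"action": "pass", "source": {"podSelector": {"env": "dev"}}}]},
        {"name": "deny-all", "selector": {}, "ingress": [{"action": "deny"}]},
    ]},
    {"name": "app", "policies": [
        {"name": "frontend-to-applogic", "selector": {"role": "applogic"},
         "ingress": [{"action": "allow", "source": {"podSelector": {"role": "frontend"}}}]},
        {"name": "allow-tcp-6379", "selector": {"role": "database"},   # slide 34
         "ingress": [{"action": "allow", "source": {"podSelector": {"role": "applogic"}},
                      "destination": {"ports": [6379]}}]},
        {"name": "ratings", "selector": {"app": "ratings"},            # slide 41
         "ingress": [{"action": "allow",
                      "source": {"podSelector": {"app": "productpage"},
                                 "serviceAccounts": {"selector": {"ratings": "reader"}}},
                      "http": {"methods": ["GET"], "paths": ["/ratings/*"]}}]},
        {"name": "deny-all", "selector": {}, "ingress": [{"action": "deny"}]},
    ]},
]

if __name__ == "__main__":
    print(evaluate(TIERS, make_conn({"role": "applogic", "env": "prod"},
                                    {"role": "database", "env": "prod"}, port=6379)))
    print(evaluate(TIERS, make_conn({"role": "frontend", "env": "dev"},
                                    {"role": "applogic", "env": "prod"})))
```

Ordering is what the example is meant to show: a dev frontend reaching a prod app-logic workload never gets as far as the developers' App tier, because the Platform tier's trailing `deny-all` catches it, while a known bad actor is stopped in the InfoSec tier before either of the other teams' policies are consulted. A POST to `/ratings/1` from the right pod and serviceAccount fails the `http` criteria and falls through to the App tier's `deny-all`.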