Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A DevSecOps Approach to Zero Trust Network Secu...

Andy Randall
June 20, 2018
79

A DevSecOps Approach to Zero Trust Network Security - Container Days Hamburg 2018

I gave this presentation at Container Days in Hamburg, June 2018.
Video here: https://www.youtube.com/watch?v=KJeWRzwzABQ

Andy Randall

June 20, 2018
Tweet

Transcript

  1. © 2018 Tigera, Inc. | Proprietary and Confidential A DevSecOps

    Approach To Zero Trust Network Security 1 Andy Randall Co-founder, Tigera
  2. © 2018 Tigera, Inc. | Proprietary and Confidential DevOps 2

    “DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality.” - Bass, Len; Weber, Ingo; Zhu, Liming DevOps: A Software Architect's Perspective. Development QA Operations Dev Ops
  3. © 2018 Tigera, Inc. | Proprietary and Confidential DevSecOps 4

    “The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.” - Shannon Lietz, What is DevSecOps?, devsecops.org Development QA Security Operations DevSec Ops
  4. © 2018 Tigera, Inc. | Proprietary and Confidential HONEY, I

    BUILT A ZERO TRUST NETWORK! 25 > The network is always assumed to be hostile > External and internal threats exist on the network at all times > Network locality is not sufficient for deciding trust in a network > Every device, user, and workflow is authenticated and authorized > Policies must be dynamic and calculated from as many sources of data as possible
  5. © 2018 Tigera, Inc. | Proprietary and Confidential 26 It’s

    my job to define the network security policy! No, it’s mine! No, it’s mine! No, it’s mine!
  6. © 2018 Tigera, Inc. | Proprietary and Confidential DevSecOps 27

    “The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.” - Shannon Lietz, What is DevSecOps?, devsecops.org Development QA Security Operations DevSec Ops
  7. © 2018 Tigera, Inc. | Proprietary and Confidential MICROPOLICIES FOR

    MICROSERVICES 28 role: productpage geo: us role: details geo: us role: reviews geo: us role: ratings geo: us role: productpage geo: eu role: details geo: eu role: reviews geo: eu role: ratings geo: eu productpage → reviews reviews → ratings productpage → details eu ↔ eu us ↔ us
  8. © 2018 Tigera, Inc. | Proprietary and Confidential SEPARATING SECURITY

    POLICY CONCERNS 29 Platform Tier App Tier InfoSec Tier allow cluster ingress to FE workloads deny cluster ingress & egress for known bad actors deny cluster ingress & egress for embargoed countries deny cluster ingress & egress for PCI workloads allow compliance audit log collector to all workloads pass all other connections to platform tier pass prod workloads connecting to prod workloads pass cluster ingress to FE prod workloads pass dev workloads connecting to dev workloads pass test workloads connecting to test workloads deny all other connections allow front end workloads to app logic workloads allow app logic workloads to database workloads allow DB workloads to connect to DB workloads deny all other connections Tier evaluation order Policy evaluation order Security Ops Devs
  9. © 2018 Tigera, Inc. | Proprietary and Confidential CONTINUOUS MONITORING

    AND LOGGING 30 “DevSecOps always requires logging. Every resource is logged, no exceptions. Because without logs, it is like flying blind.” - Fabian Lim, DevSecOps is the Krav Maga of Security (devsecops.org)
  10. © 2018 Tigera, Inc. | Proprietary and Confidential 31 Zero

    trust Visualize, correlate, rem ediate Cloud native and legacy CNX Zero Trust Network Security and Continuous Compliance for Modern Applications Enterprise control and com pliance
  11. © 2017 Tigera, Inc. | Proprietary and Confidential CALICO L3-4

    POLICY / K8S NETWORK POLICY 35 apiVersion: v1 kind: policy metadata: name: allow-tcp-6379 spec: selector: role == "database" ingress: - action: allow source: selector: role == "frontend" destination: ports: ["6379"] egress: - action: allow Label-based expressions support fully flexible granularity and grouping requirements
  12. © 2017 Tigera, Inc. | Proprietary and Confidential CALICO L3-4

    POLICY / K8S NETWORK POLICY 36 apiVersion: v1 kind: policy metadata: name: allow-tcp-6379 spec: selector: role == "database" ingress: - action: allow source: selector: role == "frontend" destination: ports: ["6379"] egress: - action: allow Apply this policy to any endpoint (workload or host) labelled role=database
  13. © 2017 Tigera, Inc. | Proprietary and Confidential CALICO L3-4

    POLICY / K8S NETWORK POLICY 37 apiVersion: v1 kind: policy metadata: name: allow-tcp-6379 spec: selector: role == "database" ingress: - action: allow source: selector: role == "frontend" destination: ports: ["6379"] egress: - action: allow Allow incoming connections to port 6379 from any endpoint (workload or host) labelled role=fronted
  14. © 2017 Tigera, Inc. | Proprietary and Confidential ISTIO BOOKINFO

    SAMPLE APPLICATION 38 Istio service mesh mTLS support: • global on/off setting • certificate per serviceAccount
  15. © 2017 Tigera, Inc. | Proprietary and Confidential TLS POLICY

    USING SERVICE ACCOUNT NAMES 39 apiVersion: v1 kind: policy metadata: name: details spec: selector: app == "details" ingress: - action: allow source: serviceAccounts: names: ["productpage"] egress: - action: allow Allow incoming connections based on serviceAccount names
  16. © 2017 Tigera, Inc. | Proprietary and Confidential TLS POLICY

    USING SERVICE ACCOUNT LABELS 40 apiVersion: v1 kind: policy metadata: name: ratings spec: selector: app == "ratings" ingress: - action: allow source: serviceAccounts: selector: ratings == "reader" egress: - action: allow Allow incoming connections from any serviceAccount labelled ratings=reader
  17. © 2017 Tigera, Inc. | Proprietary and Confidential COMBINING L3-L7

    POLICY 41 apiVersion: v1 kind: policy metadata: name: reviews spec: selector: app == "reviews" ingress: - action: allow source: podSelector: app == "productpage" serviceAccounts: selector: reviews == "reader" egress: - action: allow Allow incoming connections from: • any pod labelled app=productpage • with a serviceAccount labelled reviews=reader
  18. © 2017 Tigera, Inc. | Proprietary and Confidential ADDING ADDITIONAL

    L5-7 MATCH CRITERIA 42 apiVersion: v1 kind: policy metadata: name: ratings spec: selector: app == "ratings" ingress: - action: allow source: podSelector: app == "productpage" serviceAccounts: selector: ratings == "reader" http: methods: ["GET"] paths: ["/ratings/*"] egress: - action: allow Policy rules can include other L5-7 match criteria