Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Containerization and Compliance
Search
Frank Macreery
May 05, 2015
Programming
0
550
Containerization and Compliance
Originally presented at CoreOS Fest 2015.
Video here:
https://www.youtube.com/watch?v=y5ERnWnGa3s
Frank Macreery
May 05, 2015
Tweet
Share
More Decks by Frank Macreery
See All by Frank Macreery
Docker for Ruby Developers
fancyremarker
3
650
Aptible + TelePharm: HIPAA for Startups
fancyremarker
0
1.4k
Architecting Applications for HIPAA Compliance
fancyremarker
0
210
HIPAA Dev Ops: Architecting Layers of Responsibility
fancyremarker
0
73
Garner: Anatomy of a Ruby Gem
fancyremarker
0
340
Other Decks in Programming
See All in Programming
ソフトウェアテスト徹底指南書の紹介
goyoki
1
140
Honoアップデート 2025年夏
yusukebe
1
920
パッケージ設計の黒魔術/Kyoto.go#63
lufia
3
430
Vue・React マルチプロダクト開発を支える Vite
andpad
0
110
Go言語での実装を通して学ぶLLMファインチューニングの仕組み / fukuokago22-llm-peft
monochromegane
0
120
[FEConf 2025] 모노레포 절망편, 14개 레포로 부활하기까지 걸린 1년
mmmaxkim
0
1.5k
MLH State of the League: 2026 Season
theycallmeswift
0
220
Rancher と Terraform
fufuhu
2
210
実用的なGOCACHEPROG実装をするために / golang.tokyo #40
mazrean
1
230
意外と簡単!?フロントエンドでパスキー認証を実現する WebAuthn
teamlab
PRO
1
600
MCPで実現するAIエージェント駆動のNext.jsアプリデバッグ手法
nyatinte
7
1.1k
FindyにおけるTakumi活用と脆弱性管理のこれから
rvirus0817
0
430
Featured
See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.6k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
Imperfection Machines: The Place of Print at Facebook
scottboms
268
13k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
How to Ace a Technical Interview
jacobian
279
23k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
A designer walks into a library…
pauljervisheath
207
24k
Visualization
eitanlees
148
16k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.9k
4 Signs Your Business is Dying
shpigford
184
22k
GitHub's CSS Performance
jonrohan
1032
460k
Transcript
Containerization and Compliance CoreOS Fest 2015 Frank Macreery CTO, Aptible
@fancyremarker
None
HIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA: What?
None
Protected Health Information (PHI)
Protected Health Information (PHI) "is created or received by a
health care provider or health plan…"
Protected Health Information (PHI) "relates to the health or condition
of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"
Protected Health Information (PHI) "identifies the individual"
HIPAA: Who?
Covered Entities Health plans, health care clearinghouses, health care providers
Business Associates An entity which "creates, receives, maintains, or transmits
protected health information"
None
None
None
None
Omnibus Final Rule Published January 2013 Effective Date: March 2013
Compliance Date: September 2013
HIPAA: Why?
Office of Civil Rights (OCR) The enforcement agency for HIPAA
Between 2011 and 2014, 115 audits were conducted.
Between 2011 and 2014, 115 audits were conducted. HHS estimates
there are between 200k–400k Business Associates.
While an OCR audit is unlikely, a vendor assessment by
a major hospital or insurer is almost certain.
Auditing Implementation is not enough
Auditing means… Documenting a mitigation for every vulnerability
Heartbleed
Heartbleed POODLEbleed
Heartbleed POODLEbleed xBleed???
How do we prove that PHI was unaffected by xBleed?
Integration Tests Document every security response
https://github.com/sstephenson/bats
# Dockerfile # Install and configure NGiNX... # ... ADD
test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
@test "It should pass an external Heartbleed test" { #
... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }
@test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx
run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }
Integration tests happen during each image build
Integration tests happen during each image build Images are built
automatically via Quay Build Triggers
None
Integration tests happen during each image build Build status is
easy to verify at a glance
None
Integration tests happen during each image build Quay Time Machine
lets us roll back an image to any previous state
None
Standardized Security Use containers to solve problems only once
BAA Business Associate Agreement
AWS "Approved" Services
AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift
But… You have to play by the rules
EC2 Must use dedicated instances for PHI
EBS All PHI volumes must be encrypted
ELB TCP mode only (no SSL termination)
None
TCP TCP HTTP HTTP
No HTTP means no HTTP forwarding headers X-Forwarded-For
10.51.0.183 - - [22/Apr/2015:03:32:01 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5
"-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:04:52:03 +0000] "GET / HTTP/1.1" 404 13 "-" "-" 10.51.0.183 - - [24/Apr/2015:20:08:36 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:05:02:31 +0000] "GET / clientaccesspolicy.xml HTTP/1.1" 404 35 "-" "-" Application only sees ELB addresses
PROXY Protocol Adds routing headers to TCP messages
PROXY TCP4 8.8.8.8 4.44.4.44 56324 443 (encrypted...) GET / HTTP/1.1
Host: www.example.com
How should we configure HTTP and PROXY Protocol containers?
server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80
proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }
server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80
proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }
ENV configuration $PROXY_PROTOCOL
ENV configuration $PROXY_PROTOCOL $FORCE_SSL $HSTS_MAX_AGE $UPSTREAM_SERVERS (…)
ENV configuration Makes testing easier
@test "It should handle HTTPS over Proxy Protocol" { simulate_upstream
PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }
@test "It should handle HTTPS over Proxy Protocol" { simulate_upstream
PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }
ENV configuration Abstracts implementation details: could be NGiNX, HAProxy, …
ENV configuration Simplifies configuration management: central store doesn’t need to
know parameters in advance
STANDARDIZE ALL THE THINGS!
Standardized Database Image Spec Initialization, Authentication, Encryption
Initialization docker run quay.io/aptible/db --initialize
# Dockerfile ADD run-database.sh /usr/bin/ ENTRYPOINT ["run-database.sh"]
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf" https://github.com/aptible/docker-postgresql
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"
Authentication docker run -e PASSPHRASE=foobar ...
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"
Encryption Use container volumes to identify PHI storage directories
# Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown
-R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]
# Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown
-R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]
Auditing Containers help automate and document incident response
Standardized Security Containers help standardize and abstract common functionality like
SSL termination, for encryption in transit
Standardized Security Containers provide a way to standardize database security
and encryption at rest
Thank you
@fancyremarker
[email protected]