Containerization and Compliance

Containerization and Compliance CoreOS Fest 2015 Frank Macreery CTO, Aptible
@fancyremarker

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA: What?

Protected Health Information (PHI)

Protected Health Information (PHI) "is created or received by a
health care provider or health plan…"

Protected Health Information (PHI) "relates to the health or condition
of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"

Protected Health Information (PHI) "identifies the individual"

HIPAA: Who?

Covered Entities Health plans, health care clearinghouses, health care providers

Business Associates An entity which "creates, receives, maintains, or transmits
protected health information"

Omnibus Final Rule Published January 2013 Effective Date: March 2013
Compliance Date: September 2013

HIPAA: Why?

Oﬃce of Civil Rights (OCR) The enforcement agency for HIPAA

Between 2011 and 2014, 115 audits were conducted.

Between 2011 and 2014, 115 audits were conducted. HHS estimates
there are between 200k–400k Business Associates.

While an OCR audit is unlikely, a vendor assessment by
a major hospital or insurer is almost certain.

Auditing Implementation is not enough

Auditing means… Documenting a mitigation for every vulnerability

Heartbleed

Heartbleed POODLEbleed

Heartbleed POODLEbleed xBleed???

How do we prove that PHI was unaﬀected by xBleed?

Integration Tests Document every security response

https://github.com/sstephenson/bats

# Dockerfile # Install and configure NGiNX... # ... ADD
test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx

#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

@test "It should pass an external Heartbleed test" { #
... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }

@test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx
run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }

Integration tests happen during each image build

Integration tests happen during each image build Images are built
automatically via Quay Build Triggers

Integration tests happen during each image build Build status is
easy to verify at a glance

Integration tests happen during each image build Quay Time Machine
lets us roll back an image to any previous state

Standardized Security Use containers to solve problems only once

BAA Business Associate Agreement

AWS "Approved" Services

AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift

But…  You have to play by the rules

EC2 Must use dedicated instances for PHI

EBS All PHI volumes must be encrypted

ELB TCP mode only (no SSL termination)

TCP TCP HTTP HTTP

No HTTP means no HTTP forwarding headers X-Forwarded-For

10.51.0.183 - - [22/Apr/2015:03:32:01 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5
"-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:04:52:03 +0000] "GET / HTTP/1.1" 404 13 "-" "-" 10.51.0.183 - - [24/Apr/2015:20:08:36 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:05:02:31 +0000] "GET / clientaccesspolicy.xml HTTP/1.1" 404 35 "-" "-" Application only sees ELB addresses

PROXY Protocol Adds routing headers to TCP messages

PROXY TCP4 8.8.8.8 4.44.4.44 56324 443 (encrypted...) GET / HTTP/1.1
Host: www.example.com

How should we conﬁgure HTTP and PROXY Protocol containers?

server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80
proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }

ENV conﬁguration $PROXY_PROTOCOL

ENV conﬁguration $PROXY_PROTOCOL  $FORCE_SSL $HSTS_MAX_AGE $UPSTREAM_SERVERS (…)

ENV conﬁguration Makes testing easier

@test "It should handle HTTPS over Proxy Protocol" { simulate_upstream
PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }

ENV conﬁguration Abstracts implementation details: could be NGiNX, HAProxy, …

ENV conﬁguration Simplifies configuration management: central store doesn’t need to
know parameters in advance

STANDARDIZE ALL THE THINGS!

Standardized Database Image Spec Initialization, Authentication, Encryption

Initialization docker run quay.io/aptible/db --initialize

# Dockerfile ADD run-database.sh /usr/bin/ ENTRYPOINT ["run-database.sh"]

#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf" https://github.com/aptible/docker-postgresql

postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"

Authentication docker run -e PASSPHRASE=foobar ...

postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"

Encryption Use container volumes to identify PHI storage directories

# Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown
-R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]

Auditing Containers help automate and document incident response

Standardized Security Containers help standardize and abstract common functionality like
SSL termination, for encryption in transit

Standardized Security Containers provide a way to standardize database security
and encryption at rest

Thank you

@fancyremarker [email protected]

Containerization and Compliance

Containerization and Compliance

More Decks by Frank Macreery

Other Decks in Programming

Featured

Transcript