Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Containerization and Compliance
Search
Frank Macreery
May 05, 2015
Programming
0
550
Containerization and Compliance
Originally presented at CoreOS Fest 2015.
Video here:
https://www.youtube.com/watch?v=y5ERnWnGa3s
Frank Macreery
May 05, 2015
Tweet
Share
More Decks by Frank Macreery
See All by Frank Macreery
Docker for Ruby Developers
fancyremarker
3
650
Aptible + TelePharm: HIPAA for Startups
fancyremarker
0
1.4k
Architecting Applications for HIPAA Compliance
fancyremarker
0
210
HIPAA Dev Ops: Architecting Layers of Responsibility
fancyremarker
0
73
Garner: Anatomy of a Ruby Gem
fancyremarker
0
340
Other Decks in Programming
See All in Programming
知っているようで知らない"rails new"の世界 / The World of "rails new" You Think You Know but Don't
luccafort
PRO
1
160
Deep Dive into Kotlin Flow
jmatsu
1
350
旅行プランAIエージェント開発の裏側
ippo012
2
910
Design Foundational Data Engineering Observability
sucitw
3
200
複雑なドメインに挑む.pdf
yukisakai1225
5
1.2k
詳解!defer panic recover のしくみ / Understanding defer, panic, and recover
convto
0
240
Namespace and Its Future
tagomoris
6
700
さようなら Date。 ようこそTemporal! 3年間先行利用して得られた知見の共有
8beeeaaat
3
1.5k
アセットのコンパイルについて
ojun9
0
130
ぬるぬる動かせ! Riveでアニメーション実装🐾
kno3a87
1
220
Testing Trophyは叫ばない
toms74209200
0
880
為你自己學 Python - 冷知識篇
eddie
1
350
Featured
See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Practical Orchestrator
shlominoach
190
11k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.8k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Bash Introduction
62gerente
615
210k
How GitHub (no longer) Works
holman
315
140k
Fireside Chat
paigeccino
39
3.6k
Git: the NoSQL Database
bkeepers
PRO
431
66k
Transcript
Containerization and Compliance CoreOS Fest 2015 Frank Macreery CTO, Aptible
@fancyremarker
None
HIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA: What?
None
Protected Health Information (PHI)
Protected Health Information (PHI) "is created or received by a
health care provider or health plan…"
Protected Health Information (PHI) "relates to the health or condition
of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"
Protected Health Information (PHI) "identifies the individual"
HIPAA: Who?
Covered Entities Health plans, health care clearinghouses, health care providers
Business Associates An entity which "creates, receives, maintains, or transmits
protected health information"
None
None
None
None
Omnibus Final Rule Published January 2013 Effective Date: March 2013
Compliance Date: September 2013
HIPAA: Why?
Office of Civil Rights (OCR) The enforcement agency for HIPAA
Between 2011 and 2014, 115 audits were conducted.
Between 2011 and 2014, 115 audits were conducted. HHS estimates
there are between 200k–400k Business Associates.
While an OCR audit is unlikely, a vendor assessment by
a major hospital or insurer is almost certain.
Auditing Implementation is not enough
Auditing means… Documenting a mitigation for every vulnerability
Heartbleed
Heartbleed POODLEbleed
Heartbleed POODLEbleed xBleed???
How do we prove that PHI was unaffected by xBleed?
Integration Tests Document every security response
https://github.com/sstephenson/bats
# Dockerfile # Install and configure NGiNX... # ... ADD
test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
@test "It should pass an external Heartbleed test" { #
... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }
@test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx
run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }
Integration tests happen during each image build
Integration tests happen during each image build Images are built
automatically via Quay Build Triggers
None
Integration tests happen during each image build Build status is
easy to verify at a glance
None
Integration tests happen during each image build Quay Time Machine
lets us roll back an image to any previous state
None
Standardized Security Use containers to solve problems only once
BAA Business Associate Agreement
AWS "Approved" Services
AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift
But… You have to play by the rules
EC2 Must use dedicated instances for PHI
EBS All PHI volumes must be encrypted
ELB TCP mode only (no SSL termination)
None
TCP TCP HTTP HTTP
No HTTP means no HTTP forwarding headers X-Forwarded-For
10.51.0.183 - - [22/Apr/2015:03:32:01 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5
"-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:04:52:03 +0000] "GET / HTTP/1.1" 404 13 "-" "-" 10.51.0.183 - - [24/Apr/2015:20:08:36 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:05:02:31 +0000] "GET / clientaccesspolicy.xml HTTP/1.1" 404 35 "-" "-" Application only sees ELB addresses
PROXY Protocol Adds routing headers to TCP messages
PROXY TCP4 8.8.8.8 4.44.4.44 56324 443 (encrypted...) GET / HTTP/1.1
Host: www.example.com
How should we configure HTTP and PROXY Protocol containers?
server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80
proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }
server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80
proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }
ENV configuration $PROXY_PROTOCOL
ENV configuration $PROXY_PROTOCOL $FORCE_SSL $HSTS_MAX_AGE $UPSTREAM_SERVERS (…)
ENV configuration Makes testing easier
@test "It should handle HTTPS over Proxy Protocol" { simulate_upstream
PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }
@test "It should handle HTTPS over Proxy Protocol" { simulate_upstream
PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }
ENV configuration Abstracts implementation details: could be NGiNX, HAProxy, …
ENV configuration Simplifies configuration management: central store doesn’t need to
know parameters in advance
STANDARDIZE ALL THE THINGS!
Standardized Database Image Spec Initialization, Authentication, Encryption
Initialization docker run quay.io/aptible/db --initialize
# Dockerfile ADD run-database.sh /usr/bin/ ENTRYPOINT ["run-database.sh"]
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf" https://github.com/aptible/docker-postgresql
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"
Authentication docker run -e PASSPHRASE=foobar ...
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"
Encryption Use container volumes to identify PHI storage directories
# Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown
-R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]
# Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown
-R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]
Auditing Containers help automate and document incident response
Standardized Security Containers help standardize and abstract common functionality like
SSL termination, for encryption in transit
Standardized Security Containers provide a way to standardize database security
and encryption at rest
Thank you
@fancyremarker
[email protected]