Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Containerization and Compliance
Search
Frank Macreery
May 05, 2015
Programming
0
550
Containerization and Compliance
Originally presented at CoreOS Fest 2015.
Video here:
https://www.youtube.com/watch?v=y5ERnWnGa3s
Frank Macreery
May 05, 2015
Tweet
Share
More Decks by Frank Macreery
See All by Frank Macreery
Docker for Ruby Developers
fancyremarker
3
630
Aptible + TelePharm: HIPAA for Startups
fancyremarker
0
1.4k
Architecting Applications for HIPAA Compliance
fancyremarker
0
190
HIPAA Dev Ops: Architecting Layers of Responsibility
fancyremarker
0
70
Garner: Anatomy of a Ruby Gem
fancyremarker
0
290
Other Decks in Programming
See All in Programming
Runtime Objects in Rust
mitsuhiko
0
220
ソースコードを美しくたもつために ~コードレビューの認知限界を突破し、年間400リリースを達成する~
kotauchisunsun
1
760
TypeScriptとGraphQLで実現する 型安全なAPI実装 / TSKaigi 2024
hokaccha
5
2.8k
RailsConf 2024: Riffing on Rails: sketch your way to better designed code
kaspth
1
220
Powerfully Typed TypeScript
euxn23
3
1.7k
哲学史とモデリング
tanakahisateru
2
430
GitHub Actionsの痒いところを埋めるサードパーティーランナー
dora1998
2
260
TypeScriptでもLLMアプリケーション開発 / LLM Application In Typescript
rkaga
5
1.3k
仕様と実装で学ぶOpenTelemetry
drumato
2
1.1k
『Railsオワコン』と言われる時代に、なぜブルーモ証券はRailsを選ぶのか
free_world21
2
480
JavaScript Closure
asoluka
0
2k
WebGLで始める コンピュータグラフィックス入門
heller77
0
380
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1025
450k
Rails Girls Zürich Keynote
gr2m
91
13k
Designing for humans not robots
tammielis
247
25k
Raft: Consensus for Rubyists
vanstee
133
6.3k
Documentation Writing (for coders)
carmenintech
60
4k
Ruby is Unlike a Banana
tanoku
96
10k
Making the Leap to Tech Lead
cromwellryan
125
8.6k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.7k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.7k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
Transcript
Containerization and Compliance CoreOS Fest 2015 Frank Macreery CTO, Aptible
@fancyremarker
None
HIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA: What?
None
Protected Health Information (PHI)
Protected Health Information (PHI) "is created or received by a
health care provider or health plan…"
Protected Health Information (PHI) "relates to the health or condition
of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"
Protected Health Information (PHI) "identifies the individual"
HIPAA: Who?
Covered Entities Health plans, health care clearinghouses, health care providers
Business Associates An entity which "creates, receives, maintains, or transmits
protected health information"
None
None
None
None
Omnibus Final Rule Published January 2013 Effective Date: March 2013
Compliance Date: September 2013
HIPAA: Why?
Office of Civil Rights (OCR) The enforcement agency for HIPAA
Between 2011 and 2014, 115 audits were conducted.
Between 2011 and 2014, 115 audits were conducted. HHS estimates
there are between 200k–400k Business Associates.
While an OCR audit is unlikely, a vendor assessment by
a major hospital or insurer is almost certain.
Auditing Implementation is not enough
Auditing means… Documenting a mitigation for every vulnerability
Heartbleed
Heartbleed POODLEbleed
Heartbleed POODLEbleed xBleed???
How do we prove that PHI was unaffected by xBleed?
Integration Tests Document every security response
https://github.com/sstephenson/bats
# Dockerfile # Install and configure NGiNX... # ... ADD
test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
@test "It should pass an external Heartbleed test" { #
... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }
@test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx
run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }
Integration tests happen during each image build
Integration tests happen during each image build Images are built
automatically via Quay Build Triggers
None
Integration tests happen during each image build Build status is
easy to verify at a glance
None
Integration tests happen during each image build Quay Time Machine
lets us roll back an image to any previous state
None
Standardized Security Use containers to solve problems only once
BAA Business Associate Agreement
AWS "Approved" Services
AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift
But… You have to play by the rules
EC2 Must use dedicated instances for PHI
EBS All PHI volumes must be encrypted
ELB TCP mode only (no SSL termination)
None
TCP TCP HTTP HTTP
No HTTP means no HTTP forwarding headers X-Forwarded-For
10.51.0.183 - - [22/Apr/2015:03:32:01 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5
"-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:04:52:03 +0000] "GET / HTTP/1.1" 404 13 "-" "-" 10.51.0.183 - - [24/Apr/2015:20:08:36 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:05:02:31 +0000] "GET / clientaccesspolicy.xml HTTP/1.1" 404 35 "-" "-" Application only sees ELB addresses
PROXY Protocol Adds routing headers to TCP messages
PROXY TCP4 8.8.8.8 4.44.4.44 56324 443 (encrypted...) GET / HTTP/1.1
Host: www.example.com
How should we configure HTTP and PROXY Protocol containers?
server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80
proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }
server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80
proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }
ENV configuration $PROXY_PROTOCOL
ENV configuration $PROXY_PROTOCOL $FORCE_SSL $HSTS_MAX_AGE $UPSTREAM_SERVERS (…)
ENV configuration Makes testing easier
@test "It should handle HTTPS over Proxy Protocol" { simulate_upstream
PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }
@test "It should handle HTTPS over Proxy Protocol" { simulate_upstream
PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }
ENV configuration Abstracts implementation details: could be NGiNX, HAProxy, …
ENV configuration Simplifies configuration management: central store doesn’t need to
know parameters in advance
STANDARDIZE ALL THE THINGS!
Standardized Database Image Spec Initialization, Authentication, Encryption
Initialization docker run quay.io/aptible/db --initialize
# Dockerfile ADD run-database.sh /usr/bin/ ENTRYPOINT ["run-database.sh"]
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf" https://github.com/aptible/docker-postgresql
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"
Authentication docker run -e PASSPHRASE=foobar ...
#!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R
postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"
Encryption Use container volumes to identify PHI storage directories
# Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown
-R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]
# Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown
-R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]
Auditing Containers help automate and document incident response
Standardized Security Containers help standardize and abstract common functionality like
SSL termination, for encryption in transit
Standardized Security Containers provide a way to standardize database security
and encryption at rest
Thank you
@fancyremarker
[email protected]