Containerization and Compliance

Transcript

1. Containerization and Compliance CoreOS Fest 2015 Frank Macreery CTO, Aptible

   @fancyremarker
2. None

3. HIPAA The Health Insurance Portability and Accountability Act of 1996

4. HIPAA: What?

5. None

6. Protected Health Information (PHI)

7. Protected Health Information (PHI) "is created or received by a

   health care provider or health plan…"

8. Protected Health Information (PHI) "relates to the health or condition

   of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"

9. Protected Health Information (PHI) "identifies the individual"

10. HIPAA: Who?

11. Covered Entities Health plans, health care clearinghouses, health care providers

12. Business Associates An entity which "creates, receives, maintains, or transmits

    protected health information"
13. None
14. None
15. None
16. None

17. Omnibus Final Rule Published January 2013 Effective Date: March 2013

    Compliance Date: September 2013

18. HIPAA: Why?

19. Office of Civil Rights (OCR) The enforcement agency for HIPAA

20. Between 2011 and 2014, 115 audits were conducted.

21. Between 2011 and 2014, 115 audits were conducted. HHS estimates

    there are between 200k–400k Business Associates.

22. While an OCR audit is unlikely, a vendor assessment by

    a major hospital or insurer is almost certain.

23. Auditing Implementation is not enough

24. Auditing means… Documenting a mitigation for every vulnerability

25. Heartbleed

26. Heartbleed POODLEbleed

27. Heartbleed POODLEbleed xBleed???

28. How do we prove that PHI was unaffected by xBleed?

29. Integration Tests Document every security response

30. https://github.com/sstephenson/bats

31. # Dockerfile # Install and configure NGiNX... # ... ADD

    test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx

32. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

33. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

34. @test "It should pass an external Heartbleed test" { #

    ... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }

35. @test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx

    run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }

36. Integration tests happen during each image build

37. Integration tests happen during each image build Images are built

    automatically via Quay Build Triggers
38. None

39. Integration tests happen during each image build Build status is

    easy to verify at a glance
40. None

41. Integration tests happen during each image build Quay Time Machine

    lets us roll back an image to any previous state
42. None

43. Standardized Security Use containers to solve problems only once

44. BAA Business Associate Agreement

45. AWS "Approved" Services

46. AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift

47. But…
 You have to play by the rules

48. EC2 Must use dedicated instances for PHI

49. EBS All PHI volumes must be encrypted

50. ELB TCP mode only (no SSL termination)

51. None

52. TCP TCP HTTP HTTP

53. No HTTP means no HTTP forwarding headers X-Forwarded-For

54. 10.51.0.183 - - [22/Apr/2015:03:32:01 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5

    "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:04:52:03 +0000] "GET / HTTP/1.1" 404 13 "-" "-" 10.51.0.183 - - [24/Apr/2015:20:08:36 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:05:02:31 +0000] "GET / clientaccesspolicy.xml HTTP/1.1" 404 35 "-" "-" Application only sees ELB addresses

55. PROXY Protocol Adds routing headers to TCP messages

56. PROXY TCP4 8.8.8.8 4.44.4.44 56324 443 (encrypted...) GET / HTTP/1.1

    Host: www.example.com

57. How should we configure HTTP and PROXY Protocol containers?

58. server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80

    proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }

59. server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80

    proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }

60. ENV configuration $PROXY_PROTOCOL

61. ENV configuration $PROXY_PROTOCOL
 $FORCE_SSL $HSTS_MAX_AGE $UPSTREAM_SERVERS (…)

62. ENV configuration Makes testing easier

63. @test "It should handle HTTPS over Proxy Protocol" { simulate_upstream

    PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }

64. @test "It should handle HTTPS over Proxy Protocol" { simulate_upstream

    PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }

65. ENV configuration Abstracts implementation details: could be NGiNX, HAProxy, …

66. ENV configuration Simplifies configuration management: central store doesn’t need to

    know parameters in advance

67. STANDARDIZE ALL THE THINGS!

68. Standardized Database Image Spec Initialization, Authentication, Encryption

69. Initialization docker run quay.io/aptible/db --initialize

70. # Dockerfile ADD run-database.sh /usr/bin/ ENTRYPOINT ["run-database.sh"]

71. #!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R

    postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf" https://github.com/aptible/docker-postgresql

72. #!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R

    postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"

73. Authentication docker run -e PASSPHRASE=foobar ...

74. #!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R

    postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"

75. Encryption Use container volumes to identify PHI storage directories

76. # Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown

    -R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]

77. # Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown

    -R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]

78. Auditing Containers help automate and document incident response

79. Standardized Security Containers help standardize and abstract common functionality like

    SSL termination, for encryption in transit

80. Standardized Security Containers provide a way to standardize database security

    and encryption at rest

81. Thank you

82. @fancyremarker [email protected]