Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Containerization and Compliance

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Frank Macreery Frank Macreery
May 05, 2015
Programming
0
550

Containerization and Compliance

Originally presented at CoreOS Fest 2015.

Video here: https://www.youtube.com/watch?v=y5ERnWnGa3s

Avatar for Frank Macreery

Frank Macreery

May 05, 2015
Tweet

More Decks by Frank Macreery

See All by Frank Macreery
Docker for Ruby Developers
Avatar for Frank Macreery fancyremarker
3
650
Aptible + TelePharm: HIPAA for Startups
Avatar for Frank Macreery fancyremarker
0
1.4k
Architecting Applications for HIPAA Compliance
Avatar for Frank Macreery fancyremarker
0
210
HIPAA Dev Ops: Architecting Layers of Responsibility
Avatar for Frank Macreery fancyremarker
0
76
Garner: Anatomy of a Ruby Gem
Avatar for Frank Macreery fancyremarker
0
350

Other Decks in Programming

See All in Programming
AI前提で考えるiOSアプリのモダナイズ設計
Avatar for 野瀬田 裕樹 yuukiw00w
0
220
AI & Enginnering
Avatar for codelynx codelynx
0
110
Oxlintはいいぞ
Avatar for Yuji Yamaguchi yug1224
5
1.3k
AtCoder Conference 2025
Avatar for shindannin shindannin
0
1k
OCaml 5でモダンな並列プログラミングを Enjoyしよう!
Avatar for Haochen Kotoi-Xie haochenx
0
140
20260127_試行錯誤の結晶を1冊に。著者が解説 先輩データサイエンティストからの指南書 / author's_commentary_ds_instructions_guide
Avatar for nash_efp nash_efp
1
940
CSC307 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
660
Fragmented Architectures
Avatar for Denys Poltorak denyspoltorak
0
150
AI Schema Enrichment for your Oracle AI Database
Avatar for thatjeffsmith thatjeffsmith
0
250
AIによる高速開発をどう制御するか? ガードレール設置で開発速度と品質を両立させたチームの事例
Avatar for tonkotsuboy_com tonkotsuboy_com
7
2.1k
なるべく楽してバックエンドに型をつけたい!(楽とは言ってない)
Avatar for HIBIKI CUBE hibiki_cube
0
140
今こそ知るべき耐量子計算機暗号(PQC)入門 / PQC: What You Need to Know Now
Avatar for mackey0225 mackey0225
3
370

Featured

See All Featured
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
0
270
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
57
50k
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
0
200
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3.3k
sira's awesome portfolio website redesign presentation
Avatar for ElsiraPls elsirapls
0
150
What Being in a Rock Band Can Teach Us About Real World SEO
Avatar for Ade Holder 427marketing
0
170
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
0
310
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
14k
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
240
Accessibility Awareness
Avatar for Sarah Abderemane sabderemane
0
51
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k

Transcript

  1. Containerization and Compliance CoreOS Fest 2015 Frank Macreery CTO, Aptible

    @fancyremarker
  2. None

  3. HIPAA The Health Insurance Portability and Accountability Act of 1996

  4. HIPAA: What?

  5. None

  6. Protected Health Information (PHI)

  7. Protected Health Information (PHI) "is created or received by a

    health care provider or health plan…"

  8. Protected Health Information (PHI) "relates to the health or condition

    of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"

  9. Protected Health Information (PHI) "identifies the individual"

  10. HIPAA: Who?

  11. Covered Entities Health plans, health care clearinghouses, health care providers

  12. Business Associates An entity which "creates, receives, maintains, or transmits

    protected health information"
  13. None
  14. None
  15. None
  16. None

  17. Omnibus Final Rule Published January 2013 Effective Date: March 2013

    Compliance Date: September 2013

  18. HIPAA: Why?

  19. Office of Civil Rights (OCR) The enforcement agency for HIPAA

  20. Between 2011 and 2014, 115 audits were conducted.

  21. Between 2011 and 2014, 115 audits were conducted. HHS estimates

    there are between 200k–400k Business Associates.

  22. While an OCR audit is unlikely, a vendor assessment by

    a major hospital or insurer is almost certain.

  23. Auditing Implementation is not enough

  24. Auditing means… Documenting a mitigation for every vulnerability

  25. Heartbleed

  26. Heartbleed POODLEbleed

  27. Heartbleed POODLEbleed xBleed???

  28. How do we prove that PHI was unaffected by xBleed?

  29. Integration Tests Document every security response

  30. https://github.com/sstephenson/bats

  31. # Dockerfile # Install and configure NGiNX... # ... ADD

    test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx

  32. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

  33. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

  34. @test "It should pass an external Heartbleed test" { #

    ... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }

  35. @test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx

    run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }

  36. Integration tests happen during each image build

  37. Integration tests happen during each image build Images are built

    automatically via Quay Build Triggers
  38. None

  39. Integration tests happen during each image build Build status is

    easy to verify at a glance
  40. None

  41. Integration tests happen during each image build Quay Time Machine

    lets us roll back an image to any previous state
  42. None

  43. Standardized Security Use containers to solve problems only once

  44. BAA Business Associate Agreement

  45. AWS "Approved" Services

  46. AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift

  47. But…
 You have to play by the rules

  48. EC2 Must use dedicated instances for PHI

  49. EBS All PHI volumes must be encrypted

  50. ELB TCP mode only (no SSL termination)

  51. None

  52. TCP TCP HTTP HTTP

  53. No HTTP means no HTTP forwarding headers X-Forwarded-For

  54. 10.51.0.183 - - [22/Apr/2015:03:32:01 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5

    "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:04:52:03 +0000] "GET / HTTP/1.1" 404 13 "-" "-" 10.51.0.183 - - [24/Apr/2015:20:08:36 +0000] "POST /hubot/slack-webhook HTTP/1.1" 200 5 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" 10.51.0.198 - - [22/Apr/2015:05:02:31 +0000] "GET / clientaccesspolicy.xml HTTP/1.1" 404 35 "-" "-" Application only sees ELB addresses

  55. PROXY Protocol Adds routing headers to TCP messages

  56. PROXY TCP4 8.8.8.8 4.44.4.44 56324 443 (encrypted...) GET / HTTP/1.1

    Host: www.example.com

  57. How should we configure HTTP and PROXY Protocol containers?

  58. server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80

    proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }

  59. server { <% if ENV['PROXY_PROTOCOL'] == 'true' %> listen 80

    proxy_protocol; set_real_ip_from 0.0.0.0/0; real_ip_header proxy_protocol; access_log /proc/self/fd/1 proxy_log; <% else %> listen 80; <% end %> }

  60. ENV configuration $PROXY_PROTOCOL

  61. ENV configuration $PROXY_PROTOCOL
 $FORCE_SSL $HSTS_MAX_AGE $UPSTREAM_SERVERS (…)

  62. ENV configuration Makes testing easier

  63. @test "It should handle HTTPS over Proxy Protocol" { simulate_upstream

    PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }

  64. @test "It should handle HTTPS over Proxy Protocol" { simulate_upstream

    PROXY_PROTOCOL=true UPSTREAM_SERVERS=localhost:4000 wait_for_nginx wait_for_proxy_protocol run curl -k https://localhost:8443 2>/dev/null [[ "$output" =~ "Hello World!" ]] }

  65. ENV configuration Abstracts implementation details: could be NGiNX, HAProxy, …

  66. ENV configuration Simplifies configuration management: central store doesn’t need to

    know parameters in advance

  67. STANDARDIZE ALL THE THINGS!

  68. Standardized Database Image Spec Initialization, Authentication, Encryption

  69. Initialization docker run quay.io/aptible/db --initialize

  70. # Dockerfile ADD run-database.sh /usr/bin/ ENTRYPOINT ["run-database.sh"]

  71. #!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R

    postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf" https://github.com/aptible/docker-postgresql

  72. #!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R

    postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"

  73. Authentication docker run -e PASSPHRASE=foobar ...

  74. #!/bin/bash if [[ "$1" == "--initialize" ]]; then chown -R

    postgres:postgres "$DATA_DIRECTORY" su postgres <<COMMANDS /usr/lib/postgresql/9.3/bin/initdb -D "$DATA_DIRECTORY" /etc/init.d/postgresql start psql --command "CREATE USER ${USERNAME:-aptible} WITH SUPERUSER PASSWORD '$PASSPHRASE'" psql --command "CREATE DATABASE ${DATABASE:-db}" /etc/init.d/postgresql stop COMMANDS exit fi su postgres -c "/usr/lib/postgresql/9.3/bin/postgres -D "$DATA_DIRECTORY" \ -c config_file=/etc/postgresql/9.3/main/postgresql.conf"

  75. Encryption Use container volumes to identify PHI storage directories

  76. # Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown

    -R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]

  77. # Dockerfile ENV DATA_DIRECTORY /var/db RUN mkdir $DATA_DIRECTORY && chown

    -R postgres $DATA_DIRECTORY # Every VOLUME gets mounted on an encrypted EBS volume VOLUME ["$DATA_DIRECTORY"]

  78. Auditing Containers help automate and document incident response

  79. Standardized Security Containers help standardize and abstract common functionality like

    SSL termination, for encryption in transit

  80. Standardized Security Containers provide a way to standardize database security

    and encryption at rest

  81. Thank you

  82. @fancyremarker [email protected]