Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defender's Guide to Cloud Native Infrastructure Security - All Day DevOps 2020

A53edd970bfc4b815bad87323175367b?s=47 Madhu Akula
November 12, 2020

Defender's Guide to Cloud Native Infrastructure Security - All Day DevOps 2020

This talk is focused on why, what and how we can add security value into modern cloud native infrastructure. An organization using microservices and distributed architectures use containers, Kubernetes, and modern infrastructure. Understanding these technologies and applying security principles like defense in depth, least privilege, secure by defaults, etc are some of the things we will see in this session.

By end of this talk, participants will be able to understand some of the common and real-world security problems. Applying pragmatic security using tools, technologies, and procedures (TTPs) to build secure cloud native infrastructure. In this talk, we will see how to apply security at different layers like infrastructure security, supply chain security, and run-time security.

Also the end of the talk, the speaker will give away the reference checklist and guide for building secure infrastructure with available resources in their daily operations.

A53edd970bfc4b815bad87323175367b?s=128

Madhu Akula

November 12, 2020
Tweet

Transcript

  1. TRACK: DEVSECOPS NOVEMBER 12, 2020 - Madhu Akula Defender’s Guide

    to Cloud Native Infrastructure Security @madhuakula
  2. TRACK: DEVSECOPS About Me! • Security Engineering @ Miro •

    Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other • Security (Cloud Native, Containers, Kubernetes & Automation) • Speaker & Trainer @ BlackHat, DEF CON, USENIX, OWASP, All Day DevOps, null, etc. • Co-Author of Security Automation with Ansible 2 • Never Ending Learner! https://madhuakula.com Madhu Akula @madhuakula
  3. TRACK: DEVSECOPS • Why Cloud Native Infrastructure? • What is

    the current attack surface? • Introducing Cloud Native Security Defense • Layers of security defence (defense in depth) • Demonstrations focusing on specific scenarios • Key takeaways • References & Resources • Next steps to learn more and more… What you will learn today? @madhuakula
  4. TRACK: DEVSECOPS Cloud Native is used to describe containerised application

    to dynamically schedule, orchestrate and manage through continuous delivery workflows. Which allows to optimize resource utilization, and microservices-oriented to increase the overall agility and maintainability and support the life cycle of applications. - Cloud Native Computing Foundation What is Cloud Native? @madhuakula
  5. TRACK: DEVSECOPS What is Cloud Native? https://landscape.cncf.io @madhuakula @madhuakula

  6. TRACK: DEVSECOPS Why Cloud Native? Cloud native technologies empower organizations

    to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil. https://github.com/cncf/toc/blob/master/DEFINITION.md @madhuakula
  7. TRACK: DEVSECOPS Why Cloud Native Defense? https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containeri zation-trend-is-exploited-by-attackers https://www.youtube.com/watch?v=4CTK2aUXTHo https://github.com/Frichetten/CVE-2019-5736-PoC

    https://engineering.bitnami.com/articles/helm-security.html @madhuakula
  8. TRACK: DEVSECOPS • Application Code • Container Image • Orchestration

    Platform • Runtime • Microservices & Communication • API Gateway & Proxies • Network & Load Balancers • AuthN & AuthZ • Storage • Management Current Attack Surface • Namespaces • Control Groups • Daemon • Configuration • Capabilities • Content Trust • Container Registry • Volumes • Networks • Many other... @madhuakula
  9. TRACK: DEVSECOPS Current Attack Surface (contd.) https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ @madhuakula

  10. TRACK: DEVSECOPS Layers of Defense Defense-in-Depth @madhuakula

  11. TRACK: DEVSECOPS • Code Quality Analysis (Ex: SonarQube) • Security

    Linters (Ex: Findsecbugs) • Sensitive Info/Secrets Analysis • Dependency Security Analysis Checks • Static Code Security Analysis • Dynamic Security Analysis • Semantic Code Analysis (Ex: CodeQL) • Many more... Application Security @madhuakula
  12. TRACK: DEVSECOPS Demo Time https://youtu.be/ayo6d0xHqyc @madhuakula

  13. TRACK: DEVSECOPS Centralised Logging & Monitoring @madhuakula

  14. TRACK: DEVSECOPS • Immutable artifact • Artifact store • Artifact

    metadata • Artifact auditors • Artifact validations • Deployment policy Supply Chain Security https://cloud.google.com/solutions/secure-software-supply-chains-on-google-kubernetes-engine @madhuakula
  15. TRACK: DEVSECOPS Security Profiles https://github.com/genuinetools/bane @madhuakula

  16. TRACK: DEVSECOPS Network Security Policies https://github.com/ahmetb/kubernetes-network-policy-recipes Provides isolation between Kubernetes

    resources (pods, namespaces, svc, etc.) using labels and selectors across the cluster. @madhuakula
  17. TRACK: DEVSECOPS Risk Analysis https://github.com/goodwithtech/dockle https://github.com/aquasecurity/trivy https://kubesec.io @madhuakula

  18. TRACK: DEVSECOPS • Most of the cloud providers has fix

    for this in some way • GKE: Workload Identity, Metadata Concealment for Nodes https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity • AWS: IMDSv2 for SSRF https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-re verse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ • Metadata Concealment / Proxies @madhuakula
  19. TRACK: DEVSECOPS Role-based access control (RBAC) is a method of

    regulating access to computer or network resources based on the roles of individual users within your organization. Role Based Access Control - RBAC https://kubernetes.io/docs/reference/access-authn-authz/rbac/ @madhuakula
  20. TRACK: DEVSECOPS Secrets Management https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/ @madhuakula

  21. TRACK: DEVSECOPS TLS with cert-manager Automate certificate management in cloud

    native environments. cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide 'certificates as a service' to developers working within your Kubernetes cluster. @madhuakula
  22. TRACK: DEVSECOPS Pod Security Policies (PSP) https://kubernetes.io/docs/concepts/policy/pod-security-policy A Pod Security

    Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields. Good utility to check out is https://github.com/sysdiglabs/kube -psp-advisor WATCH OUT @madhuakula
  23. TRACK: DEVSECOPS Open Policy Agent (OPA) Policy-based control for cloud

    native environments Flexible, fine-grained control for administrators across the stack https://www.openpolicyagent.or g @madhuakula
  24. TRACK: DEVSECOPS Container Runtime Security • gVisor is a user-space

    kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system • Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services • Many other... @madhuakula
  25. TRACK: DEVSECOPS Runtime Security Detection https://falco.org/ Falco, the open-source cloud-native

    runtime security project, is the de facto Kubernetes threat detection engine @madhuakula
  26. TRACK: DEVSECOPS Docker CIS Benchmarks https://github.com/docker/docker-bench-security A script that checks

    for dozens of common best-practices around deploying Docker containers in production • Host configuration • Docker daemon configuration and files • Docker container images • Docker runtime • Docker security operations • Docker swarm configuration @madhuakula
  27. TRACK: DEVSECOPS Kubernetes CIS Benchmarks https://github.com/aquasecurity/kube-bench • Master Node Security

    Configuration ◦ API Server ◦ Scheduler ◦ Controller Manager ◦ Configuration Files ◦ Etcd ◦ General Security Primitives ◦ PodSecurityPolicices • Worker Node Security Configuration ◦ Kubelet ◦ Configuration Files @madhuakula
  28. TRACK: DEVSECOPS Audit your Clusters https://github.com/Shopify/kubeaudit @madhuakula

  29. TRACK: DEVSECOPS Best Practices • Application Code ◦ Code Linters

    ◦ Dependency Scanning ◦ Code Analysis (static, dynamic, variant and manual analysis) • Infrastructure Code ◦ Dockerfile (cis benchmarks, security best practices) ◦ Kubernetes manifests/Helm charts (cis benchmarks, least privilege) ◦ Host images, Host infrastructure (terraform, cloud infra security configs) ◦ Container Registry, Config Management • Sensitive information checks (secrets, api keys, etc.) • Version Control System (Config, PRs, MRs, etc.) • Manual Review/Approval/Verification @madhuakula
  30. TRACK: DEVSECOPS Best Practices (Contd.) • Secure Defaults • Least

    privilege principle • Network Security Policies • RBAC reviews • Service Mesh • Open Security Policy Agent (Multiple levels applying policy engine checks) • Proactive Logging & Monitoring for detection • Falco - Syscall monitoring & Threat detection engine • RASP - Runtime application security protection • Logging & Monitoring with Centralized Monitoring • Proactive Security Monitoring & Detection • Many other... @madhuakula
  31. TRACK: DEVSECOPS More Hands-On Labs coming here... https://github.com/madhuakula/kubernetes-goat @madhuakula

  32. TRACK: DEVSECOPS Cloud Native Security Tools https://tools.tldr.run @madhuakula

  33. TRACK: DEVSECOPS Key Takeaways • Security is everyone’s responsibility (Dev,

    Ops and Security, etc.) • Threat model your architecture and identify risks/threats • Follow and apply secure defaults • Know what you have (Inventory of assets) • Adopt zero trust model and trust nothing (Zoning, Containment & Segmentation) • Apply security at each layer (Defense in depth strategy) • Follow least privilege principle • AuthN & AuthZ • Encryption at REST & TRANSIT • Proactive monitoring & Active defense • Continuously analyse and apply feedback loops • Crawl, Walk, Run @madhuakula
  34. TRACK: DEVSECOPS • Docker Security Docs • Kubernetes Security Docs

    • Attack matrix for Kubernetes • Breaking & Pwning Docker Containers & Kubernetes Clusters • Advanced Persistence Threats: The Future of Kubernetes Attacks • 11 Ways (Not) to Get Hacked • Attacking & Auditing Docker Containers using Open Source @ DEFCON 26 • Attacking and Auditing Docker Containers and Kubernetes Clusters @ DEFCON 27 • contained.af • CIS Benchmarks Docker • Understanding and Hardening Linux Containers • Abusing Privileged and Unprivileged Linux Containers • Container Security Notes • Linux Container Security • Docker Runtime Privileges and Capabilities • Apparmor Security Profiles on Docker • Seccomp Security Profiles on Docker • Docker Labs Capabilities • Practical SELinux and Containers • Containers and Operating systems morning paper gist • Kubernetes Webinar series References & Resources @madhuakula
  35. TRACK: DEVSECOPS • Google SRE - 3 books • Cloud

    Native Infrastructure Book • Cloud Native Transformation Book • Kubernetes-Security.info • DevOps Security Checklist • Kubernetes Attack Audit Reports • CNCF Landscape • Known CVE’s and Vulnerability Research • K8S Slack Channels/Working Groups • Katacoda Playgrounds & Play with Docker & Play with Kubernetes • Many other... More Reading & Learning :) @madhuakula
  36. TRACK: DEVSECOPS THANK YOU TO OUR SPONSORS @madhuakula

  37. TRACK: DEVSECOPS Thank You Madhu Akula https://madhuakula.com @madhuakula