
Defender's Guide to Cloud Native Infrastructure Security - All Day DevOps 2020

Madhu Akula
November 12, 2020


This talk focuses on why, what and how we can add security value to modern cloud native infrastructure. Organizations using microservices and distributed architectures rely on containers, Kubernetes, and modern infrastructure. Understanding these technologies and applying security principles such as defense in depth, least privilege and secure defaults are some of the things we will cover in this session.

By the end of this talk, participants will understand some common, real-world security problems and how to apply pragmatic security using tools, technologies, and procedures (TTPs) to build secure cloud native infrastructure. We will see how to apply security at different layers: infrastructure security, supply chain security, and run-time security.

At the end of the talk, the speaker will also share a reference checklist and guide for building secure infrastructure with the resources available in daily operations.


Transcript

  1. TRACK: DEVSECOPS
    NOVEMBER 12, 2020
    - Madhu Akula
    Defender's Guide to Cloud Native Infrastructure Security
    @madhuakula

  2. About Me!
    ● Security Engineering @ Miro
    ● Creator of Kubernetes Goat, Hacker Container, tools.tldr.run, many other
    ● Security (Cloud Native, Containers, Kubernetes & Automation)
    ● Speaker & Trainer @ BlackHat, DEF CON, USENIX, OWASP, All Day DevOps, null, etc.
    ● Co-Author of Security Automation with Ansible 2
    ● Never Ending Learner!
    https://madhuakula.com
    Madhu Akula
    @madhuakula

  3. What will you learn today?
    ● Why Cloud Native Infrastructure?
    ● What is the current attack surface?
    ● Introducing Cloud Native Security Defense
    ● Layers of security defence (defense in depth)
    ● Demonstrations focusing on specific scenarios
    ● Key takeaways
    ● References & Resources
    ● Next steps to learn more and more…

  4. What is Cloud Native?
    Cloud Native is used to describe containerised applications that are dynamically scheduled, orchestrated and managed through continuous delivery workflows, which allows optimizing resource utilization, and a microservices orientation that increases the overall agility and maintainability and supports the life cycle of applications.
    - Cloud Native Computing Foundation

  5. What is Cloud Native?
    https://landscape.cncf.io

  6. Why Cloud Native?
    Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.
    https://github.com/cncf/toc/blob/master/DEFINITION.md

  7. Why Cloud Native Defense?
    https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers
    https://www.youtube.com/watch?v=4CTK2aUXTHo
    https://github.com/Frichetten/CVE-2019-5736-PoC
    https://engineering.bitnami.com/articles/helm-security.html

  8. Current Attack Surface
    ● Application Code
    ● Container Image
    ● Orchestration Platform
    ● Runtime
    ● Microservices & Communication
    ● API Gateway & Proxies
    ● Network & Load Balancers
    ● AuthN & AuthZ
    ● Storage
    ● Management
    ● Namespaces
    ● Control Groups
    ● Daemon
    ● Configuration
    ● Capabilities
    ● Content Trust
    ● Container Registry
    ● Volumes
    ● Networks
    ● Many other...

  9. Current Attack Surface (contd.)
    https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

  10. Layers of Defense
    Defense-in-Depth

  11. Application Security
    ● Code Quality Analysis (Ex: SonarQube)
    ● Security Linters (Ex: Findsecbugs)
    ● Sensitive Info/Secrets Analysis
    ● Dependency Security Analysis Checks
    ● Static Code Security Analysis
    ● Dynamic Security Analysis
    ● Semantic Code Analysis (Ex: CodeQL)
    ● Many more...

  12. Demo Time
    https://youtu.be/ayo6d0xHqyc

  13. Centralised Logging & Monitoring

  14. Supply Chain Security
    ● Immutable artifact
    ● Artifact store
    ● Artifact metadata
    ● Artifact auditors
    ● Artifact validations
    ● Deployment policy
    https://cloud.google.com/solutions/secure-software-supply-chains-on-google-kubernetes-engine

  15. Security Profiles
    https://github.com/genuinetools/bane

  16. Network Security Policies
    https://github.com/ahmetb/kubernetes-network-policy-recipes
    Provides isolation between Kubernetes resources (pods, namespaces, svc, etc.) using labels and selectors across the cluster.

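A worked NetworkPolicy pair illustrating the label-and-selector isolation described on the slide. This is an added example, not code from the talk or the linked recipes repo; the namespace (team-a), labels and port are assumed for illustration.

```yaml
# Added example (not from the talk or the recipes repo): a default-deny
# ingress policy for a namespace, plus an allow rule that lets only pods
# labelled app=frontend in namespaces labelled team=a reach the api pods
# on TCP 8080. Namespace, labels and port are assumed for illustration.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}            # empty selector: applies to every pod in team-a
  policyTypes:
  - Ingress                  # Ingress listed with no rules => all inbound denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: api               # target: pods labelled app=api in team-a
  policyTypes:
  - Ingress
  ingress:
  - from:
    # One list item holding both selectors means AND: the source pod must be
    # in a namespace labelled team=a AND itself carry app=frontend.
    # Writing them as two separate list items would mean OR (much broader).
    - namespaceSelector:
        matchLabels:
          team: a
      podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

Policies are additive, so the allow rule opens a hole in the default deny; enforcement depends on the cluster's CNI plugin implementing NetworkPolicy (for example Calico or Cilium), otherwise the objects are accepted by the API server but have no effect.
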
  17. Risk Analysis
    https://github.com/goodwithtech/dockle
    https://github.com/aquasecurity/trivy
    https://kubesec.io

  18. Metadata Concealment / Proxies
    ● Most cloud providers have a fix for this in some way
    ● GKE: Workload Identity, Metadata Concealment for Nodes
      https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
    ● AWS: IMDSv2 for SSRF
      https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

  19. Role Based Access Control - RBAC
    Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.
    https://kubernetes.io/docs/reference/access-authn-authz/rbac/

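A least-privilege RBAC example added here to illustrate the slide; it is not from the talk or the Kubernetes docs, and the namespace (team-a), ServiceAccount, Role and Deployment names are assumed.

```yaml
# Added example (not from the talk): a namespaced, narrowly scoped Role bound
# to a single ServiceAccount, instead of a cluster-wide binding to cluster-admin.
# All names (team-a, ci-deployer, deploy-reader, web) are assumed for illustration.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer
  namespace: team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                          # Role, not ClusterRole: scoped to one namespace
metadata:
  name: deploy-reader
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]   # read-only: no create/delete/exec, no secrets
- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["web"]            # narrowed further to one named Deployment
  verbs: ["get", "patch"]           # enough to roll out a new image, nothing more
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                   # RoleBinding keeps the grant inside team-a
metadata:
  name: ci-deployer-deploy-reader
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: team-a
roleRef:
  kind: Role
  name: deploy-reader
  apiGroup: rbac.authorization.k8s.io
```

The grant can be verified from the cluster with `kubectl auth can-i delete pods -n team-a --as=system:serviceaccount:team-a:ci-deployer`, which should answer "no"; resourceNames cannot restrict create or list requests, which is why those verbs are not granted on the narrowed rule.
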
  20. Secrets Management
    https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar/

  21. TLS with cert-manager
    Automate certificate management in cloud native environments.
    cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide 'certificates as a service' to developers working within your Kubernetes cluster.

  22. Pod Security Policies (PSP)
    https://kubernetes.io/docs/concepts/policy/pod-security-policy
    A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
    Good utility to check out is https://github.com/sysdiglabs/kube-psp-advisor
    WATCH OUT

  23. Open Policy Agent (OPA)
    Policy-based control for cloud native environments. Flexible, fine-grained control for administrators across the stack.
    https://www.openpolicyagent.org

  24. Container Runtime Security
    ● gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.
    ● Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.
    ● Many other...

  25. Runtime Security Detection
    https://falco.org/
    Falco, the open-source cloud-native runtime security project, is the de facto Kubernetes threat detection engine.

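A custom Falco rule, added here as an example and not taken from the talk or from Falco's shipped ruleset, showing how a runtime detection is expressed: it fires when a shell starts inside a container, with an allow-list for images expected to do so. The `spawned_process` and `container` macros are the ones shipped in Falco's default rules; the allow-listed image name is assumed.

```yaml
# Added example (not from the talk, not part of Falco's default ruleset):
# alert when an interactive shell is started inside a container, except in
# images explicitly allow-listed for debugging. 'spawned_process' and
# 'container' are macros from Falco's default rules; the image name below
# is assumed for illustration.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

- list: debug_images_allowed_shell
  items: ["example.registry/ops/debug-toolbox"]   # assumed image name

- macro: in_allowed_debug_image
  condition: (container.image.repository in (debug_images_allowed_shell))

- rule: Interactive Shell Spawned In Container
  desc: >
    A shell process started inside a container whose image is not on the
    debug allow-list. Expected in CI or break-glass debug pods, suspicious
    in production workloads.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and not in_allowed_debug_image
  output: >
    Shell started in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Loaded alongside the default rules, this produces one event per shell start; tune the allow-list and priority against the cluster's own baseline before routing alerts to an on-call channel.
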
  26. Docker CIS Benchmarks
    https://github.com/docker/docker-bench-security
    A script that checks for dozens of common best-practices around deploying Docker containers in production
    ● Host configuration
    ● Docker daemon configuration and files
    ● Docker container images
    ● Docker runtime
    ● Docker security operations
    ● Docker swarm configuration

  27. Kubernetes CIS Benchmarks
    https://github.com/aquasecurity/kube-bench
    ● Master Node Security Configuration
      ○ API Server
      ○ Scheduler
      ○ Controller Manager
      ○ Configuration Files
      ○ Etcd
      ○ General Security Primitives
      ○ PodSecurityPolicies
    ● Worker Node Security Configuration
      ○ Kubelet
      ○ Configuration Files

  28. Audit your Clusters
    https://github.com/Shopify/kubeaudit

  29. Best Practices
    ● Application Code
      ○ Code Linters
      ○ Dependency Scanning
      ○ Code Analysis (static, dynamic, variant and manual analysis)
    ● Infrastructure Code
      ○ Dockerfile (CIS benchmarks, security best practices)
      ○ Kubernetes manifests/Helm charts (CIS benchmarks, least privilege)
      ○ Host images, Host infrastructure (Terraform, cloud infra security configs)
      ○ Container Registry, Config Management
    ● Sensitive information checks (secrets, API keys, etc.)
    ● Version Control System (Config, PRs, MRs, etc.)
    ● Manual Review/Approval/Verification

  30. Best Practices (Contd.)
    ● Secure Defaults
    ● Least privilege principle
    ● Network Security Policies
    ● RBAC reviews
    ● Service Mesh
    ● Open Policy Agent (Multiple levels applying policy engine checks)
    ● Proactive Logging & Monitoring for detection
    ● Falco - Syscall monitoring & Threat detection engine
    ● RASP - Runtime application security protection
    ● Logging & Monitoring with Centralized Monitoring
    ● Proactive Security Monitoring & Detection
    ● Many other...

  31. More Hands-On Labs coming here...
    https://github.com/madhuakula/kubernetes-goat

  32. Cloud Native Security Tools
    https://tools.tldr.run

  33. Key Takeaways
    ● Security is everyone's responsibility (Dev, Ops and Security, etc.)
    ● Threat model your architecture and identify risks/threats
    ● Follow and apply secure defaults
    ● Know what you have (Inventory of assets)
    ● Adopt zero trust model and trust nothing (Zoning, Containment & Segmentation)
    ● Apply security at each layer (Defense in depth strategy)
    ● Follow least privilege principle
    ● AuthN & AuthZ
    ● Encryption at REST & TRANSIT
    ● Proactive monitoring & Active defense
    ● Continuously analyse and apply feedback loops
    ● Crawl, Walk, Run

  34. References & Resources
    ● Docker Security Docs
    ● Kubernetes Security Docs
    ● Attack matrix for Kubernetes
    ● Breaking & Pwning Docker Containers & Kubernetes Clusters
    ● Advanced Persistence Threats: The Future of Kubernetes Attacks
    ● 11 Ways (Not) to Get Hacked
    ● Attacking & Auditing Docker Containers using Open Source @ DEFCON 26
    ● Attacking and Auditing Docker Containers and Kubernetes Clusters @ DEFCON 27
    ● contained.af
    ● CIS Benchmarks Docker
    ● Understanding and Hardening Linux Containers
    ● Abusing Privileged and Unprivileged Linux Containers
    ● Container Security Notes
    ● Linux Container Security
    ● Docker Runtime Privileges and Capabilities
    ● Apparmor Security Profiles on Docker
    ● Seccomp Security Profiles on Docker
    ● Docker Labs Capabilities
    ● Practical SELinux and Containers
    ● Containers and Operating systems morning paper gist
    ● Kubernetes Webinar series

  35. More Reading & Learning :)
    ● Google SRE - 3 books
    ● Cloud Native Infrastructure Book
    ● Cloud Native Transformation Book
    ● Kubernetes-Security.info
    ● DevOps Security Checklist
    ● Kubernetes Attack Audit Reports
    ● CNCF Landscape
    ● Known CVEs and Vulnerability Research
    ● K8S Slack Channels/Working Groups
    ● Katacoda Playgrounds & Play with Docker & Play with Kubernetes
    ● Many other...

  36. THANK YOU TO OUR SPONSORS

  37. Thank You
    Madhu Akula
    https://madhuakula.com
    @madhuakula