Minimizing attack surface of containers running cloud workloads

mbroz2
February 20, 2020


We live in a world where every time you share information online it is at significant risk of being compromised. Responsibility for protecting that data falls to everyone: developers, architects and providers. With security at the forefront of everyone's concern, how are cloud providers meeting these concerns while still allowing businesses to rapidly provision services on demand?

In this meetup we'll review container security: the concepts, tips and tricks, and what others in the industry are doing. Overall, we'll analyse the general attack surface of containers to understand how best to minimize it. We'll look at specific attack vectors and known exploits, and at how to prevent them. To illustrate by example, we'll build out a website frontend and backend that needs to process sensitive personal information, and protect that information in flight and at rest.

Topics Covered:
- Docker and Kubernetes introduction
- Overview of container security and where the industry is going
- Specific technology introductions
- Live installation and configuration of a web application



  1. Austin Cloud Technology Meetup: Minimizing the attack surface of containers running cloud workloads. Jenn Francis (@msjennsays), Chris Poole (@chrispoole)
  2. Why containers? One perspective: packaging of programs and applications. • apt install • yum install • pacman -S • Then config files… in distro-dependent locations. What libraries do you pull in?
  3. Why containers? Another perspective: agility and devops. • Self-service • Easier to deploy • Run anywhere • Run lots on the same host, with isolation. (IBM Cloud Hyper Protect Services | © 2020 IBM Corporation)
  4. Docker container, layered top to bottom: Application • Libraries • Runtimes • Base OS
  5. Containers…? • Portability: can be used on any supported type of ship • Wide variety of cargo to pack inside • Standard sizes, standard fittings on ships: stack! • Many containers on a ship • Isolates cargo from each other
  6. Where can they run?
  7. Where can they run?
  8. Docker workflow: Dockerfile → (docker build) → Docker image → (docker run) → Docker container, which is a Docker process.
  9. Commands: docker ps • docker build -t name . • docker run • docker start • docker stop • docker rm
  10. Kubernetes: container orchestration.
  11. Production challenges. Diagram of a production environment with application server instances (1, 2, 3, 4) and log collector/processor instances (1a, 3a, 4a). Failures?
  12. New terms: Pods • Masters and workers • Deployments • Services • Etcd • … (diagram: master, master, worker, worker, worker, etcd)
  13. The same production layout spread across workers: application server and log collector/processor instances (1/1a, 2, 3/3a, 4/4a) deployed together. Failures? Pods: • Guaranteed on same host • Guaranteed deployed together • Internal subnet
  14. Kubernetes: • manage networking and access • track state of containers • scale services • do load balancing • relocation in case of unresponsive host • service discovery • attribute storage to containers • …
  15. What are the risks?
  16. Who's been breached? 2010: "The problem allowed non-authorized users of the cloud service to access employee contact info in their offline address books." 2012: "Hackers tapped into more than 68 million user accounts – email addresses and passwords included – representing nearly 5 gigabytes of data." 2016: "Hackers stole and posted for sale on the dark web an estimated 167 million email addresses and passwords."
  17. 73% allow root access • 2% corporate data encrypted • 58% threats from insiders
  18. trust, transitive verb \ ˈtrəst \ 1a: to rely on the truthfulness or accuracy of; b: to place confidence in; c: to hope or expect confidently. 2a: to commit or place in one's care or keeping; b: to permit to stay or go or to do something without fear or misgiving. In whom or what do you trust? What is most important to you?
  19. Parties in the trust picture: Your Enterprise • Third Party • Mr. Malicious • IBM Cloud SRE • Application Admin • Government Agent • Network Admin • Application User • Database Admin • Developer • Hardware Vendor • Software Vendor • Storage Admin
  20. (Diagram of the same parties as slide 19.) Your Enterprise • Third Party • Mr. Malicious • IBM Cloud SRE • Application Admin • Government Agent • Network Admin • Application User • Database Admin • Developer • Hardware Vendor • Software Vendor • Storage Admin
  21. General Tips: • Try Podman • Think about the attack vectors • Keep the host up to date • Don't use --privileged unless really needed • Update base images regularly • Use image scanning tools: IBM Container Registry etc. will do this for you • Switch away from root, and don't run as root in the container • Minimal, read-only setup • Use image signing: Docker Content Trust and Notary
  22. General Tips: • Developers will disable security: prevent this • CI/CD impact: scan for, and ensure, security
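The hardening tips on slides 21 and 22 (switch away from root in the container, keep a minimal read-only setup, avoid --privileged, enforce it in CI/CD) put into practice, as an added example that is not part of the talk or of any IBM tooling. The image name myapp, the user app, the base image tags and the binary path /usr/local/bin/server are assumptions; the two Dockerfiles are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the slides: an unhardened Dockerfile beside a
# hardened one, a small lint that flags images still running as root (the
# kind of check a CI/CD pipeline can enforce), and the docker run flags that
# give a minimal, read-only container.
# The image name "myapp", the user "app" and the binary path are assumptions.

# Constructed "before" Dockerfile: no USER instruction, so the entrypoint runs as root.
UNHARDENED_DOCKERFILE='FROM ubuntu:20.04
COPY server /usr/local/bin/server
ENTRYPOINT ["/usr/local/bin/server"]'

# Constructed "after" Dockerfile: small pinned base image, dedicated non-root
# user, files owned by that user, USER set before the entrypoint.
HARDENED_DOCKERFILE='FROM alpine:3.11
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app server /usr/local/bin/server
USER app
ENTRYPOINT ["/usr/local/bin/server"]'

# last_user DOCKERFILE_TEXT
# Prints the operand of the last USER instruction; prints an empty line when
# there is none, which Docker treats as root.
last_user() {
    printf '%s\n' "$1" | awk 'toupper($1) == "USER" { u = $2 } END { print u }'
}

# runs_as_root DOCKERFILE_TEXT
# Returns 0 (true) when the image leaves the process as root: no USER line,
# "USER root", or numeric uid 0, with or without a ":group" suffix.
runs_as_root() {
    u=$(last_user "$1")
    u=${u%%:*}
    case "$u" in
        ""|root|0) return 0 ;;
        *)         return 1 ;;
    esac
}

# hardened_run_flags
# Prints docker run flags for a minimal, read-only container: root filesystem
# read-only with a small non-executable tmpfs for scratch files, every Linux
# capability dropped, no privilege gain through setuid binaries, and a pid cap.
# This is the opposite end of the spectrum from --privileged.
hardened_run_flags() {
    printf '%s ' \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --pids-limit 100
}

# lint_dockerfile LABEL DOCKERFILE_TEXT
# Prints a one-line verdict and returns 1 for a root image so a CI job can fail.
lint_dockerfile() {
    if runs_as_root "$2"; then
        echo "$1: FAIL, runs as root (add a non-root USER instruction)"
        return 1
    fi
    echo "$1: ok, runs as $(last_user "$2")"
}

lint_dockerfile unhardened "$UNHARDENED_DOCKERFILE" || true
lint_dockerfile hardened "$HARDENED_DOCKERFILE"
echo "docker run $(hardened_run_flags)myapp:latest"
```

The lint only inspects the last USER instruction; an image whose entrypoint drops privileges itself still reads as root here, and `docker run --user` can override the Dockerfile's USER either way. Pair the file check with the run-time flags rather than relying on one of them alone.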
  23. Industry reactions: secure the system. • "How can I get more isolation for my pods than Linux kernel namespaces and cgroups?" gVisor, Nabla containers, Amazon Nitro • "How can I avoid the daemon process?" Podman over Docker CLI • "Can I reduce my trust in the host?" Hyper Protect
  24. Taking a look at IBM Cloud Hyper Protect
  25. Amazon EKS: Docker container A and Docker container B on shared host layer(s). • Vulnerable to container breakout exploits, giving access to the host layer and peer containers • Sysadmin shell or console access to lower layers. IBM Cloud Hyper Protect Containers: Customer A worker and Customer B worker, each under VM isolation inside a LinuxONE Secure Enclave. • Peer containers isolated to prevent breakout exploits • No shell access, or memory access from hardware console • No shell access into Kubernetes workers • Encrypted storage
  26. IBM Cloud Hyper Protect services are based on LinuxONE secure enclave technology. Inside-datacenter physical attack: • Firmware sets no memory (dump) access • Encryption keys stored in the only public-cloud FIPS 140-2 Level 4 compliant HSM. Remote attack (shell access): 73% of AWS users analyzed leave SSH wide open to the internet, allowing potential compromise; console access is also common. Secure enclave technology has: • No SSH, console or shell access of any kind to the host layer. Privilege escalation: Kubernetes workers and containers on shared hosts allow potential exploits, B2B or, when wholly owned by one org, dept. to dept. IBM Cloud Hyper Protect: • Uses runq, not runc, to isolate each worker in an SSC secure enclave • SSC LPARs have EAL5+ isolation.
  27. Demo
  28. IBM Cloud Hyper Protect Services: industry-leading security for cloud data, digital assets and workloads, built on LinuxONE secure enclaves. • Hyper Protect Crypto Services: keep your own keys for cloud data encryption, protected by a dedicated cloud HSM (the industry's only FIPS 140-2 Level 4 certified HSM) • Hyper Protect DBaaS: complete data confidentiality for your sensitive data (PostgreSQL, MongoDB EE) • Hyper Protect Virtual Servers: instantiate Linux VMs with your own public SSH key to maintain exclusive access to code and data (Ubuntu) • Hyper Protect Containers: build and deploy microservices in a hyper-secure environment. (Availability labels on the slide: GA, Coming soon, GA, GA.)
  29. Thank you! Jenn Francis (@msjennsays), Chris Poole (@chrispoole)
  30. Notices and disclaimers. © 2020 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed "as is" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided. IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall, constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.
  31. Notices and disclaimers, continued. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a purpose. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: .