Slide 1

Security at Cloud Native Speed
Chris Short
Principal Technical Marketing Manager
Cloud Native Ambassador
PodCTL Co-host

Slide 2

> whoami
○ @ChrisShort
○ Red Hat OpenShift
○ PodCTL
○ CNCF Ambassador
○ DevOps’ish
○ KubeWeekly

Slide 3

> column README.md
○ Struggles
○ Velocity
○ CD for Security
○ Platform Security
○ Speed Makes Us Safer
○ Continuous Learning

Slide 4

Struggles
Shared Struggles Create Opportunity

Slide 5

Struggles: The Security Professional
- Overworked
- Under resourced
- Overwhelmed
- Under pressure

Slide 6

Struggles: The Software Developer
- Overworked
- Under resourced
- Overwhelmed
- Under pressure

Slide 7

Struggles: Using cloud native tools
○ Cloud Providers
○ Kubernetes
○ Operators
○ Helm Charts
○ Libraries
○ Third Party APIs
○ Internal APIs
○ CNCF Landscape...

Slide 8

Slide 9

Struggles
What Have We Done?!?

Slide 10

Velocity
The market is responding to an increasing demand for feature delivery.

Slide 11

Velocity
Enter the Cloud Native Trail Map…
○ Containerization
○ CI/CD
○ Orchestration & Application Definition
○ Networking & Policy
○ Distributed DB & Storage
○ Streaming & Messaging
○ Container Registry & Runtime
○ Software Distribution

Slide 12

Velocity
HOW FAST IS THIS THING GOING???
"[T]he number of containers that are alive for 10 seconds or less has doubled to 22%."
Source: Sysdig 2019 Container Usage Report

Slide 13

Velocity
HOW FAST IS THIS THING GOING???
73% of all containers live for thirty minutes OR LESS.
Source: Sysdig 2019 Container Usage Report

Slide 14

Velocity
WHAT DOES THE DATA TELL US?
○ High performing teams deploy multiple times a day
○ Lead times are less than a day
○ Service restorations happen in less than an hour
○ Change failure rates are between 0-15%
Source: 2019 Accelerate State of DevOps Report

Slide 15

SECURITY MUST BE CONTINUOUS
And integrated throughout the IT lifecycle
Security policy, process & procedures
DESIGN: Identify security requirements & governance models
BUILD: Built-in from the start; not bolted-on
RUN: Deploy to trusted platforms with enhanced security capabilities
MANAGE: Automate systems for security & compliance
ADAPT: Revise, update, remediate as the landscape changes

Slide 16

CD for Security
SECURE & AUTOMATE THE CONTENT LIFECYCLE
(Diagram labels: Git, CI, CD, Private Registry, External Images, Content Metadata, Trusted Content, Unknown Content)

Slide 17

CD for Security
○ Troubleshoot the lowest layers first
○ Note: Containers are made with layers
○ L3/L4 now lives in YAML files, maybe with app configs
○ L6 is now the output of K8s APIs
Source: OSI Model, https://chrisshort.net/drawings/osi-model/

Slide 18

CD for Security
CI/CD MUST INCLUDE SECURITY GATES
(Diagram: OpenShift CI/CD pipeline. Stages shown: Image Build & Deploy, Unit Test, Code Qual, Vuln Scan, Int Test, Promote to Test, QA, Promote to UAT, UAT, Promote to Prod; each promotion is gated, ☑ pass / ☒ blocked. Tools shown: Cucumber, Arquillian, JUnit, SonarQube, Fortify, AppScan, Aqua Security, Black Duck, Clair, Sonatype, StackRox, Twistlock)
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Sign your custom container images

Slide 19

Platform Security
“THE most important thing when managing containers in Kubernetes clusters?”

Slide 20

Platform Security
SECURING THE CONTAINER PLATFORM
Security Features Should Include
● Host & Runtime security
● Identity and Access Management
● Role-based Access Controls
● Project namespaces
● Integrated SDN; Network Policies are the default
● Integrated & extensible secrets management
● Logging, Monitoring, Metrics
(Diagram labels: nodes running RHEL CoreOS and RHEL)

Slide 21

Platform Security
SELinux: setenforce 1 has protected organizations from vulnerabilities in upstream Kubernetes.
Namespaces: Not necessarily a security feature, namespaces are a way to divide cluster resources between multiple users, which can minimize blast radius.
Seccomp: Secure Computing Mode (seccomp) is a kernel feature that allows you to filter system calls to the kernel from a container.
Cgroups: Control groups account for, control, prioritize, and limit system resource usage (CPU, memory, disk I/O, etc.).
Security policies: Pod security policies and network policies can codify business requirements that can be applied cluster-wide.
Sources: Kubernetes Documentation; Basic and advanced configuration of Security-Enhanced Linux (SELinux)

Slide 22

Platform Security
OWASP Top 10: Security touchpoints must be in the pipeline. They should, at a minimum, enforce the OWASP Proactive Controls.
Source Code Analysis Tools: The best place to check for buggy code is in your codebase (not production). Static analysis of code at rest.
DAST: Dynamic Application Security Testing (DAST) is a required step in the pipeline.
Dependency scanning: If dependencies have vulns they should be upgraded, and tests against the new versions should run automatically.
Trusted Base Images: Base images should be built with security in mind, used by default, and continuously scanned and patched. Trusted images should be signed on build and verified on pull.
Trusted Registries: Integrated registry with scanning capabilities and container health index as a sole source of truth.
Source: OWASP Top 10
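The "automated policies to flag builds with issues" gate from the CI/CD slide and the "upgrade dependencies, then re-test" rule from this slide come down to one decision step between the vulnerability scan and the promotion. The script below is an added illustration, not code from the talk: it takes a scanner report, applies a severity threshold and an allowlist, and returns both the verdict and the list of upgrades the pipeline should trigger. The report shape, the finding IDs, the thresholds and the image name are all constructed; real scanners (Clair, Aqua, Black Duck and the others on the pipeline slide) each emit their own JSON, so only the loader would change per tool.

```python
"""CI security gate: turn scanner findings into a pass/fail decision plus an upgrade list.

Added illustration for the 'security gates' and 'dependency scanning' slides; not code from the
talk. The report shape, the policy thresholds and the findings are all constructed: real scanners
each emit their own JSON, so the loader would be adapted per tool.
"""
import json
from dataclasses import dataclass, field

# Ordering used by the gate; a finding at or above the policy threshold blocks the build.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class GatePolicy:
    block_at: str = "HIGH"                # findings at this severity or worse fail the build
    block_only_if_fixable: bool = False   # True: findings with no fix are reported but not blocking
    allowlist: set = field(default_factory=set)  # finding IDs accepted with a documented reason


@dataclass
class GateResult:
    passed: bool
    blocking: list   # findings that caused the failure
    upgrades: dict   # package -> fixed version to move to (then re-run tests automatically)
    waived: list     # allowlisted findings, kept visible in the build log


def _version_key(version: str) -> tuple:
    """Constructed dotted-numeric comparison; enough for the sample data, not a full SemVer parser."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def evaluate_scan(report: dict, policy: GatePolicy) -> GateResult:
    threshold = SEVERITY_RANK[policy.block_at]
    blocking, waived, upgrades = [], [], {}
    for finding in report["findings"]:
        severity = SEVERITY_RANK.get(finding.get("severity", "UNKNOWN").upper(), 0)
        fixed = finding.get("fixed_version")
        if fixed:
            # Every fixable finding becomes an upgrade action, whether or not it blocks;
            # keep the highest fixed version when several findings hit one package.
            current = upgrades.get(finding["package"])
            if current is None or _version_key(fixed) > _version_key(current):
                upgrades[finding["package"]] = fixed
        if finding["id"] in policy.allowlist:
            waived.append(finding)
            continue
        if severity >= threshold and (fixed or not policy.block_only_if_fixable):
            blocking.append(finding)
    return GateResult(passed=not blocking, blocking=blocking, upgrades=upgrades, waived=waived)


# Constructed scan output for an image build; IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.loads("""
{
  "image": "registry.example.internal/team-a/web:build-42",
  "findings": [
    {"id": "EXAMPLE-0001", "package": "openssl", "severity": "CRITICAL", "fixed_version": "3.0.5"},
    {"id": "EXAMPLE-0002", "package": "libxml2", "severity": "HIGH",     "fixed_version": null},
    {"id": "EXAMPLE-0003", "package": "curl",    "severity": "MEDIUM",   "fixed_version": "7.79.0"},
    {"id": "EXAMPLE-0004", "package": "zlib",    "severity": "HIGH",     "fixed_version": "1.2.12"},
    {"id": "EXAMPLE-0005", "package": "openssl", "severity": "HIGH",     "fixed_version": "3.0.7"}
  ]
}
""")


def gate_summary(result: GateResult) -> str:
    """One-line verdict in the form a pipeline step would print and use for its exit status."""
    verdict = "PASS" if result.passed else "FAIL"
    ids = ",".join(f["id"] for f in result.blocking) or "-"
    ups = ",".join(f"{p}->{v}" for p, v in sorted(result.upgrades.items())) or "-"
    return f"{verdict} blocking={ids} upgrades={ups} waived={len(result.waived)}"


if __name__ == "__main__":
    strict = evaluate_scan(SAMPLE_REPORT, GatePolicy())
    print(gate_summary(strict))
    # Same report under a policy that only blocks on fixable findings and waives one ID.
    lenient = evaluate_scan(SAMPLE_REPORT, GatePolicy(block_only_if_fixable=True, allowlist={"EXAMPLE-0004"}))
    print(gate_summary(lenient))
    raise SystemExit(0 if strict.passed else 1)
```

Two design points matter more than the thresholds themselves: an upgrade is recorded for every fixable finding, not only the blocking ones, so the "upgrade and re-test automatically" loop has something to act on even when the build passes; and waived findings stay in the output rather than vanishing, so an allowlist entry is visible every time the gate runs instead of being forgotten.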

Slide 23

Platform Security
USE KUBERNETES NATIVE CONTROLS
○ Contextually aware
○ Additional extensibility (CRDs)
○ Move at the speed of Kubernetes internals
○ Robust, scalable, portable controls

Slide 24

Platform Security
CLEAR BOUNDARIES
○ Network segmentation: Policy enforcing controls
○ Admission controllers: Enforce policy pre-apply
○ Infrastructure as Code: More relevant than ever
Source: Cloud-native security for containers and Kubernetes

Slide 25

Velocity
Speed makes us safer

Slide 26

Automation
KUBERNETES SECURITY OPERATIONS
HARDEN: Secure defaults; Network isolation; Signing and policies
OPERATE: Audit and logs; Multicluster aware; Monitoring and alerts
AUTOMATED OPERATIONS: Zero-downtime upgrades; Full-stack patch & upgrade; Vulnerability scanning

Slide 27

Automation
AUTOMATION
Security must be automated and running at the same velocity as software development

Slide 28

Automation
RETHINKING RISK & SAFETY
○ Reduce friction and improve experience
○ Golden Signals (Latency, Traffic, Errors, Saturation)
○ Compromise will occur; practice disasters
○ Break things on purpose (Chaos Engineering)
Source: Site Reliability Engineering, Ch. 6, Monitoring Distributed Systems

Slide 29

Automation
FUTURE: AUTOMATING MITIGATION
○ Scale violating deployments to zero quickly
○ Auto-patching on new dependency releases
○ Bad actors registered in security policies
○ Pushing security policies to network edges
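The "codify business requirements as policy" point from the platform security slide, "admission controllers enforce policy pre-apply" from the clear-boundaries slide, and "scale violating deployments to zero" here are the same policy seen at two moments: before an object is admitted and after it is already running. The script below is an added illustration, not code from the talk and not a real admission webhook (one would receive the same object wrapped in an AdmissionReview and answer allowed or denied): it evaluates a Deployment against a small set of checks drawn from the slides (trusted registry and digest pin, no host namespaces, no privileged containers, runAsNonRoot, a seccomp profile), returns an admission-style decision, and produces the scaled-to-zero copy as the runtime reaction. TRUSTED_REGISTRIES, the annotation key and both sample Deployments are constructed, including the all-zero digest.

```python
"""Workload policy check in the shape of a validating admission decision, plus the
'scale violating deployments to zero' reaction from the slide.

Added illustration; not code from the talk and not a real admission webhook. TRUSTED_REGISTRIES,
the annotation key and both sample Deployments are constructed (so is the all-zero digest).
"""
import copy

TRUSTED_REGISTRIES = ("registry.example.internal/",)          # constructed
QUARANTINE_ANNOTATION = "policy.example.internal/quarantine"  # constructed
ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def _containers(pod_spec: dict) -> list:
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])


def check_workload(obj: dict) -> list:
    """Return human-readable violations for a Deployment-like object; an empty list means compliant."""
    violations = []
    pod = obj["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    # Host namespaces punch through the isolation that namespaces and network policies rely on.
    if any(pod.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        violations.append("pod shares a host namespace (hostNetwork/hostPID/hostIPC)")
    for c in _containers(pod):
        name, image, sc = c["name"], c["image"], c.get("securityContext", {})
        # Trusted registry + digest pin: the image that was scanned and signed is the one that runs.
        if not image.startswith(TRUSTED_REGISTRIES):
            violations.append(f"{name}: image {image!r} is not from a trusted registry")
        if "@sha256:" not in image:
            violations.append(f"{name}: image is not pinned by digest")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation is not false")
        # Pod-level settings apply unless the container overrides them.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            violations.append(f"{name}: runAsNonRoot is not true")
        profile = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if profile not in ALLOWED_SECCOMP:
            violations.append(f"{name}: seccomp profile must be RuntimeDefault or Localhost")
    return violations


def admission_decision(obj: dict) -> dict:
    """Pre-apply enforcement: the shape of a validating admission response."""
    violations = check_workload(obj)
    return {"allowed": not violations, "message": "; ".join(violations)}


def scale_to_zero(obj: dict, violations: list) -> dict:
    """Runtime reaction for something already admitted: a copy with replicas=0 and the reasons
    recorded in an annotation; the input object is left untouched."""
    quarantined = copy.deepcopy(obj)
    quarantined["spec"]["replicas"] = 0
    quarantined["metadata"].setdefault("annotations", {})[QUARANTINE_ANNOTATION] = "; ".join(violations)
    return quarantined


# Constructed manifests, as they would look after parsing the YAML.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "team-a"},
    "spec": {"replicas": 2, "template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/team-a/web@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {"allowPrivilegeEscalation": False},
        }]}}},
}

BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "legacy-web", "namespace": "team-a"},
    "spec": {"replicas": 3, "template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "docker.io/library/nginx:latest",
                        "securityContext": {"privileged": True}}]}}},
}

if __name__ == "__main__":
    for dep in (GOOD_DEPLOYMENT, BAD_DEPLOYMENT):
        decision = admission_decision(dep)
        print(dep["metadata"]["name"], "allowed" if decision["allowed"] else "denied:", decision["message"])
    found = check_workload(BAD_DEPLOYMENT)
    print("quarantined replicas:", scale_to_zero(BAD_DEPLOYMENT, found)["spec"]["replicas"])
```

Keeping one check function behind both the admission decision and the runtime reaction is the point: the same rules that reject a new manifest can be re-run against what the cluster already holds, and the reasons travel with the quarantined object in the annotation so the on-call engineer sees why replicas dropped without digging through controller logs.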

Slide 30

Velocity
Continuous Learning

Slide 31

CONTINUOUS LEARNING
"You are either building a learning organization, or you will be losing to someone who is."
—Andrew Clay Shafer, Red Hat

Slide 32

Continuous Learning
Meetups: Encourage co-workers to attend local Meetups with you to learn from others in your area.
Events: Attend events like these and talks like this that are near you (not just the huge ones).
Community Participation: Open source has shown that the more minds working on a problem, the higher the likelihood of the solution being groundbreaking.

Slide 33

Continuous Learning
Sharing More Information
Governments: Many local and national level governments have security operations centers; work with them to help inform others.
Google Alerts: Never underestimate the power of the Google. Set up alerts for critical phrases that impact security posture.
Newsletters, Podcasts, etc.: I contribute to two newsletters (KubeWeekly and DevOps’ish) and a podcast (PodCTL), but there are many other fine news sources for relevant information.

Slide 34

Thank you
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.