Cloud Native Security 101: Building Blocks, Patterns and Best Practices

Transcript

1. Rafik Harabi Cloud Native Security 101: Building Blocks, Patterns and

   Best Practices 1

2. Who Am I? • Senior Solution Architect at Sysdig, Cloud

   Security Advocate • Focus on Cloud Native Security and Observability • Previously working on go to Cloud programmes @rafik8_ rafikharabi 2

3. Who are you? • Who is here for the first

   time? • Who knows one of those acronyms: CWPP, CSPM, KSPM, CIEM, CNAPP, CDR? • Who knows two of them? • Who knows three? • All of them? 3

4. Agenda • Cloud Native Security acronyms • Anatomy of Cloud

   Native application • Lifecycle of Cloud Native application • Cloud Native Security Platform building blocks. • Attack vectors. • Patterns & Best Practices. • Personas and Workflows. 4

5. 5

6. Network/Security Management Identity and Access Data Platforms Workload Anatomy of

   Cloud Native Application Cloud Provider Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Cloud Infrastructure Containers Audit logs Kubernetes Container as a Service 6

7. Cloud Native Acronym CWPP Cloud Workload Protection Platform Workload and

   application security (Container, VM, Serverless). Network/Security Management Identity and Access Data Platforms Workload Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Containers Audit logs Kubernetes Container as a Service 7

8. Cloud Native Acronym CSPM Cloud Security Posture Management Cloud assets

   configuration security: Protect the cloud control plane, basically tracking cloud resources and verifying the static configuration of the cloud Network/Security Management Identity and Access Data Platforms Workload Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Containers Audit logs Kubernetes Container as a Service 8

9. Cloud Native Acronym KSPM Kubernetes Security Posture Management Security configuration

   assessment for Kubernetes. Network/Security Management Identity and Access Data Platforms Workload Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Containers Audit logs Kubernetes Container as a Service 9

10. Cloud Native Acronym CIEM Cloud Infrastructure Entitlement Management Manage identity

    and access security for both humans and services. Reducing the risk of excessive permissions and entitlement in the cloud. Network/Security Management Identity and Access Data Platforms Workload Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Containers Audit logs Kubernetes Container as a Service 10

11. Cloud Native Acronym CDR Cloud Detection and Response Threat Detection

    and Response for Cloud Assets and Workloads. Network/Security Management Identity and Access Data Platforms Workload Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Containers Audit logs Kubernetes Container as a Service 11

12. Cloud Native Acronym CNAPP Cloud Native Application Protection Platform A

    platform that combine CSPM, CIEM, CWPP and CDR. Network/Security Management Identity and Access Data Platforms Workload Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Containers Audit logs Kubernetes Container as a Service 12

13. CIEM CDR CSPM (& KSPM) CNAPP Building Blocks CWPP CNAPP

    • Vulnerability Management • Container / K8s Runtime Security • Serverless Security • Host/Container Threat Detection • Vulnerability Management • Cloud Misconfigurations / IaC • Cloud Inventory • Cloud Threat Detection • Compliance • Cloud Threat Detection • Container / K8s Runtime Security • Host Threat Detection • Cloud IAM: Identities and Permissions • Detect excessive permissions 13

14. Attack Vectors 14

15. Cloud Attack Vectors Network Identity Control Plane Data Servers &

    Services Cloud network breaches 1 Unauthorized resource access 2 Cloud data exfiltration 3 Cloud security misconfiguration 4 Vulnerability exploits 5 1 2 3 4 4 5 15

16. Kubernetes Attack Vectors Access K8S API Server / ETCD API

    Control Plane Worker Node Image Registry API server Dashboard ETCD Server Controller Scheduler Kublet Kube proxy App 1 Secret Container runtime 1 2 4 3 6 1 Dashboard misconfiguration 2 Malicious container image in registry 3 Application with exploitable vulnerability 4 Docker daemon misconfiguration 6 5 Gain access to secrets 5 1 16

17. Container Container Workload Attack Vectors Image Registry Kernel & OS

    Hardware Container Engine Worker Node Container DOCKER.SOCKET 1 2 3 4 5 6 7 8 Vulnerable OS/Container engine 1 Vulnerable application 2 Exposed Container engine 3 Insecure image registry 4 Misconfigured container 6 Privileged containers 5 Privilege escalation on host 7 Insufficient Network isolation 8 17

18. Patterns & Best practices 18

19. Lifecycle of Cloud Native Application CODE BUILD RUN Deploy •

    Continuous Integration • Dependencies • Image Manifest (Docker file, Podman, Buildah,,, ) • Application packaging (Helm, …) • Infrastructure Code (Terraform, …) • Continuous Deployment • Continuous Delivery • Monitoring • Troubleshooting • Incident Response Iteration Provision • Infrastructure provisioning • Infrastructure configuration 19

20. Secure Cloud Native Application CODE BUILD RUN Respond & Forensics

    Deploy Configuration Management Infrastructure as Code Validation Vulnerability Management Threat Detection Incident Response •CI/CD pipelines, registries, and hosts •Prioritization based on in-use vulns • Capture detailed record for forensics • Block malicious containers / processes • CSPM / cloud misconfigurations • Cloud Inventory • Cloud threat detection • Workload runtime security • Drift prevention • Block risky configs Identity and Access Management • CIEM / least privilege • Prioritization based on in-use permissions • Block risky images • Block risky config Admission 20

21. Container In-Use vulnerabilities Prioritization • Pattern: Prioritize images to be

    fixed based on packages that are really in use • Why: Image contains usually many packages that are embedded but never used/loaded • Result: Focus on what really matter to proritze and fix (avoid engineers fatigue) ◦ multi-level vulnerabilities focus: ▪ In use ? ▪ Exploitable ? ▪ Has fix ? • Both for containers and Kubernetes hosts 21

22. Container In-Use vulnerabilities Prioritization Container Image Registry Container Runtime Application

    Runtime Real Risk Vulnerabilities in Runtime Yes No No Yes Fix Immediately Yes No Threat mitigation Developer Threat Team In Use Exploitable Has Fix High Priority 22

23. Container Image Signing • Risk: ◦ Deploy and run non-compliant/trusted

    image • Benefits: ◦ Container image integrity ◦ Images are from a trusted source ◦ Safe handover (from development to production) Production cluster Image Signature Dev Registry Prod Registry Developer Tester Operations Dev cluster QA cluster QA Registry Image Signature Verify the signature Verify the signature 23

24. Gatekeeper pattern (AC) • Based on Kubernetes Admission controller •

    Risk: ◦ Vulnerability Image ◦ Image from non trusted source ◦ Compromised Image • Benefits: ◦ Avoid deploying and running non compliant workloads Kubernetes Cluster Create Deployment Node Admission Controller Validation Decision Image scan status Image signing status Image Container Registry/Repository Manage Exceptions Controls Deploy 24

25. Base Image & Layer Analysis • Use a library of

    base images from a trusted source • Start with a minimal base image 25

26. Base Image & Layer Analysis Base image A (1.1) Layer

    Layer Layer Base image A (2.5) Layer Layer Base image A (1.1) Layer Base image A (1.1) Layer Layer Layer Base image A (1.2) 26

27. Continuous & Actionable Compliance • Continuous CSPM: all misconfiguration are

    flagged, addressed in an automated and continuous way • Configuration Drift detection and remediation CODE BUILD RUN Respond Deploy CSPM / KSPM IaC Security Continuous Assessment of Risk Remediate at source 27

28. Risk Assessment and Prioritization Inventory Evaluate Assets at risk Prioritize

    Assets prioritized Remediate Auto-fix TODO Apply (Patch) Open PR SecOps Developer Patch 28

29. Personas & Workflows 29

30. Cloud Security Personas Developer Platform Engineer DevOps DevSecOps Security Engineer

    Security Architect SecOps CISO • Building Platform using IaC • Platform troubleshooting • Automation • Continuous Integration • Continuous Delivery • Automation • Continuous Integration • Continuous Delivery • Vulnerability Management • Policies implementation • Build secure application • Fix Vulnerability • Compliance • Risk Governance • Threat Detection • Forensics • Threat Modeling & Attack Surface • Security Posture • Define Policies • Vulnerabilities Reports • Compliance Reports • Implement Policies 30

31. Cloud Security Personas Developer Platform Engineer DevOps DevSecOps SecOps Security

    Architect Security Engineer CODE BUILD RUN IR & Forensics Deploy 31

32. DevSecOps workflow (CI scan) DevSecOps pipeline Developer Push container image

    source Build image Resulting container image Image Scan Fail: You stop the pipeline and notify the developer Pass: You push to registry Container Registry Runtime Source Repository Container Vulnerability 32

33. DevSecOps (Registry scan) • Risks: ◦ Skip CI pipeline ◦

    0-day vulnerability in previously validated image ◦ Pulling non validated image from public repository (introduce malware, cryptomining or high and critical vulnerabilities) • Pattern: Continuously scan container registries. Developer Push container image source Build image Resulting container image Image Scan Fail: You stop the pipeline and notify the developer Pass: You push to registry Container Registry Runtime Source Repository Public Registry Registry Scan 33

34. DevSecOps (workload integrity) Container Vulnerability Developer Push sources Build image

    Resulting container image Image Scan Fail: You stop the pipeline and notify the developer Pass: You push to registry Dev Container Registry Runtime Source Repository Integrity Verification Sign KMS QA Container Registry Verify Signature Verify Signature Public Registry Registry Scan 34

35. DevSecOps (workload integrity) Dev Container Registry QA Cluster Integrity Verification

    Sign KMS QA Container Registry Verify Signature Verify Signature 35

36. DevSecOps (Admission Controller) Container Vulnerability age Image Scan Fail: You

    stop the pipeline and notify the developer Pass: You push to registry Dev Container Registry Runtime Integrity Verification Sign KMS QA Container Registry Verify Signature Verify Signature Public Registry Registry Scan Kuberntes Cluster Admission Controller Deploy • Check scan status • Check signature Image Scan Result 36

37. DevSecOps (Runtime scan) • Risks: ◦ 0-day vulnerability in running

    images (Log4shell …) • Pattern: Continuously scan running containers. Kubernetes Cluster Admission Controller Deploy • Check vuln status • Check signature Node Host & Container Scanner Image Scan Result Reporting SIEM Ticketing 37

38. IaC security (build phase) Container Vulnerability Developer Push sources Build

    image Resulting container image Image Scan Container Source Repository Infrastructure Source Repository IaC Scan Pull Request Merge Runtime Deploy Suggest Fix IaC Scanning 1 2 3 4 5 6 38

39. DevOps Infrastructure Source Repository Merge Pull Request Kubernetes Cluster Node

    Detect Drift SecOps Open PR IaC security (run phase) 1 2 3 4 39

40. Takeaways • Cloud Native security implementation is a team and

    collaboration matter. • Cloud native security should be adopted gradually: ◦ It depends on your cloud journey stage. ◦ Always start with the most important use cases for your business. 40

41. Further reading • CNAPP Cloud Security: https://sysdig.com/blog/cnapp-cloud-security-sysdig/ • Google Cloud

    Podcast: EP94 Meet Cloud Security Acronyms with Anna Belak • Gartner: Innovation Insight for Cloud-Native Application Protection Platforms • MITRE ATT&CK Matrix for Containers: https://attack.mitre.org/matrices/enterprise/containers/ 41

42. Thank you! Any questions? Don’t forget to rate the session

    and provide your feedback please 🙂 42

43. 43