Security at Cloud Native Speed

Abstract

Cloud native technologies are increasingly used by organizations to provide a competitive advantage. Containers and Kubernetes jumpstart developer productivity but, they could increase security teams’ workloads. Threat vectors span cloud providers, control planes, developer tooling, and applications in environment hybrid environments. Use these technologies and cultures to improve security and reduce blast radius while improving velocity. This talk will analyze human tendencies and provide tips to improve security postures in cloud native environments.

Description

Security needs to be a step in every part of the software development lifecycle. But, the tools, libraries, platforms, and attack surface never seems to shrink. When teams adopt Kubernetes and cloud native tooling, applications become ephemeral and infrastructure becomes elastic. Baking security tooling into the pipeline is critical. Mandating rigid boundaries around decoupled components is key. Embracing speed and collaboration are crucial to security teams in today’s cloud native landscape. The more the merrier along this journey!

whoami

Cloud Native Ambassador
DevOps’ish
KubeWeekly

Struggles

The Security Professional

Overworked
Under resourced
Overwhelmed
Under pressure

The Software Engineer

Overworked
Under resourced
Overwhelmed
Under pressure

You’re now using the same tooling

Cloud providers
APIs
Kubernetes

The same tooling

CNCF Cloud Native Landscape

What have we done?!?!

Velocity

How fast is this thing going

“[T]he number of containers that are alive for 10 seconds or less has doubled to 22%.”

Source: Sysdig 2019 Container Usage Report

Big Number

73% of all containers live for thirty minutes OR LESS.

Source: Sysdig 2019 Container Usage Report

Embrace Velocity

High performing teams deploy multiple times a day
Lead times are less than a day
Service restorations happen in less than an hour
Change failure rates are between 0-15%

Source: 2019 Accelerate State of DevOps Report

CD for Security

Continuous Security

Integrate security into the lifecycle

Remember the OSI Reference Model

Troubleshoot the lowest layers first
Containers are made with layers
Build software pipelines that application and infrastructure changes can flow through

Elements of a container pipeline

Elements of the container pipeline

CI/CD Must Include Security Gates

CI/CD Must Include Security Gates

Platform Security

Tweets

Screenshots of tweets (https://twitter.com/ChrisShort/status/1191840746988605440)

Securing the container platform

Securing the container platform

Robust security standards

SELINUX (access control)
Namespaces (partitioning)
Seccomp (system calls)
Cgroups (resource allocation)
Security policies (PSP, network policy, OPA)

Active not Passive

OWASP
Static analysis of code at rest
Dependency scanning
Trusted base images
Trusted registries

Use K8s Primitives

Use Kubernetes native controls
Contextually aware
Additional extensibility (CRDs)
Industry standard APIs
Speed of K8s internals
Robust, scalable, portable controls

Clear boundaries

Network segmentation
Admission controllers
Infrastructure as Code

Source: Cloud-native security for containers and Kubernetes

Speed Makes Us Safer

Automation

The first step is adopting tooling to help
The next steps are a cultural shift towards speed
Security must be automated and running at the same velocity as software development

Rethinking Safety

Reducing friction to make changes smaller and easier
SRE Golden Signals
Assume compromise will occur
Plan for disasters
Breaking things on purpose (Chaos Engineering)

Detection leading to mitigation

Automating mitigation
Scale violating deployments to zero quickly
Automating defense in depth response
Offending metadata registered in security devices
Ansible Operator to block bad actors at network boundary (not K8s boundary)

Security at Cloud Native Speed

Abstract

Description

whoami

Struggles

The Security Professional

The Software Engineer

You’re now using the same tooling

The same tooling

Velocity

How fast is this thing going

Big Number

Embrace Velocity

CD for Security

Continuous Security

Remember the OSI Reference Model

Elements of a container pipeline

CI/CD Must Include Security Gates

Platform Security

Tweets

Securing the container platform

Robust security standards

Active not Passive

Use K8s Primitives

Clear boundaries

Speed Makes Us Safer

Automation

Rethinking Safety

Detection leading to mitigation

Continuous Learning

Discards

You don’t stand a chance

Related Content

Abstract#

Description#

whoami#

Struggles#

The Security Professional#

The Software Engineer#

You’re now using the same tooling#

The same tooling#

Velocity#

How fast is this thing going#

Big Number#

Embrace Velocity#

CD for Security#

Continuous Security#

Remember the OSI Reference Model#

Elements of a container pipeline#

CI/CD Must Include Security Gates#

Platform Security#

Tweets#

Securing the container platform#

Robust security standards#

Active not Passive#

Use K8s Primitives#

Clear boundaries#

Speed Makes Us Safer#

Automation#

Rethinking Safety#

Detection leading to mitigation#

Continuous Learning#

Discards#

You don’t stand a chance#

Related Content

Abstract

Description

whoami

Struggles

The Security Professional

The Software Engineer

You’re now using the same tooling

The same tooling

Velocity

How fast is this thing going

Big Number

Embrace Velocity

CD for Security

Continuous Security

Remember the OSI Reference Model

Elements of a container pipeline

CI/CD Must Include Security Gates

Platform Security

Tweets

Securing the container platform

Robust security standards

Active not Passive

Use K8s Primitives

Clear boundaries

Speed Makes Us Safer

Automation

Rethinking Safety

Detection leading to mitigation

Continuous Learning

Discards

You don’t stand a chance