Understanding Container Security
Overview
• A Brief History and Overview of Containers
• Security Benefits of Containers
• Container Vulnerability Management
• Responding to Container Attacks
Survey – How familiar are you with containers?
• I open them every day – gotta eat to survive
• I read about them on TechCrunch
• I run them on my raspi at home
• We run our production workloads in containers
• I contribute code to open source container-related projects
Brief History of Containers
Containers are not new, but…
Container History Timeline
• 1979: Unix V7
• 2000: FreeBSD Jails
• 2004: Solaris Zones
• 2005: OpenVZ
• 2006: Process Containers
• 2007: cgroups
• 2007: AIX WPARs
• 2008: LXC
• 2013: LMCTFY
• 2013: Docker
How Are Organizations Using Containers?
Container Tech is Being Adopted Quickly
Container Adoption Challenges (Source: ClusterHQ)
Container security: top #3
Containers in the Future
• Phones
• IoT
• Maybe cars?
Survey – what container platform do you use?
• Docker
• LXC
• LXD
• rkt
• Solaris/SmartOS based
• Unikernel/microkernel or similar
• Why didn’t you list my platform? Everyone uses it!
Brief Overview of Container Orchestration
Why Orchestration?
• For “real” workloads:
  • How to launch 500 containers across 20 hosts?
    • Being aware of resources on each host
    • Getting storage and networking to the right container on the right host
    • Distribution for speed, efficiency, cost, etc.
    • As part of a CI/CD process
  • How to do a rolling update of those 500 live containers to a new software version?
Lots to Orchestrate
Customer VMs: VM image management, networking, local storage / NAS/SAN
Containers: container image management, container networking, container storage
Host: host image management, host networking, local storage / NAS/SAN
• Swarm networking
• Weave networking
• Project Calico networking
• CoreOS Flannel networking
• Flocker storage
• Gluster storage
• CoreOS Torus storage
• …
We haven’t talked security, yet.
Survey – How Familiar Are You With Information Security?
• It’s common for me to get viruses and ransomware
• I’m paid to write code by a deadline
• I learned my lesson the first time and now try my best
• Due to unspecified agreements I cannot answer this question
Security Benefits of Containers and Microservices
• Smaller surface area*
• Shorter lifespan* – shorter period when open to attack
• More automated process – easier to recreate/redeploy*
*(in theory)
Security Benefits of Containers and Microservices
• Containerized apps lend themselves to “12 factor” design (12factor.net)
Security Disadvantages of Containers and Microservices
• Relatively new technology
• Lots of moving parts
• Shorter lifespan – this makes investigations more difficult
Container Security Adoption
Survey – What’s your biggest container security concern?
• Image security
• Host security
• Vulnerability management
• Container isolation
Results of Twitter Survey
Image Security
• Where did an image come from?
• Is it an official image?
• Is it the right version?
• Has somebody modified it?
Image Security
• Docker Content Trust
  export DOCKER_CONTENT_TRUST=1
• CoreOS image signing and verification (PGP based)
Host Security
• Follow standard hardening processes (Bastille, Center for Internet Security, etc.), but only firewall the host, not its containers
• A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer via a known private network
• One nasty exposure – privileged containers.
Vulnerability Management in a Container World
Managing Security Exposure in Containers
Smaller Image, Fewer Vulnerabilities
• Avoid “From:Debian” and similar
• Software can’t be vulnerable if it’s not installed.
An amazingly large percentage of public Docker images are based on Debian, Ubuntu, or CentOS.
Why? Least Privilege
• We want the smallest image possible when we load it across 100 hosts
• The smaller the image, the less exposure to potential vulnerabilities
• If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
Container Vulnerability Scanners
• Open Source:
  • OpenSCAP
  • CoreOS Clair
  • Anchore
• Commercial:
  • Why go with commercial? Might be easier, packaged.
Vulnerability Triage
• Developers are being exposed to the secops work of vulnerability/patch management
Understand CVSSv2
Understand CVSS Calculator
Container Isolation
Why Isolate?
• Only as secure as your weakest link
• What happens if other departments are running in your private cloud?
• What happens if other customers are running in your bare metal CaaS?
Capabilities
Worst to best:
• Run with --privileged=true
• Run with --cap-add ALL
• Run with --cap-drop ALL --cap-add <only needed>
• Run as non-root user, unprivileged
Useful: capabilities section of https://docs.docker.com/engine/reference/run/
Seccomp
We need to build a list of system calls called by the program… that we want to succeed
• Guess (preferably educated)
• RTFM (thanks John!)
• Capture behavior – maybe /usr/sbin/strace
• Disassembly?
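An added example (not from the talk) of the “capture behavior” route: parse `strace -f` output into the set of system calls the program actually made, then emit an allow-list seccomp profile in the JSON shape that `docker run --security-opt seccomp=<file>` accepts. The strace sample is constructed.

```python
import json
import re
# Constructed sample of `strace -f` output (not from the talk); real input comes from running the program.
SAMPLE_STRACE = """\
execve("/app/server", ["/app/server"], 0x7ffd2c3e9a40 /* 12 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
close(3)                                = 0
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 128)                          = 0
[pid  4711] accept4(3,  <unfinished ...>
[pid  4712] read(4, "GET / HTTP/1.1\\r\\n", 4096) = 16
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4712, si_status=0} ---
[pid  4711] <... accept4 resumed>{sa_family=AF_INET, sin_port=htons(51234)}, [16], SOCK_CLOEXEC) = 4
write(4, "HTTP/1.1 200 OK\\r\\n", 17)   = 17
exit_group(0)                           = ?
+++ exited with 0 +++
"""

# strace line shapes: an optional "[pid N]" or "N" prefix, then either
# "name(args...) = ret" or the tail of an interrupted call, "<... name resumed>".
_PREFIX = re.compile(r"^(?:\[pid\s+\d+\]\s*|\d+\s+)")
_CALL = re.compile(r"^([a-z_][a-z0-9_]*)\(")
_RESUMED = re.compile(r"^<\.\.\.\s+([a-z_][a-z0-9_]*)\s+resumed>")

def syscalls_from_strace(text: str) -> set:
    """Return the set of syscall names observed in strace -f output."""
    names = set()
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.strip(), count=1)
        if not line or line.startswith(("+++", "---")):
            continue  # exit-status and signal notices are not syscalls
        m = _CALL.match(line) or _RESUMED.match(line)
        if m:
            names.add(m.group(1))
    return names

def build_seccomp_profile(names: set) -> dict:
    """Allow-list profile in the JSON shape Docker accepts via --security-opt seccomp=<file>.
    Unlisted syscalls fail with EPERM (SCMP_ACT_ERRNO) rather than killing the process;
    code paths not exercised under strace will be missing, so test before deploying."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(names), "action": "SCMP_ACT_ALLOW", "args": []}],
    }

if __name__ == "__main__":
    print(json.dumps(build_seccomp_profile(syscalls_from_strace(SAMPLE_STRACE)), indent=2))
```

Save the output as profile.json and start the container with `docker run --security-opt seccomp=profile.json ...`; denied calls then surface as EPERM errors in the application’s own logs.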
Plan For Container Attacks
• Before going to production, think about how you’d investigate an attack
• Containers are mostly ephemeral
• Collect logs at a central location (ELK, Loggly, etc.)
• Practice identifying and snapshotting problem containers
• Don’t forget about data backup/recovery
Layered Insight Ozone
Comprehensive container-native security
Deep visibility and fine-grained control
Automatic behavioral templates
Machine learning based anomaly detection
Layered Insight Ozone
Inside-Out Approach: workload portability, no special privileges (userspace), zero impact to devs / DevOps, fully automatic.
Diagram: LI instrumented containers running on Docker, on the host OS, on the infrastructure.
Thanks – Let’s continue the conversation! @johnlkinsella
https://www.layeredinsight.com
Slides posted at http://www.slideshare.net/jlkinsel
Links
• https://docs.docker.com/engine/security/trust/content_trust/
• https://coreos.com/rkt/docs/latest/signing-and-verification-guide.html
• https://benchmarks.cisecurity.org/
• https://nvd.nist.gov/cvss/v2-calculator
Data Sources
• Moments in Container History: Pivotal
• Container Adoption behavior: DataDog
• Container Adoption challenges: ClusterHQ
• Container Security adoption rates: SDX Central
• Layered container image: Ubuntu
Data and some graphics provided by the sources listed above.