ACSC 2018 Conference: Effective Container Security

www.senseofsecurity.com.au © Sense of Security 2018 Page 1 – 12-APR-18

Transcript of the slide deck (24 slides).

Page 1: Effective Container Security

Delivered by Murray Goldschmidt, COO

12 April 2018

Page 2: Agenda

App Virtualisation vs Virtual Machines

Why Containerised Apps?

Key Steps to Container Security

Vuln Mgt, Risk Mgt & Compliance

Page 3: … & Not Discussed

❖ Control Groups (cgroups)

❖ Namespaces

❖ Capabilities

❖ Seccomp

❖ Linux Security Mechanisms

❖ The Docker daemon

Page 4: VMs <--> Containers

Diagram: layer stacks of a virtual machine and a container (labels recovered from the figure).

Virtual Machine: Physical Processor / Virtual Processor / Operating System / Libraries / Application

Container: Physical Processor / Operating System / Libraries / Application

Boundary labels in the figure: ISA (virtual machine), syscall (container)

From: http://www.weblaminar.com/index.php/technologies/docker-container

Page 5: Why App Containers?

Speed: System kernel is common; very fast to load and operate

Contained & Repeatable: All dependencies mounted -> repeatable; separate execution environment for multiple containers on a single OS

Attack Surface Reduction: Lightweight; incorporate only the parts you need

Control: Finer-grained execution environments

Lifecycle: Ease of integration into DevOps SDL; multiple orchestration platforms

Support: All major OSs; all major hosting providers

Page 6: VM vs. Containers

Diagram: three deployment stacks (labels recovered from the figure).

Virtualisation, Type 1 (Bare Metal): Hardware / Hypervisor 1 / VM, VM, VM, VM, VM

Virtualisation, Type 2: Hardware / Host OS / Hypervisor 2 / VM, VM, VM, VM, VM

Containerisation: Hardware / Host OS / Container Engine / cont1, Cont2, Cont3, Cont4 … ContN

Each VM carries: Guest OS / Dependencies (Dep 1, Dep 2) / Application

Each Container carries: App. Deps. / Application ABC

Page 7: Containers On Bare Metal Server

Diagram (labels recovered from the figure): Server / Host Operating System / Container Engine / Libraries / App A, App B, App C, App D, App E, App F

Page 8: Containers on VMs or Instances

Diagram (labels recovered from the figure): Server / VM Hypervisor / Host Operating System / two Virtual Machines

Virtual Machine 1: OS / Container Engine / Libraries / App A, App B, App C

Virtual Machine 2: OS / Container Engine / Libraries / App D, App E, App F

Page 9: Microservices Architecture

https://docs.microsoft.com/en-us/azure/architecture/guide/architecture-styles/microservices

Page 10: (image-only slide)

Page 11: Containers as-a-Service

Diagram: service-model stacks (labels recovered from the figure). Each column lists the same layers, top to bottom: Functions, Application, Runtime, Container, Operating System, Virtualization, Hardware.

Columns: IaaS (Container layer marked "Optional"), CaaS, PaaS, FaaS

Legend: Customer Managed / Customer Managed Unit of Scale / Abstracted by Vendor

https://qph.ec.quoracdn.net/main-qimg-73dd2f0d9438e512525fc1608224dc79

Page 12: Containers as-a-Service

Diagram: the CaaS column of the previous figure on its own: Functions / Application / Runtime / Container / Operating System / Virtualization / Hardware

Page 13: Containers as-a-Service

Diagram: the full IaaS / CaaS / PaaS / FaaS layer figure again (Functions, Application, Runtime, Container, Operating System, Virtualization, Hardware per column; Container marked "Optional" for IaaS), with the legend Customer Managed / Customer Managed Unit of Scale / Abstracted by Vendor.

Page 14: Multi-Tenant CaaS

Page 15: CaaS of the Future?

Page 16: Containers Solve Everything?

Page 17: End-to-End Security

DevOps is Agile, so we need to address End-to-End Security:

Security @ Source (Static) & Run Time Security (Dynamic)

Page 18: Key Steps to App Container Security

1. End-to-End Vulnerability Management

2. Container Attack Surface Reduction

3. User Access Control

4. Hardening the Host OS & the Container

5. SDLC Automation (DevOps)

Page 19: Automated Vuln Mgt

Build: • APIs & plug-ins • Third-party components • Vuln Mgt automation

Registry: • Automated scan of public/private registry

Host: • Compliance scanning • OS • CaaS

Runtime: • Audit logging • Event logging

SHIFT LEFT

Image adapted from Qualys materials

Page 20: Attack Surface

Image by: Phil Estes, Container Security, Everything You Probably Should Know, Docker London 2016

Page 21: Sec/Vuln Injection Points

https://www.rsaconference.com/writable/files/About/security_analysis_of_docker.pdf

Page 22: (image-only slide)

https://www.qualys.com/apps/container-security/

Page 23: Container Security Lifecycle Management & Compliance Summary

Lifecycle phases (columns of the figure): Develop / Build, Test / Modify, Release / Production

Controls placed across the lifecycle (labels recovered from the figure):

Use Trusted Images

Sign & Verify Images

Reduce Attack Surface

Privileged Access & Auth Mgt

Ongoing SecOps

Advanced Security Controls

Vulnerability Management

Third Party Components Mgt (SCA)

Network Segmentation

User Authentication

Vulnerability Scanning

Harden the OS

Adapted from: Ten Basic Steps To Secure Software Containers, Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti, April 14, 2017

Page 24: Thank you

Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.

T: 1300 922 923

T: +61 (0) 2 9290 4444

F: +61 (0) 2 9290 4455

[email protected]

www.senseofsecurity.com.au