DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensitive environment
Transcript of DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensitive environment
Docker and PCI-DSS – Lessons learned in a security sensitive environment
Dr. Udo Seidel, Chief Architect & Digital Evangelist
Agenda
● Introduction
  – About Udo
  – About Amadeus
● Behind the scenes
  – The overall trigger
  – Here comes docker
  – Framework details
● PCI-DSS
  – 2.2.2
  – 5.2
  – 8.1.3
  – 10.2.2
● Lessons Learned
  – SecOps
  – Security Architect
  – KISS
  – ...
Introduction: About Udo and Amadeus
About me :-)
● Teacher of mathematics and physics
● PhD in experimental physics
● Started with Linux in 1996
● With Amadeus since 2006
● Before:
  – Linux/UNIX trainer
  – Solution Engineer in HPC and CAx environment
● Now: Architecture & Technical Governance aka CTO
Behind the scenes: More details about our Docker journey
The overall trigger
● Customer project
  – New customer
  – New requirements
  – New chances and challenges
● Changes on Amadeus side
  – Personnel changes
  – Digitalization
  – Externally driven
Here comes docker
● Huge topic at Red Hat Summit: April 2014
● Internal discussions
  – 'Native' joint interest of OPS and DEV
  – DEV & OPS Architects: April 2014
  – Introduction to project architecture: Summer 2014
● Why?
  – The 'usual suspects'
  – Solution of traditional OPS-DEV challenge
    ● Application patch management
    ● Administrative access
Framework details
● Technical
  – Openstack as IaaS
    ● 3 installations
    ● VMware based
  – Management
    ● Orchestration via Openshift
    ● Teaming up with Red Hat
● Security
  – Internal
    ● Corporate Office
    ● Global Operations Office
    ● SOC
    ● Community
  – External
    ● PCI-DSS
    ● SSAE-16
    ● ISO 27001
PCI-DSS
● Payment Card Industry – Data Security Standard
● VISA, MasterCard, American Express, …
● Administration via Council
● 6 Control objectives
  – Build and maintain secure network
  – Protect cardholder data
  – Maintain a vulnerability management program
  – Implement strong access control measures
  – Regularly monitor and test networks
  – Maintain an information security policy
● Current version: 3.1 (115 pages)
Some of the hiccups
The hypervisor is insecure!
Physical separation rules!
Who is responsible for firewall policies?
Who is responsible for network topology?
PCI-DSS: Some case studies
Before you start
Don't overcomplicate things.
Re-use what is already there.
It might be easier than you think.
Requirement 2.2.2
Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Similar to outside
  – Review of Dockerfile and software source
● Overall
  – Even better due to separation of software, processes, ..
Requirement 2.2.2 - Amadeus
Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
● See previous slide :-)
● Grouping of Containers
  – Openshift Pods
  – Smallest Deployable Unit
  – Application Unit (Component)
Requirement 5.2
Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7.
● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Similar to outside
  – Review of Dockerfile and software source
● Overall
  – No real change to world without Docker
Requirement 5.2 - Amadeus
Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7.
● See previous slide :-)
● Scanning discussion
  – Scan engine towards Container - internal
  – Container towards Scan engine - external
Requirement 8.1.3
Immediately revoke access for any terminated users.
● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Avoid personal users
  – Review of Dockerfile and software source
● Overall
  – Even better due to separation of software, processes, ..
  – Big Plus: 'Hands-off'
Requirement 8.1.3 - Amadeus
Immediately revoke access for any terminated users.
● See previous slides :-)
● Jump server for access
  – Personal users via directory service
  – Only place with personal users
● Application users
  – Container and Host level
  – Special treatment ... anyway
  – Shell to be removed (soon)
Requirement 10.2.2
Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Similar to outside
  – Review of Dockerfile and software source
● Overall
  – Even better due to separation of software, processes, ..
  – Big Plus: 'Hands-off'
Requirement 10.2.2 - Amadeus
Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
● See … (you should be able to complete it yourself)
● Jump server only for these activities
  – Questions similar to scanning
  – Access secured via SSH keys
Amadeus Big Picture
Amadeus PCI-DSS (8.1.3/10.2.2)
Amadeus PCI-DSS (2.2.2/5.2)
Additional Amadeus inside
● Patching via re-creation
● Self-built Docker registry
● Definitive Media Library
  – Source of truth
  – Connection to Software Factory
● Different security/network zones
  – External separation via Loadbalancer
  – Internal via Openshift placement rules
● Encryption for data
  – in flight (SSH, TLS)
  – at rest (HSM)
Lessons learned: The information you came here for
General advice
Don't overcomplicate things.
Re-use what is already there.
People before technology!
Security Architect
● Dedicated role/responsibility
● Technical and soft skills
● Sufficient standing
  – Internally
  – Externally
Early involvement
● Business goal
● Win-win situation
● Give and take
Common language
● Internal education
● External consultancy
  – Vendors
  – Customers
● Re-use existing dictionaries
SecOps
● Member of DevOps team
● Remember: Security Champions for OPS
● Communication link to security organization
KISS
● Helicopter view for solution finding
● Always different solutions available
Team up
● Internally
  – DevOps and security organisation
  – DevOps and line organisation
● Externally
  – Vendors
  – Community
  – Partners
Added value
Mobility
Abstraction/Separation
Ease of use
Summary: 30+ slides condensed in one … or two
Take-Away
● Don't underestimate non-technical side
● Don't forget what you already have
● 'Walk&talk' a lot
Outlook
● Journey to be continued
● 'Porting' of other Amadeus applications
● Domino effect
“Fortune favors the prepared mind.”
—Louis Pasteur
Thank you!
Dr. Udo Seidel
@[email protected]