Implementing Secure Docker Environments At Scale by Ben Bernstein, Twistlock
Transcript of Implementing Secure Docker Environments At Scale by Ben Bernstein, Twistlock
Agenda
Implementing Secure Docker Environments At Scale: Architectural guidance for the security architect
• Roles & Responsibilities
• Conceptual Design
• Common Pitfalls
Roles and Responsibilities
• Security Team
  - Design the secure continuum
  - Compliance
  - Micro-service aware active threat protection
  - Synergy with developers
• Dev Team
  - Vulnerabilities/patching, infrastructure, identities/access
  - Fix
  - Proactively consider security
• DevOps Team
  - Implementation
  - Daily security operations
Today (architectural diagram)
Phases: Development & Staging | Production | Maintenance
Security layers: Network | Identity | Platform/Host
• Security Operation Team: Offline Guidance, Set Policy, Handle Notifications
• "IT" Operation Team: Offline Communications, Offline Review, Set Policy, Handle Notifications (across Network, Identity and Platform/Host)
• Development Team: Development & Staging
• MS, MS: micro-service instances in Production
Architectural Diagram (target state, built up over the following slides)
Phases: Development | Staging | Production | Maintenance
Security layers: Network | Identity | Platform/Host
Teams: Security Operation Team (Set Policy, Handle Notifications); Dev/DevOps Team; Dev/DevOps/IT Team; "IT" Operation Team; MS, MS: micro-service instances in Production
Network layer
  Development & Staging: Isolation
  Production: Micro-Segmentation, E-W FWs, IPS/IDS, Deception, 1st / Next Gen Firewall; Delivery Aware Network Restrictions, Delivery Aware Anomaly Detection, Delivery Aware Deception
Identity layer
  Development: Pre-Checkin Review, Code Analysis
  Production: User Behavior Analytics
Platform/Host layer
  Production: Host Configuration Compliance, Traffic Encryption, Data Encryption
Staging gates
  Milestone Review: Review Setup Scripts, Security Testing, App Compliance; Communicate Infra Requirements to IT
  Fuzzing, Sandboxing
  Delivery Review: CVE checks, Signing, Base Image, Other Metadata (Ports, Volumes, Devices, Processes); Delivery Aware Pen-Tests
Maintenance
  Updates, Security Alerts / Patches
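The Delivery Review gate in the diagram (CVE checks, signing, base image, ports, volumes, devices) and the "adjust per micro-service" compliance advice from the pitfalls slide fit naturally into one check that runs in CI/CD before an image is promoted. The Python below is an added example written for this page, not Twistlock's product code or anything shown in the talk: it evaluates a constructed delivery record against a hypothetical policy schema (ORG_POLICY, SERVICE_OVERRIDES, the signed flag, the host_mounts/devices fields and the FINDING-* ids are all made up for the example); the only real identifier is the OCI base-image annotation name.

```python
"""Delivery review gate for CI/CD: check an image's delivery metadata (base
image, signature, fixable findings, ports, volumes, devices, user) against an
org policy with per-micro-service overrides.  Added illustration, not
Twistlock's code; the policy schema and all records below are constructed."""
import copy

BASE_LABEL = "org.opencontainers.image.base.name"  # OCI annotation naming the base image
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Org-wide baseline (hypothetical schema).
ORG_POLICY = {
    "allowed_base_images": {"docker.io/library/alpine", "docker.io/library/debian"},
    "require_signature": True,
    "block_fixable_at_or_above": "high",  # a finding with a fix at this severity or worse blocks
    "allowed_ports": {"8080/tcp"},
    "forbidden_mounts": ("/var/run/docker.sock", "/etc", "/proc", "/sys"),
    "allow_devices": False,
    "allow_root_user": False,
}

# Pitfall 1 from the deck: do not loosen the org baseline for everyone because
# one service needs an exception; override per micro-service instead.
SERVICE_OVERRIDES = {
    "ingress-gateway": {"allowed_ports": {"80/tcp", "443/tcp"}},
}


def effective_policy(service):
    """Org baseline with the service's own overrides merged on top."""
    policy = copy.deepcopy(ORG_POLICY)
    policy.update(SERVICE_OVERRIDES.get(service, {}))
    return policy


def base_image_name(ref):
    """Strip tag and digest: 'docker.io/library/alpine:3.18' -> 'docker.io/library/alpine'."""
    ref = ref.split("@", 1)[0]                 # drop @sha256:... digest
    head, _, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]               # drop :tag only after the last slash,
    return f"{head}/{tail}" if head else tail  # so a registry port (host:5000/app) survives


def under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def review(service, record, findings):
    """Return the policy violations for one delivery; an empty list means promote."""
    p = effective_policy(service)
    cfg = record["config"]
    violations = []

    base = base_image_name(cfg.get("Labels", {}).get(BASE_LABEL, ""))
    if base not in p["allowed_base_images"]:
        violations.append(f"base image {base or '<unknown>'} not in allowed set")

    if p["require_signature"] and not record.get("signed"):
        violations.append("image is not signed")

    threshold = SEVERITY_RANK[p["block_fixable_at_or_above"]]
    for f in findings:  # findings without a fix are reported but do not block promotion
        if f["fix_version"] and SEVERITY_RANK[f["severity"]] >= threshold:
            violations.append(f"{f['id']} ({f['severity']}) has a fix in {f['fix_version']}")

    for port in cfg.get("ExposedPorts", {}):
        if port not in p["allowed_ports"]:
            violations.append(f"exposes unapproved port {port}")

    for mount in list(cfg.get("Volumes", {})) + record.get("host_mounts", []):
        if any(under(mount, bad) for bad in p["forbidden_mounts"]):
            violations.append(f"mounts sensitive path {mount}")

    if record.get("devices") and not p["allow_devices"]:
        violations.append("requests host devices " + ", ".join(record["devices"]))

    user = cfg.get("User", "").split(":")[0]
    if not p["allow_root_user"] and user in ("", "0", "root"):
        violations.append("runs as root (no non-root USER)")

    return violations


# Constructed delivery records: image config fields plus the deployment's host
# mounts and devices, and a constructed scanner report with placeholder ids.
PAYMENTS = {
    "signed": True,
    "config": {"User": "10001:10001", "ExposedPorts": {"8080/tcp": {}}, "Volumes": {"/data": {}},
               "Labels": {BASE_LABEL: "docker.io/library/alpine:3.18"}},
    "host_mounts": [], "devices": [],
}
PAYMENTS_FINDINGS = [{"id": "FINDING-A", "severity": "high", "fix_version": None}]
INGRESS = {
    "signed": True,
    "config": {"User": "101", "ExposedPorts": {"443/tcp": {}}, "Volumes": {},
               "Labels": {BASE_LABEL: "docker.io/library/debian:12-slim"}},
    "host_mounts": [], "devices": [],
}
LEGACY_BATCH = {
    "signed": False,
    "config": {"User": "", "ExposedPorts": {"8080/tcp": {}, "22/tcp": {}}, "Volumes": {},
               "Labels": {BASE_LABEL: "docker.io/library/ubuntu:18.04"}},
    "host_mounts": ["/var/run/docker.sock"], "devices": ["/dev/mem"],
}
LEGACY_FINDINGS = [{"id": "FINDING-B", "severity": "critical", "fix_version": "2.4.1"},
                   {"id": "FINDING-C", "severity": "medium", "fix_version": "1.0.3"}]

if __name__ == "__main__":
    for name, rec, fnd in [("payments", PAYMENTS, PAYMENTS_FINDINGS),
                           ("ingress-gateway", INGRESS, []),
                           ("legacy-batch", LEGACY_BATCH, LEGACY_FINDINGS)]:
        v = review(name, rec, fnd)
        print(name, "BLOCK" if v else "PROMOTE", *[f"\n  - {x}" for x in v])
```

The same INGRESS record is blocked under the generic policy (443/tcp is not an approved port) but promoted under its own service override, which is the point of adjusting compliance per micro-service rather than per organisation.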
Three Common Pitfalls (Battle Tested)
• Compliance Policies
  - Adjust per micro-service
  - Adjust per R&D team / Org / Application Group
• Delivery hygiene
  - Pitfall: monitoring only in production
  - Instead: monitor early in CI/CD and in production
• Active Threat Protection
  - Pitfall: trusting your "application / next-gen firewall"
  - Instead: use "delivery aware" active threat protection
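The third pitfall contrasts a generic next-gen firewall, which has to infer what normal looks like, with "delivery aware" protection, where the runtime monitor already knows from the reviewed image which process, ports and writable paths a container should have. The Python below is an added example written for this page, not Twistlock's product code or anything from the talk: it derives a per-container baseline from constructed image configs (the com.example.allowed-processes label is invented for the example) and runs it over a constructed event stream; the exec/listen/write event shape is also an assumption about what a runtime sensor would deliver.

```python
"""Delivery-aware runtime anomaly detection: the processes, ports and writable
paths a container may use come from the image that passed delivery review, so
anything else observed at runtime is an alert.  Added illustration, not
Twistlock's code; image configs, events and the extra-processes label are
constructed for the example."""
from collections import namedtuple

Event = namedtuple("Event", "ts container kind detail")  # kind: exec | listen | write

EXTRA_PROCS_LABEL = "com.example.allowed-processes"  # hypothetical label set at build time
SCRATCH = ("/tmp", "/var/tmp")                       # writable even without a declared volume
LIVE_OFF_THE_LAND = {"sh", "bash", "dash", "ash", "curl", "wget", "nc", "python"}


def under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def baseline_from_image(config):
    """Expected runtime shape of a container, taken from its image config."""
    argv = list(config.get("Entrypoint") or []) + list(config.get("Cmd") or [])
    procs = {argv[0].rsplit("/", 1)[-1]} if argv else set()
    extra = config.get("Labels", {}).get(EXTRA_PROCS_LABEL, "")
    procs |= {p.strip() for p in extra.split(",") if p.strip()}
    ports = {int(p.split("/")[0]) for p in config.get("ExposedPorts", {})}
    writable = tuple(config.get("Volumes", {})) + SCRATCH
    return {"processes": procs, "ports": ports, "writable": writable}


def analyze(events, baselines):
    """Compare runtime events against each container's delivery baseline."""
    alerts = []
    for ev in events:
        b = baselines.get(ev.container)
        if b is None:  # nothing from delivery review describes this container at all
            alerts.append(dict(ts=ev.ts, container=ev.container, severity="high",
                               msg="container has no reviewed delivery record"))
            continue
        if ev.kind == "exec":
            exe = ev.detail.rsplit("/", 1)[-1]
            if exe not in b["processes"]:
                sev = "high" if exe in LIVE_OFF_THE_LAND else "medium"
                alerts.append(dict(ts=ev.ts, container=ev.container, severity=sev,
                                   msg=f"unexpected process {exe}"))
        elif ev.kind == "listen":
            port = int(ev.detail)
            if port not in b["ports"]:
                alerts.append(dict(ts=ev.ts, container=ev.container, severity="high",
                                   msg=f"listening on undeclared port {port}"))
        elif ev.kind == "write":
            if not any(under(ev.detail, p) for p in b["writable"]):
                alerts.append(dict(ts=ev.ts, container=ev.container, severity="high",
                                   msg=f"write outside declared volumes: {ev.detail}"))
    return alerts


# Constructed image configs (the fields an OCI/Docker image config carries).
IMAGES = {
    "payments": {"Entrypoint": ["/usr/local/bin/payments-api"], "Cmd": ["--port", "8080"],
                 "ExposedPorts": {"8080/tcp": {}}, "Volumes": {"/data": {}},
                 "Labels": {EXTRA_PROCS_LABEL: "healthcheck"}},
    "frontend": {"Cmd": ["nginx", "-g", "daemon off;"],
                 "ExposedPorts": {"80/tcp": {}}, "Volumes": {"/var/cache/nginx": {}}},
}
BASELINES = {name: baseline_from_image(cfg) for name, cfg in IMAGES.items()}

# Constructed runtime events: normal activity first, then a shell, a download
# tool, an overwrite of the service binary and a listener on an undeclared port
# in "payments", a container that never went through delivery review, and an
# unexpected but non-suspicious helper in "frontend".
EVENTS = [
    Event(1, "payments", "exec", "/usr/local/bin/payments-api"),
    Event(2, "payments", "listen", "8080"),
    Event(3, "payments", "write", "/data/ledger.db"),
    Event(4, "payments", "exec", "/usr/local/bin/healthcheck"),
    Event(5, "frontend", "exec", "/usr/sbin/nginx"),
    Event(6, "frontend", "listen", "80"),
    Event(7, "frontend", "write", "/var/cache/nginx/proxy/1"),
    Event(8, "payments", "exec", "/bin/sh"),
    Event(9, "payments", "exec", "/usr/bin/curl"),
    Event(10, "payments", "write", "/usr/local/bin/payments-api"),
    Event(11, "payments", "listen", "4444"),
    Event(12, "debug-shell", "exec", "/bin/bash"),
    Event(13, "frontend", "exec", "/usr/local/bin/backup-helper"),
]

if __name__ == "__main__":
    for a in analyze(EVENTS, BASELINES):
        print(f"t={a['ts']:>2} {a['container']:<12} {a['severity']:<6} {a['msg']}")
```

Nothing here needs a learning period or a signature: the baseline is a by-product of the delivery review, so a container that does not map to a reviewed image is itself the first alert, and a shell or download tool that was never part of the image is flagged on its first exec rather than after it has done something a firewall can see.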