best practices to secure application containers and ... · shared operating system. •application...
TRANSCRIPT
© c2labs.com
Anil KarmelCo-Founder and CEO, C2 LabsCo-Chair, NIST Cloud Security Working Group
Best Practices to Secure Application Containers and Microservices
© c2labs.com
Federal Agency ChallengesModernizing IT
• Agility– Agencies are struggling to deliver more in a fiscally and
resource constrained environment
• Flexibility– Existing IT investments are typically problematic to
reconfigure or scale to meet new application demands
• Transparancy– Difficult to quantify the cost of optimizing legacy
infrastructure to support new applications
© c2labs.com
Context Aware ITData Centric Approach
• Understand your Data– Identify and understand the value of the data in your
organization
• Decompose Your Data– Break down applications and data into building blocks
• Monitor Your Data– Understand Risk to your Data
– Employ Continuous Monitoring of your Systems to identify and limit the damage an adversary has to your data
© c2labs.com
Emerging Technologies and TrendsMicroservices and Containers
• Microservices– Decompose Complex Applications into Small, Independent
Processes communicating with each other using language-agnostic API’s
– Highly Decoupled and Modular with services organized around capabilities (e.g. User Interface, Billing)
– Allows for Continuous Integration
• Containers– Much like Virtualization abstracts the Operating System from
Hardware, Containers abstracts to Applications from the Operating System
– Applications are isolated from other Applications on the same Operating System
– Allows for Cloud Portability and Scale Up/Out
– Security issues need to be evaluated and addressed in native container deployments
© c2labs.com
Container and Microservices DefinitionNIST SP800-180 (DRAFT)
Slide 4
http://csrc.nist.gov/publications/drafts/800-180/sp800-180_draft.pdf
© c2labs.com
Definition of MicroservicesNIST SP800-180
• Microservices: A microservice is a basic element that results from the architectural decomposition of an application’s components into loosely coupled patterns consisting of self-contained services that communicate with each other using a standard communications protocol and a set of well-defined APIs, independent of any vendor, product or technology.
• Microservices are built around capabilities as opposed to services, builds on SOA and is implemented using Agile techniques. Microservices are typically deployed inside Application Containers.
Slide 5
© c2labs.com
Definition of Application ContainersNIST SP800-180 (DRAFT)
• Application Containers: An Application Container is a construct designed to package and run an application or its’ components running on a shared Operating System.
• Application Containers are isolated from other Application Containers and share the resources of the underlying Operating System, allowing for efficient restart, scale-up or scale-out of applications across clouds. Application Containers typically contain Microservices.
© c2labs.com
Emerging Technologies and TrendsVirtual Machines vs Containers
• Define your Trust Boundary
• Security and Privacy– Behavioral Segmentation
– National Privacy Standard
• Management– Control Plane Standard
Source: NIST SP800-180 (DRAFT)
© c2labs.com
Microservices and Containers Use CasesGoogle
• “EVERYTHING at Google runs in a container”– Starts over 2 Billion Containers per week as of
2014
• http://www.theregister.co.uk/2014/05/23/google_containerization_two_billion/
© c2labs.com
Microservices and Containers Use CasesNetFlix
• Best Practices for Designing a Microservices Architecture– Create a Separate Data Store for Each
Microservice
– Keep Code at a Similar Level of Maturity
– Do a Separate Build for Each Microservice
– Deploy in Containers
– Treat Servers as Stateless
• https://www.nginx.com/blog/microservices-at-netflix-architectural-best-practices/
© c2labs.com
Container SecurityChallenges
• Increased Attack Surface– Containers are far more complex than VM’s wherein a single Application
can consist of 1000’s of microservices
– Underlying Linux Operating System complexities can be exploited by attackers to compromise all containers on a host OS
– Runtime Compromise / Vulnerabilities / Misconfiguration
• Secure Software Development– Containers can have code pushed to them from untrusted sources
• Log Management– Big Data Problem: How do you view and manage logs across 1000’s of
containers
• Orchestration– Infrastructure now runs as code (Puppet/Chef/Ansible)
– Software developers, not infrastructure staff now run the data center
© c2labs.com
Container SecurityChallenges
• File System Compromise– Microservices in the Application Container could be
compromised by an attacker
• Networking– A compromised container could result in lateral movement
• Run Time Compromise / Privilege Escalation– An attacker could modify a microservice in an Application
Container which compromises the application or container itself
© c2labs.com
Container SecuritySolutions
• Increased Attack Surface– Employ MicroVM’s (Just Enough VM)
– Monitor Containers at Runtime / Real-time scan for Vulnerabilities and Misconfiguration and Remediate
• Secure Software Development– Whitelist/Blacklist Containers
– Establish a secure container registry
– Sign containers and code (MD5)
• Log Management– Centralize container logs including developer actions
• Orchestration– Employ orchestration platform to manage containers across
environments (DEV,TEST,QA,PROD) and across clouds
© c2labs.com
Container SecuritySolutions
• File System Compromise– Ensure file system is read only
– Treat infrastructure as stateless
• Networking– Ensure application containers can only talk to other approved
application containers
• Run Time Compromise / Privilege Escalation– Set filter on Linux Kernel to prevent privilege escalation and
implement white lists
– Anomaly detection based on a deviation from a known baseline to prevent remote code execution
© c2labs.com
Microservices SecurityChallenges and Solutions
• Decomposition of Applications– Need to decompose applications into microservices
correctly so they only do one thing well, driving development of secure code
– Monolithic code with a 1,000 DLL's needs to be decomposed into 1,000 microservices which makes it more secure and maintainable
• Interface-driven development– Need to have well defined REST API’s to ensure
microservices talk consistently to each other
© c2labs.com
NIST and CSA PartnershipBest Practices for Application Containers and Microservices
• NIST and CSA have joined forces to define best practices for Application Containers and Microservices (ACM)– CSA ACM Members have joined the NIST ACM Cloud
Security Working Group
– NIST artifacts will serve as the foundation for CSA ACM work– NIST SP 800-180: NIST Definition of Microservices,
Application Containers and System Virtual Machines
– Additional artifacts from NIST ACM Working Group
© c2labs.com
NIST Application Container and Microservices (ACM) Charter
• NIST ACM Working Group Charter: http://collaborate.nist.gov/twiki-
cloud-
computing/bin/view/CloudComputing/ApplicationContainersAndMicro
services
• Objectives
– Aggregate and document application containers and microservices use
cases;
– Research and document the challenges of implementing and managing
application containers and microservices
– Identify process-based and end-product based threats to container
deployment and container stacks respectively;
– Provide security recommendations for adopting state of the art practices
for mitigating the identified threats.
© c2labs.com
NIST Application Container and Microservices (ACM) Charter
• NIST ACM Working Group Charter: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/ApplicationContainersAndMicroservices
• Deliverables– Document the challenges of implementing and managing
application containers, with a particular focus on deployment and run-time security threats to application containers and microservices
– Document the security recommendations for mitigating identified deployment and run-time security threats to application containers and microservices
© c2labs.com
NIST Application Container and Microservices (ACM) Progress to Date
• NIST Progress to Date– Documented Challenges per a Use Case Template
– Created Methodology to Score Challenges
– Identified Best Practices to secure Application
Containers and Microservices
• NIST Path Forward– Complete internal review and publish documents for
public comment
© c2labs.com
NIST IR: ACM Challenges
© c2labs.com
NIST IR: ACM Challenges
© c2labs.com
NIST IR: ACM Challenges
© c2labs.com
NIST SP: ACM Best Practices
© c2labs.com
NIST SP: ACM Best Practices
© c2labs.com
NIST SP: ACM Best Practices
© c2labs.com
CSA Application Container and Microservices (ACM) Charter
• CSA ACM Working Group Charter:
• https://docs.google.com/document/d/1k_82U2BFgvA9j06MaI96VZAoMIYFm
Ag8HoAFA2GEA1Y/edit
• Objectives – Q3 2017
– Create an Application Container Implementation Guidance document that
includes:
– Overview of the Application Container threat landscape
– Unique security issues/concerns introduced by Application Containers
– Application Container host hardening and security recommendations
– Application Container hardening and security recommendations
– Security considerations for application containers in a DevOps environment
– Define Microservices secure development standards and governance
© c2labs.com
CSA Application Container and Microservices (ACM) Charter
• CSA ACM Working Group Charter:
• https://docs.google.com/document/d/1k_82U2BFgvA9j06MaI96VZAoMIYFm
Ag8HoAFA2GEA1Y/edit
• Objectives – Q4 2017
– Create a Microservices Implementation Guidance document that
includes:
– Best Practices for implementing a Microservices Architecture for
Cloud-native applications
– Best Practices for decomposing monolithic applications into
Microservices
© c2labs.com
NIST and CSA ACM Working GroupCall for Volunteers
• Email us and we’ll get you connected.– Anil Karmel, Co-Chair, NIST Cloud Security Working
Group, Co-Founder and CEO, C2 Labs– [email protected]
– Andrew Wild, CISO, QTS Data Centers– [email protected]