Cloud Native Computing Foundation / Cloud Native Security Day North America 2020

These are all the meetings we have in "Cloud Native Securit…" (part of the organization "Cloud Native Computi…"). Click into individual meeting pages to watch the recording and search or read the transcript.

7 Dec 2020

Enabling Autonomous Teams With Policy Enforcement at Yubico - James Alseth & John Reese, Yubico

In this talk, we will discuss the tools and processes created by Yubico to enable autonomous teams through policy. Initially, Kubernetes RBAC and peer reviews from our Platform team allowed teams to adopt Kubernetes for their services. However, we knew that a dependency on a single team was not a scalable solution. To give teams more autonomy over their services, and rely less on manual reviews, we began to enforce policies in our pipelines and clusters by leveraging the Open Policy Agent. The Open Policy Agent and its surrounding projects were the perfect fit for us; they are open source, flexible, performant, and have seen widespread adoption throughout the ecosystem. We'll also discuss the tooling we built to test policies, automatically generate supporting documentation, and audit how each policy is used, so that policies can be safely promoted through our environments. Best of all? They are all open source!
  • 2 participants
  • 38 minutes
kubernetes
yubikeys
policies
yubico
authentication
initiative
autonomous
security
troubleshooting
deployments
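As an added example, not material from the talk or from Yubico's tooling, here is what the pattern the abstract describes looks like in OPA's Rego: a small admission policy for Kubernetes clusters, plus a unit-test file for it of the kind a pipeline runs with `opa test` before a policy is promoted to the next environment. The input is assumed to be the AdmissionReview request a validating webhook backed by OPA receives from the API server (Gatekeeper wraps the object differently); the rules, field selection and registry name are assumptions for illustration.

```rego
# pod_security.rego: admission policy with two rules. `input` is assumed to be
# the AdmissionReview request the API server sends to an OPA-backed validating
# webhook; only the fields used below are relied on.
package kubernetes.admission

import rego.v1

# Registries that images may be pulled from (hypothetical name).
allowed_registries := {"registry.example.internal"}

# Rule 1: every container must opt in to running as a non-root user.
# A missing securityContext is treated the same as runAsNonRoot: false.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	not container.securityContext.runAsNonRoot
	msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [container.name])
}

# Rule 2: every container image must come from an approved registry.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	not registry_allowed(container.image)
	msg := sprintf("container %q uses image %q, which is not from an approved registry", [container.name, container.image])
}

registry_allowed(image) if {
	some registry in allowed_registries
	startswith(image, concat("", [registry, "/"]))
}

# ---------------------------------------------------------------------------
# pod_security_test.rego: unit tests, run with `opa test .` in the pipeline.
# Same package as the policy so the tests see `deny` directly.
package kubernetes.admission

import rego.v1

# Constructed, minimal AdmissionReview for a Pod with the given containers.
pod_review(containers) := {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {"containers": containers}}}}

test_root_container_is_denied if {
	review := pod_review([{"name": "app", "image": "registry.example.internal/app:1.0"}])
	count(deny) == 1 with input as review
}

test_unapproved_registry_is_denied if {
	review := pod_review([{"name": "app", "image": "docker.io/library/nginx:1.19", "securityContext": {"runAsNonRoot": true}}])
	count(deny) == 1 with input as review
}

test_compliant_pod_is_allowed if {
	review := pod_review([{"name": "app", "image": "registry.example.internal/app:1.0", "securityContext": {"runAsNonRoot": true}}])
	count(deny) == 0 with input as review
}

test_other_kinds_are_ignored if {
	count(deny) == 0 with input as {"request": {"kind": {"kind": "Service"}, "object": {}}}
}
```

The two files live side by side in a policy repository; `opa test .` runs the `test_` rules, and the same `deny` set is what the admission webhook returns as the rejection message, so a rule cannot reach a cluster without its tests having passed in the pipeline first.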

4 Dec 2020

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

A Tale of a Meshi Kafka: Securing Kafka Deployment When Istio Is Used - Ariel Shuper, Portshift & Nikolas Mousouros, Marlow Navigation

Kafka is a commonly used message broker for microservices' real-time data feeds. A standard setup allows any microservice to read or write any message to/from any topic. The need for security typically starts when multiple applications use the same Kafka broker in a cluster, or when confidential information is shared in the Kafka topics. Common security practices are authenticating subscribers and publishers, authorization policies for access control, and data encryption. When Istio is used with microservices that access Kafka topics, the Envoy proxies are expected to offload these security elements. However, creating sustainable and consistent authorization policies when Istio is deployed isn't feasible, and tracking the microservices by their IPs isn't feasible either, because they are constantly replaced. The session will present how to build an external authorization mechanism and simplify policy management for Kafka topics by using open source tools like OPA and others.
  • 2 participants
  • 38 minutes
meshi
cisco
protocol
port
microservices
kafka
vp
security
kubernetes
portshift
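As an added example, not code from the talk or from Portshift, here is the identity-based authorization the abstract argues for, written as a Rego policy that an OPA-backed Kafka authorizer plugin would query for every request. The input field names (action.operation, action.resourcePattern.resourceType and .name, requestContext.principal.name) are assumed to follow the open source OPA Kafka authorizer plugin; verify them against the plugin version you deploy. Principal names, topics and consumer groups are invented.

```rego
# kafka_authz.rego: topic authorization keyed on the caller's identity.
package kafka.authz

import rego.v1

# Deny by default: anything not explicitly granted below is refused.
default allow := false

# Grants are keyed on the principal Kafka derives from the client's certificate
# (or SASL login), never on input.requestContext.clientAddress: a pod's IP
# changes every time it is rescheduled, its identity does not. In production
# this table would be served from `data` via a bundle rather than hard-coded.
grants := [
	{"principal": "orders-api", "topic": "orders", "operations": {"WRITE", "DESCRIBE"}},
	{"principal": "invoicer", "topic": "orders", "operations": {"READ", "DESCRIBE"}},
	{"principal": "invoicer", "topic": "invoices", "operations": {"WRITE", "DESCRIBE"}}
]

principal := input.requestContext.principal.name

# Topic operations: allowed only if a grant for this principal and this topic
# lists the requested operation.
allow if {
	input.action.resourcePattern.resourceType == "TOPIC"
	some grant in grants
	grant.principal == principal
	grant.topic == input.action.resourcePattern.name
	input.action.operation in grant.operations
}

# Consumers additionally need READ on their consumer GROUP. A principal that may
# read at least one topic may read a group named after itself, so one service
# cannot join another service's group and consume against its offsets.
allow if {
	input.action.resourcePattern.resourceType == "GROUP"
	input.action.operation == "READ"
	startswith(input.action.resourcePattern.name, concat("", [principal, "-"]))
	some grant in grants
	grant.principal == principal
	"READ" in grant.operations
}

# ---------------------------------------------------------------------------
# kafka_authz_test.rego: run with `opa test .`
package kafka.authz

import rego.v1

# Constructed request in the assumed plugin input shape. The client address is
# the same in every test to show that it plays no part in the decision.
request(principal, resource_type, name, operation) := {
	"requestContext": {"principal": {"principalType": "User", "name": principal}, "clientAddress": "10.42.0.17"},
	"action": {"operation": operation, "resourcePattern": {"resourceType": resource_type, "name": name, "patternType": "LITERAL"}}
}

test_producer_may_write_its_topic if {
	req := request("orders-api", "TOPIC", "orders", "WRITE")
	allow with input as req
}

test_producer_may_not_read_its_topic if {
	req := request("orders-api", "TOPIC", "orders", "READ")
	not allow with input as req
}

test_consumer_may_read_topic_and_own_group if {
	topic_req := request("invoicer", "TOPIC", "orders", "READ")
	group_req := request("invoicer", "GROUP", "invoicer-workers", "READ")
	allow with input as topic_req
	allow with input as group_req
}

test_consumer_may_not_join_another_services_group if {
	req := request("invoicer", "GROUP", "orders-api-workers", "READ")
	not allow with input as req
}

test_unknown_identity_is_denied_regardless_of_address if {
	req := request("scratch-pod", "TOPIC", "orders", "WRITE")
	not allow with input as req
}
```

Because decisions depend only on the principal presented by the connection, rescheduling a pod onto a new IP changes nothing, and adding a service to the cluster is a one-line change to the grants table rather than a new per-IP rule.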

4 Dec 2020

Building Effective Attack Detection in the Cloud - Alfie Champion & Nick Jones, F-Secure Consulting

The cloud has significantly altered the nature of attack detection, and many of the common data sources and attacker TTPs that security teams have been looking for on-premises have changed or are no longer relevant. A lack of public threat intelligence has hindered development of industry knowledge bases, such as the MITRE ATT&CK framework, and the nature of many cloud-native attacker TTPs makes it challenging to separate the malicious from the benign. Based on first-hand experience attacking and defending large enterprises, this talk will share what Alfie and Nick have learned about detecting attacks against cloud-native environments. They will cover how the cloud has changed the detection landscape, the key data sources to leverage, and how to plan and prioritise your cloud detection use cases. They'll also discuss how to validate your detection, including a demonstration of Leonidas, an open source framework for automatically validating detection capability in the cloud.
  • 2 participants
  • 30 minutes
cloudwatch
security
attacks
detections
exploit
hijacking
services
provisioning
upgraded
crypto

4 Dec 2020

Capture the Flag Wrap Up & Summary, Andrew Martin, Control Plane & Magno Logan, Trend Micro
  • 3 participants
  • 44 minutes
compromised
captured
hacking
today
scenario
stuff
defenses
taking
flags
shakedown

4 Dec 2020

Cartography: using graphs to improve and scale security decision-making - Alex Chantavy, Lyft & Marco Lancini, Thought Machine

This talk highlights using Cartography (https://github.com/lyft/cartography) to improve and scale security decision-making in cloud-native environments. Attendees of this session will be introduced to the platform and shown a broad set of compelling scenarios including understanding complex permissions relationships, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk regardless of the platforms they use. Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database. The presenters hope that sharing their approaches to these problems will help you better understand, categorize, and secure all the assets deployed in your cloud-native organization. They are thrilled to be growing the Cartography community in its first couple of years as an open source project and look forward to hearing your feedback!
  • 2 participants
  • 29 minutes
cloudtrail
cartography
proprietary
security
access
infosec
gcp
infrastructure
intuitive
intel

4 Dec 2020

Cloud Security and how to leverage the shared responsibility model to your advantage - Eshrak Assaf & David Lebutsch, IBM

Adopting cloud computing models can be a blessing or a curse. When done with security and compliance in mind, it can save you lots of time, effort and operational costs. When done without regard to security and compliance, it can expose your company to financial and reputational risks. In this session, we will talk about some basic security and compliance concepts that developers need to know before they consider adopting cloud computing models. We will talk about how to leverage the cloud shared responsibility model to your advantage, and why cloud security and compliance are not optional.
  • 2 participants
  • 9 minutes
outsource
gdpr
responsibilities
security
services
stakeholders
provider
cloud
regulation
controller

4 Dec 2020

Designing Secure Applications in the Cloud - Adora Nwodo, Microsoft

When building cloud applications, we should always bear in mind that our services are exposed on the Internet, can be accessed by anyone, and may have untrusted users. Because of this, we need to be proactive and aware of these possible security threats so that we can design our cloud applications to handle them properly. Apart from preventing malicious attacks, cloud applications must also be designed to protect sensitive data and to grant access to certain resources only to authorized users. In this session, I will be talking about 3 security patterns that can be used to prevent malicious or accidental actions outside of the application's designed usage, and to prevent disclosure or loss of information when building for the cloud.
  • 1 participant
  • 27 minutes
security
protection
cloud
threats
provider
mitigations
risky
unauthorized
disadvantages
vulnerabilities

4 Dec 2020

Dynamic Image Scanning Through System Tracing - Itay Shakury, Aqua Security

As security practices and tools for application scanning are becoming increasingly popular, malicious actors are introducing sophisticated techniques to obfuscate their intent and evade those scanning tools. The malware they create cannot be detected using static analysis or signatures, but dynamic analysis that runs the application and observes its activity can trace the entire chain of events and help you detect those threats. In this talk we introduce Dynamic scanning and discuss how it relates to two other security approaches: Static scanning and Runtime security. We will then show how operating system tracing is key to implementing dynamic scanning as we explore common behavioral patterns of malware, and discuss how these threats can be uncovered using open source tools.
  • 1 participant
  • 37 minutes
scanning
scans
trivy
malware
container
toolbox
technologies
interception
vulnerability

4 Dec 2020

Event Wrap Up - Andrew Martin, Emily Fox, Brandon Lum, Jeyappragash Jeyakeerthi
  • 3 participants
  • 33 minutes
security
cloudnativecon
discussions
concern
confidential
service
chats
participating
ahead
flags

4 Dec 2020

Exit Stage Left: Replacing Theater with Chaos - Kelly Shortridge, Capsule8

Kelly will explore how security theater leads to increased organizational friction, especially in the realm of software delivery, rather than promoting safety. She'll contrast these dramatics with a security chaos engineering approach – one which embraces the importance of convenience, alignment with organizational goals, and the wisdom derived from failure.
  • 1 participant
  • 21 minutes
security
infosec
concerns
strategic
threat
safety
drama
vulnerability
theaters
calmly

4 Dec 2020

Hardware Backed Security For Multitenancy at the Edge with SPIFFE & PARSEC - Paul Howard, Arm & Andres Vega, VMware

Three powerful CNCF projects come together in this session, which focuses on how cloud-native workloads can access the best hardware security facilities of any platform in a way that is portable, convenient to consume, and which scales to multiple workloads. SPIFFE, the Secure Production Identity Framework for Everyone, alongside its production-grade implementation project SPIRE, are both now incubation projects within CNCF. Parsec (CNCF sandbox) is the Platform Abstraction for Security: a simple and portable way to access platform facilities for key management and cryptography on any hardware in any programming language. But Parsec is so much more than just an API shim. It also provides key management and access control based on the identities of workloads, keeping their secure assets separate. This session will show how Parsec can be combined with SPIFFE and SPIRE to provide a key management service based on attested workload identities,
  • 2 participants
  • 13 minutes
security
secure
parsec
cryptography
software
platform
certificates
spiffe
keystore
cloud

4 Dec 2020

Welcome and Introductions - Emily Fox, National Security Agency
  • 1 participant
  • 6 minutes
cnsecurityday
security
sig
secure
protecting
special
cloud
confidential
community
oversight

4 Dec 2020

Why OpenID Connect is More Secure than Certificates - Marc Boorshtein, Tremolo Security, Inc.

Most users' first experience accessing a cluster usually involves a certificate. It's one of the most secure ways to authenticate a user, when done properly. It's not nearly as secure as OpenID Connect for your clusters. In this session you will learn why certificate authentication is a bad idea for your users accessing your clusters and why you should be using OpenID Connect. In addition to showing why OpenID Connect is the more secure method for accessing your clusters, the session will detail the OpenID Connect threat model and how to mitigate it. The session will also contrast this model with certificates and show how it's nearly impossible to create an authentication system with certificates as secure as one protected with OpenID Connect. There will also be a chance for those attending to try to take over an OpenID Connect protected cluster!
  • 1 participant
  • 10 minutes
secure
certificates
certificate
trusted
authentication
security
authenticated
cryptographic
keystore
openid