From YouTube: Webinars: Encrypting data in Kubernetes deployments. Protect your data, not just your Secrets
Description
The DevSecOps migration has many steps and Secrets is a good start, but it only provides storage and management of sensitive information such as passwords, tokens and keys. What about the data? Data encryption is considered a fundamental security requirement in any enterprise deployment, but the legacy method of implementing an encryption solution breaks down in Kubernetes environments. We’ll discuss why granular data-at-rest encryption integrated into a Kubernetes storage layer is the best strategy to address security vulnerabilities unique to Kubernetes deployments.
Presenter: Maksim Yankovskiy, VP of Engineering @Zettaset
Kristy Chan (moderator): I'd like to thank everyone who is joining us today. Welcome to CNCF, or welcome to the CNCF webinar, Encrypting data in Kubernetes deployments: protect your data, not just your Secrets. I'm Kristy Chan, marketing communication manager at CNCF, and I'll be moderating today's webinar. We would like to welcome our presenter today, Maksim Yankovskiy, VP of Engineering at Zettaset. A few housekeeping items before we get started: during the webinar you are not able to talk as an attendee. There is a Q&A box at the bottom of your screen. Please feel free to drop your questions in there and we'll get to as many as we can at the end. This is an official webinar of the CNCF and as such is subject to the CNCF code of conduct. Please do not add anything to the chat or questions that would be in violation of that code of conduct. Basically, please be respectful to all of your fellow participants and presenters. With that I'll hand it over to Maksim to kick off today's presentation. Take it away.
Maksim Yankovskiy: Thank you very much, Kristy. Good morning, good day, welcome everybody. As they say in the airline business when you board a plane: we realize you have a lot of choices when it comes to how you spend the next hour of your time. Actually, the way things are today, you don't have a lot of choices, but we're still going to try and make this very educational and very informative.

We're going to talk about data breaches, data protection in terms of DevOps and DevSecOps. We're going to talk about what it would take to generate, to engineer, an application or an application system with security in mind, and of course, true to the topic of today's webinar, we're going to talk about how we protect enterprise data. And then we'll have enough time to go into Q&A, of course.
So, the first item on the menu is data breaches. Cyber attacks are increasing in frequency; everybody has been targeted. You will see a number of companies mentioned in a small font at the bottom of the slide, and there are some big names there: Equifax, Verizon, just to name a few, Whole Foods, the IRS, Blue Cross. You walk across the companies and you realize every single sector has been hacked, and essentially data breaches are a dime a dozen.

They happen very often, but in terms of the cost of the breach, they're actually quite pricey to the enterprises: about 3.62 million per breach, and the breaches happen often. And if you look at it, over 42 percent, or around 42 percent, of the cost of the data breach is actually the cost that enterprises incur in lost business. That's quite substantial, so nobody is going to be surprised when the next data breach occurs.
Over the past several years, several things that these graphs you see on the screen show is that the use of containers has been increasing pretty dramatically, and the use of containers in production has also been increasing, on the second graph. Especially if you look at the number of containers that people run in production, you'll notice a drop in the number of containers used in production in clusters of fifty and fewer containers. At the same time, you'll notice the increase in the number of containers in larger clusters.

So some of the surveys indicate that 69% of those surveyed intend to store sensitive data in containers, and around 76 percent use containers for storing and manipulating data that falls under some sort of regulation. And the staggering number: 94 percent of those surveyed experienced one or more security incidents in the past 12 months, and I think the other six percent are just not saying.
So what are the challenges? Why is data protection such an important topic? In fact, data protection and data security is a super important topic when you talk to enterprises regarding their storage challenges, and it's also in the top three of the security challenges, protecting the data in containers, along with vulnerability management and runtime protection.

68% of those surveyed indicate that compliance is critical and a must-have, and those who indicate that it's a nice-to-have are probably those moving into larger scale deployments and also moving more containers to production. So I fully expect the numbers of this 28% to spill into the 68% and that number to increase as well.

So these few slides, if there are a few takeaways from these slides, it's that containers are on the upswing. Container environments are becoming more and more prevalent, or regular, in the enterprise. Enterprises are moving data into containerized environments and they're increasing the sizes of those environments, and storage and data security and compliance are becoming one of the several major factors in their own successful container deployments.
So how do you protect your data in general, not just in container environments? Encryption is, I would say, the best form of data protection. And encryption, by the way, encryption in and of itself is not the end-all of data protection for your enterprise environment. Data protection is usually a combination of tools, but I would like to call encryption kind of the last line of defense: after your firewall is compromised and your environments are broken into.

The next thing you have is the safe, kind of the safe in your living room that stores your most vulnerable information. So you have to encrypt throughout the process. You have to encrypt at collection, you have to encrypt all data manipulation pipelines, and preferably you do that at the time when data is created. Any sensitive information that must be stored must be encrypted, and of course you have to log and monitor all data activity, because oftentimes log mining is one of these tools.
Also, encryption is meant to be, and some of the current encryption solutions still are not, simple to manage. You have to identify which data you want to encrypt, and then you have to manage the encryption solution. You cannot just point and encrypt, and you should be able to. Enforcement of policy is another hurdle to adopting encryption, and of course with the increase in cloud and on-premise and hybrid deployments, it's concerning for people how well encryption is supported in those hybrid deployments.

Of course, with the rise of cloud and virtualized environments, system scalability becomes a problem. We used to just deploy an encryption server in the data center and call it a day, but now we might not even have access to the data center, and the number of environments is increasing, the number of containers is increasing and therefore, obviously, the number of cryptographic keys that are used to protect those environments is increasing.
So integrating encryption has not been easy, and it's still not. So when your enterprise is at the point where it has to either comply with regulation or is just doing kind of good housekeeping of protecting their customers' data, and you are tasked, or one of your colleagues is, to start with choosing an encryption solution: what is it that you look for? What does it mean to have a good encryption solution in your enterprise?

Now, as we already talked about, performance is super critical, so you want a solution that introduces a performance penalty, but in very small percentage numbers. Encryption is not free; even with today's crypto accelerators and native encryption support in chipsets, encryption still costs performance cycles, but you want to keep that to the minimum. Businesses don't want to have any impact on their existing processes. If you talk to some of the healthcare providers especially, they cannot be adding even a minute to a patient appointment, because their practice essentially runs 24/7.
Scalability of physical environments, virtual environments, hybrid environments: the environments come and go. They get deployed several times a day, they get decommissioned several times a day, and of course you cannot have a person run to the data center and install a security appliance every time a new environment comes onboard. So, as an old tech engineer would say, back in my day, but back in the late 20th century and even early 21st century, enterprises used to have dedicated people on their staff that understood how encryption works, how encryption is deployed, what an encryption key is, what a key-wrapping key is, what a hash key is, what types of algorithms are recommended and which are not, and, after you deploy it, how do you manage and troubleshoot that system? It's pretty difficult and pretty expensive, and so anything we can do, anything encryption solutions can do to make it simpler to manage and simpler to deploy, and anything these solutions can do to make sure that you don't need specialized cryptographic expertise, makes a better solution.

And of course there are a number of compliance initiatives going around since the first data breaches back in the early 2000s that compromised the financial sector very severely. That's where MasterCard came up, and they came up with the PCI, or Payment Card Industry, standards, and so all of these compliance initiatives around PCI and the financial sector, around the healthcare sector that later resulted in HIPAA regulations, and so on and so forth.
So one thing I'd like to put to rest right at the beginning, or at the beginning of the more technical part of this presentation, is that there have been tools created over the years that attempt to simplify, or make it simpler, to deploy encryption and to manage encryption. Some of them are self-encrypting drives, some of them are file encryption solutions, and so on and so forth. So why would we just not use them?
So on the left of this slide, you can see what I would call the encryption stack, which is essentially a software stack and hardware stack where you can apply encryption, starting from the hardware, where you can go all the way to application level encryption. The interesting thing about that stack is that as you go higher up the stack you're talking about more purpose-built solutions and you're talking about greater performance degradation; as you go lower in the stack, we are talking about more generalized solutions and you're talking about better performance, but oftentimes you have to sacrifice some granularity, especially in databases and applications, where you might not be able to encrypt a column in the database; you might have to encrypt the entire table, or you might not be able to encrypt a table and you have to encrypt the entire partition that the database stores files on.

So the goal of this slide is to show that there needs to be a compromise between performance and granularity, and certain encrypting drives are, on the surface, very appealing, but they are not a compromise.
We're going to talk about what it takes to make a good encryption solution that you can trust with protecting your data. To make it short on this slide, we're just going to say that self-encrypting drives are certainly not going to help make you a good and efficient solution, because not only is their key management widely non-existent, but if it does exist, it's very much substandard. Also, how do you manage a data center of 10,000 self-encrypting drives when you need to replace or manage those installations?

And finally, if you're in the cloud environment, do you really have a choice as to whether or not self-encrypting drives are used, how often they are, whether there are definitions on how often they're replaced? So that's not the answer. And with that we're going to talk about DevOps and DevSecOps, and why we need to put security in place at design time, and why security as an afterthought is a very, very bad idea.
Hopefully it's a combination of both. And so how do you balance security with regulatory compliance? The reason I bring this up explicitly is because regulatory compliance is usually done on a timeline, and enterprises oftentimes attempt to achieve compliance with the least amount of investment in security initiatives. So there is a fine line, there is a balance that you have to figure out between how you make the environment more secure and also achieve compliance.

You have to look at what security solutions are appropriate for your environments, not just today but going forward as well, and tempting as it may be to just say, you know, environments come with secrets and passwords and all different kinds of ways to store your sensitive data: secrets and passwords are great, they are very important, they're critical to environment functionality, but they protect your processes. They do not protect your data. So a good security solution is the good...

A security solution, to contrast that: if you can't trust your security solution, then why bother deploying it in the first place? A security solution, as we talked about, is a combination of components, and all those components talk to each other. They have to be able to trust each other. That is why pretty much every security solution needs to have one or another form of what's called the certificate authority, which is, think of it...
My favorite analogy is that you encrypt your environment, you have one more encryption key, and so where do you put your encryption keys? You need to have a key manager, a system that is capable of securely and safely storing those keys. I mean, you wouldn't put your house key under the doormat. In some sense, some of us do; some of us put it in the wheel.

You can opt for hardware-based key managers, that's up to you, but when you look at a security solution and it doesn't make a specific mention of how it stores and protects your keys, I say move somewhere else. And of course there should be a root of trust, and when I say root of trust, I mean the root of trust for storing what's called the master key. Essentially, your key manager will protect your most valuable assets, which are the encryption keys, so who protects your key manager? And for that there's a special component in security solutions that's called the security module, and there are a number of security modules which are hardware-based and a number of security modules which are software-based, but that's kind of a given: if you have a key manager, it needs to have a specific security module component so that the encryption key database is protected and encrypted itself with the security module, where the key is stored in the security module, and the security module knows how to store a small number of master keys in a secure and compliant way.
So containerized environments, they're quite different. They look familiar when you're within the container; you can't really say necessarily that you're within the container, because the containerized and virtualization environments do a pretty good job of hiding the fact that you are within a small container from the developer or from the end user. But containerized environments are very, very different, so storage in containers is different, and therefore the data, and especially sensitive data, might be protected in different ways.

The first key point is that encryption follows storage, which means in multi-tenant container environments the storage will be shared, but even if you share the storage, you should never share an encryption key. I mean, to me and to a lot of people, if I say it slightly differently: you'd better trust the people you give your house keys to, right? That's kind of obvious. I'm a little bit surprised why not sharing an encryption key is not so obvious, but apparently it's not.

Storage must be independent of, or portable to, the containers, meaning today your container may run on one host, tomorrow it might run on another host. That actually means that the storage might be shared between containers. So we cannot use the legacy approach of hardware-defined storage where the storage is directly and physically tied to the host. We cannot use that approach when managing storage for containers. And last but not least, and also super critical, is the separation of duties.
We have different roles and different actors. We have developers, platform engineers, we have administrators, we have a number of other roles, but there needs to be separation of duties. And not that you shouldn't trust your developer, but the developers are not in the best position; they're not the best people to ask to make security decisions. These decisions have to be made elsewhere in the enterprise, and you want to maintain that separation of duties.

So, let's look at an example of a topology that you may see in a typical, maybe even simpler, Docker environment, where you have one or more Docker hosts and each host runs one or more containers. Containers obviously belong to different applications. That's the whole purpose of virtualization: sharing resources between containers and sharing resources between tenants. So you can have different Docker hosts running different containers for different applications belonging to different customers.
The key point is the storage and the containers: every storage unit associated with every container must be encrypted with its own unique key. Why is that so important? Because compromises happen. We talked at the beginning of the presentation about environments being compromised; when the environment is compromised, you want to limit the exposure. You don't want one of your environments... if somebody compromised my development environment, I don't want that exposure to spill out to my payroll environment or my finance environment.

If I am a solution provider and if I host more than one customer, I certainly don't want one compromised customer to compromise my entire multi-tenant environment. So that is why: no sharing of keys. So how would we do this? How would we accomplish that? Let's say with Docker: we would look at Docker storage mechanisms and we would create what's called an encryption volume driver. So at the time that a container requests storage, it would be given a storage volume that is already encrypted.

This is done by directly integrating with the volume driver that is part of Docker, and we are going to have some sort of volume provisioning and some sort of volume management. What we show here is a very simplified, very simplistic volume provisioning based on a traditional LVM storage model, but the volume group provisioning might as well look at provisioning specific cloud-based storage in AWS or in Google Cloud. The most important part is that by the time the container gets the volume, the volume is already encrypted.
Kubernetes has a number of worker nodes, similar to Docker nodes, but now containers can run very much anywhere. In the Docker world there's some association between a container and where the container will run today and when it is restarted tomorrow; in Kubernetes the container can be scheduled on one node and rescheduled on another node at different times, depending on the environment load. That's the Kubernetes way of running containers, and the storage is most likely shared.

The same storage paradigm applies: every storage unit associated with every container has to be encrypted with its own unique key. And I'd like to specifically emphasize that on the Kubernetes master level we have Secrets, and the Secrets, as we all know, are stored in etcd as key-value pairs. Up until the latest revisions of Kubernetes, etcd was not encrypted. Now there is an option to encrypt it, but an important part to realize is that Secrets, just like I said at the beginning, are kind of like a password file.
It is critical, absolutely; to a Java developer, Secrets are kind of like a JKS keystore. So what do we store? In any keystore we store keys, we store passwords, we store certificates, and so on and so forth, but we don't use the keystore, and we don't use Secrets, to store encrypted data. And so the same approach would be beneficial to that type of environment: you'd see a Kubernetes pod lay out a volume claim for a particular storage unit, or a storage class, as it's called in Kubernetes.

That storage class would hopefully refer to an encrypted volume driver that, just like specialized volume drivers know how to provision NFS storage or AWS storage or any other type of storage, would know how to provision an encrypted volume on request. An important thing to note is that every pod will get its own separate and distinct volume, and every volume will get its own separate and distinct encryption key, and so will separate and distinct backing storage, so that backing storage will be transparently provisioned in the encrypted state by the encrypting CSI driver.
So this type of approach lends itself very, very well to enterprise use cases where, again, as we talked about earlier, encryption is not the one to solve every data protection problem. A big problem of data protection is: can you trust your environment? And so in the example of Red Hat and OpenShift, where they provide an infrastructure and framework for essentially certifying containers and Kubernetes operators, that gives you a certain additional level of assurance and security that whenever someone develops and certifies a solution, it is going through a certain certification process that assures that container images are built on top of a trusted platform, that you can trust the container image, you can trust the deployment mechanism.
So we talked about different places and different levels at which we can apply encryption, and what are some of the advantages of implementing encryption in a way that's native to containers. We already talked about a unique key per volume, so each persistent volume is encrypted with its own cryptographic key, so one compromised container does not compromise the entire multi-tenant environment.

We talked about Secrets not being protected by default, although they can now be protected in later Kubernetes releases. But the important notion is that they do not protect the data. So a separate data protection solution is required. As we talked about earlier, password files don't protect data, they protect your environments, and JKS files don't protect your data, they protect your environment. So every UNIX system has a password file, but that doesn't mean that every UNIX system doesn't have a separate encryption and security solution that it comes with.
One very large benefit of native container encryption is that you can securely, with a proper key management infrastructure, you can securely erase the data without actually having to erase the data, and that is done by decommissioning the cryptographic key in the key manager. And so therefore, when the container goes away, and if the container were to come up again, it won't be able to acquire the encryption key necessary to decrypt the data.

So as the number of nodes is on the path for growth, sometimes the nodes get compromised, sometimes nodes need to be decommissioned and replaced. And if these nodes have sensitive data, you don't always have the ability to connect to a node and delete the sensitive data. With a secure node removal feature, you can actually do that by executing an administrative command, so then, even if the node is compromised, or even if the node is later brought up and connected to its native network, the corporate network, it will not be able to access the data.
That's again done by managing what's called certificate revocation lists in the key manager. And last but not least is the container storage separation. We already talked about why it's important to encrypt each container volume with its own unique key. So the container storage separation allows you to go even deeper on that, where every container volume is mapped to a unique logical volume, and that logical volume is only available when it's in use by one or more containers.

So these are the things that you want to look for in a software-based security solution, in any security solution you wish to deploy, and hopefully with proper deployment mechanisms and with proper identifying of solutions, you'll be able to deploy a solution in your enterprise that will protect your data. It will protect your enterprise from breaches, and it will protect your enterprise and help it stay in compliance. That, I think, covers the entire presentation for today.
Kristy Chan: Awesome, thanks Maksim for a great presentation, and a reminder to folks that we do have a Q&A box at the bottom of your screen. So if you do have a question for Maksim, feel free to drop it in, and it looks like we do have one question. I'll read it aloud for you, Maksim; it's from Miguel. It says, about encryption storage: my first concern is reliability.
Maksim Yankovskiy: Okay, very good question, and yes, encryption is essentially an additional process that's done on the data, so it does put a heavier load on storage. So it's a very valid concern as to how we recover from lost or damaged or even worn-out bytes on storage, especially if you look at things like... if you look at some of the more recent developments in storage methodologies and you look at solid-state drives, they are known for their wear. So obviously you deploy proper storage mechanisms that provide you a certain level of redundancy. You back up your storage regularly and you use specialized backup, not just the RAID, not just highly available disk volumes; you're also backing up the data regularly. When you deploy encryption, one of the critical portions of your data pipeline becomes your encryption key.

So therefore one thing you look for in a security solution is what kind of key management infrastructure they provide. Do they provide a key manager? Great, that's already putting them ahead of many security solutions. Is that key manager highly available? Is it hosting the data, or is it storing the data, on highly available storage volumes? Because that's essentially what you want to do: make sure that not only your data is protected, but your keys are also protected.
Maksim Yankovskiy: Right, so this is essentially, again, a good question. It's essentially how do you take your environment, where the goal of the environment is to quickly deliver quality solutions, to an environment where encryption, and security rather, is part of that quality differentiator. So you'd like to not just say I'm in DevOps, which is kind of like agile, quickly develop solutions that have a certain level of quality; also, security becomes part, the implicit part, of quality. That's the transition from DevOps to DevSecOps.

So Kubernetes Secrets are not protected by default. Secrets are centrally stored in etcd, which is part of the core Kubernetes deployment; it has etcd as a key-value pair storage, and the storage that's used by etcd to store the key-value pairs is not encrypted by default. So if your etcd is compromised, then the store is exposed and the secrets are exposed. Later versions of Kubernetes provide a way for you to encrypt the secret store, and that adds a certain level of protection.
Kristy Chan: Great, all right, well, I think that covers all the questions today. Thanks again, Maksim, for a great presentation. That's all the time that we have for today. Just a reminder that the webinar recording and slides will be online later today. Thanks again, and we look forward to seeing you all at a future CNCF webinar. Have a great day.