►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Deja Vu: Let's think about security again! - Shripad Nadgowda & Paolo Dettori, IBM
While Crossplane is emerging as the new CNCF project for provisioning and managing cloud infrastructure directly from Kubernetes, according to the National Security Agency (NSA), misconfiguration is still the #1 cloud vulnerability. So as we move the control plane for managing infrastructure to Kubernetes through Crossplane, we need to revisit and re-evaluate security and compliance implications. In this talk, we will review on-going security transformations for cloud-native solutions in the form of DevSecOps, Zero Trust and discuss their potential applicability to Crossplane. At the same time, it is equally critical to identify early if there any any gaps, need for new tools and techniques for developers and security experts and call for common best practices or standards across users and providers.
A
A
B
A
A
So
if
we
see
we,
we
have
seen
that
misconfiguration
is
still
a
number
one
cloud
vulnerability
according
to
the
national
security
agency,
and
there
is
a
high
cost
associated
with
such
misconfigurations
and
it
is
growing
right.
We
listed
the
survey
which
shows
that
the
cost
can
grow
in
trillion
dollars.
A
More
recently,
gartner
has
published
a
report
where
they
are
estimating,
but
that
by
2025
99
of
the
cloud
security
failures
are
going
to
be
responsibility
of
customers
rather
than
the
service
provider.
We'll
put
these
numbers
in
perspective
when
we
discuss
the
role
of
developers
and
importance
of
dev
secours
in
the
cross
plane.
A
Now,
let's
revisit
the
the
security
landscape
from
the
vantage
point
of
four
different
actors.
Now,
first,
we
have
a
cloud
provider,
the
cloud
provider.
They
are
focused
on
improving
the
experience
for
the
cloud
users
right.
There
is
a
tremendous
momentum
in
onboarding
new
services
on
the
cloud
across
aws
azure
ibm.
There
are
more
than
150
products
and
services.
A
We
looked
at
some
of
the
config.
This
service
configuration
exposed
to
the
user
based
on
their
respective
data
from
module
inputs
and
variables,
and
these
input
parameters
input
the
configuration
parameters
they
can
grow
and
in
basically
2030s
or
even
60s
right-
and
this
is
very
easy
for
users
or
developers
to
make
mistake
when
you
have
so
many
inputs
to
care
about
again,
there
are
different
modalities.
A
The
cloud
provider
enables
for
accessing
and
changing
configurations
that
includes
user
interface,
cli
apis
and
some
programming
construct
build
on
top
like
terraform
and
cross
play
right.
So
it
adds
a
new
layer
of
complexity,
because
now
we
need
to
secure
these
additional
layers
and
make
sure
that
they
are
secure.
A
Now,
let's
think
about
the
security
director
right.
So
as
a
security
director,
he
needs
a
visibility
and
awareness
across
the
security
standards.
He
need
to
evaluate
the
portion
of
his
cloud
infrastructures,
his
cloud
workloads
and
now
there
are
some
industry
standards
like
nist,
kubernetes,
cis
docker
cis.
A
A
A
We
are
evolved
from
that
now
we
have
standard
programming
construct,
like
terraform
ansible
cross
plane,
to
enable
this
to
standardize
this
cloud
programming
model,
even
the
devops.
It
has
ensured
that
we
have
consistency
across
build
test
and
deploy
practices
across
industry
across
communities
and
now
the
emerging
practices
of
devsecops,
which
is
essentially
putting
developer
in
the
center
of
the
security
practices.
A
We
don't
we
don't
expect
developers
to
be
a
security
expert
and
we
want
to
keep
it
that
way
and
but
we
want
to
enable
developers
to
identify
the
problems
in
a
security
problem
early
in
its
development
process,
and
so
we
want
to
automate
these
security
checks
and
embed
them
into
the
existing
development
practices.
We
don't
want
to
invent
new
development
practices,
new
tools
so
for
developers
to
learn,
but
whatever
their
existing
practices
are,
we
need
to
strengthen
them
with
the
security
functions.
A
A
Now,
let's
revisit
what
are
the
current
devastation
practices
across
infrastructure
as
well
as
application
code?
Now,
if
you
look
into
the
git
repositories,
all
the
artifacts
that
are
present
in
the
git
repository,
we
can
broadly
classify
them
into
four
different
categories.
We
have
some
artifacts
application
artifacts
like
build
artifacts,
which
includes
your
docker
file.
Our
package,
manifest
that
that
says
how
your
application
is
going
to
get
built.
We
have
deployment
artifacts
like
all
deployment,
journals
and
chat
that
dictate
how
your
application
is
going
to
be
deployed.
A
Then,
finally,
configuration
artifact,
the
config
maps
or
network
policies,
and
our
infrastructure
has
a
core
artifact,
like
your
terraform
cross
plan
or
ansible,
and
we
have
existing
division
of
solutions
that
are
embedded
into
this
network.
So
whenever
a
developer
makes
any
change,
this
security
cr
pipelines
trigger
it,
access
this
source
artifact.
It
performs
various
checks
like
on
the
bill.
Artifact,
we
determine
all
the
dependencies
all
the
open
source
packages
we
determined
there
are
the
vulnerabilities.
A
What
are
the
licenses
that
they
are
using?
What
are
the
risk
of
using
those
vulnerabilities
on
the
deployment
artifact?
We
analyze?
If
there
are
any
misconfigurations
like
you,
haven't,
set
some
resource
limits
or
you're
running
as
a
privilege
when
it
is
not
required.
We
also
measure
the
risk
of
such
misconfigurations.
A
We
check
the
security
the
configuration
artifact
to
see
if
there
are
any
application,
miss
configurations
like
if
I'm
deploying
some
applications.
I
have
a
set
the
right
configurations
for
it
am
I
using
the
right
protocol,
I'm
using
the
right
certificates
and
finally,
the
infrastructure
artifact,
like
our
data
form
or
crossplay.
We
can
evaluate
them
and
identify
any
misconfigurations
of
security
holes
early
in
the
development,
while
we
are
actually
before
even
we're
using
it
for
provisioning
and
then
once
we
have
this
app
pipeline,
our
artifacts
pass
through
the
cia
pipeline.
A
We
diverge
right.
We
have
a
separate
cd
pipeline
for
infrastructures
like
admin
schematics
that
takes
our
infrastructure
as
a
code
artifact
and
provisions
associated
resources
on
the
cloud
and
then
for
the
application.
We
typically
produce
some
intermediary
artifacts,
like
our
images
in
the
registry,
and
then
we
use
cd
pipelines
like
argo,
cd
or
tecton
and
deploy
our
applications
on
the
cluster.
A
We
typically
have
the
second
layer
of
protections
in
the
form
of
admission,
controller
or
gatekeeper
where
we
perform
some
enforcement
checks
like
it
is
basically
second
layer
of
protection,
and
once
our
application
is
deployed,
our
cloud
services
infrastructure
is
provisioned.
We
have
separate
monitors,
we
have
continuous
monitors
to
see
if
the
new
security
issues
get
stopped.
B
Power,
thank
you
shilpat.
So,
first
of
all,
the
first
observation
is
that
we
cross
plane
application
infrastructure
can
share
the
same
kubernetes
resource
model,
the
same
krm
so
that
the
basically
allowed
to
now
use
the
same
infrastructure,
the
same
tool
chain
for
basically
doing
the
pipeline
for
both
application
infrastructure
deployments.
B
So
the
devsecops
pipeline
for
apps
infrastructure
now
is
the
same.
We
can
use
the
same
tools
because
now
I
don't
need
to
introduce
different
tools.
For
example,
if
I'm
doing
a
deployment
with
terraform,
I
have
to
use
the
terraform
cli,
but
here
I
can
just
use
the
existing
kubectl
cli
for
doing
deployment
of
application
and
infrastructure.
B
If
we
go
to
the
next
chart,
we
see
how
the
pipeline
that
sripad
was
illustrating
earlier
on,
where
we
add
two
separate
pipeline,
one
for
infrastructure,
a
one
for
application
now
can
be
basically
merged
into
one
single
pipeline
because
I'm
sharing
the
same
tool
chain.
So
in
this
case,
I
don't
need
to
have
a
separate,
for
example,
terraform
deployment
pipeline,
but
I
can
have
one
single
pipeline
because
I'm
using
basically
the
same
model,
the
same
tool
chain.
So
I
can
do
things
as
well
here
using,
for
example,
argo
cd
using
tactone.
B
I
don't
need
to
basically
introduce
something
different,
so
this
actually
simplifies
and
makes
some
more
accessible
to
developers,
also
the
ability
now
to
provision
the
infrastructure
they
need
based
on
the
application
requirements,
and
this
is
really
what
we
see
as
the
application,
centric
provisioning
and
configuration
of
infrastructure
when
we
start
using
crossplane
in
this
picture.
Next.
B
B
B
So
we
can
actually
configure
also
security
constraints
around
the
services
we
also
allowed
to
import
existing
cloud
services
in
the
provider
and
as
a
roadmap.
We
are
currently
adding
more
support
for
more
cloud
apis
from
ibm
cloud
and
looking
also
a
code
generation
from
open
api
definitions
of
the
provider.
B
B
And
finally-
and
this
is
the
say-
the
interesting
part
that
crossplane
allows-
I
can
get
in
the
same
pane
of
glass-
also
information
about
the
security
of
my
infrastructure
configuration
and
all
this
configuration,
of
course
is
amount
dictated
by
the
security
controls
such
as
nist
security
controls,
so
other
standards
that
the
compliance
officer
set
up
for
me
as
a
developer
and
then,
of
course,
I
get
a
more
clear
indication
of
exactly
what
I
need
to
do
in
order
to
be
compliant
to
those
controls.
For
example.
B
A
Thanks
paolo
so
we're
thinking
like
what
will
be
the
sustainable
security
model
right.
So
there's
some
thoughts
like
if
you
make
a
security,
a
default
configuration
for
every
cloud
service,
so
that
would
essentially
means
that
as
a
developer,
whenever
I
create
some
cloud
resource,
it
is
by
default.
It
is
secure.
I'm
I'm
asked
by
physically
it's
mandatory
for
me
to
provide
all
the
necessary
security
controls
or
security
configurations,
and
only
configurations
that
are
available
are
to
disable
the
security
cards.
A
So
as
a
developer,
I
am
well
aware
when,
whenever
I'm
making
any
security
misconfigurations
right
and
whenever
I'm
doing
it
right,
it's
basically
obscure
for
me,
it's
oblivious
to
me,
so
I
think
the
subliminal
security
is
going
to
be
very
important.
Now.
If
you
look
into
the
stack
of
the
standards
that
are
available
right
so
for
virtual
machines,
we
have
standards
like
cis-ness
security
control.
That
guide
us
on
how
we
should
configure
virtual
machines.
How
we
can
we
should
configure
our
operating
systems.
A
Then
we
have
kubernetes
plane.
On
top
of
that,
we,
where
we
have
some
cs
benchmark,
which
guide
us
on
how
we
should
configure
our
worker
nodes,
our
master
node,
our
core
services
for
our
workloads.
We
have
docker
cis
benchmark,
linux,
pci,
dss
and
all
not
many
other
security
controls
for
cloud
services.
We
are
against
some
list
security
controls.
So
essentially
we
have
security
controls
across
the
stack,
but
the
cross
plane
right.
So
these
are.
A
This
is
essentially
the
question
that
we
are
trying
to
ask
that
at
cross
plane
are
the
runtime
and
the
runtime
providers
right.
Do
we
consider
them
as
the
workload
on
top
of
kubernetes
and
they
be
subjected
to
the
workload
security
profile
or
they
are
part
of
the
core,
kubernetes
control
plane
and
need
to
be
subjected
to
the
kubernetes
cis
profile
security
profiles,
or
we
actually
need
a
separate
category
to
model
the
security
profile
for
cross
plane?