Cloud Native Computing Foundation Kubernetes Day India 2019, 29 Mar 2019

Previous Meeting

Next Meeting

⏯

youtube image

►

From YouTube: How to Secure Your Kubernetes Clusters - Cindy Blake, GitLab

Description

How to Secure Your Kubernetes Clusters - Cindy Blake, GitLab

About Cindy Blake
I am a solutions strategist at the core with a focus on cyber security. I'm passionate about making application security mainstream by changing the way app sec tools are used, by whom, and what outcome is expected. Ask me about pragmatic steps to truly integrate security into DevOps using workflows that are more effective, efficient, and transparent.

Join us for KubeCon + CloudNativeCon in San Diego November 18 - 21. Learn more at https://bit.ly/2XTN3ho. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy and all of the other CNCF-hosted projects.

A

Hi happy Holi, I I know it's a day. Late, I had fun with that. Yesterday, a gitlab reseller of ours Lyra was kind enough to take me into their office, and let me experience the Holi festival with them, so I'm happy to be here from get lab, oops wrong direction and I'm going to be talking about how to secure your kubernetes clusters, but I also want to make sure to talk more broadly about cloud security in general, because kubernetes is at a piece of that.

A

But if you're not looking at the overall picture, you won't be secure and manage your risk and I really believe that we're into a new era where security is going to be much more of a software-defined environment and I'll explain a little bit about why that is. But you can imagine, applications in general are becoming almost a networked unto themselves, so you've got pods and clusters and everything's talking to each other within an environment. It's very, very different than the traditional on-premise environment, where it's much more about protecting the perimeter.

A

So as an application moves around from cloud to cloud that security needs to follow it, and so it's a different mindset and a different approach, and, along with that, some of the key trends that kind of to bear. You know everyone wants to shift left and recognizes that it's far less expensive to identify vulnerabilities and remediate them early in the lifecycle.

A

But that's easier said than done: there's good a tendency to take security tools and toss them over to developers and say: ok now you need to use this tool and developers don't want to be security professionals, and so really the key is enabling development to create secure code and one of the key challenges.

A

Is you have this very iterative process for development, followed by what historically has been more of a waterfall process at the end for securing you know, security gates that you have to get past and those two things conflict, and so what has to happen is that security needs to be built into that iterative development process so that it's congruent with that serverless cloud kubernetes.

A

They all represent additional attack, surfaces and I'm, going to show you some of that here shortly and that's something to think about, and then the fact that you want to be agnostic and be able to move your applications from one cloud to another in one environment to another, as I said, really creates a different mindset for how you need to think about your security and it comes down to zero trust, but zero trust has been around for a long time.

A

It's been a hot topic, though recently I started by Forrester and now Gartner and others are talking about it, which kind of tells you that it's becoming a little bit more mainstream and the premise is that there's not a perimeter to protect that the bad guys are going to get in. So you need to look at the security of your data and your applications, assuming that the bad guys are going to get into your to your networking and get exposed.

A

Microservices is another really important piece as well as api's and dependencies, so you've got there's a reluctance. I think, in sum to worry about scanning for vulnerabilities in dependencies because there's the thought that well so many people are using open-source. That surely, is secure and that's really not the case. That's that's one of the weakest links, because if a bad guy can get a vulnerability into an open-source component, that's used by lots and lots of companies. They've just broadened their scope and their reach. So it's a very vulnerable area and.

A

Microphone, allistic application into many more applications that sort of breaks a traditional application, security approach, where you're scanning your applications, usually sometime in the test, environment and you're, getting charged by the application. Now, if I talked to a customer on Monday and they were taking a monolithic application and breaking it into 42, well that just increased their security cost at 42 times so you've got to think about this a little bit differently.

A

Now cloud requires a shared accountability and I created this slide to show not definitive roles and responsibilities, but more of primary roles and responsibilities. So the cloud providers doing some of this security vendors are doing some and the cloud providers are starting to do more. I, don't know if you saw a couple weeks ago at our say in in California, Microsoft and Google, both announced more or less sim capabilities, and so security information and event management capabilities.

A

So the landscape here is changing and when I ran this by our infrastructure people, they said you know, we really deal with something in every box here. So you know take this with a grain of salt, but in terms of primary responsibilities. It's a shared environment. Now, when you take the application layer- and you wrapper that in containers- and you wrapper that in orchestration, it increases your attack surface. So now you need to think in the container space.

A

You need to think about the images about the registry and about the east-west traffic and that's that's the the way that the applications within the containers communicate back and forth from an orchestration standpoint.

A

Authentication and access is really key. So what Liz showed around role-based access? That's really really important in in the kubernetes space and as well as network policies, and you saw some of that and it's really kind of the Wild West right now in terms of setting those policies. There are some best practices, but it's still I think very early as an industry. We're kind of an alert there, so I want to show you hi I, attended a demonstration of a kubernetes attack at RSA a couple weeks ago and actually Liz.

A

Her demonstration was very very similar to what what these folks showed and I want to give credit here to JBL I've been Guardians. They were the ones that did this they're a pen, testing company and the biggest takeaway I had from that was.

A

If your pen testers aren't doing some of what he's doing and looking at containers and kubernetes here, you're missing out on some big areas, but what he showed was he went in through I think it was a wordpress application and a dependency and vulnerability in a dependency there and an allowed remote code execution, which then allowed him to move from one pod to another until he was able to find a pod that could talk to the API server and once he could do that, then he could ask for the AWS credentials and get it ultimately to the secrets and control the cloud environment.

A

So again, it kind of goes back to the wing weak link, which oftentimes is the open source dependency. So you want to make sure that you're scanning those now in terms of kubernetes threats, the new stack, has a good ebook here. I get labs. All about reusing things when we can and giving credit where it's due. So this is a really good yvette ebook.

A

We have nothing to do with it, but the information was really helpful in terms of looking at the different threats and ways of preventing that and again it comes back to authenticate, not relying on the defaults.

A

In fact back here, one of the things that I missed key point is 90% of the the preventive measures here have to do with configuration and configuration is very challenging right now, but but that is it's very important as well and in fact, there's a center for internet security has a benchmark, and this I'm told is one of the best places. If you want to do your own configuration I.

A

Think if it were me, I'd want to hire somebody like Karthik, but instead tell me no, but if you, if you're taking the do-it-yourself approach, this is a little hard to find by the way so I start it. It's under virtualization platforms and cloud, because there's the benchmarks are vast and there's lots of information here, but I would encourage you to think about which settings you need to make in order to really be secure, because a lot of the default settings are not the most secure so that you really have to think through.

A

All of those which brings me to the the broader picture of cloud computing and secure and cloud I would argue that there's three key principles going forward. I want to give you some thoughts on where I think this is. This. Space is going to go so that, if you're looking for where to you know what tools to invest in who to follow that sort of thing will give you some direction and some ideas there so number one security needs to be an outcome, not a department.

A

Now the seaso at via vmware at he was on stage at RSA as a keynote, and I love this quote. He said your most important security product won't be a security product and we've seen that with 451. Also there are an analyst company and they really felt like there's the the new direction is that securing your applications is going to come from a combination of your cloud provider and more likely your software development lifecycle tools, so you're going to embed security into your development process and that's the way that it's going to be successful.

A

So key principle number two would be breath before death. So if you're focusing, for instance, only on kubernetes security, you're missing the container side of things, you're missing the dependency vulnerabilities, you're missing a lot of other elements. If you are doing vulnerability scanning and let's say, you're only doing SAS tour you're only doing so static or dynamic testing and you're going really deep on particular applications.

A

You may be leaving the window open here in terms of additional applications that are your weak link in the backdoor, and so you can't think about just mission-critical apps, because remember I can laterally traverse and go from one application to another, and so you need to think through those kinds of permissions. So when you're thinking through yours to your kubernetes settings, for instance, if I have an application for HR, probably shouldn't be talking to my point-of-sale application.

A

So those are the of settings that you can you can make in kubernetes, but you want to make sure that you're thinking broadly now, one way to think broadly would be to test every line of code. The traditional application security approach would be I'm gonna test, my mission-critical applications and I'm gonna.

A

Do it again sort of near the end of my development lifecycle and I'm gonna go really really deep, but the problem with that is then I've got to get that information back from security over to development and prioritize and chase down those vulnerabilities and get them get them triage. If you can do all of these tests, so static, dynamic dependency, scanning containers scanning and license management all right within your pipeline.

A

When you commit your code, then you're, taking that broad approach of testing everything you know another, a good analogy to that would be when you go to the airport and everybody gets scanned right. If you have a ticket and you're going in you're gonna have to you know, stand in the Machine and get scanned all of your bags get scanned. Now some get pulled aside for a more thorough scan, but they're scanning everything. At least you know at least at some level. So you should think through application security testing in a similar way.

A

I would encourage you to scan everything all the time, even if it's not a super super deep scan and then save for deep scans for for special circumstances.

A

What this allows you to do, then, by by scanning everything when you commit your code, is have much faster cycle time. So we talked about the clash between the iterative development process and the security at the end. Well, the way to resolve it is if you're testing everything every time you commit your code, then the developers getting information back so I write this code, a committed, here's, the vulnerabilities that it created so I've removed. All of that friction in the process where things could happen.

A

You know the testing happens later and comes back maybe a week later, and you have to track down what line of code was it that caused the problem? You know where was it that I need to go to fix this, so if you're doing it more iteratively in smaller bites, the other advantage to that is my scans. Take less time because I'm doing it for whatever code change, I make not the whole thing and- and it can just be much more efficient and effective.

A

So then, what goes on to your security department are those things that you, the developers not able to resolve, so maybe you're not sure if there's a compensating control so you're, not sure if you should dismiss this yeah vulnerability or not or you're, not sure of the best way to resolve it or it's going to take a long time and really need to be prioritized. So you want to create an issue for that later.

A

All of that can be done most easily if you're, using one tool that offers that into end from the code repository to see ICD, 2 security.

A

Now the last point that, in terms of key directions for the new IT and caring, the new IT is that simplicity and integration will always win. I'd like to use the analogy between your cell phone and your camera, and your other one would be your microwave. How many buttons you have on your microwave and you usually just use the one-minute one right or the popcorn, maybe for the the cell phone. You know you.

A

There are times when you want to use your camera, because you want all the special settings and the special lighting and what-have-you, but the downside of it is when you think about it: it's not integrated with anything.

A

You know with gitlab we're all remote and we have an employee meetup for globally, every 9 or 10 months, and we were in South Africa in August and I took my digital camera, because I thought I'm gonna get these spectacular pictures, but in the end I realized I, don't want the pictures to just stay on my phone I want to share them, and so I have my cell phone with me all the time. I. Don't necessarily always have my camera. You know with the separate camera you got to make sure it's charged.

A

You got to make sure it's got. Storage, I, take the picture, it's good enough with my phone and immediately I can upload it to Facebook or text it to my kids or whatever, and it's that integration that is so so important. So when you think about having one application across the entire software development lifecycle that simplicity and that integration is really something that can add value that you can't get when you're stitching together a DevOps tool chain, the other element of that is kind of a single source of truth and so everybody's.

A

Looking at the same thing, dev SEC, Ops, I, think in the end the SEC of DevOps is going to disappear. If we're all successful, suck will become ubiquitous and just built into dev and ops. So I hope those are good thoughts for you and I know I'm. The only thing standing between you and lunch, so I appreciate your your attention in your patients. Thank you. So much.