SlideShare a Scribd company logo

Microservices docker-security

Download as PPTX, PDF
SecludIT
SecludIT

From virtual to cloud to microservices – 10 tips from a security perspective

Technology
1 of 14
From virtual to cloud to microservices – 10 tips from a security perspective Sergio Loureiro, PhD CEO, Founder at SecludIT sergio@secludit.com https://secludit.com
New technology equals New security risks • Security is an after thought: Embrace change and get over it! • Virtual and Cloud are mastered, right? • Virtualization issues vs isolation: Example VENOM • Cloud Security Alliance Nefarious 12 2
New use case: Shared responsibility 3
Case Study: AWS virtual machines security • 22% of AMIs had private keys • 98% of Windows had known vulnerabilities • 2 VMs compromised in less of 1 hour • NEW: data not erased securely 4
The new kid on the block: Microservices • Applications are composed of small, independent components • Drop-in and highly decoupled blocks • Components communicate with each other using APIs • Drop-in Services are easy to replace • Developer-friendly • Nothing new -> A.K.A. SOA (Service Oriented Architecture) • Recently gained popularity thanks to REST APIs 5
Why Docker? • Simplifies packaging and deployment • Guarantees portability, flexibility, isolation (?) • Minimal requirements • Ideal for building microservice-based architectures 6
Containers to scale in the Cloud – Automation! 7
What about Container Security? • Are containers really isolated? • Are images safe? • How can we know if a container is vulnerable? • How can we assess the security of our microservice ecosystem? 8
Top 10 tips: back to the basics in 3 steps (1/3) • UNDERSTAND and PLAN 1. Audit Regularly your infrastructure, test like you test your code 2. Keep it simple… (KISS) -> containers are a good step to simplify 3. Understand and test attack surface of each technology 9
Top 10 tips: back to the basics in 3 steps (2/3) TEST and CORRECT: Operations 4. Run trusted (=tested) containers 5. Automate everything to avoid manual errors and cost reduction, use APIs, no agents 6. Perform often vulnerability assessment 7. Use tools that cope with bare metal, virtual, cloud and containers (legacy in not going to disappear) 8. Patch and Remediate rapidly or replace containers with updated versions 10
Top 10 tips: back to the basics in 3 steps (3/3) REPORT and SHOW 9. Monitor KPIs and risk, not logs and vulnerabilities -> actionable data 10. Keep C-level informed, your budget depends on that for the next new technology 11
NEW: Elastic Vulnerability Assessment for Containers • Portability of containers to improve Vulnerability Assessment 12 CLONE
Further Reading • CIS Docker Benchmark • https://docs.docker.com/engine/security/security/ • Tools: Seccomp and AppArmor • Docker Capabilities • https://opensource.com/business/14/7/docker-security-selinux • https://elastic-security.com/2016/04/11/docker-best-security-practices/ 13
THANK YOU! sergio@secludit.com http://secludit.com @SecludIT

Recommended

Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast
Codefresh
 
Security at the Speed of Software - Twistlock
Security at the Speed of Software - TwistlockSecurity at the Speed of Software - Twistlock
Security at the Speed of Software - Twistlock
Amazon Web Services
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Elasticsearch
 
Palestra de abertura: Evolução e visão do Elastic Security
Palestra de abertura: Evolução e visão do Elastic SecurityPalestra de abertura: Evolução e visão do Elastic Security
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8s
DevOps Indonesia
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Sohini Mukherjee
 

Recommended

Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast
Codefresh
 
Security at the Speed of Software - Twistlock
Security at the Speed of Software - TwistlockSecurity at the Speed of Software - Twistlock
Security at the Speed of Software - Twistlock
Amazon Web Services
 
Introducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI PipelinesIntroducing a Security Feedback Loop to your CI Pipelines
Introducing a Security Feedback Loop to your CI Pipelines
Codefresh
 
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Elasticsearch
 
Palestra de abertura: Evolução e visão do Elastic Security
Palestra de abertura: Evolução e visão do Elastic SecurityPalestra de abertura: Evolução e visão do Elastic Security
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8s
DevOps Indonesia
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Sohini Mukherjee
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
Kangaroot
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Cloud Native Day Tel Aviv
 
RSA 2014: Skybox Security Risk Analytics Overview
RSA 2014: Skybox Security Risk Analytics OverviewRSA 2014: Skybox Security Risk Analytics Overview
RSA 2014: Skybox Security Risk Analytics Overview
Skybox Security
 
Patterns for Secure Containerized Applications (Docker)
Patterns for Secure Containerized Applications (Docker)Patterns for Secure Containerized Applications (Docker)
Patterns for Secure Containerized Applications (Docker)
Erica Windisch
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positives
Elasticsearch
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security Overview
Lacework
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS Meetups
John Varghese
 
Security for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeSecurity for AWS: Journey to Least Privilege
Security for AWS: Journey to Least Privilege
Lacework
 
Infosec 2014: Who Is Skybox Security?
Infosec 2014: Who Is Skybox Security? Infosec 2014: Who Is Skybox Security?
Infosec 2014: Who Is Skybox Security?
Skybox Security
 
Outpost24 webinar : how to secure your data in the cloud - 06-2018
Outpost24 webinar : how to secure your data in the cloud - 06-2018Outpost24 webinar : how to secure your data in the cloud - 06-2018
Outpost24 webinar : how to secure your data in the cloud - 06-2018
Outpost24
 
Elastic Security: Enterprise Protection Built on the Elastic Stack
Elastic Security: Enterprise Protection Built on the Elastic StackElastic Security: Enterprise Protection Built on the Elastic Stack
Elastic Security: Enterprise Protection Built on the Elastic Stack
Elasticsearch
 
Soha Systems DevOps Summit New York June 2015
Soha Systems DevOps Summit New York June 2015Soha Systems DevOps Summit New York June 2015
Soha Systems DevOps Summit New York June 2015
Robert Berlin
 
Orchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverlessOrchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverless
martinfoster
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV Deployments
OPNFV
 
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast laneOutpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24
 
Risk Analytics: One Intelligent View
Risk Analytics: One Intelligent ViewRisk Analytics: One Intelligent View
Risk Analytics: One Intelligent View
Skybox Security
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021
Archana Joshi
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security Instrumentation
VMware Tanzu
 
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Skybox Security
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
Aqua Security
 
Elisenia pimentel taller 1
Elisenia pimentel taller 1Elisenia pimentel taller 1
Elisenia pimentel taller 1
elisenia pimentel
 
linkedinresume
linkedinresumelinkedinresume
linkedinresume
Chelsea Glosser
 

More Related Content

What's hot

Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Cloud Native Day Tel Aviv
 
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Skybox Security
 

What's hot (20)

Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
 
RSA 2014: Skybox Security Risk Analytics Overview
RSA 2014: Skybox Security Risk Analytics OverviewRSA 2014: Skybox Security Risk Analytics Overview
RSA 2014: Skybox Security Risk Analytics Overview
 
Patterns for Secure Containerized Applications (Docker)
Patterns for Secure Containerized Applications (Docker)Patterns for Secure Containerized Applications (Docker)
Patterns for Secure Containerized Applications (Docker)
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positives
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security Overview
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS Meetups
 
Security for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeSecurity for AWS: Journey to Least Privilege
Security for AWS: Journey to Least Privilege
 
Infosec 2014: Who Is Skybox Security?
Infosec 2014: Who Is Skybox Security? Infosec 2014: Who Is Skybox Security?
Infosec 2014: Who Is Skybox Security?
 
Outpost24 webinar : how to secure your data in the cloud - 06-2018
Outpost24 webinar : how to secure your data in the cloud - 06-2018Outpost24 webinar : how to secure your data in the cloud - 06-2018
Outpost24 webinar : how to secure your data in the cloud - 06-2018
 
Elastic Security: Enterprise Protection Built on the Elastic Stack
Elastic Security: Enterprise Protection Built on the Elastic StackElastic Security: Enterprise Protection Built on the Elastic Stack
Elastic Security: Enterprise Protection Built on the Elastic Stack
 
Soha Systems DevOps Summit New York June 2015
Soha Systems DevOps Summit New York June 2015Soha Systems DevOps Summit New York June 2015
Soha Systems DevOps Summit New York June 2015
 
Orchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverlessOrchestrated - multi tenant architecture at scale with serverless
Orchestrated - multi tenant architecture at scale with serverless
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV Deployments
 
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast laneOutpost24 webinar - How to secure cloud services in the DevOps fast lane
Outpost24 webinar - How to secure cloud services in the DevOps fast lane
 
Risk Analytics: One Intelligent View
Risk Analytics: One Intelligent ViewRisk Analytics: One Intelligent View
Risk Analytics: One Intelligent View
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security Instrumentation
 
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
 

Viewers also liked

Mark VI ST Control Product Overview GEH 6127
Mark VI ST Control Product Overview GEH 6127Mark VI ST Control Product Overview GEH 6127
Mark VI ST Control Product Overview GEH 6127
Mircea Tomescu
 
ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain
ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain
ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain
maruay songtanin
 
คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary
คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary
คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary
maruay songtanin
 

Viewers also liked (14)

Elisenia pimentel taller 1
Elisenia pimentel taller 1Elisenia pimentel taller 1
Elisenia pimentel taller 1
 
linkedinresume
linkedinresumelinkedinresume
linkedinresume
 
Overcoming Impostor Syndrome in an Agile Environment by Ann Wangari Mwangi
Overcoming Impostor Syndrome in an Agile Environment by Ann Wangari MwangiOvercoming Impostor Syndrome in an Agile Environment by Ann Wangari Mwangi
Overcoming Impostor Syndrome in an Agile Environment by Ann Wangari Mwangi
 
Bloc opératoire de l'hueh, 6 conseils pour l'améliorer
Bloc opératoire de l'hueh, 6 conseils pour l'améliorerBloc opératoire de l'hueh, 6 conseils pour l'améliorer
Bloc opératoire de l'hueh, 6 conseils pour l'améliorer
 
Sales director resume page2
Sales director resume page2Sales director resume page2
Sales director resume page2
 
instruments of levelling
instruments of levellinginstruments of levelling
instruments of levelling
 
Insuffler une dynamique positive pour redonner du “sens” au travail et (re)mo...
Insuffler une dynamique positive pour redonner du “sens” au travail et (re)mo...Insuffler une dynamique positive pour redonner du “sens” au travail et (re)mo...
Insuffler une dynamique positive pour redonner du “sens” au travail et (re)mo...
 
Docker en production et la sécurité … _
Docker en production et la sécurité … _Docker en production et la sécurité … _
Docker en production et la sécurité … _
 
відпочинок дітей у пришкільному таборі з денним перебуванням
відпочинок дітей у пришкільному таборі з денним перебуваннямвідпочинок дітей у пришкільному таборі з денним перебуванням
відпочинок дітей у пришкільному таборі з денним перебуванням
 
Mark VI ST Control Product Overview GEH 6127
Mark VI ST Control Product Overview GEH 6127Mark VI ST Control Product Overview GEH 6127
Mark VI ST Control Product Overview GEH 6127
 
New ICT Trends in CES 2016
New ICT Trends in CES 2016New ICT Trends in CES 2016
New ICT Trends in CES 2016
 
IBODE et Chirurgie Biliaire - Rappels anatomiques et Indications
IBODE et Chirurgie Biliaire - Rappels anatomiques et IndicationsIBODE et Chirurgie Biliaire - Rappels anatomiques et Indications
IBODE et Chirurgie Biliaire - Rappels anatomiques et Indications
 
ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain
ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain
ห่วงโซ่การบันทึกทางธุรกรรม The truth about blockchain
 
คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary
คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary
คำอธิบายเกณฑ์รายหัวข้อ 2016 criteria category and item commentary
 

Similar to Microservices docker-security

Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
Trang Nguyen
 
The 6 Critical Cloud-Native Computing Components
The 6 Critical Cloud-Native Computing ComponentsThe 6 Critical Cloud-Native Computing Components
The 6 Critical Cloud-Native Computing Components
Gavin Dawson
 
Addressing the 8 Key Pain Points of Kubernetes Cluster Management
Addressing the 8 Key Pain Points of Kubernetes Cluster ManagementAddressing the 8 Key Pain Points of Kubernetes Cluster Management
Addressing the 8 Key Pain Points of Kubernetes Cluster Management
Enterprise Management Associates
 

Similar to Microservices docker-security (20)

AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
Micro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - PlansoftMicro Front-End & Microservices - Plansoft
Micro Front-End & Microservices - Plansoft
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Cloud Native Summit 2019 Summary
Cloud Native Summit 2019 SummaryCloud Native Summit 2019 Summary
Cloud Native Summit 2019 Summary
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
The 6 Critical Cloud-Native Computing Components
The 6 Critical Cloud-Native Computing ComponentsThe 6 Critical Cloud-Native Computing Components
The 6 Critical Cloud-Native Computing Components
 
Think Small To Go Big - Introduction To Microservices
Think Small To Go Big - Introduction To MicroservicesThink Small To Go Big - Introduction To Microservices
Think Small To Go Big - Introduction To Microservices
 
Maturing IoT solutions with Microsoft Azure (Sam Vanhoutte & Glenn Colpaert a...
Maturing IoT solutions with Microsoft Azure (Sam Vanhoutte & Glenn Colpaert a...Maturing IoT solutions with Microsoft Azure (Sam Vanhoutte & Glenn Colpaert a...
Maturing IoT solutions with Microsoft Azure (Sam Vanhoutte & Glenn Colpaert a...
 
Wavefront-by-VMware-April-2019
Wavefront-by-VMware-April-2019Wavefront-by-VMware-April-2019
Wavefront-by-VMware-April-2019
 
How Cloud Computing will change how you and your team will run IT
How Cloud Computing will change how you and your team will run ITHow Cloud Computing will change how you and your team will run IT
How Cloud Computing will change how you and your team will run IT
 
Addressing the 8 Key Pain Points of Kubernetes Cluster Management
Addressing the 8 Key Pain Points of Kubernetes Cluster ManagementAddressing the 8 Key Pain Points of Kubernetes Cluster Management
Addressing the 8 Key Pain Points of Kubernetes Cluster Management
 
Docker?!?! But I'm a SysAdmin
Docker?!?! But I'm a SysAdminDocker?!?! But I'm a SysAdmin
Docker?!?! But I'm a SysAdmin
 
A Guide on What Are Microservices: Pros, Cons, Use Cases, and More
A Guide on What Are Microservices: Pros, Cons, Use Cases, and MoreA Guide on What Are Microservices: Pros, Cons, Use Cases, and More
A Guide on What Are Microservices: Pros, Cons, Use Cases, and More
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
 
Why and how are containers the foundation for a hybrid cloud future
Why and how are containers the foundation for a hybrid cloud futureWhy and how are containers the foundation for a hybrid cloud future
Why and how are containers the foundation for a hybrid cloud future
 
App specific app architecture
App specific app architectureApp specific app architecture
App specific app architecture
 

More from SecludIT

More from SecludIT (10)

Scanner de vulnérabilités : recommandés / obligatoires on vous dit tout !
Scanner de vulnérabilités : recommandés / obligatoires on vous dit tout !Scanner de vulnérabilités : recommandés / obligatoires on vous dit tout !
Scanner de vulnérabilités : recommandés / obligatoires on vous dit tout !
 
Elastic Detector vu par un Ethical Hacker
Elastic Detector vu par un Ethical HackerElastic Detector vu par un Ethical Hacker
Elastic Detector vu par un Ethical Hacker
 
Sophia conf securite microservices - 2017
Sophia conf securite microservices - 2017Sophia conf securite microservices - 2017
Sophia conf securite microservices - 2017
 
Top 10 des meilleures pratiques de sécurité AWS - 2017-06-08
Top 10 des meilleures pratiques de sécurité AWS - 2017-06-08Top 10 des meilleures pratiques de sécurité AWS - 2017-06-08
Top 10 des meilleures pratiques de sécurité AWS - 2017-06-08
 
Securite docker generique 2017-03-16
Securite docker generique 2017-03-16Securite docker generique 2017-03-16
Securite docker generique 2017-03-16
 
Cloud workload protection for obs by seclud it
Cloud workload protection for obs by seclud itCloud workload protection for obs by seclud it
Cloud workload protection for obs by seclud it
 
Innovations dans la cybersecurite
Innovations dans la cybersecuriteInnovations dans la cybersecurite
Innovations dans la cybersecurite
 
Deployer son propre SOC !
Deployer son propre SOC ! Deployer son propre SOC !
Deployer son propre SOC !
 
La seule solution de surveillance continue et adaptative : Elastic Detector
La seule solution de surveillance continue et adaptative : Elastic DetectorLa seule solution de surveillance continue et adaptative : Elastic Detector
La seule solution de surveillance continue et adaptative : Elastic Detector
 
The real cost of ignoring network security.
The real cost of ignoring network security.The real cost of ignoring network security.
The real cost of ignoring network security.
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Microservices docker-security

  • 1. From virtual to cloud to microservices – 10 tips from a security perspective Sergio Loureiro, PhD CEO, Founder at SecludIT sergio@secludit.com https://secludit.com
  • 2. New technology equals New security risks • Security is an after thought: Embrace change and get over it! • Virtual and Cloud are mastered, right? • Virtualization issues vs isolation: Example VENOM • Cloud Security Alliance Nefarious 12 2
  • 3. New use case: Shared responsibility 3
  • 4. Case Study: AWS virtual machines security • 22% of AMIs had private keys • 98% of Windows had known vulnerabilities • 2 VMs compromised in less of 1 hour • NEW: data not erased securely 4
  • 5. The new kid on the block: Microservices • Applications are composed of small, independent components • Drop-in and highly decoupled blocks • Components communicate with each other using APIs • Drop-in Services are easy to replace • Developer-friendly • Nothing new -> A.K.A. SOA (Service Oriented Architecture) • Recently gained popularity thanks to REST APIs 5
  • 6. Why Docker? • Simplifies packaging and deployment • Guarantees portability, flexibility, isolation (?) • Minimal requirements • Ideal for building microservice-based architectures 6
  • 7. Containers to scale in the Cloud – Automation! 7
  • 8. What about Container Security? • Are containers really isolated? • Are images safe? • How can we know if a container is vulnerable? • How can we assess the security of our microservice ecosystem? 8
  • 9. Top 10 tips: back to the basics in 3 steps (1/3) • UNDERSTAND and PLAN 1. Audit Regularly your infrastructure, test like you test your code 2. Keep it simple… (KISS) -> containers are a good step to simplify 3. Understand and test attack surface of each technology 9
  • 10. Top 10 tips: back to the basics in 3 steps (2/3) TEST and CORRECT: Operations 4. Run trusted (=tested) containers 5. Automate everything to avoid manual errors and cost reduction, use APIs, no agents 6. Perform often vulnerability assessment 7. Use tools that cope with bare metal, virtual, cloud and containers (legacy in not going to disappear) 8. Patch and Remediate rapidly or replace containers with updated versions 10
  • 11. Top 10 tips: back to the basics in 3 steps (3/3) REPORT and SHOW 9. Monitor KPIs and risk, not logs and vulnerabilities -> actionable data 10. Keep C-level informed, your budget depends on that for the next new technology 11
  • 12. NEW: Elastic Vulnerability Assessment for Containers • Portability of containers to improve Vulnerability Assessment 12 CLONE
  • 13. Further Reading • CIS Docker Benchmark • https://docs.docker.com/engine/security/security/ • Tools: Seccomp and AppArmor • Docker Capabilities • https://opensource.com/business/14/7/docker-security-selinux • https://elastic-security.com/2016/04/11/docker-best-security-practices/ 13