
Using Open Source Tools to Secure Containers and Clouds

Presentation on theme: "Using Open Source Tools to Secure Containers and Clouds"— Presentation transcript:

1 Using Open Source Tools to Secure Containers and Clouds
Derek Thurston @derekthurston
Nirmal Mehta @normalfaults
Booz Allen Open Tech @boozallen

2 About Derek
- Started working with open source in 1997 with Red Hat Linux 4.x. I have been an advocate for Open Source since that day.
- I have worked on a wide variety of projects for both government and commercial businesses.
- Love playing board and video games
- Constantly looking for a way to innovate everything!
- IANASE (I Am Not A Security Expert)
Presenter: Derek

3 About Nirmal
- 7 years of system integration in Government IT systems
- Manually STIG'd 100s of systems in multiple environments (still recovering)
- Red Hat Innovation Award 2013
- I enjoy: automating all the things, PC gaming, hacking, getting excited about new technology, Docker, learning Go
- Pythonista
Presenter: Nirmal

4 Booz Allen Open Tech

5 Booz Allen Open Tech
Open Source continues to drive the latest information technology trends, making a significant impact on Cloud, Big Data, and IoT. Booz Allen has been active in driving open standards, architectures, data, and technology for some time, and it has now formalized its commitment by creating BOT: Booz Allen Open Tech.
BOT is a specialized practice focused on:
- Acceleration: building and contributing to open technology
- Application: helping clients effectively and securely use Open Source
- Assembly: applying the latest frameworks and technologies to build open systems
Presenter: Nirmal

6 Why are we here?
- How devastating would your identity being stolen be?
- What if someone drained your bank account today?
- What about your families' identities?
Derek: if you google identity theft, you get a bunch of ads for identity theft protection and tips from the government to protect your identity. I see some irony with the last one.

7 Open Source software can help
- Why Open Source?
- Security Foundations
- Using OpenSCAP for maintaining security
- Container security
- Docker image governance/provenance
- Secrets in containers with Keywhiz
- Proactive monitoring and management
Presenter: Nirmal

8 Why Open Source software?
- Evolution through community (OpenSSL/TLS vs s2n)
- Transparency
- Cost
- Value is in heuristics and analysis
Presenter: Nirmal

9 Security Foundations
- Protect! Encrypt, Patch, Layers of Defense, Educate, Secure
- Automate! Deployments, Event management, Infrastructure (as code)
- Test! Code, Infrastructure, Backups
Presenter: Derek

10 Using OpenSCAP for maintaining security
Security Content Automation Protocol (SCAP) was created to standardize the approach to automatically verifying:
- The presence of patches
- Checking system security configuration settings
- Examining systems for signs of compromise
OpenSCAP supports the following formats: XCCDF, OVAL®, Asset Identification (ver. 1.1), ARF, CCE™, CPE™, CVE®, CVSS
Presenter: Derek

11 Using OpenSCAP for maintaining security
Why OpenSCAP?
- OpenSCAP provides the ability to monitor, maintain, and remediate your container or instance's security posture
- OpenSCAP can be run from the command line! \o/
- The community! The OpenSCAP community, the related projects, and the security compliance communities make it easy to use OpenSCAP
- You get PAT... Protect, Automate, Test
Presenter: Derek

12 Using OpenSCAP for maintaining security (Demo)
OpenSCAP is made of:
- Library: the OpenSCAP library is the API
- Toolkit: oscap is a command line tool
- SCE: the Script Check Engine (run your bash or whatever scripts!)
Presenter: Derek

13 Using OpenSCAP for maintaining security (Demo)
We have containerized our demo of OpenSCAP using the GovReady scripts:
    git clone
    cd docker-oscap-demo
    docker build -t docker-oscap-demo .
    docker run -it docker-oscap-demo /bin/bash
    /root/govready.sh
    docker cp <container-id>:/myfisma <local directory>
Open the local directory and view the report in a browser.
Presenter: Derek
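The demo ends with an HTML report, but in a pipeline you usually want the raw XCCDF result file that oscap writes (the `--results` output) reduced to a pass/fail count and a list of failed rule ids. The script below is an added example and is not part of the GovReady demo or of OpenSCAP itself; it parses a constructed XCCDF `TestResult` fragment embedded in the script (the rule ids are sample values in the scap-security-guide naming style, not taken from the slides) using only POSIX sh and awk, and treats `notselected` and `notapplicable` results as neither pass nor fail when computing the score.

```shell
#!/bin/sh
# Added example: summarize an XCCDF result file the way you would after
# "oscap xccdf eval --results results.xml ...". Not part of the talk's demo.
# RESULTS_XML is a constructed stand-in for a real results file, which has the
# same <rule-result><result> structure but many more rules.
RESULTS_XML='<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_demo">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_unselected_rule">
    <result>notselected</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_na_rule">
    <result>notapplicable</result>
  </rule-result>
</TestResult>'

# list_rules <status>: print the idref of every rule whose <result> is <status>.
# The idref lives on the <rule-result> line and the verdict on the following
# <result> line, so awk remembers the last idref it saw.
list_rules() {
  printf '%s\n' "$RESULTS_XML" | awk -v want="$1" '
    /<rule-result / { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
    /<result>/      { r = $0; sub(/.*<result>/, "", r); sub(/<\/result>.*/, "", r)
                      if (r == want) print id }
  '
}

# count_rules <status>: number of rules with that verdict (0 when none).
count_rules() {
  list_rules "$1" | wc -l | tr -d ' '
}

# pass_percent: pass / (pass + fail) as an integer percentage. Rules that were
# not selected or not applicable do not count either way, matching how a
# compliance score is normally read.
pass_percent() {
  p=$(count_rules pass)
  f=$(count_rules fail)
  total=$((p + f))
  [ "$total" -eq 0 ] && { echo 0; return; }
  echo $((p * 100 / total))
}

# report: the one-screen summary you would gate a build on.
report() {
  echo "pass: $(count_rules pass)  fail: $(count_rules fail)  score: $(pass_percent)%"
  echo "Failed rules (remediate before shipping the image):"
  list_rules fail | sed 's/^/  /'
}

report
```

A real run replaces `RESULTS_XML` with `cat results.xml`; the awk logic is unchanged because oscap emits one `<rule-result>` per rule with the verdict in a child `<result>` element.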

14 Using OpenSCAP for maintaining security (Demo)
OpenSCAP Related Projects (CPE definitions are wrong)
scap-workbench:
    yum install epel-release.noarch
    yum install scap-workbench
    yum install scap-security-guide
Presenter: Derek

15 Container security (the quick stuff)
- Use TLS for communication between the Docker Engine and clients
- AppArmor <- built into Docker; is in the upstream kernel as of
  Distros that include AppArmor: Annvix, Arch Linux, Debian, Gentoo, Mandriva, openSUSE, Pardus Linux, PLD, Ubuntu
- SELinux <- built into Docker
  --selinux flag on the Docker daemon
  setenforce 1 (
- Only trusted users should be allowed to control your Docker daemon
- Don't run as root in the container (will be fixed in a future release of Docker)
- Run an up-to-date kernel
Presenter: Nirmal
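Three of the controls on this slide (TLS between the daemon and its clients, SELinux enforcement, and not running as root inside the container) can be checked from configuration files before anything is deployed. The script below is an added example written for this transcript, not code from the talk, from Docker or from the CIS benchmark. It audits constructed stand-ins for `/etc/docker/daemon.json`, a Dockerfile and `/etc/group` that are embedded in the script; the daemon.json keys it looks for (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, `selinux-enabled`) are Docker's real daemon configuration keys, and the `docker` group check reflects that membership in that group is equivalent to control of the daemon, which is the "only trusted users" point above.

```shell
#!/bin/sh
# Added example: offline audit of a few container-host hardening controls.
# Inputs are constructed strings standing in for real files on a Docker host.

# Constructed daemon.json that exposes the API over plain TCP and leaves SELinux off.
WEAK_DAEMON_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "selinux-enabled": false
}'

# Constructed hardened daemon.json: TLS with client-certificate verification, SELinux on.
HARDENED_DAEMON_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "selinux-enabled": true
}'

# Constructed Dockerfiles: the first never drops root, the second adds a user and switches to it.
WEAK_DOCKERFILE='FROM alpine:3.12
RUN apk add --no-cache curl
CMD ["curl", "--version"]'

HARDENED_DOCKERFILE='FROM alpine:3.12
RUN apk add --no-cache curl && adduser -D -u 10001 app
USER app
CMD ["curl", "--version"]'

# Constructed /etc/group: everyone in "docker" can drive the daemon, i.e. is root-equivalent.
GROUP_FILE='root:x:0:
docker:x:999:alice,bob,ci-runner
wheel:x:10:alice'

# daemon_has_tls <json>: succeeds if there is no tcp:// listener, or if tlsverify is true.
daemon_has_tls() {
  printf '%s\n' "$1" | grep -q 'tcp://' || return 0
  printf '%s\n' "$1" | grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true'
}

# daemon_has_selinux <json>: succeeds if "selinux-enabled": true is set.
daemon_has_selinux() {
  printf '%s\n' "$1" | grep -q '"selinux-enabled"[[:space:]]*:[[:space:]]*true'
}

# dockerfile_runs_nonroot <dockerfile>: succeeds if the last USER instruction names
# a user other than root/0. No USER at all means the image runs as root.
# (A USER set from a variable is accepted as non-root; resolve ARG/ENV yourself if needed.)
dockerfile_runs_nonroot() {
  last_user=$(printf '%s\n' "$1" | awk 'toupper($1) == "USER" { u = $2 } END { print u }')
  case "$last_user" in
    ""|root|0|root:*|0:*) return 1 ;;
    *) return 0 ;;
  esac
}

# docker_group_members <group file>: print the docker group's members, one per line,
# so an operator can confirm each one is trusted.
docker_group_members() {
  printf '%s\n' "$1" | awk -F: '$1 == "docker" {
    n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# audit <daemon.json> <Dockerfile>: print one line per control; return the number of failures.
audit() {
  fails=0
  if daemon_has_tls "$1"; then echo "PASS daemon TCP listener requires TLS client certificates"
  else echo "FAIL daemon exposes tcp:// without tlsverify"; fails=$((fails + 1)); fi
  if daemon_has_selinux "$1"; then echo "PASS selinux-enabled is true"
  else echo "FAIL selinux-enabled is not true"; fails=$((fails + 1)); fi
  if dockerfile_runs_nonroot "$2"; then echo "PASS image switches to a non-root USER"
  else echo "FAIL image runs as root (no non-root USER instruction)"; fails=$((fails + 1)); fi
  return $fails
}

echo "== weak configuration =="
audit "$WEAK_DAEMON_JSON" "$WEAK_DOCKERFILE"
echo "== hardened configuration =="
audit "$HARDENED_DAEMON_JSON" "$HARDENED_DOCKERFILE"
echo "== docker group members (verify each is trusted) =="
docker_group_members "$GROUP_FILE"
```

On a real host replace the constructed strings with `cat /etc/docker/daemon.json`, the image's Dockerfile and `/etc/group`; the checks are intentionally text-based so they run before the daemon is even installed, for example as a CI step.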

16 Container security (Demo)
- Docker CIS benchmark - demo run
- Immutable containers: recycle in groups - compromised application connections are dropped
- Go: statically linked language, no shell or ssh
Presenter: Nirmal

17 Docker image governance/provenance
The Notary project comprises a server and a client for running and interacting with trusted collections. With Notary, publishers can sign their content offline using keys kept highly secure. Once the publisher is ready to make the content available, they can push their signed trusted collection to a Notary Server.
Sign Docker images, establish provenance.
Presenter: Nirmal

18 Secrets in containers with Keywhiz
Keywhiz is a system for managing and distributing secrets. Every organization has services or systems that require secrets. Secrets like: TLS certificates/keys, GPG keys, API tokens, database credentials.
Common practices include putting secrets in config files next to code or copying files to servers out-of-band. The former is likely to be leaked and the latter difficult to track.
Keywhiz servers in a cluster centrally store secrets encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI. To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.
Presenter: Nirmal

19 Proactive monitoring and management
- cAdvisor (native support for Docker)
- Elasticsearch, Kibana, Logstash (ELK)
- Nagios
- Prometheus
- Sensu
- sysdig
- The Assimilation Project
Presenter: Derek

20 Proactive monitoring and management
Test your code for vulnerabilities:
- Brakeman - Rails security scanner
- Open Web Application Security Project (OWASP) - lots of tools here!
- FindBugs - for Java
Cloud Application Security Brokers:
- Sit between your gateway and the cloud gateway
- Security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention
- Is this a gap in Open Source?
Code should be testable.

21 Please talk to us! @derekthurston @normalfaults

