Cloud Native Security 101_CNSCon23.pdf (slide deck, 43 pages), shared on 三个皮匠报告.
Slide 1: Cloud Native Security 101: Building Blocks, Patterns and Best Practices
Rafik Harabi

Slide 2: Who Am I?
- Senior Solution Architect at Sysdig, Cloud Security Advocate
- Focus on Cloud Native Security and Observability
- Previously working on go-to-Cloud programmes
- rafik8_rafikharabi

Slide 3: Who are you?
- Who is here for the first time?
- Who knows one of those acronyms: CWPP, CSPM, KSPM, CIEM, CNAPP, CDR? Who knows two of them? Who knows three? All of them?

Slide 4: Agenda
- Cloud Native Security acronyms
- Anatomy of a Cloud Native application
- Lifecycle of a Cloud Native application
- Cloud Native Security Platform building blocks
- Attack vectors
- Patterns & Best Practices
- Personas and Workflows

Slide 5: Anatomy of a Cloud Native Application
Diagram of the cloud provider's building blocks. Layers: Network/Security, Management, Identity and Access, Data, Platforms, Workload. Components shown: Logs & Monitoring, Messaging Service, Cloud Load Balancer, Security Groups, Storage, Object storage, Instance, Serverless, Database, Managed SQL, IAM, Cloud Infrastructure, Containers, Audit logs, Kubernetes, Container as a Service.

Slide 6: Cloud Native Acronym: CWPP (Cloud Workload Protection Platform)
Workload and application security (Container, VM, Serverless).
(The anatomy diagram of slide 5 is repeated.)

Slide 7: Cloud Native Acronym: CSPM (Cloud Security Posture Management)
Cloud assets configuration security: protect the cloud control plane, basically tracking cloud resources and verifying the static configuration of the cloud.
(The anatomy diagram of slide 5 is repeated.)

Slide 8: Cloud Native Acronym: KSPM (Kubernetes Security Posture Management)
Security configuration assessment for Kubernetes.
(The anatomy diagram of slide 5 is repeated.)
Slide 9: Cloud Native Acronym: CIEM (Cloud Infrastructure Entitlement Management)
Manage identity and access security for both humans and services. Reduce the risk of excessive permissions and entitlements in the cloud.
(The anatomy diagram of slide 5 is repeated.)

Slide 10: Cloud Native Acronym: CDR (Cloud Detection and Response)
Threat detection and response for cloud assets and workloads.
(The anatomy diagram of slide 5 is repeated.)

Slide 11: Cloud Native Acronym: CNAPP (Cloud Native Application Protection Platform)
A platform that combines CSPM, CIEM, CWPP and CDR.
(The anatomy diagram of slide 5 is repeated.)

Slide 12: CNAPP Building Blocks
- CWPP: Vulnerability Management; Container/K8s Runtime Security; Serverless Security; Host/Container Threat Detection
- CSPM (& KSPM): Vulnerability Management; Cloud Misconfigurations/IaC; Cloud Inventory; Cloud Threat Detection; Compliance
- CDR: Cloud Threat Detection; Container/K8s Runtime Security; Host Threat Detection
- CIEM: Cloud IAM: Identities and Permissions; Detect excessive permissions

Slide 13: Attack Vectors (section divider)

Slide 14: Cloud Attack Vectors
Areas in the diagram: Network, Identity, Control Plane, Data, Servers & Services.
1. Cloud network breaches
2. Unauthorized resource access
3. Cloud data exfiltration
4. Cloud security misconfiguration
5. Vulnerability exploits

Slide 15: Kubernetes Attack Vectors
Diagram: Control Plane (API server, Dashboard, ETCD Server, Controller, Scheduler), Worker Node (Kubelet, Kube proxy, App 1, Secret, Container runtime) and the Image Registry.
1. Dashboard misconfiguration
2. Malicious container image in registry
3. Application with exploitable vulnerability
4. Docker daemon misconfiguration
5. Gain access to secrets
- Access to the K8S API Server / ETCD API (the remaining numbered vector in the diagram)

Slide 16: Container Workload Attack Vectors
Diagram: Worker Node with Hardware, Kernel & OS, Container Engine (docker.socket) and Containers; Image Registry.
1. Vulnerable OS / container engine
2. Vulnerable application
3. Exposed container engine
4. Insecure image registry
5. Privileged containers
6. Misconfigured container
7. Privilege escalation on host
8. Insufficient network isolation

Slide 17: Patterns & Best Practices (section divider)

Slide 18: Lifecycle of a Cloud Native Application
Phases: CODE, BUILD, DEPLOY, RUN. Activities shown: Continuous Integration; Dependencies; Image Manifest (Dockerfile, Podman, Buildah, ...); Application packaging (Helm, ...); Infrastructure Code (Terraform, ...); Continuous Deployment; Continuous Delivery; Monitoring; Troubleshooting; Incident Response; Iteration; Provision (Infrastructure provisioning, Infrastructure configuration).

Slide 19: Secure Cloud Native Application
Phases: CODE, BUILD, DEPLOY, RUN, Respond & Forensics. Controls shown:
- Configuration Management
- Infrastructure as Code Validation
- Vulnerability Management
- Threat Detection
- Incident Response
- CI/CD pipelines, registries, and hosts
- Prioritization based on in-use vulns
- Capture detailed record for forensics
- Block malicious containers/processes
- CSPM / cloud misconfigurations
- Cloud Inventory
- Cloud threat detection
- Workload runtime security
- Drift prevention
- Block risky configs
- Identity and Access Management
- CIEM / least privilege
- Prioritization based on in-use permissions
- Block risky images
- Block risky config
- Admission

Slide 20: Container In-Use Vulnerabilities Prioritization
- Pattern: prioritize the images to be fixed based on the packages that are really in use.
- Why: an image usually contains many packages that are embedded but never used/loaded.
- Result: focus on what really matters to prioritize and fix (avoid engineer fatigue).
- Multi-level vulnerability focus: In use? Exploitable? Has fix?
- Both for containers and Kubernetes hosts.

Slide 21: Container In-Use Vulnerabilities Prioritization (diagram)
Container image registry, container runtime and application runtime; the real risk is the vulnerabilities present in runtime. Decision flow as read from the diagram: In Use? (No: low priority) -> Exploitable? (No: low priority) -> Has Fix? Yes: High Priority, Fix Immediately (Developer); No: Threat mitigation (Threat Team).

Slide 22: Container Image Signing
- Risk: deploying and running a non-compliant / untrusted image.
- Benefits: container image integrity; images are from a trusted source; safe handover (from development to production).
Diagram: Developer, Tester and Operations with the Dev, QA and Prod registries and the Dev, QA and Production clusters; the image signature is attached to the image and verified ("Verify the signature") at each promotion step.

Slide 23: Gatekeeper Pattern (AC)
Based on the Kubernetes admission controller.
- Risk: vulnerable image; image from a non-trusted source; compromised image.
- Benefits: avoid deploying and running non-compliant workloads.
Diagram: Create Deployment -> Admission Controller (Validation, Decision) -> Deploy on Node. Inputs to the decision: image scan status and image signing status from the container registry/repository; controls; managed exceptions.

Slide 24: Base Image & Layer Analysis
- Use a library of base images from a trusted source.
- Start with a minimal base image.

Slide 25: Base Image & Layer Analysis (diagram)
Several images, each built from a version of Base image A (1.1, 1.2 or 2.5) plus one to three additional layers.

Slide 26: Continuous & Actionable Compliance
- Continuous CSPM: all misconfigurations are flagged and addressed in an automated and continuous way.
- Configuration drift detection and remediation.
Diagram across CODE / BUILD / DEPLOY / RUN / Respond: IaC Security, CSPM/KSPM, Continuous Assessment of Risk, Remediate at source.

Slide 27: Risk Assessment and Prioritization
Inventory -> Evaluate (assets at risk) -> Prioritize (assets prioritized) -> Remediate (Auto-fix; TODO; Apply (Patch); Open PR). Roles: SecOps, Developer.

Slide 28: Personas & Workflows (section divider)

Slide 29: Cloud Security Personas
Personas: Developer, Platform Engineer, DevOps, DevSecOps, Security Engineer, Security Architect, SecOps, CISO.
Responsibilities shown: Building the platform using IaC; Platform troubleshooting; Automation; Continuous Integration; Continuous Delivery; Vulnerability Management; Policies implementation; Build secure applications; Fix vulnerabilities; Compliance; Risk; Governance; Threat Detection; Forensics; Threat Modeling & Attack Surface; Security Posture; Define Policies; Vulnerabilities Reports; Compliance Reports; Implement Policies.

Slide 30: Cloud Security Personas (mapped onto the lifecycle)
The same personas (Developer, Platform Engineer, DevOps, DevSecOps, SecOps, Security Architect, Security Engineer) placed along CODE, BUILD, DEPLOY, RUN and IR & Forensics.

Slide 31: DevSecOps Workflow (CI scan)
DevSecOps pipeline: the developer pushes the container image source to the source repository; the image is built; the resulting container image is scanned for container vulnerabilities. Fail: stop the pipeline and notify the developer. Pass: push the image to the container registry, from where it goes to runtime.

Slide 32: DevSecOps (Registry scan)
- Risks: skipping the CI pipeline; a 0-day vulnerability in a previously validated image; pulling a non-validated image from a public repository (introducing malware, cryptomining, or high and critical vulnerabilities).
- Pattern: continuously scan container registries.
Diagram: the CI-scan pipeline of slide 31 is repeated.
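Worked example of the in-use prioritization flow (In use? -> Exploitable? -> Has fix?) described on slides 20 and 21. This is code added for this page, not code from the deck or from any scanner product: the scan findings, the list of libraries observed loaded at runtime and the path-to-package index are constructed sample data, and the CVE identifiers are placeholders. The "in use" signal is assumed to come from runtime telemetry (loaded file paths), which a real agent would supply.

```python
"""In-use vulnerability triage, following the decision flow of slides 20 and 21
(In use? -> Exploitable? -> Has fix?).

Added example for this page: not code from the deck or from any scanner product.
The scan findings, the loaded-library list and the path-to-package index are all
constructed sample data; the CVE identifiers are placeholders.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    FIX_IMMEDIATELY = "fix immediately (developer)"        # in use, exploitable, fix available
    THREAT_MITIGATION = "threat mitigation (threat team)"  # in use, exploitable, no fix yet
    BACKLOG = "backlog"                                    # in use but not known to be exploitable
    NOT_IN_USE = "not in use"                              # package never loaded at runtime


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder identifier, not a real CVE
    package: str
    severity: str             # scanner severity as reported
    exploitable: bool         # e.g. public exploit or known-exploited listing
    fixed_version: Optional[str]


# Constructed: library paths a runtime agent reported as loaded by the container,
# and the image's path -> package index (what the image's package DB would give).
LOADED_FILES = [
    "/usr/lib/x86_64-linux-gnu/libssl.so.3",
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4",
    "/usr/lib/x86_64-linux-gnu/libxml2.so.2",
]
FILE_INDEX = {
    "/usr/lib/x86_64-linux-gnu/libssl.so.3": "openssl",
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.3": "openssl",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4": "curl",
    "/usr/lib/x86_64-linux-gnu/libxml2.so.2": "libxml2",
    "/usr/bin/vim.basic": "vim",
}
# Constructed scanner output for the same image.
SCAN_FINDINGS = [
    Finding("CVE-0000-0001", "openssl", "critical", True, "3.0.9"),
    Finding("CVE-0000-0002", "curl", "high", True, None),
    Finding("CVE-0000-0003", "libxml2", "high", False, "2.11.4"),
    Finding("CVE-0000-0004", "vim", "critical", True, "9.0.1"),   # never loaded at runtime
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
ACTION_RANK = {action: i for i, action in enumerate(Action)}


def packages_in_use(loaded_files, file_index):
    """Map loaded file paths back to the packages that own them; unknown paths are ignored."""
    return {file_index[path] for path in loaded_files if path in file_index}


def triage(finding, in_use):
    """Run one finding through the three questions of the slide."""
    if finding.package not in in_use:
        return Action.NOT_IN_USE
    if not finding.exploitable:
        return Action.BACKLOG
    if finding.fixed_version is None:
        return Action.THREAT_MITIGATION
    return Action.FIX_IMMEDIATELY


def prioritize(findings=SCAN_FINDINGS, loaded_files=LOADED_FILES, file_index=FILE_INDEX):
    """Return [(finding, action)] with the most urgent work first: by action, then severity."""
    in_use = packages_in_use(loaded_files, file_index)
    decided = [(f, triage(f, in_use)) for f in findings]
    return sorted(decided, key=lambda fa: (ACTION_RANK[fa[1]], SEVERITY_RANK.get(fa[0].severity, 9)))


if __name__ == "__main__":
    for finding, action in prioritize():
        print(f"{finding.cve:14} {finding.package:8} {finding.severity:8} -> {action.value}")
```

The point the ordering makes is the one on slide 20: the critical, exploitable, fixable finding in vim sorts last because the package is never loaded, while the unfixable curl finding lands with the threat team for mitigation rather than in the developer's queue.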
Slide 32 diagram, continued: on Pass the image is pushed to the Container Registry; a Public Registry is a second source of images into it, and a Registry Scan step scans the registry contents themselves.

Slide 33: DevSecOps (workload integrity)
The pipeline of slide 32 extended with integrity verification: after the scan passes, the image is signed (Sign, with the key held in a KMS) and pushed to the Dev Container Registry; the signature is verified before the image is promoted to the QA Container Registry, and verified again before runtime. The Public Registry remains covered by the Registry Scan.

Slide 34: DevSecOps (integrity verification detail)
Dev Container Registry -> Sign (KMS) -> Integrity Verification -> Verify Signature -> QA Container Registry -> Verify Signature -> QA Cluster.

Slide 35: DevSecOps (Admission Controller)
The same pipeline; at deploy time the Kubernetes cluster's Admission Controller checks the image scan status (Image Scan Result) and checks the signature before the deployment is admitted.

Slide 36: DevSecOps (Runtime scan)
- Risks: a 0-day vulnerability in running images (Log4Shell).
- Pattern: continuously scan running containers.
Diagram: the admission-controller pipeline of slide 35 (Check vuln status, Check signature) plus a Host & Container Scanner on each Node, whose Image Scan Results feed Reporting, a SIEM and Ticketing.

Slide 37: IaC Security (build phase)
Flow (six numbered steps in the diagram): the developer pushes sources to the Container Source Repository and the Infrastructure Source Repository; container sources go through Build image and Image Scan; infrastructure sources go through IaC Scanning on the Pull Request, with a Suggest Fix step; Merge; Deploy to Runtime.

Slide 38: IaC Security (run phase)
Flow (four numbered steps in the diagram): DevOps merges a Pull Request into the Infrastructure Source Repository; the change reaches the Kubernetes Cluster and its Nodes; drift between the cluster and the IaC is detected (Detect Drift); SecOps opens a PR.

Slide 39: Takeaways
- Cloud Native security implementation is a team and collaboration matter.
- Cloud native security should be adopted gradually: it depends on your cloud journey stage.
- Always start with the most important use cases for your business.

Slide 40: Further reading
- CNAPP Cloud Security: https:/
- Cloud Podcast: EP94 Meet Cloud Security Acronyms with Anna Belak
- Gartner: Innovation Insight for Cloud-Native Application Protection Platforms
- MITRE ATT&CK Matrix for Containers: https://attack.mitre.org/matrices/enterprise/containers/

Slide 41: Thank you! Any questions?
Don't forget to rate the session and provide your feedback.
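Worked example of the gatekeeper pattern from slides 23 and 35: an admission decision that checks image scan status and signature status and honours managed exceptions. This is code added for this page, not the deck's code and not a real admission webhook; the scan results, the set of verified signatures and the exception list are constructed in-memory tables, where a real controller would ask the scanner/registry and a signature verifier. The requirement that images be pinned by digest is an assumption of this example (a tag can be re-pointed after it was scanned and signed, so a verdict can only be tied to a digest); the page does not state it.

```python
"""Admission-time gate on image scan status and signature, the gatekeeper pattern
of slides 23 and 35 (check scan status, check signature, manage exceptions).

Added example for this page: not the deck's code and not a real admission webhook.
The scan results, signature index and exception list are constructed in-memory
tables; a real controller would query the scanner/registry and a signature
verifier. Only the decision logic over a v1 AdmissionReview is shown.
"""
import json
from datetime import date

# Constructed: image digest -> scanner verdict
SCAN_STATUS = {
    "sha256:1111": {"result": "pass", "critical": 0},
    "sha256:2222": {"result": "fail", "critical": 3},
}
# Constructed: digests whose signature verified against the trusted key
SIGNED_DIGESTS = {"sha256:1111", "sha256:2222"}
# Constructed: approved exceptions for failed scans, digest -> expiry date
EXCEPTIONS = {"sha256:2222": date(2099, 1, 1)}
FAR_FUTURE = date(2100, 1, 1)   # a date past every exception, for testing expiry


def split_image(ref):
    """'repo/name:tag@sha256:...' -> (name-with-tag, digest); digest is None for tag-only refs."""
    if "@" in ref:
        name, digest = ref.split("@", 1)
        return name, digest
    return ref, None


def pod_spec_of(obj):
    """Pods carry the spec directly; Deployments, Jobs, etc. carry it under spec.template."""
    spec = obj.get("spec", {})
    return spec["template"].get("spec", {}) if "template" in spec else spec


def images_of(obj):
    """Every image the workload would run, including init and ephemeral containers."""
    spec = pod_spec_of(obj)
    return [c["image"] for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key, [])]


def check_image(ref, today):
    """Return None when the image may run, otherwise the reason to reject it."""
    _, digest = split_image(ref)
    if digest is None:
        # Assumption of this example: scan and signature verdicts are keyed by digest,
        # so an unpinned tag cannot be tied to any verdict.
        return f"{ref}: not pinned by digest"
    if digest not in SIGNED_DIGESTS:
        return f"{ref}: no valid signature"
    scan = SCAN_STATUS.get(digest)
    if scan is None:
        return f"{ref}: no scan result"
    if scan["result"] != "pass":
        expiry = EXCEPTIONS.get(digest)
        if expiry is not None and expiry >= today:
            return None                       # documented, unexpired exception
        return f"{ref}: scan failed ({scan['critical']} critical)"
    return None


def review(admission_review, today=None):
    """Build the AdmissionReview response for a CREATE/UPDATE request."""
    today = today or date.today()
    req = admission_review["request"]
    reasons = [r for r in (check_image(i, today) for i in images_of(req["object"])) if r]
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def decide(raw_json, today=None):
    """Entry point a webhook handler would call with the request body."""
    return review(json.loads(raw_json), today)


def _request(uid, image, kind="Deployment"):
    """Constructed AdmissionReview request for a Deployment running one image."""
    obj = {"kind": kind, "spec": {"template": {"spec": {"containers": [{"image": image}]}}}}
    return json.dumps({"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                       "request": {"uid": uid, "operation": "CREATE", "object": obj}})


# Constructed requests: a signed clean image, a failed scan covered by an exception, a tag-only image.
CLEAN = _request("a1", "registry.example/app:1.0@sha256:1111")
EXCEPTED = _request("a2", "registry.example/app:1.1@sha256:2222")
UNPINNED = _request("a3", "registry.example/app:latest")

if __name__ == "__main__":
    for body in (CLEAN, EXCEPTED, UNPINNED):
        print(json.dumps(decide(body)["response"]))
```

The exception table only relaxes the scan verdict; a missing or invalid signature is never excepted, because an exception is a decision about known risk in an image whose provenance is established, and an unsigned image has no established provenance to make that decision about. The expiry date is what keeps the "Manage Exceptions" box of slide 23 from becoming a permanent bypass.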