November 18, 2019 | San Diego, California
Monday, November 18
 

8:00am PST

9:00am PST

Opening
Welcome Remarks

Monday November 18, 2019 9:00am - 9:15am PST
Marriott Marquis San Diego Marina - San Diego Ballroom A

9:15am PST

IBM Sponsored Session - Protecting Kubernetes Workloads from Attacks - Chris Rosen, IBM
Innovation and speed require cloud tools to build, deploy, and run cloud-native workloads. But how do I protect those workloads and mitigate the risks of running those apps in the cloud?  This demo showcases how you can easily isolate Kubernetes clusters to ensure outbound Internet traffic is routed through in-cluster virtual firewalls to protect your resources and intellectual property.

Speakers
Chris Rosen

Director, Product Management, IBM Cloud, IBM
Chris Rosen is a Director of Product Management for IBM Cloud Native PaaS and IBM Cloud Satellite. Chris is responsible for IBM Cloud’s containers and microservices portfolio. Chris has held a variety of roles in his 22-year career with IBM and is currently responsible for delivering...


Monday November 18, 2019 9:15am - 9:20am PST
Marriott Marquis San Diego Marina - San Diego Ballroom A

9:20am PST

The Path Less Traveled: Abusing Kubernetes Defaults - Duffie Cooley, VMware & Ian Coldwater, Heroku
While the industry and the community are starting to pay attention to Kubernetes security, there are many attack paths that aren’t well-documented, and are rarely discussed. This lack of information can make your clusters vulnerable.

In this live demonstration-filled talk, we are going to provide an overview of the Kubernetes control plane before using sigs.k8s.io/kind to show some of the attack surface exposed by a default configuration of Kubernetes. There will be multiple exploits involving various moving parts, including cluster takeovers and host escapes. We’ll show you mitigations, and then show you how to get around those.

The audience will walk away from this talk with a better understanding of Kubernetes’ default attack surface, how it can be exploited, and how to keep their clusters safer.
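The talk is about what a default-configured cluster hands an attacker. As an added example, not code from the talk or its speakers, here is a static check over Pod JSON (the shape `kubectl get pod -o json` returns) for the settings most often involved in host escapes and service-account abuse: host namespaces, hostPath mounts of the runtime socket, privileged containers, dangerous added capabilities, and the Kubernetes default of mounting the ServiceAccount token into every container. The two manifests are constructed for this example; the field names follow the Kubernetes API.

```python
# Added example (not from the talk): flag Pod settings that widen the default
# attack surface toward host escape or service-account abuse.
# Sample manifests are constructed for this example.
import json

RISKY_POD_JSON = """{
  "metadata": {"name": "log-shipper", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{
      "name": "shipper",
      "image": "example/shipper:1.0",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]
    }]
  }
}"""

HARDENED_POD_JSON = """{
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {
    "automountServiceAccountToken": false,
    "containers": [{
      "name": "web",
      "image": "example/web:1.0",
      "securityContext": {
        "runAsNonRoot": true,
        "allowPrivilegeEscalation": false,
        "capabilities": {"drop": ["ALL"]}
      }
    }]
  }
}"""

# Capabilities that commonly turn "container" into "host": assumption-driven shortlist.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def audit_pod(pod):
    """Return a list of findings for one Pod dict (as from kubectl get pod -o json)."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    # Host namespaces: hostPID exposes node processes (and their /proc/<pid>/root),
    # hostNetwork the node's interfaces and anything bound to its localhost.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"{name}: {ns} is true")

    # Kubernetes default: the ServiceAccount token is mounted into every container
    # unless disabled on the Pod or the ServiceAccount. A pod that never calls the
    # API has no reason to carry API credentials an attacker can replay.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service-account token automounted (default)")

    for vol in spec.get("volumes", []):
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path:
            detail = "container runtime socket" if host_path.endswith(".sock") else "hostPath volume"
            findings.append(f"{name}: {detail} {host_path} mounted from the node")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        cname = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # Default is true: setuid binaries and file capabilities can raise privileges.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not set to false")
        added = set((sc.get("capabilities") or {}).get("add", []))
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(f"{name}/{cname}: adds capability {cap}")
    return findings


def audit_pod_json(doc):
    """Audit a Pod given as a JSON string."""
    return audit_pod(json.loads(doc))


def audit_pod_list(pod_list):
    """Audit a PodList dict (kubectl get pods -A -o json); findings keyed by pod name."""
    return {p["metadata"]["name"]: audit_pod(p) for p in pod_list.get("items", [])}


if __name__ == "__main__":
    for doc in (RISKY_POD_JSON, HARDENED_POD_JSON):
        pod = json.loads(doc)
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
```

Run it against `kubectl get pods -A -o json` piped into `audit_pod_list`. The token-automount finding fires on almost every pod in a fresh cluster, which is exactly the point: the default is permissive, and turning it off is a per-Pod or per-ServiceAccount decision nobody makes for you.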

Speakers
Duffie Cooley

Duffie Cooley, VMware
Duffie is a Staff Cloud Native Architect at VMware focused on helping enterprises find success with technologies like Kubernetes. Duffie has been working with all things virtualization and networking for 20 years and remembers most of it. He likes to present on topics ranging from...
Ian Coldwater

Security Researcher, Independent
Ian Coldwater is co-chair of Kubernetes SIG Security, a longtime community organizer, and a security researcher specializing in hacking and hardening Kubernetes, containers, and cloud native infrastructure. When they're not busy making good trouble, they like to read all the docs...


Monday November 18, 2019 9:20am - 9:50am PST
Marriott Marquis San Diego Marina - San Diego Ballroom A

9:50am PST

Trusted Software Supply Chain with JTE - Steven Terrana, Booz Allen Hamilton
DevOps was all about getting application developers and operations engineers to work together more effectively.  In large part, automated testing and infrastructure as code enabled repeatable deployments we could be confident would work in production.  Unfortunately, bottlenecks frequently arose in the software delivery process because the security team was never pulled into the fold.  Enter DevSecOps.  In this talk, we’ll cover how to integrate security into every step of the software development lifecycle to build a trusted software supply chain to production and how the Jenkins Templating Engine can accelerate the adoption of these practices at scale in your organization.

Speakers
Steven Terrana

Lead Technologist, Booz Allen Hamilton
Steven Terrana is a Lead Technologist at Booz Allen Hamilton. A Certified Kubernetes Administrator and Jenkins Contributor, he has built DevSecOps platforms and pipelines across multiple government agencies helping to maximize the velocity of over 50 development teams without sacrificing...


Monday November 18, 2019 9:50am - 10:20am PST
Marriott Marquis San Diego Marina - San Diego Ballroom A

10:20am PST

10:50am PST

10:55am PST

Slowing Our Role: Moving Towards Policy at Plex - John Reese, Plex Systems
In this talk, we'll walk through Plex's journey from role-based access to embracing policy.

To be fair, roles got us far at Plex. Roles can be a completely valid solution, especially for smaller systems. However, as we grew, we knew roles would not be able to solve all of our problems forever. Our solution? Policy.

Through policy, automation and autonomy became a reality. By defining policies upfront, we could include them in our environments and release processes, allowing for changes to be made without any human intervention. Policy also allowed us to focus on what we actually want to secure: data. Developers no longer have to concern themselves with permissions or roles and can just use the APIs they need to get their job done.

Our journey is not over yet, but you can still come hear all about where we started with role-based access control, where we are today, and where we want to be.

Speakers
John Reese

Infrastructure Security Engineer, Yubico
John Reese is an Infrastructure Security Engineer at Yubico, who specializes in Kubernetes and Go. He is an active open source contributor and a core maintainer for Conftest, a tool that helps you write tests against structured configuration data. In his free time, he enjoys playing...



Monday November 18, 2019 10:55am - 11:25am PST
Marriott Marquis San Diego Marina - San Diego Ballroom A
  General Session
  • Session Slides Included Yes

11:25am PST

Continuous Assurance and Continuous Compliance via Data, Graph, Query and Code - Erkang Zheng, LifeOmic
Attackers see your digital environment in 3D. They know time is on their side because most vulnerabilities will have to be stumbled upon. For organizations to level the playing field, they need to move from viewing their environment linearly, in two dimensions, to three. To do that, tools need to change. The way data and relationships are mapped needs to change. A graph, not a checklist, is the only way to represent this complexity in a meaningful way. See how LifeOmic streamlines their DevOps process using a graph data model as augmented intelligence to achieve data-driven, automated security operations in the cloud. We’ll share our strategy for doing a minimum of 20 deploys/week through a continuous security/compliance approach. View it as ‘compliance as code’.
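The "graph, not a checklist" point is easiest to see on a concrete query. Below is an added example, not LifeOmic's or JupiterOne's code: a small labelled graph of cloud assets built from (subject, relationship, object) triples, two checklist-style controls evaluated on their own, and the chained question neither of them can ask alone, namely which instances are reachable from the internet and also hold credentials whose policy reaches a data store. The inventory triples are constructed for this example.

```python
# Added example (not LifeOmic's or JupiterOne's code): a labelled asset graph
# and a path query that chains relationships a flat checklist treats separately.
# The inventory below is constructed for this example.
from collections import defaultdict

# (subject, relationship, object) triples, as an inventory collector might emit them.
INVENTORY = [
    ("ec2:web-1", "HAS", "sg:web"),
    ("ec2:bastion", "HAS", "sg:web"),
    ("ec2:batch-1", "HAS", "sg:batch"),
    ("sg:web", "ALLOWS", "internet"),                 # 0.0.0.0/0 ingress rule
    ("ec2:web-1", "USES", "role:web-role"),
    ("ec2:bastion", "USES", "role:bastion-role"),
    ("ec2:batch-1", "USES", "role:batch-admin"),
    ("role:web-role", "ASSIGNED", "policy:s3-read"),
    ("role:bastion-role", "ASSIGNED", "policy:ssm-only"),
    ("role:batch-admin", "ASSIGNED", "policy:AdministratorAccess"),
    ("policy:s3-read", "ALLOWS", "s3:customer-data"),
    ("policy:AdministratorAccess", "ALLOWS", "s3:customer-data"),
    ("policy:AdministratorAccess", "ALLOWS", "s3:billing-exports"),
]


def build_graph(triples):
    """Adjacency map: node -> relationship -> set of neighbour nodes."""
    graph = defaultdict(lambda: defaultdict(set))
    for subject, rel, obj in triples:
        graph[subject][rel].add(obj)
    return graph


def follow(graph, start, rels):
    """Nodes reachable from `start` by following the relationship labels in order."""
    frontier = {start}
    for rel in rels:
        frontier = {nxt for node in frontier for nxt in graph.get(node, {}).get(rel, ())}
    return frontier


def instances(graph):
    return sorted(n for n in graph if n.startswith("ec2:"))


# Checklist view: each control answered on its own.
def checklist_public_instances(graph):
    return [i for i in instances(graph) if "internet" in follow(graph, i, ["HAS", "ALLOWS"])]


def checklist_admin_instances(graph):
    return [i for i in instances(graph)
            if "policy:AdministratorAccess" in follow(graph, i, ["USES", "ASSIGNED"])]


# Graph view: the chained question. Internet-reachable AND credentials reach a data store.
def exposed_data_paths(graph):
    hits = []
    for inst in instances(graph):
        if "internet" not in follow(graph, inst, ["HAS", "ALLOWS"]):
            continue
        for store in sorted(follow(graph, inst, ["USES", "ASSIGNED", "ALLOWS"])):
            if store.startswith("s3:"):
                hits.append((inst, store))
    return hits


if __name__ == "__main__":
    g = build_graph(INVENTORY)
    print("public instances:", checklist_public_instances(g))
    print("admin instances: ", checklist_admin_instances(g))
    print("exposed paths:   ", exposed_data_paths(g))
```

On this inventory the public-instance check flags two machines and the admin-role check flags a third; only the path query identifies web-1 as the one where an internet-facing foothold actually leads to customer data. That narrowing, from three tickets to one prioritised finding, is what the graph buys you.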

Speakers

Erkang Zheng

Founder, JupiterOne | CISO, LifeOmic, JupiterOne & LifeOmic


Monday November 18, 2019 11:25am - 11:55am PST
Marriott Marquis San Diego Marina - San Diego Ballroom A

11:55am PST

MLGuard -- Detecting Malicious Web Requests using a Serverless-based Machine Learning System - Abhinav Srivastava, Frame.io
A Web Application Firewall (WAF) blocks incoming web requests using a variety of signatures such as SQL injection, Cross-Site Scripting, and Bots. Proactively identifying and blocking bad requests, which avoid exhibiting the known malicious patterns, is both challenging and essential from a security operations perspective. In this talk, I will describe a serverless-based end-to-end system called MLGuard that ingests AWS load-balancer log data, creates a machine-learning model (Isolation Forest) with the frequency distribution of cumulative HTTP response codes using Amazon SageMaker, invokes the model using the HTTP API to detect unusual requests, and sends alerts to Slack for the security team to block IPs. MLGuard utilizes various serverless technologies such as Function-as-a-Service, DynamoDB, and API Gateway, and since its deployment a year ago, it has helped block thousands of bad IPs.
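The core of what the abstract describes is a feature pipeline (per-client frequency distribution of HTTP response codes, taken from ALB access logs) feeding an Isolation Forest. The following is an added example, not MLGuard's code: it parses the leading fields of ALB log lines (client:port is field 3, elb_status_code is field 8 in the AWS format), builds the per-client distribution, and scores it with a compact Isolation Forest written here in plain Python so it runs without scikit-learn or SageMaker. The log lines are constructed and abbreviated; eight ordinary clients plus one path-guessing scanner, and one truncated line to show the parser skipping malformed input.

```python
# Added example (not MLGuard's code): per-client HTTP status-code distributions
# from ALB access-log lines, scored by a small Isolation Forest implemented here.
# Log lines are constructed and abbreviated to the leading fields of the ALB format.
import math
import random
from collections import Counter, defaultdict

CLASSES = ("2xx", "3xx", "4xx", "5xx")
EULER_GAMMA = 0.5772156649
SCANNER_IP = "198.51.100.23"          # the constructed outlier


def _alb_line(ip, status, path):
    # Constructed sample line; quoted fields only appear after the ones parsed below.
    return (f"https 2019-11-18T17:00:00.000000Z app/prod-alb/abc123 {ip}:51234 "
            f"10.0.1.7:8080 0.001 0.004 0.000 {status} {status} 120 540 "
            f'"GET https://app.example.com:443{path} HTTP/1.1" "Mozilla/5.0"')


def build_sample_log():
    lines = []
    for i in range(1, 9):                               # eight ordinary clients
        ip = f"203.0.113.{i}"
        lines += [_alb_line(ip, 200, "/projects") for _ in range(8)]
        lines += [_alb_line(ip, 304, "/static/app.js")] * (i % 2)
        lines += [_alb_line(ip, 404, "/favicon.ico")] * (i % 3)
    lines += [_alb_line(SCANNER_IP, 404, f"/backup{n}.zip") for n in range(24)]
    lines += [_alb_line(SCANNER_IP, 403, "/admin")] * 4
    lines.append(_alb_line(SCANNER_IP, 200, "/"))
    lines.append("https 2019-11-18T17:00:01Z app/prod-alb/abc123")   # truncated: must be skipped
    return lines


SAMPLE_LOG = build_sample_log()


def client_status_counts(lines):
    """client IP -> Counter of status classes; malformed lines are skipped, not fatal."""
    per_client = defaultdict(Counter)
    for line in lines:
        fields = line.split()
        if len(fields) < 9 or not fields[8].isdigit():
            continue
        client_ip = fields[3].rsplit(":", 1)[0]
        per_client[client_ip][fields[8][0] + "xx"] += 1
    return per_client


def feature_vector(counts):
    """Frequency distribution over status classes (sums to 1)."""
    total = sum(counts[c] for c in CLASSES) or 1
    return [counts[c] / total for c in CLASSES]


def _c(n):
    """Average path length of an unsuccessful BST search on n points (iForest normaliser)."""
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n if n > 1 else 0.0


def _grow(points, depth, limit, rng):
    """Isolation tree: random feature, random split between its min and max."""
    if depth >= limit or len(points) <= 1:
        return ("leaf", len(points))
    spans = [(d, min(p[d] for p in points), max(p[d] for p in points)) for d in range(len(points[0]))]
    spans = [s for s in spans if s[1] < s[2]]
    if not spans:                                       # remaining points are identical
        return ("leaf", len(points))
    d, lo, hi = rng.choice(spans)
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[d] < split]
    right = [p for p in points if p[d] >= split]
    return ("node", d, split, _grow(left, depth + 1, limit, rng), _grow(right, depth + 1, limit, rng))


def _path_length(tree, point, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, d, split, left, right = tree
    return _path_length(left if point[d] < split else right, point, depth + 1)


def isolation_forest_scores(vectors, n_trees=100, seed=7):
    """Anomaly score in (0, 1) per vector; closer to 1 means easier to isolate."""
    rng = random.Random(seed)
    psi = min(256, len(vectors))
    if psi < 2:
        return [0.5] * len(vectors)
    limit = math.ceil(math.log2(psi))
    trees = [_grow(rng.sample(vectors, psi), 0, limit, rng) for _ in range(n_trees)]
    return [2 ** (-(sum(_path_length(t, v) for t in trees) / n_trees) / _c(psi)) for v in vectors]


def rank_clients(lines, n_trees=100, seed=7):
    """(client IP, anomaly score) pairs, most anomalous first."""
    per_client = client_status_counts(lines)
    ips = sorted(per_client)
    scores = isolation_forest_scores([feature_vector(per_client[ip]) for ip in ips], n_trees, seed)
    return sorted(zip(ips, scores), key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for ip, score in rank_clients(SAMPLE_LOG):
        print(f"{ip:16} {score:.3f}")
```

The scanner's distribution (almost all 4xx, almost no 2xx) is isolated by the first or second random split in most trees, so it gets the shortest average path and the top score; the ordinary clients need several splits to separate from one another. Two operational caveats a production version needs: score per time window rather than over all history, so a client's old good behaviour does not dilute a new burst, and treat the score as a triage signal feeding a human or a rate-limit, not an automatic block, since shared NAT egress IPs put many users behind one address.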

Speakers
Abhinav Srivastava

VP and Head of Information Security, Frame.io
Abhinav Srivastava is the Head of Information Security at Frame.io, where he leads infrastructure, security, and compliance initiatives. Before joining Frame.io, Abhinav spent 6 years in AT&T Shannon Labs as a Principal Researcher working on systems, cloud, IoT, and network security...


Monday November 18, 2019 11:55am - 12:25pm PST
Marriott Marquis San Diego Marina - San Diego Ballroom A

12:25pm PST

Palo Alto Networks Sponsored Session - How to Choose Which Cloud Native Technologies Work Best for Specific Workloads - John Morello, Palo Alto Networks
As containers gain mainstream momentum, the cloud-native ecosystem is experiencing rapid growth of new technologies and projects that are spinning off and expanding from the initial core of containers. One particularly intense area of innovation is in workload deployment/management. There are many options in the cloud-native environment and the differences between these technologies are often small and nuanced. This makes it challenging to understand the benefits and tradeoffs between them. It’s helpful to think of the technologies being placed on a continuum. The continuum starts with bare metal and VMs on the left, continues into "light" hypervisors (like Canonical's LXD), and extends into containers and services like AWS Fargate and then, ultimately, serverless. Technologies to the left provide the most isolation and control with the tradeoff of greater management and performance overhead. Those to the right facilitate more agile development and app density with the tradeoff of less control. In this talk, John Morello, VP of Product for Prisma by Palo Alto Networks, will demonstrate the continuum model, to address different scenarios and efficiently choose what technologies (or combination of technologies) work best for running different workloads.

This session will cover:
  • How each cloud-native technology will address different workload scenarios.
  • How to choose which technology (or combination of technologies) is best for running different workloads.
  • The characteristics each cloud-native technology offers as it relates to isolation, compatibility and control, and the distinctions between each.

Speakers
John Morello

Vice President, Product, Prisma Cloud, Prisma Cloud by Palo Alto
John Morello is the former Chief Technology Officer at Twistlock, and the current VP of Prisma at Palo Alto Networks. As CTO, John leads the work with strategic customers and partners and drives the product roadmap. Prior to Twistlock, John was the CISO of Albemarle, a Fortune 500...


Monday November 18, 2019 12:25pm - 12:30pm PST
Marriott Marquis San Diego Marina - San Diego Ballroom A

12:30pm PST

1:30pm PST

Open Spaces
Open Spaces provides the community an opportunity to discuss what topics matter to them most. Unlike the rest of the Cloud Native Security Day agenda, the Open Spaces agenda will be set by the attendees. Attendees will propose topics throughout the morning, and then attendees will vote on topics during lunch. After topics are set, attendees will break into 4-5 small groups to discuss the selected topics for 25 minutes. Each group will discuss a different topic, and attendees can float between each group as they see fit. For each group there should be a scribe that takes notes during the discussion. After 25 minutes, we will rotate topics and start the small group discussions again. At the end of Open Spaces we will reconvene as a group, and briefly share any takeaways from the discussion. For more details on the Open Space concept, you can read the Wikipedia article.

Monday November 18, 2019 1:30pm - 3:35pm PST
San Diego Ballroom A, Grand Ballroom 1, 2, 3, & 4

3:35pm PST

The Devil in the Details: Kubernetes’ First Security Assessment - Jay Beale, InGuardians & Aaron Small, Google
In October of last year, the Kubernetes project created a new Security Audit working group and began Kubernetes’ first comprehensive third-party security assessment. In the months that followed, we worked closely with Trail of Bits and Atredis Partners to assess and improve Kubernetes’ security posture. Through code review and penetration testing, we found and addressed 37 new vulnerabilities. With support from many Kubernetes contributors, the third party security firms and Kubernetes project produced a formal threat model covering eight critical components across six different trust zones. In this talk, we will share our findings, methodology, and vision for future security investments. We’ll discuss what the work uncovered, and what this means to Kubernetes security both now and for the future.

Speakers
Jay Beale

CTO, InGuardians
- Co-lead of Kubernetes Security Audit Working Group
- Architect and co-developer of the Peirates attack tool for Kubernetes
- Created two broadly used security tools: Bastille Linux and the CIS’ first Linux scoring tool.
- He teaches and speaks on Linux and Kubernetes at the Black...

Aaron Small

Product Manager, Google



Monday November 18, 2019 3:35pm - 4:05pm PST
Marriott Marquis San Diego Marina - San Diego Ballroom A
  General Session
  • Session Slides Included Yes

4:05pm PST

4:20pm PST

 