Cloud Native Security

Steve White⌗

CISSP, CKA, Field CISO, Pivotal Labs Platform Advocacy.

Leadership starts at all levels. Get the mission done!

(Personal thanks to Steve for the career advice after-talk!)

Entering Security field⌗

Resume: Showcase ingenuity and adaptability to solve problems and produce outcomes.

Focus job search on what you really want to do.

Keeping calm is a desired trait. One thing most veterans have down solid.

Software is eating the world⌗

Every company is now a software company. Take Starbucks as an example, engagement is now digital, and outsourcing doesn’t create a product customers need.

Cloud Native Definition⌗

4 Pillars of Cloud Native

1. Microservices: Reduces application complication.
2. CI/CD Pipeline: Build & Test quickly.
3. Containers: Provision elastic, on-demand, compute capacity quickly.
4. SRE: Availability budgets, downtime quotas vs introduced change. ‘If downtime quota is consumed by new changes, no more deploys’

Deployment complexity is increasing. Hardware -> Virtual Machines -> Containers.

Sooo many clouds… two typical cases:

1. One cloud and on-prem.
2. Multi-cloud deployment.

App Security Side⌗

More applications more quickly, more changes, more risk.

NPM vulnerabilities, get broadcast to an entire ecosystem.

OSS License auditing.

OWASP Top 10 & OWASP DevSlop

People⌗

Every person in security today has to know how to write code to glue different datasets together.

Culture⌗

Generalists needed in security to bridge the gaps, and specialized.

Security Eng should be building tools that devs want to use.

Spread awareness, quarterly rotations into other divisions, lunch & learns, retros & stories.

Pair Security Eng with Developers writing product, and vise versa.

Inherit controls and clmpliance from the platform. Automate the documentaiton of controls & SSP’s as team motion.

Compliance⌗

open-control.org, always-on always current SSP, exercise top down controls.

Cloud Native Platform Capabilities⌗

• Turnkey Compliance: Apps inherit controls from the platform, simplifying, audits.
• Repair vulnerabilities in software ASAP.
• Repave: platform should be able to be blown away.
• Rotate: User/app credentials should be routinely.

One week max life of every OS Image.

Knock the knees out of most attackers by paving over all images/VMs once a week.

Platform Security Features⌗

Ephemeral servers with immutable images which can be blown away will reduce attack surface. Ability to repave entire platform with patched systems. Thanks GKE!

Most kubernetes clusters managed in house are about 50% ‘there’ as far as ability to upgrade Kubernetes clusters. Not all managed k8s actually allow re-paving clusters.

Everyone has been hacked, and some know it.

Everyone is running kubernetes, and the others know about it.

Security engineers pull applications together into proper immutable containers.

> Repave, don’t Patch.⌗

CloudFoundary powered by Bosh enables repaving Lifecycle management from the golden image.

Stemcells: Bare OS skeletons, immutable image for all infrastructure.

Buildpacks: … frameworks to stitch images together.

Identity & Vaulting⌗

Centralize Identity across organization. Sacrifice goats to SAML….

Platform Admins -> Central IAM <- Developers

Vaulting: no secrets in code, put secrets in Vault, reference them in the platform.

Secure the network as though it were public.

Logging & Scanning⌗

All teams need to integrate with the ability to audit applications and system behavior.

Q&A⌗

Defend for the 99%: ransomeware and web attacks. Physical attacks are far harder and less of a threat to be realistic.

Not all businesses can own all OSS code at all depths.

NPM threats live on. Most businesses are willing to accept the plausible risk.

Airforce Kessel run?? TODO: google…

Container & Dependency Scanning: AquaSec, Contrast, Twistlock, Sneak, Blackduck,