Emerging Approaches in a
Cloud-Connected Enterprise:
Containers and Microservices
Anil Karmel
Co-Founder and CEO, C2 Labs
Co-Chair, NIST Cloud Security Working Group
Take Back Control © C2 Labs, Inc.
Emerging Cloud Technologies and Trends
Cloud is Our Reality
• Evolving Cloud Models
– Private Cloud (IaaS)
– Public Cloud (SaaS, PaaS, IaaS)
– Hybrid Cloud is becoming the de facto norm
• What About Security?
– OPM Breach
Relative to 2006, cyber crimes increased by 782%:
• A malware activity every 3 minutes
• 65% of attacks target financial services, healthcare, manufacturing and entertainment
• 89% of callback activities were linked with Advanced Persistent Threat (APT) tools made in China or by Chinese hacker groups
2013 Advanced Threat Report
NIST Cloud Computing Reference Architecture
SP 500-292
[Figure: NIST Cloud Computing Reference Architecture. Actors: Cloud Consumer, Cloud Provider, Cloud Carrier, Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit), Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage). Cloud Provider: Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility), Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability), Cloud Orchestration. Cross Cutting Concerns: Security, Privacy, etc.]
Cloud Demystified
What is a Cloud Ecosystem?
[Figure: Software as a Service, Platform as a Service, Infrastructure as a Service, plotted against a Security/Control axis]
Distributed Architecture =
Split Control / Responsibilities
[Figure: Cloud Environment vs Cloud Ecosystem, both built from the same layers:]
– Cloud Clients (Browsers, Mobile Apps, etc.)
– Software as a Service (SaaS) (Application, Services)
– Platform as a Service (PaaS) (APIs, Pre-built components)
– Infrastructure as a Service (VMs, Load Balancers, DB, etc.)
– Physical Hardware (Servers, Storage, Networking)
What you can manage…
[Figure: IaaS, PaaS and SaaS columns against a "You manage" axis]
Organizational Challenges
Modernizing IT
• Agility
– Organizations are struggling to deliver more in a fiscally and resource constrained environment
• Flexibility
– Existing IT investments are typically problematic to reconfigure or scale to meet new application demands
• Transparency
– Difficult to quantify the cost of optimizing legacy infrastructure to support new applications
Organizational Challenges
Modernizing IT – Cloud, Mobile, Social, Big Data
• Cloud
– Powerful ROI story with real security challenges
• Mobile
– BYOD with Mobile Application Management results in security and privacy concerns
• Social
– Agency data inadvertently ends up on public social networks via geotagging
• Big Data
– Unstructured data unveils actionable intelligence, but what about the Mosaic effect?
How do you balance time to market, cost concerns, security, manageability and risk in the move to a cloud-connected enterprise?
• REDEFINE CONTEXT
– Who is the user?
– What data are they trying to access?
– Where is the user and the data?
– How are they accessing the information?
Context Aware IT
Level of assurance of the data defines the required level of trust
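A worked example of the context rule above (who, what, where and how, with the assurance level of the data setting the trust the request must reach). This is an added illustration in Go, not code from the deck or from C2 Labs; the three-step assurance lattice, the Request fields and the rule that MFA on a managed device counts as High are assumptions chosen for illustration.

```go
package main

import "fmt"

// Level is an assurance level used for both data sensitivity and the trust a
// request context earns. Higher is stronger. (Assumed three-step lattice.)
type Level int

const (
	Low Level = iota
	Moderate
	High
)

func (l Level) String() string { return []string{"Low", "Moderate", "High"}[l] }

// Request captures the four context questions from the slide:
// who the user is, what data they want, where they are, and how they connect.
type Request struct {
	User          string
	DataClass     Level // what: sensitivity of the data requested
	MFA           bool  // who/how: identity proven with a second factor
	ManagedDevice bool  // how: enterprise-managed endpoint with a known posture
	OnCorpNetwork bool  // where: request originates inside the enterprise network
}

// ContextLevel derives the assurance a request context provides. The rules are an
// assumed policy: MFA on a managed device is the strongest context; MFA alone, or
// a managed device on the corporate network, is moderate; anything else is low.
func ContextLevel(r Request) Level {
	switch {
	case r.MFA && r.ManagedDevice:
		return High
	case r.MFA, r.ManagedDevice && r.OnCorpNetwork:
		return Moderate
	default:
		return Low
	}
}

// Decide applies the slide's rule: the assurance level of the data defines the
// trust the context must reach. It returns the decision and a reason for the audit log.
func Decide(r Request) (allowed bool, reason string) {
	got := ContextLevel(r)
	if got >= r.DataClass {
		return true, fmt.Sprintf("%s: context %s meets data class %s", r.User, got, r.DataClass)
	}
	return false, fmt.Sprintf("%s: context %s below data class %s, step-up authentication required",
		r.User, got, r.DataClass)
}

func main() {
	// Constructed sample requests.
	for _, r := range []Request{
		{User: "alice", DataClass: High, MFA: true, ManagedDevice: true},
		{User: "bob", DataClass: High, MFA: true},
		{User: "carol", DataClass: Low, OnCorpNetwork: true},
	} {
		ok, why := Decide(r)
		fmt.Println(ok, why)
	}
}
```

The decision is made per request, so the same user is allowed to read Low data from an unmanaged device but is asked to step up before touching High data.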
How do we revolutionize our investments?
Context Aware IT
Data Centric Approach
• Understand your Data
– Identify and understand the value of the data in your organization
• Decompose Your Data
– Break down applications and data into building blocks
• Monitor Your Data
– Understand Risk to your Data using the Risk Management Framework for Cloud
– Employ Continuous Monitoring of your Systems to identify and limit the damage an adversary can do to your data
Emerging Cloud Technologies and Trends
Microservices and Containers
• Microservices
– Decompose Complex Applications into Small, Independent Processes communicating with each other using language-agnostic APIs
– Highly Decoupled and Modular, with services organized around capabilities (e.g. User Interface, Billing)
– Allows for Continuous Integration
• Containers
– Much like Virtualization abstracts the Operating System from the Hardware, Containers abstract Applications from the Operating System
– Applications are isolated from other Applications on the same Operating System
– Allows for Cloud Portability and Scale Up/Out
– Security issues need to be evaluated and addressed in native container deployments
Emerging Cloud Technologies and Trends
Virtual Machines vs Containers
Container Security
Challenges
• Increased Attack Surface
– Containers are far more complex than VMs, wherein a single Application can consist of 1000s of microservices
– Underlying Linux Operating System complexities can be exploited by attackers to compromise all containers on a host OS
– Runtime Compromise / Vulnerabilities / Misconfiguration
• Secure Software Development
– Containers can have code pushed to them from untrusted sources
• Log Management
– Big Data Problem: How do you view and manage logs across 1000s of containers?
• Orchestration
– Infrastructure now runs as code (Puppet/Chef/Ansible)
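The two log-management points of this deck (the challenge of viewing logs across thousands of containers, and the solution of centralising container logs together with developer actions) as an added Go example; it is not code from the deck or from C2 Labs. It parses lines in the json-file format that Docker's default log driver writes, tags every line with the host and container it came from, merges exec audit records into the same time-ordered stream, and rolls the result up per container. The log lines, host names, container names and the user name are constructed samples, and ExecRecord is a hypothetical stand-in for whatever your runtime emits when someone opens a shell in a container.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// jsonFileLine mirrors one line written by Docker's json-file log driver.
type jsonFileLine struct {
	Log    string `json:"log"`
	Stream string `json:"stream"`
	Time   string `json:"time"`
}

// Record is the centralised form: every event carries host and container so one
// query works across thousands of containers on many hosts.
type Record struct {
	Time      time.Time
	Host      string
	Container string
	Stream    string // stdout, stderr, or exec (developer shell into the container)
	Message   string
}

// ParseJSONFileLines normalises raw json-file output from one container on one host.
func ParseJSONFileLines(host, container, raw string) ([]Record, error) {
	var recs []Record
	for _, line := range strings.Split(raw, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var l jsonFileLine
		if err := json.Unmarshal([]byte(line), &l); err != nil {
			return nil, fmt.Errorf("%s/%s: bad log line: %w", host, container, err)
		}
		ts, err := time.Parse(time.RFC3339Nano, l.Time)
		if err != nil {
			return nil, fmt.Errorf("%s/%s: bad timestamp: %w", host, container, err)
		}
		recs = append(recs, Record{Time: ts, Host: host, Container: container,
			Stream: l.Stream, Message: strings.TrimRight(l.Log, "\n")})
	}
	return recs, nil
}

// ExecRecord captures a developer action (hypothetical: an interactive exec into a
// running container) so it lands in the same store as application output.
func ExecRecord(host, container, user, cmd string, at time.Time) Record {
	return Record{Time: at, Host: host, Container: container, Stream: "exec", Message: user + " exec " + cmd}
}

// Centralize merges per-host batches into one time-ordered stream.
func Centralize(batches ...[]Record) []Record {
	var all []Record
	for _, b := range batches {
		all = append(all, b...)
	}
	sort.SliceStable(all, func(i, j int) bool { return all[i].Time.Before(all[j].Time) })
	return all
}

// Summary is a per-container rollup: stderr volume and developer execs.
type Summary struct{ Stderr, Execs int }

// Summarize answers "which containers are erroring, and which has someone been inside".
func Summarize(recs []Record) map[string]Summary {
	m := map[string]Summary{}
	for _, r := range recs {
		s := m[r.Container]
		switch r.Stream {
		case "exec":
			s.Execs++
		case "stderr":
			s.Stderr++
		}
		m[r.Container] = s
	}
	return m
}

// Constructed sample log lines in json-file format (not real captures).
const SampleNode1 = `{"log":"listening on :8080\n","stream":"stdout","time":"2015-06-01T12:00:00.000000001Z"}
{"log":"db timeout\n","stream":"stderr","time":"2015-06-01T12:00:05.000000000Z"}
{"log":"db timeout\n","stream":"stderr","time":"2015-06-01T12:00:06.000000000Z"}`

const SampleNode2 = `{"log":"ready\n","stream":"stdout","time":"2015-06-01T12:00:02.000000000Z"}`

func main() {
	a, err := ParseJSONFileLines("node-1", "payments-7f3c", SampleNode1)
	if err != nil {
		panic(err)
	}
	b, _ := ParseJSONFileLines("node-2", "billing-a91e", SampleNode2)
	dev := ExecRecord("node-2", "billing-a91e", "dev-bob", "/bin/sh", time.Date(2015, 6, 1, 12, 0, 3, 0, time.UTC))
	all := Centralize(a, b, []Record{dev})
	for _, r := range all {
		fmt.Printf("%s %s %s %-6s %s\n", r.Time.Format(time.RFC3339), r.Host, r.Container, r.Stream, r.Message)
	}
	fmt.Println(Summarize(all))
}
```

A malformed line fails the whole batch rather than being dropped silently; in a real collector you would quarantine it, but the point is that missing lines from a container must be visible, not lost.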
Container Security
Solutions
• Increased Attack Surface
– Employ MicroVMs (Just Enough VM)
– Monitor Containers at Runtime / Real-time scan for Vulnerabilities and Misconfiguration and Remediate
• Secure Software Development
– Whitelist/Blacklist Containers
– Establish a secure container registry
– Sign containers and code (MD5)
• Log Management
– Centralize container logs, including developer actions
• Orchestration
– Employ an orchestration platform to manage containers across environments (DEV, TEST, QA, PROD) and across clouds
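An added Go example of the software-supply-chain items on this slide (container whitelist/blacklist, a secure registry, signed containers); it is not code from the deck or from C2 Labs. It implements the admission check an orchestrator or registry gatekeeper would run before a container starts: a registry allowlist, digest pinning instead of mutable tags, a sha256 check that the manifest bytes match the pinned digest, and an Ed25519 signature over the digest. The signature is the part a checksum alone cannot give you: a hash shows the bytes were not corrupted, a signature shows who produced them, and MD5 in particular is no longer collision resistant, which is why sha256 is used here. The registry host, repository, key pair and manifest bytes are all constructed; the blacklist is the same membership test with the sense inverted and is left out to keep the block short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ImageRef is a parsed reference such as registry.example.internal/team/app:1.4@sha256:<hex>.
type ImageRef struct {
	Registry, Repository, Tag, Digest string // Digest is the sha256 hex; empty when only a tag was given
}

// ParseImageRef splits a reference into registry host, repository, tag and digest. An explicit
// registry host (containing "." or ":") is required so nothing falls back to an implicit public registry.
func ParseImageRef(ref string) (ImageRef, error) {
	img, rest := ImageRef{}, ref
	if at := strings.Index(rest, "@"); at >= 0 {
		d := rest[at+1:]
		rest = rest[:at]
		if !strings.HasPrefix(d, "sha256:") || len(d) != len("sha256:")+64 {
			return img, fmt.Errorf("unsupported or malformed digest %q", d)
		}
		img.Digest = strings.ToLower(strings.TrimPrefix(d, "sha256:"))
	}
	slash := strings.Index(rest, "/")
	if slash < 0 || !strings.ContainsAny(rest[:slash], ".:") {
		return img, errors.New("reference must name an explicit registry host")
	}
	img.Registry, rest = rest[:slash], rest[slash+1:]
	if colon := strings.LastIndex(rest, ":"); colon >= 0 {
		img.Tag, rest = rest[colon+1:], rest[:colon]
	}
	img.Repository = rest
	return img, nil
}

// Policy is what an admission gate in front of the orchestrator enforces.
type Policy struct {
	AllowedRegistries []string          // the slide's whitelist, by registry host
	SigningKey        ed25519.PublicKey // public key of the build pipeline that signs digests
}

// Admit checks, in order: registry allowlist, digest pinning, that the manifest bytes hash
// to the pinned digest, and that the digest carries a valid signature from the build key.
func (p Policy) Admit(ref string, manifest, sig []byte) error {
	img, err := ParseImageRef(ref)
	if err != nil {
		return err
	}
	allowed := false
	for _, r := range p.AllowedRegistries {
		allowed = allowed || r == img.Registry
	}
	if !allowed {
		return fmt.Errorf("registry %q is not on the allowlist", img.Registry)
	}
	if img.Digest == "" {
		return errors.New("image referenced by mutable tag only; pin it by digest")
	}
	if sum := sha256.Sum256(manifest); hex.EncodeToString(sum[:]) != img.Digest {
		return errors.New("manifest content does not match the pinned digest")
	}
	if !ed25519.Verify(p.SigningKey, []byte(img.Digest), sig) {
		return errors.New("digest signature missing, invalid, or from an untrusted key")
	}
	return nil
}

// NewDemoPolicy builds a policy around a fresh key pair; the private key stands in for the
// one the build pipeline would keep in its signing service. (Constructed registry name.)
func NewDemoPolicy() (Policy, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand
	return Policy{AllowedRegistries: []string{"registry.example.internal"}, SigningKey: pub}, priv
}

// SignDigest is the pipeline's post-push step: hash the manifest and sign the digest, so the
// gate can verify who built the image and not merely that the bytes are intact.
func SignDigest(priv ed25519.PrivateKey, manifest []byte) (digestHex string, sig []byte) {
	sum := sha256.Sum256(manifest)
	digestHex = hex.EncodeToString(sum[:])
	return digestHex, ed25519.Sign(priv, []byte(digestHex))
}

func main() {
	pol, priv := NewDemoPolicy()
	manifest := []byte(`{"schemaVersion":2,"layers":[]}`) // constructed stand-in for a manifest
	digest, sig := SignDigest(priv, manifest)
	good := "registry.example.internal/payments/api:1.4.2@sha256:" + digest
	fmt.Println("pinned and signed ->", pol.Admit(good, manifest, sig))
	fmt.Println("mutable tag only  ->", pol.Admit("registry.example.internal/payments/api:1.4.2", manifest, sig))
	fmt.Println("foreign registry  ->", pol.Admit("docker.io/library/nginx@sha256:"+digest, manifest, sig))
	fmt.Println("tampered manifest ->", pol.Admit(good, []byte("tampered"), sig))
}
```

The checks are ordered cheapest first, and every rejection names the exact reason so the developer who pushed the image can fix the reference rather than guess.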
Microservices Security
Challenges and Solutions
• Decomposition of Applications
– Need to decompose applications into microservices correctly so they only do one thing well, driving development of secure code
– Monolithic code with 1,000 DLLs needs to be decomposed into 1,000 microservices, which makes it more secure and maintainable
• Interface-driven development
– Need to have well defined REST APIs to ensure microservices talk consistently to each other
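The interface-driven point above (well defined REST APIs so microservices talk consistently to each other) as an added Go example; it is not code from the deck or from C2 Labs. The boundary of a hypothetical POST /v1/invoices endpoint enforces its contract strictly: the right content type, a body size cap, JSON decoding that rejects unknown fields and trailing documents, and semantic validation, with each failure mapped to a distinct status code so the calling service can tell a schema drift from a bad value. The endpoint, field names, limit and sample bodies are all assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// CreateInvoiceRequest is the contract for POST /v1/invoices (hypothetical endpoint).
// Unknown fields are rejected, so both sides are forced to agree on the schema.
type CreateInvoiceRequest struct {
	CustomerID  string `json:"customer_id"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
}

const maxBodyBytes = 4096 // assumed limit for this endpoint

// Validate enforces semantic rules beyond JSON shape.
func (r CreateInvoiceRequest) Validate() error {
	switch {
	case r.CustomerID == "":
		return errors.New("customer_id is required")
	case r.AmountCents <= 0:
		return errors.New("amount_cents must be positive")
	case len(r.Currency) != 3 || strings.ToUpper(r.Currency) != r.Currency:
		return errors.New("currency must be a 3-letter uppercase code")
	}
	return nil
}

// DecodeCreateInvoice is the pure boundary check shared by the handler and tests:
// content type, size cap, strict JSON, exactly one document, then validation.
func DecodeCreateInvoice(contentType string, body io.Reader) (CreateInvoiceRequest, int, error) {
	var req CreateInvoiceRequest
	if ct := strings.ToLower(strings.TrimSpace(strings.Split(contentType, ";")[0])); ct != "application/json" {
		return req, http.StatusUnsupportedMediaType, errors.New("expected application/json")
	}
	data, err := io.ReadAll(io.LimitReader(body, maxBodyBytes+1))
	if err != nil {
		return req, http.StatusBadRequest, err
	}
	if len(data) > maxBodyBytes {
		return req, http.StatusRequestEntityTooLarge, fmt.Errorf("body exceeds %d bytes", maxBodyBytes)
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return req, http.StatusBadRequest, fmt.Errorf("malformed request: %w", err)
	}
	if err := dec.Decode(&struct{}{}); err != io.EOF {
		return req, http.StatusBadRequest, errors.New("request must contain exactly one JSON document")
	}
	if err := req.Validate(); err != nil {
		return req, http.StatusUnprocessableEntity, err
	}
	return req, http.StatusCreated, nil
}

// HandleCreateInvoice wires the boundary check into net/http.
func HandleCreateInvoice(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	req, status, err := DecodeCreateInvoice(r.Header.Get("Content-Type"), r.Body)
	if err != nil {
		http.Error(w, err.Error(), status)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"status": "created", "customer_id": req.CustomerID})
}

func main() {
	// Constructed requests, checked without opening a listener.
	for _, c := range []struct{ ct, body string }{
		{"application/json", `{"customer_id":"c-42","amount_cents":1999,"currency":"USD"}`},
		{"application/json", `{"customer_id":"c-42","amount_cents":1999,"currency":"USD","admin":true}`},
		{"text/plain", `{"customer_id":"c-42"}`},
	} {
		_, status, err := DecodeCreateInvoice(c.ct, strings.NewReader(c.body))
		fmt.Println(status, err)
	}
	// To serve: http.HandleFunc("/v1/invoices", HandleCreateInvoice); http.ListenAndServe(":8080", nil)
}
```

Keeping the check in a function that takes a content type and a reader, rather than an *http.Request, is what lets the contract be tested in isolation and reused by any transport that carries the same API.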
Containers and Microservices will power the DevOps revolution and the next bow wave of technology innovation