SlideShare una empresa de Scribd logo

Avoiding Container Vulnerabilities

Mighty Guides, Inc.
Mighty Guides, Inc.

https://info.lacework.com/avoiding-container-vulnerabilities?_ga=2.180934759.159353699.1554896554-756931316.1544692700

Software
1 de 15
Descargar para leer sin conexión
AVOIDINGCONTAINERVULNERABILITIES Seven experts discuss potential risks associated with containers and how to address those risks. Sponsored by
2 INTRODUCTION Containers offer an unprecedented opportunity to scale cloud-based services, make incremental changes without disrupting larger processes, and rapidly respond to changing operational requirements. They also introduce a new uncertainty into the cloud-security picture. Containers and their use are still evolving and maturing. To get a better understanding of potential risks associated with containers and how best to address those risks, we asked the security experts the following question: What vulnerabilities do containers create, and how do you protect against them? Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty. © 2019 Mighty Guides, Inc. I 62 Nassau Drive I Great Neck, NY 11021 I 516-360-2622 I www.mightyguides.com
3 FOREWORD Containers and Orchestration Create New Vulnerabilities Over the last few years we have seen a dramatic rise in the use of containers and container orchestration systems for the coordination and management of cloud services. Among other things, containers allow for rapid deployment, ephemeral workloads, and autoscaling of applications at scale. For organizations that work in an agile way and deploy services continuously, it’s an enormously popular piece of their infrastructure. Popular types of containers include: Kubernetes, Docker Swarm, OpenShift, and Mesosphere. Containers are a new and important component of modern environments, but as they still have to live in a shared host and cloud account facing similar threat vectors, their security cannot be treated in isolation. Lacework provides a holistic approach to container security as it supports this natively, while at the same time provides security for hosts and AWS accounts which if compromised can cause even larger scale damage to any container environment. Many organizations rely on containers to help them orchestrate among applications and data sources, and as this approach grows, security teams are discovering a corresponding increase in their overall threat surface. The people interviewed in this book offer insightful proof that while containers provide distinct advantages for workloads and applications, they also require focused, automated security to remain safe. Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www. lacework.com. Regards, Dan Hubbard Chief Product Officer
4 © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All  other marks mentioned herein may be trademarks of their respective companies. Lacework  reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Get actionable recommendations on how to improve your security and compliance posture for your AWS, Azure, GCP, and private cloud environments. FREE ASSESSMENT Streamline security for AWS, Azure,  and GCP.  Gain unmatched visibility,  ensure compliance, and enable  actionable threat intelligence.
5 TABLE OF CONTENTS Kathrine Riley, Director of Information Security & Compliance Braintrace.......................................................... 09 Mauro Loda, Senior Security Architect McKesson.......................................................... 11 Paul Dackiewicz, Lead Security Consulting Engineer Advanced Network Management (ANM)..................................... 08 James P. Courtney, Certified Chief Information Security Officer Courtney Consultants, LLC......................... 12 Darrell Shack Cloud Engineer Cox Automotive Inc....................................... 10 Milinda Rambel Stone, Vice President & CISO Provation Medical.......................................... 13 Ross Young, Director Capital One........................................................ 06
6 “CONTAINERS RUNNING SER- VICES OR APPLICATIONS ARE OFTEN OVERPRIVILEGED FOR THE FUNCTIONS THEY PERFORM.” There’s a lot to like about containers, but also a lot not to like from a security perspective. For one thing, they make the environment considerably more complex, which introduces potential vulnerabilities. For example, let’s say you have a normal Amazon EC2 server running something like a Linux-based operating system. Then you have to install a Docker engine on top of that. Now you have two types of vulnerabilities, one being whether you keep your host operating system (OS) patched and up to date, and the other is whether you configured your Docker engine correctly. Then if you install two applications as containers, the challenge becomes how you check to see if things are operating as they should. Historically one might look at network traffic from one EC2 instance to another. But in this simple example, there's no network traffic leaving that EC2 instance. You need better tools capable of inter- container monitoring of activity within one EC2 instance, and more inter- container access control and authentication. Ross Young, Director, Capital One Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
7 Another problem is that containers running services or applications are often overprivileged for the functions they perform. For instance, they are often set up with admin privileges for an application that doesn’t require those privileges. That means they now have the ability to see everything in the host OS, and also see other containers that are on that same EC2, including data. Solving this requires tools that run the service with the least privileges it needs so that it can’t break out of its container and get to the host OS. Another best practice that has started to evolve is using very small containers with minimum necessary privileges, and making them read-only containers so they can’t be changed. If you get hacked, the container still runs as intended. Ultimately, developers need to incorporate security to the point where they create security policy as code. This involves using tools that do security scanning during development and give developers instant feedback about vulnerabilities. n
8 “MANY PEOPLE DON’T REALIZE THE POTENTIAL FOR HAVING A SINGLE POINT OF FAILURE WITH MULTIPLE CONTAINERS GOING DOWN.” The easier it is to deploy code or apps, the greater the potential for propagating vulnerabilities. You need to manage these processes carefully and not get too comfortable with how easy it is to deploy and scale apps. Containers themselves are pretty secure. However, many people don’t realize the potential for having a single point of failure with multiple containers going down, for instance if a host server is lost. The impact of this kind of event depends on a number of factors, including how the original environment is configured for density. Securing an environment requires a layered approach that involves having security appliances at each step of the way, whether it’s a layer-three device, the endpoint itself, and how you authenticate into a system. The most important part of container security is access control. Once something has access to a system, there may be controls to detect behavior, and someone who is already in a system may approach very cautiously to avoid detection. It all comes back to appropriate access control. n Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value- added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
9 “SEGREGATIONOFDUTIES,AND SEGREGATIONOFACCESS…KEEPS YOURPRODUCTIONCONTAINER LOGICALLYSEPARATEDFROMITS DEVELOPMENTANDTESTSTATES.” Container security begins with enforcing roles and responsibilities during development, testing, and production. Ideally you will have segregation of duties and segregation of access, which keeps your production container logically separated from its development and test states. Defining roles and responsibilities, and turning those on and off, determines who or what process can promote a container from development to test, and from test to production. These definitions become an integral part of your change- management process. n Katherine Riley, Director of Information Security & Compliance, Braintrace Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
10 “IT IS VERY IMPORTANT WHEN YOU ARE PULLING CONTAINER IMAGES TO DRIVE A PROCESS, THAT YOU VERIFY THE AUTHEN- TICITY OF THOSE IMAGES.” One potential vulnerability with containers is that if one container is infected, that compromise can spread to the host. That’s because, unlike segmented environments where different applications can run on different operating systems, container environments typically run all the containers on top of one operating system, and the containers take their functionality from that operating system. This is why it is very important, when you are pulling container images to drive a process, that you verify the authenticity of those images. You need to verify the sources and make sure you are using a known, secure URL. Cloud-platform functions can help enforce the verification of images. For example, Amazon Web Services has an auto-scaling feature that monitors container activity. If a container is reaching capacity, AWS will automatically spin up an identical container to take on some of the load. If there is a reduction in load, AWS automatically destroys that container. The system will send notifications of these actions, which can be monitored on a dashboard. That’s important in environments hosting high-volume computing activity. n Darrell Shack , Cloud Engineer, Cox Automotive Inc. Darrell Shack is a seasoned system engineer focused on building resilient and high--availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.
11 “THE BIG CHALLENGE IN A MAS- SIVELY SCALED CONTAINER EN- VIRONMENT IS THE NEED TO CON- TINUOUSLY SCAN AND MONITOR FOR NONCOMPLIANT IMAGES…” Containers have many advantages, but the way containers sit on a common OS kernel creates a situation where compromising one single container can provide access to the OS kernel and all other containers associated with it. This requires continuous monitoring, and it requires a different approach to patch management. In a traditional environment, you patch all the time. However in a container environment, you do not continuously patch containers. When a vulnerability becomes known, you immediately update the container image and deploy completely new containers. This changes your entire approach to patch management. The big challenge in a massively scaled container environment is the need to continuously scan and monitor for noncompliant images, and authenticate images across different container platforms. Tools used to monitor container activity need to be adaptable to different situations at any point and time. A container that is streaming an application right now may not be in 10 seconds. The tools need to be intelligent, perhaps artificial intelligence (AI) driven. Everything is pattern based, behavior based, and risk based. The tools need to be able to protect you in a way that dynamically adapts to the current state of your constantly changing environment. n Mauro Loda, Senior Security Architect, McKesson Mauro Loda is a passionate, data- driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple- but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
12 “ANOTHER CHALLENGE FOR CONTAINERIZED ARCHITECTURES IS THAT THEY MAKE FORENSICS DIFFICULT.” The biggest security concern when using containers is that they come out of a centralized distribution area. This means if one file gets infected, that can affect everything in the environment. The big challenge for environments that use containers is how you minimize the risk of that centralized architecture. Another challenge for containerized architectures is that they make forensics difficult. In an environment that instantly spins up a machine to provide on-demand services and then eliminates that container when it is no longer needed, if the container is compromised, what did it do while it was up? For instance, if something jumped from a computer to an image and then got access from that image to another server before the image spun down, the image is now gone but the damage is already done. Even if you have good monitoring tools that triggered an alert on a machine that is now gone, you no longer have access. The bad guys, depending on what kind of access they get, can erase logs and do other things to cover their tracks. From a forensics point of view, once you’ve discovered you’ve been breached, the way containers work can make it very difficult to go back and trace the steps of an attack. If you have a large enough budget, you may be able to log everything, but that may not be feasible in a massively scaled environment. Addressing these challenges will fall on the way containerized environments are architected and built. Most developers are not taught and do not think about security first. They think application first and making it work. n James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
13 “THE REAL ISSUE IS WHETHER YOU HAVE A DISCIPLINE IN PLACE TO ENSURE SECURE USE OF CONTAINERS.” It’s not that the container creates the vulnerability. The real issue is whether you have a discipline in place to ensure secure use of containers. If you’re simply creating containers without monitoring and measuring, then you don’t have a consistent process. Your vulnerabilities will be replicated across your stacks because you don’t have disciplined engineering hygiene, and if that’s the case, things can go downhill fast. You have to focus on making sure those containers are consistent and that they’re healthy. One trend we’re seeing in the industry is this concept of cloud security. It’s a new discipline between the old-school definition of what security was and the concept of cloud, and there’s a shared level of skill between the cloud team and the security team. That’s where you can build a disciplined process across the two teams that works much better in the cloud than the old-school model of security. Part of the challenge is you are dealing with such a dynamic environment. What worked for you yesterday or even four hours ago might not work for you today or tomorrow. You have to be continually paying attention to potential new threats and risks. You need third-party assessments to validate the assumptions you’re making, whether they are accurate, and if you are taking the right steps to mitigate them. You need to take an engineering approach, and in this environment, if you’re running processes manually, you’re going to miss many things. It’s an environment where everything must be automated. n Milinda Rambel Stone, Vice President & CISO, Provation Medical Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
14 KEY POINTS If you’re just creating containers without monitoring and measuring, then you don’t have a consistent process. Your vulnerabilities will get replicated across your stacks because you don’t have disciplined engineering hygiene, and if that’s the case, things can go bad fast. The big challenge in a massively scaled container environment is the need to scan and monitor continuously for noncompliant images, and authenticate images across different container platforms. Tools used to monitor container activity need to be adaptable to different situations at any point and time. Ultimately, developers need to incorporate security to the point where they create security policy as code. This involves using tools that do security scanning during development and give developers instant feedback about vulnerabilities.
15 © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All  other marks mentioned herein may be trademarks of their respective companies. Lacework  reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Interested in more? Try Lacework for free and validate the security  of your cloud: TRY FOR FREE Streamline security for AWS, Azure,  and GCP.  Gain unmatched visibility,  ensure compliance, and enable  actionable threat intelligence.

Recomendados

Resetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudResetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudMighty Guides, Inc.
 
Comprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachComprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachCloudPassage
 
Security in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your DataSecurity in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your DataProcore Technologies
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSAmazon Web Services
 
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar DeckHow PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar DeckAmazon Web Services
 
Csathreats.v1.0
Csathreats.v1.0Csathreats.v1.0
Csathreats.v1.0vivek_kale27
 
Stay Ahead of Risk
Stay Ahead of RiskStay Ahead of Risk
Stay Ahead of RiskProcore Technologies
 
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdfsecureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdfYounesChafi1
 

Recomendados

Resetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudResetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudMighty Guides, Inc.
 
Comprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachComprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachCloudPassage
 
Security in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your DataSecurity in the Cloud: Tips on How to Protect Your Data
Security in the Cloud: Tips on How to Protect Your DataProcore Technologies
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSAmazon Web Services
 
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar DeckHow PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar Deck
How PagerDuty Achieved End-to-End Visibility with Splunk and AWS Webinar DeckAmazon Web Services
 
Csathreats.v1.0
Csathreats.v1.0Csathreats.v1.0
Csathreats.v1.0vivek_kale27
 
Stay Ahead of Risk
Stay Ahead of RiskStay Ahead of Risk
Stay Ahead of RiskProcore Technologies
 
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdfsecureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdfYounesChafi1
 
Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewAllessandra Negri
 
EveryCloud_Company_Intro_Piece
EveryCloud_Company_Intro_PieceEveryCloud_Company_Intro_Piece
EveryCloud_Company_Intro_PiecePaul Richards
 
2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdfYounesChafi1
 
Twistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityTwistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityMighty Guides, Inc.
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containersartseremis
 
netskope-casb-for-microsoft-365.pdf
netskope-casb-for-microsoft-365.pdfnetskope-casb-for-microsoft-365.pdf
netskope-casb-for-microsoft-365.pdftest888649
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesNJVC, LLC
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Mighty Guides, Inc.
 
PRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Project
 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudSafeNet
 
Cloud summit demystifying cloud security
Cloud summit demystifying cloud securityCloud summit demystifying cloud security
Cloud summit demystifying cloud securityDavid De Vos
 
Websense security prediction 2014
Websense security prediction 2014Websense security prediction 2014
Websense security prediction 2014Bee_Ware
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14L S Subramanian
 
Tour de France Azure PaaS 5/7 Accélérer avec le DevOps
Tour de France Azure PaaS 5/7 Accélérer avec le DevOpsTour de France Azure PaaS 5/7 Accélérer avec le DevOps
Tour de France Azure PaaS 5/7 Accélérer avec le DevOpsAlex Danvy
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik FergusonCloudExpoEurope
 
Cloud security (domain11 14)
Cloud security (domain11 14)Cloud security (domain11 14)
Cloud security (domain11 14)Maganathin Veeraragaloo
 
Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
WP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdfWP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdfChristopher Doman
 
Overcoming the five hybrid cloud adoption challenges
Overcoming the five hybrid cloud adoption challengesOvercoming the five hybrid cloud adoption challenges
Overcoming the five hybrid cloud adoption challengesCloudify Community
 
Cloud security
Cloud security Cloud security
Cloud security Mohamed Shalash
 

Más contenido relacionado

La actualidad más candente

Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewAllessandra Negri
 
EveryCloud_Company_Intro_Piece
EveryCloud_Company_Intro_PieceEveryCloud_Company_Intro_Piece
EveryCloud_Company_Intro_PiecePaul Richards
 
2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdfYounesChafi1
 
Twistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityTwistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityMighty Guides, Inc.
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containersartseremis
 
netskope-casb-for-microsoft-365.pdf
netskope-casb-for-microsoft-365.pdfnetskope-casb-for-microsoft-365.pdf
netskope-casb-for-microsoft-365.pdftest888649
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesNJVC, LLC
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Mighty Guides, Inc.
 
PRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Project
 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudSafeNet
 
Cloud summit demystifying cloud security
Cloud summit demystifying cloud securityCloud summit demystifying cloud security
Cloud summit demystifying cloud securityDavid De Vos
 
Websense security prediction 2014
Websense security prediction 2014Websense security prediction 2014
Websense security prediction 2014Bee_Ware
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14L S Subramanian
 
Tour de France Azure PaaS 5/7 Accélérer avec le DevOps
Tour de France Azure PaaS 5/7 Accélérer avec le DevOpsTour de France Azure PaaS 5/7 Accélérer avec le DevOps
Tour de France Azure PaaS 5/7 Accélérer avec le DevOpsAlex Danvy
 

La actualidad más candente (17)

Microsoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overviewMicrosoft threat protection + wdatp+ aatp overview
Microsoft threat protection + wdatp+ aatp overview
 
EveryCloud_Company_Intro_Piece
EveryCloud_Company_Intro_PieceEveryCloud_Company_Intro_Piece
EveryCloud_Company_Intro_Piece
 
2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf
 
Twistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityTwistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native Security
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containers
 
netskope-casb-for-microsoft-365.pdf
netskope-casb-for-microsoft-365.pdfnetskope-casb-for-microsoft-365.pdf
netskope-casb-for-microsoft-365.pdf
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military Agencies
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
 
PRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by Design
 
ProtectV - Data Security for the Cloud
ProtectV - Data Security for the CloudProtectV - Data Security for the Cloud
ProtectV - Data Security for the Cloud
 
Cloud summit demystifying cloud security
Cloud summit demystifying cloud securityCloud summit demystifying cloud security
Cloud summit demystifying cloud security
 
Websense security prediction 2014
Websense security prediction 2014Websense security prediction 2014
Websense security prediction 2014
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14
 
Tour de France Azure PaaS 5/7 Accélérer avec le DevOps
Tour de France Azure PaaS 5/7 Accélérer avec le DevOpsTour de France Azure PaaS 5/7 Accélérer avec le DevOps
Tour de France Azure PaaS 5/7 Accélérer avec le DevOps
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Cloud security (domain11 14)
Cloud security (domain11 14)Cloud security (domain11 14)
Cloud security (domain11 14)
 

Similar a Avoiding Container Vulnerabilities

Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
WP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdfWP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdfChristopher Doman
 
Overcoming the five hybrid cloud adoption challenges
Overcoming the five hybrid cloud adoption challengesOvercoming the five hybrid cloud adoption challenges
Overcoming the five hybrid cloud adoption challengesCloudify Community
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxmccormicknadine86
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
Migrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotalMigrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotalkkdlavak3
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Tim Kirby
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal
Migrating_to_Cloud-Native_App_Architectures_PivotalMigrating_to_Cloud-Native_App_Architectures_Pivotal
Migrating_to_Cloud-Native_App_Architectures_PivotalEstevan McCalley
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Dean Bruckman
 
Implementing security groups in open stack
Implementing security groups in open stackImplementing security groups in open stack
Implementing security groups in open stackRishabh Agarwal
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
Azure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 complianceAzure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 complianceErlinkencana
 
The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityVAST
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Reactive Architecture
Reactive ArchitectureReactive Architecture
Reactive ArchitectureKnoldus Inc.
 
IRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET Journal
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWSAlert Logic
 

Similar a Avoiding Container Vulnerabilities (20)

Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to Security
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
WP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdfWP_ Five Reasons Why_Jan_2023.pdf
WP_ Five Reasons Why_Jan_2023.pdf
 
Overcoming the five hybrid cloud adoption challenges
Overcoming the five hybrid cloud adoption challengesOvercoming the five hybrid cloud adoption challenges
Overcoming the five hybrid cloud adoption challenges
 
Cloud security
Cloud security Cloud security
Cloud security
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docx
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
Migrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotalMigrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotal
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal
Migrating_to_Cloud-Native_App_Architectures_PivotalMigrating_to_Cloud-Native_App_Architectures_Pivotal
Migrating_to_Cloud-Native_App_Architectures_Pivotal
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
 
Implementing security groups in open stack
Implementing security groups in open stackImplementing security groups in open stack
Implementing security groups in open stack
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
Azure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 complianceAzure 13 effective security controls for iso 27001 compliance
Azure 13 effective security controls for iso 27001 compliance
 
The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud Security
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Reactive Architecture
Reactive ArchitectureReactive Architecture
Reactive Architecture
 
IRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in Cloud
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 

Más de Mighty Guides, Inc.

7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 Defender7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 DefenderMighty Guides, Inc.
 
7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure SentinelMighty Guides, Inc.
 
7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for EndpointMighty Guides, Inc.
 
8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App DeliveryMighty Guides, Inc.
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience 7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience Mighty Guides, Inc.
 
Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Mighty Guides, Inc.
 
Workfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionWorkfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionMighty Guides, Inc.
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyWorkfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyMighty Guides, Inc.
 
Citrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceCitrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceMighty Guides, Inc.
 
7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)Mighty Guides, Inc.
 
15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field MarketingMighty Guides, Inc.
 
Kyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityKyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityMighty Guides, Inc.
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersBlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersMighty Guides, Inc.
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI 11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI Mighty Guides, Inc.
 
Defining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowDefining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowMighty Guides, Inc.
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROIMighty Guides, Inc.
 
Iron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationIron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationMighty Guides, Inc.
 
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic AdvantageNtiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic AdvantageMighty Guides, Inc.
 
Iron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital TransformationIron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital TransformationMighty Guides, Inc.
 

Más de Mighty Guides, Inc. (20)

7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 Defender7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 Defender
 
7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel
 
7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint
 
8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience 7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
 
Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?
 
Workfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionWorkfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign Execution
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyWorkfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
 
Citrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceCitrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee Experience
 
7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)
 
15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing
 
Kyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityKyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating Liquidity
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersBlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI 11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Defining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowDefining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You How
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Iron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationIron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace Transformation
 
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic AdvantageNtiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
 
Iron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital TransformationIron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital Transformation
 

Último

MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 

Último (20)

MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 

Avoiding Container Vulnerabilities

  • 1. AVOIDINGCONTAINERVULNERABILITIES Seven experts discuss potential risks associated with containers and how to address those risks. Sponsored by
  • 2. 2 INTRODUCTION Containers offer an unprecedented opportunity to scale cloud-based services, make incremental changes without disrupting larger processes, and rapidly respond to changing operational requirements. They also introduce a new uncertainty into the cloud-security picture. Containers and their use are still evolving and maturing. To get a better understanding of potential risks associated with containers and how best to address those risks, we asked the security experts the following question: What vulnerabilities do containers create, and how do you protect against them? Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty. © 2019 Mighty Guides, Inc. I 62 Nassau Drive I Great Neck, NY 11021 I 516-360-2622 I www.mightyguides.com
  • 3. 3 FOREWORD Containers and Orchestration Create New Vulnerabilities Over the last few years we have seen a dramatic rise in the use of containers and container orchestration systems for the coordination and management of cloud services. Among other things, containers allow for rapid deployment, ephemeral workloads, and autoscaling of applications at scale. For organizations that work in an agile way and deploy services continuously, it’s an enormously popular piece of their infrastructure. Popular types of containers include: Kubernetes, Docker Swarm, OpenShift, and Mesosphere. Containers are a new and important component of modern environments, but as they still have to live in a shared host and cloud account facing similar threat vectors, their security cannot be treated in isolation. Lacework provides a holistic approach to container security as it supports this natively, while at the same time provides security for hosts and AWS accounts which if compromised can cause even larger scale damage to any container environment. Many organizations rely on containers to help them orchestrate among applications and data sources, and as this approach grows, security teams are discovering a corresponding increase in their overall threat surface. The people interviewed in this book offer insightful proof that while containers provide distinct advantages for workloads and applications, they also require focused, automated security to remain safe. Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www. lacework.com. Regards, Dan Hubbard Chief Product Officer
  • 4. 4 © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All  other marks mentioned herein may be trademarks of their respective companies. Lacework  reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Get actionable recommendations on how to improve your security and compliance posture for your AWS, Azure, GCP, and private cloud environments. FREE ASSESSMENT Streamline security for AWS, Azure,  and GCP.  Gain unmatched visibility,  ensure compliance, and enable  actionable threat intelligence.
  • 5. 5 TABLE OF CONTENTS Kathrine Riley, Director of Information Security & Compliance Braintrace.......................................................... 09 Mauro Loda, Senior Security Architect McKesson.......................................................... 11 Paul Dackiewicz, Lead Security Consulting Engineer Advanced Network Management (ANM)..................................... 08 James P. Courtney, Certified Chief Information Security Officer Courtney Consultants, LLC......................... 12 Darrell Shack Cloud Engineer Cox Automotive Inc....................................... 10 Milinda Rambel Stone, Vice President & CISO Provation Medical.......................................... 13 Ross Young, Director Capital One........................................................ 06
  • 6. 6 “CONTAINERS RUNNING SER- VICES OR APPLICATIONS ARE OFTEN OVERPRIVILEGED FOR THE FUNCTIONS THEY PERFORM.” There’s a lot to like about containers, but also a lot not to like from a security perspective. For one thing, they make the environment considerably more complex, which introduces potential vulnerabilities. For example, let’s say you have a normal Amazon EC2 server running something like a Linux-based operating system. Then you have to install a Docker engine on top of that. Now you have two types of vulnerabilities, one being whether you keep your host operating system (OS) patched and up to date, and the other is whether you configured your Docker engine correctly. Then if you install two applications as containers, the challenge becomes how you check to see if things are operating as they should. Historically one might look at network traffic from one EC2 instance to another. But in this simple example, there's no network traffic leaving that EC2 instance. You need better tools capable of inter- container monitoring of activity within one EC2 instance, and more inter- container access control and authentication. Ross Young, Director, Capital One Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
  • 7. 7 Another problem is that containers running services or applications are often overprivileged for the functions they perform. For instance, they are often set up with admin privileges for an application that doesn’t require those privileges. That means they now have the ability to see everything in the host OS, and also see other containers that are on that same EC2, including data. Solving this requires tools that run the service with the least privileges it needs so that it can’t break out of its container and get to the host OS. Another best practice that has started to evolve is using very small containers with minimum necessary privileges, and making them read-only containers so they can’t be changed. If you get hacked, the container still runs as intended. Ultimately, developers need to incorporate security to the point where they create security policy as code. This involves using tools that do security scanning during development and give developers instant feedback about vulnerabilities. n
  • 8. 8 “MANY PEOPLE DON’T REALIZE THE POTENTIAL FOR HAVING A SINGLE POINT OF FAILURE WITH MULTIPLE CONTAINERS GOING DOWN.” The easier it is to deploy code or apps, the greater the potential for propagating vulnerabilities. You need to manage these processes carefully and not get too comfortable with how easy it is to deploy and scale apps. Containers themselves are pretty secure. However, many people don’t realize the potential for having a single point of failure with multiple containers going down, for instance if a host server is lost. The impact of this kind of event depends on a number of factors, including how the original environment is configured for density. Securing an environment requires a layered approach that involves having security appliances at each step of the way, whether it’s a layer-three device, the endpoint itself, and how you authenticate into a system. The most important part of container security is access control. Once something has access to a system, there may be controls to detect behavior, and someone who is already in a system may approach very cautiously to avoid detection. It all comes back to appropriate access control. n Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value- added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
  • 9. 9 “SEGREGATIONOFDUTIES,AND SEGREGATIONOFACCESS…KEEPS YOURPRODUCTIONCONTAINER LOGICALLYSEPARATEDFROMITS DEVELOPMENTANDTESTSTATES.” Container security begins with enforcing roles and responsibilities during development, testing, and production. Ideally you will have segregation of duties and segregation of access, which keeps your production container logically separated from its development and test states. Defining roles and responsibilities, and turning those on and off, determines who or what process can promote a container from development to test, and from test to production. These definitions become an integral part of your change- management process. n Katherine Riley, Director of Information Security & Compliance, Braintrace Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
  • 10. 10 “IT IS VERY IMPORTANT WHEN YOU ARE PULLING CONTAINER IMAGES TO DRIVE A PROCESS, THAT YOU VERIFY THE AUTHEN- TICITY OF THOSE IMAGES.” One potential vulnerability with containers is that if one container is infected, that compromise can spread to the host. That’s because, unlike segmented environments where different applications can run on different operating systems, container environments typically run all the containers on top of one operating system, and the containers take their functionality from that operating system. This is why it is very important, when you are pulling container images to drive a process, that you verify the authenticity of those images. You need to verify the sources and make sure you are using a known, secure URL. Cloud-platform functions can help enforce the verification of images. For example, Amazon Web Services has an auto-scaling feature that monitors container activity. If a container is reaching capacity, AWS will automatically spin up an identical container to take on some of the load. If there is a reduction in load, AWS automatically destroys that container. The system will send notifications of these actions, which can be monitored on a dashboard. That’s important in environments hosting high-volume computing activity. n Darrell Shack , Cloud Engineer, Cox Automotive Inc. Darrell Shack is a seasoned system engineer focused on building resilient and high--availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.
  • 11. 11 “THE BIG CHALLENGE IN A MAS- SIVELY SCALED CONTAINER EN- VIRONMENT IS THE NEED TO CON- TINUOUSLY SCAN AND MONITOR FOR NONCOMPLIANT IMAGES…” Containers have many advantages, but the way containers sit on a common OS kernel creates a situation where compromising one single container can provide access to the OS kernel and all other containers associated with it. This requires continuous monitoring, and it requires a different approach to patch management. In a traditional environment, you patch all the time. However in a container environment, you do not continuously patch containers. When a vulnerability becomes known, you immediately update the container image and deploy completely new containers. This changes your entire approach to patch management. The big challenge in a massively scaled container environment is the need to continuously scan and monitor for noncompliant images, and authenticate images across different container platforms. Tools used to monitor container activity need to be adaptable to different situations at any point and time. A container that is streaming an application right now may not be in 10 seconds. The tools need to be intelligent, perhaps artificial intelligence (AI) driven. Everything is pattern based, behavior based, and risk based. The tools need to be able to protect you in a way that dynamically adapts to the current state of your constantly changing environment. n Mauro Loda, Senior Security Architect, McKesson Mauro Loda is a passionate, data- driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple- but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
  • 12. 12 “ANOTHER CHALLENGE FOR CONTAINERIZED ARCHITECTURES IS THAT THEY MAKE FORENSICS DIFFICULT.” The biggest security concern when using containers is that they come out of a centralized distribution area. This means if one file gets infected, that can affect everything in the environment. The big challenge for environments that use containers is how you minimize the risk of that centralized architecture. Another challenge for containerized architectures is that they make forensics difficult. In an environment that instantly spins up a machine to provide on-demand services and then eliminates that container when it is no longer needed, if the container is compromised, what did it do while it was up? For instance, if something jumped from a computer to an image and then got access from that image to another server before the image spun down, the image is now gone but the damage is already done. Even if you have good monitoring tools that triggered an alert on a machine that is now gone, you no longer have access. The bad guys, depending on what kind of access they get, can erase logs and do other things to cover their tracks. From a forensics point of view, once you’ve discovered you’ve been breached, the way containers work can make it very difficult to go back and trace the steps of an attack. If you have a large enough budget, you may be able to log everything, but that may not be feasible in a massively scaled environment. Addressing these challenges will fall on the way containerized environments are architected and built. Most developers are not taught and do not think about security first. They think application first and making it work. n James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
  • 13. 13 “THE REAL ISSUE IS WHETHER YOU HAVE A DISCIPLINE IN PLACE TO ENSURE SECURE USE OF CONTAINERS.” It’s not that the container creates the vulnerability. The real issue is whether you have a discipline in place to ensure secure use of containers. If you’re simply creating containers without monitoring and measuring, then you don’t have a consistent process. Your vulnerabilities will be replicated across your stacks because you don’t have disciplined engineering hygiene, and if that’s the case, things can go downhill fast. You have to focus on making sure those containers are consistent and that they’re healthy. One trend we’re seeing in the industry is this concept of cloud security. It’s a new discipline between the old-school definition of what security was and the concept of cloud, and there’s a shared level of skill between the cloud team and the security team. That’s where you can build a disciplined process across the two teams that works much better in the cloud than the old-school model of security. Part of the challenge is you are dealing with such a dynamic environment. What worked for you yesterday or even four hours ago might not work for you today or tomorrow. You have to be continually paying attention to potential new threats and risks. You need third-party assessments to validate the assumptions you’re making, whether they are accurate, and if you are taking the right steps to mitigate them. You need to take an engineering approach, and in this environment, if you’re running processes manually, you’re going to miss many things. It’s an environment where everything must be automated. n Milinda Rambel Stone, Vice President & CISO, Provation Medical Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
  • 14. 14 KEY POINTS If you’re just creating containers without monitoring and measuring, then you don’t have a consistent process. Your vulnerabilities will get replicated across your stacks because you don’t have disciplined engineering hygiene, and if that’s the case, things can go bad fast. The big challenge in a massively scaled container environment is the need to scan and monitor continuously for noncompliant images, and authenticate images across different container platforms. Tools used to monitor container activity need to be adaptable to different situations at any point and time. Ultimately, developers need to incorporate security to the point where they create security policy as code. This involves using tools that do security scanning during development and give developers instant feedback about vulnerabilities.