Docker Docker Docker… Security… Docker. Boyd Hemphill, Director of Evangelism (@behemphi, @stackengine)
Transcript
1. DOCKER DOCKER DOCKER … SECURITY … DOCKER
   Boyd Hemphill, Director of Evangelism
2-4. GOALS
   - Understand why Docker is such a big deal
   - Consider Docker security concerns
   - Ponder a rational Docker adoption strategy
   Love to @petecheslock
5. BOYD HEMPHILL
   As an Ops director, I am personally guilty of pooping rainbows on security concerns.
6-9. WHO AM I?
   - Technologist
   - Community Builder
   - Extroverted Nerd
   - Evangelist
10. THE AUSTIN DEVOPS COMMUNITY
   Come to Docker Austin and Austin DevOps. Your participation will move the conversations towards your passion: security.
11-13. THIS THING OF WHICH YOU SPEAK?
   - Docker Docker Docker
   - Orchestration, Service Discovery, Community
   Like what you hear? Come join the conversation: http://goo.gl/YyyJOx
14. BOB QUILLIN, CEO
   Buy copious amounts of StackEngine goodness.
15-17. WHO ARE YOU?
   - Have heard of Docker?
   - Have experimented with Docker on the job?
   - Are using Docker in a production environment?
18. SECURITY HOBBITS
   Unicorns nothing, Balrogs is more like it!
19-22. COMMON GROUND
   - Philosophy
   - Model
   - Implementation
   - Tooling
23. Don't be a tool.
24. https://goo.gl/RT2SWF
25-28. MICRO-SERVICES, MICRO-TEAMS
   - Docker makes micro-service philosophy available to mere mortals
   - Containers are infrastructure boundaries for services
   - Extraordinary business for early adopters.
   - Terrifying
29. THE UNENLIGHTENED?
   Developer freedom is antithetical to practical security
30-32. PROCESS DENSITY
   - ~2.2% of US power is data centers. http://goo.gl/1TBdd7
   - Docker adoptions are cutting infrastructure spend by 50% to 80%. http://goo.gl/vB4UDF
   - Density comes with its own problems
33. DEVOPS
   Lessons learned from early Ops adoption will inform security efforts.
34. QUICK SUMMARY
   Significant business advantages:
   - Cost savings (linux.com: https://goo.gl/CJM6ZX)
   - Increase feature velocity
   - Increase innovation
   - Reduce communication friction
   Understand the pitfalls and plan for them. Don't reject new, make it better.
35. DOCKER AND $1,000,000,000
   Docker is worthy of your consideration.
36-38. IDENTITY MANAGEMENT
   - You are root, and so is anyone else who can `docker run`
   - Orchestration tools such as StackEngine address this.
   - Look for ACLs at the API, CLI and GUI levels.
39. SOME BAD ACTOR OR SOME DEVELOPER WITH A GOOD IDEA
   `docker run --privileged --entrypoint "rm -rf /root" -v /root:/root:rw stackhub/haproxy`
40. http://goo.gl/UHIKPR
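A defender-side check for the kind of command on slide 39, added here as an example and not part of the deck or of Docker itself: a hypothetical policy linter that flags `--privileged`, bind mounts of sensitive host paths and entrypoint overrides in a `docker run` line before it reaches the daemon. The sensitive-path list and the sample commands are constructed assumptions.

```python
import shlex
from typing import List, Tuple

# Constructed policy list: bind-mounting any of these hands the container the host's keys.
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/run/docker.sock", "/proc", "/sys")


def _sensitive(src: str) -> bool:
    """True if src is, or lives under, one of the sensitive host paths."""
    src = src.rstrip("/") or "/"
    return any(src == p or (p != "/" and src.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def _opt_value(arg: str, args: List[str], i: int) -> Tuple[str, int]:
    """Value of '--opt=value' or '--opt value'; returns (value, extra args consumed)."""
    if "=" in arg:
        return arg.split("=", 1)[1], 0
    return (args[i + 1], 1) if i + 1 < len(args) else ("", 0)


def audit_docker_run(cmdline: str) -> List[str]:
    """Return policy findings for one `docker run` command line (empty if clean).

    Flags the three things the slide's command combines: --privileged, a bind
    mount of a sensitive host path, and an entrypoint override. Only the
    -v/--volume "host:container[:mode]" syntax is parsed; named volumes are ignored.
    """
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        return []
    findings: List[str] = []
    args, i = argv[2:], 0
    while i < len(args):
        arg = args[i]
        if arg == "--privileged":
            findings.append("--privileged: all capabilities and host devices, no default confinement")
        elif arg in ("-v", "--volume") or arg.startswith("--volume="):
            spec, used = _opt_value(arg, args, i)
            i += used
            parts = spec.split(":")
            if len(parts) >= 2 and parts[0].startswith("/") and _sensitive(parts[0]):
                mode = parts[2] if len(parts) > 2 else "rw"  # docker's default is read-write
                findings.append(f"bind mount of sensitive host path {parts[0]} ({mode})")
        elif arg == "--entrypoint" or arg.startswith("--entrypoint="):
            cmd, used = _opt_value(arg, args, i)
            i += used
            findings.append(f"--entrypoint override runs {cmd!r} instead of the image's own entrypoint")
        i += 1
    return findings


# Constructed samples: the exact command from the slide, and a benign variant.
SLIDE_COMMAND = 'docker run --privileged --entrypoint "rm -rf /root" -v /root:/root:rw stackhub/haproxy'
BENIGN_COMMAND = "docker run -v /srv/haproxy/conf:/usr/local/etc/haproxy:ro stackhub/haproxy"

if __name__ == "__main__":
    for finding in audit_docker_run(SLIDE_COMMAND):
        print(finding)
```

The same parser can be pointed at a CI job or orchestration API request body to reject a `docker run` before it reaches a host where the caller would otherwise be root.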
41-43. IMAGE VERIFICATION
   - This is not a new problem
   - Docker Content Trust
   - Caveats: not enabled by default; image authors must make the effort
44. http://goo.gl/lU7zLk
45-50. DOCKER AS A HYPERVISOR
   - Venom http://goo.gl/4VyTKv
   - Battle hardening: project inception date
       Docker 2013, Xen 2003, KVM 2005
   - Complexity: lines of code
       Docker     300k    goo.gl/m8lIn0
       Xen        500k    goo.gl/xu2uVc
       KVM     13,500k    goo.gl/9wSPM7
   - Code churn (chart: Docker, Xen, Docker lang, KVM)
   - Rate of change: commits per month, previous 12 months
       Docker 627, Xen 204, KVM 5894
   - Contributors, previous 12 months
       Docker 634, Xen 116, KVM 3580
52. BOYD HEMPHILL
   If nothing else, running Docker in a hypervisor as a security measure should be considered more closely. Thanks https://www.openhub.net/ !
53. BLACK BOX TESTING
54-58. DEVOPS 2.0
   - Ops is a bottleneck, then DevOps
   - Sec is a bottleneck, now DevSec
   - Black box testing with full cheats
   - Security is a form of quality. Move it as far to the front of the SDLC as possible.
   - Attack yourself, make it a game and build it into daily workflows.
59. PARAPHRASING ADRIAN COCKCROFT
   Attack yourself, celebrate your breaches.
60. STRANGLER PATTERN
   http://goo.gl/YkrgqE
   Replace one thing at a time and do it well
61. Evolution, not revolution. Revolutions are bloody and never achieve the original goal.
62. JOHNNY APPLESEED
   Questions, comments, tomatoes?