
Docker Docker - Docker Security - Docker

Date post: 22-Jan-2018
Author: boyd-hemphill
Transcript
1. @behemphi @stackengine
   DOCKER DOCKER DOCKER... SECURITY... DOCKER
   BOYD HEMPHILL, DIRECTOR OF EVANGELISM
2-4. GOALS
   - Understand why Docker is such a big deal
   - Consider Docker security concerns
   - Ponder a rational Docker adoption strategy
   (Love to @petecheslock)
5. BOYD HEMPHILL: "As an Ops director, I am personally guilty of pooping rainbows on security concerns."
6-9. WHO AM I?
   - Technologist
   - Community builder
   - Extroverted nerd
   - Evangelist
10. THE AUSTIN DEVOPS COMMUNITY: "Come to Docker Austin and Austin DevOps. Your participation will move the conversations towards your passion: security."
11-13. THIS THING OF WHICH YOU SPEAK?
   - Docker Docker Docker
   - Orchestration, service discovery, community
   Like what you hear? Come join the conversation: http://goo.gl/YyyJOx
14. BOB QUILLIN, CEO: "Buy copious amounts of StackEngine goodness."
15-17. WHO ARE YOU?
   - Have heard of Docker?
   - Have experimented with Docker on the job?
   - Are using Docker in a production environment?
18. SECURITY HOBBITS: "Unicorns nothing, Balrogs is more like it!"
19-22. COMMON GROUND
   - Philosophy
   - Model
   - Implementation
   - Tooling
23. Don't be a tools
24. HTTPS://GOO.GL/RT2SWF
25-28. MICRO-SERVICES, MICRO-TEAMS
   - Docker makes micro-service philosophy available to mere mortals
   - Containers are infrastructure boundaries for services
   - Extraordinary business for early adopters. Terrifying
29. THE UNENLIGHTENED?: "Developer freedom is antithetical to practical security"
30-32. PROCESS DENSITY
   - ~2.2% of US power is data centers. http://goo.gl/1TBdd7
   - Docker adoptions are cutting infrastructure spend by 50% to 80%. http://goo.gl/vB4UDF
   - Density comes with its own problems
33. DEVOPS: Lessons learned from early Ops adoption will inform security efforts.
34. QUICK SUMMARY
   Significant business advantages:
   - Cost savings (linux.com: https://goo.gl/CJM6ZX)
   - Increase feature velocity
   - Increase innovation
   - Reduce communication friction
   Understand the pitfalls and plan for them. Don't reject new, make it better.
35. DOCKER AND $1,000,000,000: Docker is worthy of your consideration.
36-38. IDENTITY MANAGEMENT
   - You are root and so is anyone else who can `docker run`
   - Orchestration tools such as StackEngine address this.
   - Look for ACLs at the API, CLI and GUI levels.
39. SOME BAD ACTOR, OR SOME DEVELOPER WITH A GOOD IDEA:
   `docker run --privileged --entrypoint "rm -rf /root" -v /root:/root:rw stackhub/haproxy`
40. HTTP://GOO.GL/UHIKPR
41-43. IMAGE VERIFICATION
   - This is not a new problem
   - Docker Content Trust
   - Caveats: not enabled by default; image authors must make the effort
44. http://goo.gl/lU7zLk
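A defender's check for the two concerns above (anyone who can `docker run` is root on the host; an image pulled by tag is unverified), added here as example code that is not from the talk or from StackEngine: it parses the JSON that `docker inspect` prints and flags privileged containers, bind mounts of sensitive host paths, and images referenced by mutable tag instead of digest. The sample records and the digest are constructed; for real use feed it the output of `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` output for the risks the slides name. Added
example, not code from the talk or from StackEngine."""
import json
import re

# Host paths whose bind mount hands the container control of the host.
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/run/docker.sock")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _is_sensitive(src):
    return any(src == p or (p != "/" and src.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def audit_container(c):
    """Return finding strings for one `docker inspect` container record."""
    name = c.get("Name", "?").lstrip("/")
    findings = []
    if c.get("HostConfig", {}).get("Privileged"):
        findings.append(f"{name}: runs --privileged (root in the container is root on the host)")
    for m in c.get("Mounts", []):
        src = m.get("Source", "")
        if m.get("Type") == "bind" and _is_sensitive(src):
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(f"{name}: bind-mounts host path {src} ({mode})")
    ref = c.get("Config", {}).get("Image", "")
    if not DIGEST_RE.search(ref):
        findings.append(f"{name}: image {ref!r} referenced by mutable tag, not digest")
    return findings


def audit(inspect_json):
    """Run audit_container over the JSON array that `docker inspect` prints."""
    return [f for c in json.loads(inspect_json) for f in audit_container(c)]


# Constructed sample shaped like `docker inspect` output: the talk's
# `--privileged -v /root:/root:rw stackhub/haproxy` container beside a
# non-privileged one pinned by digest (placeholder digest, not a real image).
SAMPLE = json.dumps([
    {"Name": "/bad", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/root", "Destination": "/root", "RW": True}],
     "Config": {"Image": "stackhub/haproxy"}},
    {"Name": "/good", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/v/_data",
                 "Destination": "/data", "RW": True}],
     "Config": {"Image": "stackhub/haproxy@sha256:" + "0" * 64}},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```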
45-50. DOCKER AS A HYPERVISOR
   - Venom: http://goo.gl/4VyTKv
   - Battle hardening, project inception date: Docker 2013, Xen 2003, KVM 2005
   - Complexity, lines of code: Docker 300k (goo.gl/m8lIn0), Xen 500k (goo.gl/xu2uVc), KVM 13,500k (goo.gl/9wSPM7)
   - Code churn [chart; labels: Docker, Xen, Docker Lang, KVM]
   - Rate of change, commits per month over the previous 12 months: Docker 627, Xen 204, KVM 5894
   - Contributors over the previous 12 months: Docker 634, Xen 116, KVM 3580
51. Summary table

   Project   Inception   Lines of code   Churn (commits/month)   Contributors
   Docker    2013        300k            627                     634
   Xen       2003        500k            204                     116
   KVM       2005        13,500k         5894                    3580

52. BOYD HEMPHILL: "If nothing else, running Docker in a Hypervisor as a security measure should be considered more closely." Thanks https://www.openhub.net/ !
53. BLACK BOX TESTING
54-58. DEVOPS 2.0
   - Ops is a bottleneck, then DevOps
   - Sec is a bottleneck, now DevSec
   - Black box testing with full cheats
   - Security is a form of quality. Move it as far to the front of the SDLC as possible.
   - Attack yourself, make it a game and build it into daily workflows.
59. PARAPHRASING ADRIAN COCKCROFT: "Attack yourself, celebrate your breaches."
60. STRANGLER PATTERN: http://goo.gl/YkrgqE. Replace one thing at a time and do it well
61. Evolution, not revolution. Revolutions are bloody and never achieve the original goal.
62. @stackengine @behemphi JOHNNY APPLESEED: Questions, comments, tomatoes?
