Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Cloud-Native Applications Jason Schmitt CEO

Published bySabrina Hoover Modified over 6 years ago

Similar presentations

Presentation on theme: "Securing Cloud-Native Applications Jason Schmitt CEO"— Presentation transcript:

1 Securing Cloud-Native Applications Jason Schmitt CEO

2 Cloud-Native Architecture

3 Microservices Security Challenges
Dynamic nature of microservices invalidates existing network security approaches & reduces deployment velocity Identity, certificates, secrets, and encryption create huge operational problems API is the new resource. AuthN/AuthZ for APIs are done in business logic or not accounted for Cloud, container adoption introduce new threat vectors and new security operational models

4 Core Tenants of a Microservice Security Solution

5 Comprehensive approach is required
API Three layers in microservice security stack Container runtime: host interactions Network access Why take a cross stack view? No silver bullet to security Stronger detection: Correlation of events across the stack Stronger protection: Exercise zero trust least privilege access control across the stack

6 Multi-attribute Identity
Zero Trust AuthN/AuthZ through identity Service identity consists of Vulnerability data from image scans Metadata: Image, build data, type (frontend, backend) User identity JWT scopes assigned by OIDC compliant Identity Provider User [User identity] Service/API [Service identity] Multi-attribute Identity Service/API [Service identity]

7 Monolith on bare-metal
Heterogenous deployments are much more complex Kubernetes cluster ECS Service mesh VM Monolith on bare-metal Private Cloud

8 Best Practices

9 Integrate security into CD pipeline
Manual (impacts velocity) Production deployment with security/compliance Build Unit Test Deploy to stage Acceptance test Production deployment with security/compliance Automated Automated Automated Automated Automate deployment of security through continuous deployment (CD) pipeline so security is no longer a hindrance to deployment velocity. How? Enable declarative security policies – treat security policies as code Decouple security from infrastructure

10 Compute, Network & Storage on Private or Public Cloud
Decouple security policies from infrastructure Authentication, Authorization and Encryption policies for Apps independent of any infrastructure VM or Container managed by your choice of Orchestration & Management tool Compute, Network & Storage on Private or Public Cloud Private DC Public Cloud

11 Microservice API Access Control
Per-API Service to service Based on service identity User to service Based on user identity (certificate, JWT) API Service to service on behalf of user Based on service & user identity API to External Service Per-API access control Automatic TLS External Service Offload Authentication & Authorization of Microservice APIs from business logic Leverage service identity for API authorization. Distribute API authorization to all microservices.

12 Container image layers
Vulnerability Management & Threat Detection CVE databases CD pipeline Base image App SCRATCH Container image layers Host Host interactions Static scan of container image layers and continuous comparison against CVE database Remediate CVEs ASAP Monitor system calls & correlate with network and API events to determine strong indicators of compromise

13 Don’t try to accomplish all this with the network!
Scenario: Host A with IP comes into existence and notifies controller. Controller notifies all host that they MAY talk to Host A (ADD permit /32). Host A talks to Host B Host A dies Controller notifies all host that they MAY NOT talk to Host A (REMOVE permit /32). Host X Controller Host A Host Y Host B 9,997 other host

14 What Aporeto does

15 Aporeto Application Identity-Powered Security
Contextual identity automatically created for every service based on: Who, what, where CI/CD and environmental metadata Intelligent behavioral profiling Threat, vulnerability and risk scoring Distributed security enforcement Adaptive policy distributed to workloads Based on unique workload identity Decoupled from network infrastructure Security control and orchestration Whitelist and control all access and behavior Authentication, authorize and encrypt everything Cloud-native security automation and orchestration Without writing code or changing network Distributed Policy Access Control Threat and Vulnerability Score Encryption Attributed Fingerprint

16 How Aporeto Works S2 S3 S1 x C1 S4 x P1 P2 P3 x x Azure Public Cloud
AWS Security Orchestrator S2 S3 S1 x Unknown request, Default deny all C1 Containers Distributed Policy Enforcement based on Workload Identity Blocked East-West Attempt Whitelist by Policy Virtualized, Private Cloud Windows S4 Linux x P1 Authorized API call P2 Datacenter, Bare Metal P3 x Malware requests denied x M 17

17 Where Aporeto Fits Orchestrators Infrastructure (Public or Private)
Vulnerability scanners Single Sign-On Providers Orchestrators SIEM Host OS Docker Engine App Aporeto Host OS App Aporeto Security Orchestrator CI/CD Pipeline Cloud APIs i.e AWS Infrastructure (Public or Private)

18 Thank you!

Download ppt "Securing Cloud-Native Applications Jason Schmitt CEO"

Similar presentations

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
System Center 2012 R2 Overview

System Center 2012 R2 Overview
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.

“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.
BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.

BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.
Automating Datacenter Using System Center 2012 Harpreet Singh Rana Consultant Microsoft Corporation MGT328.

Automating Datacenter Using System Center 2012 Harpreet Singh Rana Consultant Microsoft Corporation MGT328.
Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.

Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.
System Center 2012 Setup The components of system center App Controller Data Protection Manager Operations Manager Orchestrator Service.

System Center 2012 Setup The components of system center App Controller Data Protection Manager Operations Manager Orchestrator Service.
UI and Data Entry UI and Data Entry Front-End Business Logic Mid-Tier Data Store Back-End.

UI and Data Entry UI and Data Entry Front-End Business Logic Mid-Tier Data Store Back-End.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.

Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
Microsoft Virtual Academy.

Microsoft Virtual Academy.
Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.

Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.
12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,

12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
SC2012 Infrastructure Components Management Justin Cook (Data # 3) Principal Consultant, Systems Management Noel Fairclough (Data # 3) Consultant, Systems.

SC2012 Infrastructure Components Management Justin Cook (Data # 3) Principal Consultant, Systems Management Noel Fairclough (Data # 3) Consultant, Systems.
Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?

Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?
20409A 7: Installing and Configuring System Center 2012 R2 Virtual Machine Manager Module 7 Installing and Configuring System Center 2012 R2 Virtual.

20409A 7: Installing and Configuring System Center 2012 R2 Virtual Machine Manager Module 7 Installing and Configuring System Center 2012 R2 Virtual.
noun ; Software Defined Enterprise/SDE/ The enterprise who leverages software to flank their traditional business offerings, or to create entirely new.

noun ; Software Defined Enterprise/SDE/ The enterprise who leverages software to flank their traditional business offerings, or to create entirely new.
MICROSOFT AZURE ISV: CloudLink WEB SITE: www.cloudlinktech.comwww.cloudlinktech.com LOCATION: Ottawa, Canada ORG SIZE: 35+ MICROSOFT AZURE ISV PROFILE:

MICROSOFT AZURE ISV: CloudLink WEB SITE: LOCATION: Ottawa, Canada ORG SIZE: 35+ MICROSOFT AZURE ISV PROFILE:

Similar presentations

Ads by Google