Policy + Security - CloudNativeCon
Wednesday, December 6


When the Going Gets Tough, Get TUF Going! [I] - David Lawrence & Ashwini Oruganti, Docker
Software distribution and packaging systems are rapidly becoming the weak link in the software lifecycle. In this talk we will look at the security landscape of existing software update systems and signing strategies. We will then introduce The Update Framework (TUF), a new signing framework that looks to address many of the challenges found in existing systems and more.

TUF provides protections against data tampering, rollbacks, key compromise, and other more esoteric attacks. We will investigate how it achieves these protections and show you how to start using it today.

While TUF is a general signing framework, we will also address use cases specific to the Cloud Native Ecosystem. These include how to use TUF signing to de-privilege cluster managers and attach metadata to images and containers in a decentralized manner which can be leveraged for policy management.


David Lawrence

Senior Security Engineer, Docker
Lay security developer that has learned a lot of mistakes the hard way. David started off building authentication systems, moved on to encrypted cloud storage for a few years, and is now working on the Security Team at Docker, presently focused on securing software distribution.

Ashwini Oruganti

Ashwini is a Security Engineer at Docker and an open source developer. She is the author of pyca/tls, a pure-python TLS 1.2 implementation with opinionated and secure APIs. In the past, she has worked on Twisted - an asynchronous event-driven networking framework, and Hippy - a PHP...

Wednesday December 6, 2017 11:10am - 11:45pm
Meeting Room 5ABC, Level 3


The Power of Application Intent Analysis for Container Security [I] - John Morello, Twistlock
As containers gain mainstream momentum and cloud-native applications surge, practices such as DevOps culture, continuous delivery, cloud development and containerization require a reinvention of security. The threats targeting organizations only continue to increase in severity and frequency, and even simple attacks can cause considerable damage. Cloud-native development is a vital evolution for security in the enterprise, as it equips organizations with the same tools and processes that modern fast-moving organizations rely on.

Cloud-native needs to be considered a new culture, not just a technological shift, when it comes to IT. This is because cloud-native changes the processes of DevOps, which requires automated security processes and application awareness. With cloud-native culture, security needs to be truly application aware and based upon developer intent. Using application intent analysis, developers have a new way of looking at applications, specifically containerized apps. They can produce a more predictable and secure container environment that can be effectively enforced.

The unique nature of container technology allows the developer intent-based security model to capitalize on the following pillars:

1. Containers are declarative. When a developer writes the code, he/she does not just write the code, he/she writes a manifest that describes how this code should work and how it should interact with its environment. While the developer does not provide you with a real security manifest, you can translate the extra information that you have and try to create a security profile. With containers, you have a Dockerfile, you might have a pod, and you might have an application group if you’re running on top of Mesosphere. There is a lot of information in the system that you could use in order to understand what is supposed to happen.

2. Containers are predictable. When you look at containers, they contain less specific logic and more common building blocks because containers are typically made out of downloadable layers that someone else created.

3. Containers are immutable. In the past, it was hard to understand if something happening with the application was really an attack or not. But in the case of containers, whenever you patch a container or change its real intent, it should not happen in real time. What happens is the developer changes things and then he/she pushes in a new version. He patches the OS or adds new functionality and then pushes in a new container and scratches the old one. This gives you a lot of power from a security standpoint because, for the first time ever, if you see a polymorphic change in the behavior of the application (if it starts behaving differently) that means it’s either a configuration drift or a real attack.

By leveraging these three pillars -- declarative nature, predictability and immutability -- there’s a powerful opportunity to use whitelisting, for example, to approve known good processes. In combination with application intent analysis, enforcement measures help support the intent-based security model and preserve the original intent of the application.

John Morello

CTO, Twistlock
In his day to day role as CTO of Twistlock, John Morello blends his CISO pedigree with a prescient view of the future of enterprise cloud technologies. Instead of seeing containers and cloud infrastructure as inherently less secure, John viewed the unique technology of containers...

Wednesday December 6, 2017 11:55am - 12:30pm
Meeting Room 5ABC, Level 3


Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments [I] - Evan Gilman, Scytale
Modern infrastructure patterns like microservices, container orchestration, and hybrid/multi-cloud deployments have turned conventional models for datacenter authentication and security on their heads. In the face of highly dynamic compute and network resources, a new challenge has risen: how to authenticate and secure service-to-service traffic in this brave new world? Enter the problem known as service identity.

Getting service identity right is surprisingly hard, with requirements extending well beyond simple secret management. What kind of credentials to settle on, how to rotate them, how to automatically (and securely) bootstrap them... and even more importantly, how to make sure a wide variety of external systems can authenticate them appropriately? These questions represent only a subset of the points that must be solved for.

In this talk, we introduce both SPIFFE and SPIRE - a new open source project designed to solve exactly these problems. SPIRE, backed by the SPIFFE open standard, performs seamless node and workload attestation across various platforms, and automatically issues short-lived certificates based on those attestations in a controlled manner. Even better, these certificates work across organizational boundaries and heterogeneous environments thanks to SPIFFE, which introduces a standardized identity format and validation methodology for X.509 certificates.

Evan Gilman

Engineer, Scytale
Evan Gilman is an engineer with a background in computer networks. With roots in academia, and currently working on the SPIFFE project, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker, and author...

Wednesday December 6, 2017 2:00pm - 2:35pm
Meeting Room 5ABC, Level 3


IAM on Hybrid Cloud: Next Generation Security Model to Create an Interoperable Cloud [I] - Jeyappragash JJ & Kamil Pawlowski, padme.io

Those developing and operating modern software infrastructure face a myriad of complexity when trying to secure it. While environments like Amazon have vastly simplified the supply chain associated with bringing up new physical and virtual infrastructure or services, complexity around managing access to and between these services has grown, and continues to expand. The proliferation of configurations, management tools, and management schemes that exist in the modern datacenter has exploded when dealing with multi-cloud, hybrid (cloud + dc), or legacy systems.

Complexity is the enemy of security. This heterogeneity is its embodiment. Having many different ways to configure access policies on different cloud providers or with different vendors makes it impossible to understand who has access to what in any given infrastructure. Without this visibility it is impossible to have intelligibility, and hence security.

Worse, today developers and operators must exist in and support a highly dynamic service environment. That is to say existing services must evolve to support new functionality, and new services must be rapidly brought on line to support features in a highly competitive business environment. The miasma of different configuration schemes creates a great deal of friction against this, and impedes security because it is difficult to holistically understand the impact of changes (let alone make them rapidly). Security must be able to accommodate this temporality.

In this talk we introduce PADME as an architecture for policy admission aimed at solving these problems in a distributed environment. PADME operates by normalizing access policy information across underlying clouds and systems. It allows policies to be operated up as known fixed building blocks in order to establish end to end security. Finally, it attacks the problem of policy distribution in a distributed environment so that assertions can be made about the security of a system over time, and in the face of CAP theorem issues.

JJ Jeyappragash

Jeyappragash previously built the team and led the technical roadmap for Twitter's Cloud Infrastructure Management Platform. This platform helps developers manage their services and provides detailed visibility to the infrastructure and the services that use the infrastructures...

Kamil Pawlowski

Kamil Pawlowski (Software Engineer) has worked on everything from mobile to high scale/availability systems, network protocols to web stacks. His experience includes early stage startups, large companies, and stages in between. He is presently building services infrastructure for...

Wednesday December 6, 2017 2:45pm - 3:20pm
Meeting Room 5ABC, Level 3


How Netflix Is Solving Authorization Across Their Cloud [I] - Manish Mehta & Torin Sandall, Netflix
Since 2008, Netflix has been on the cutting edge of cloud-based microservices deployments. In 2017, Netflix is recognized as one of the industry leaders at building and operating “cloud native” systems at scale. Like many organizations, Netflix has unique security requirements for many of their workloads. This variety requires a holistic approach to authorization to address “who can do what” across a range of resources, enforcement points, and execution environments.

In this talk, Manish Mehta (Senior Security Software Engineer at Netflix) and Torin Sandall (Technical Lead of the Open Policy Agent project) will present how Netflix is solving authorization across the stack in cloud native environments. The presentation shows how Netflix enforces authorization decisions at scale across various kinds of resources (e.g., HTTP APIs, gRPC methods, SSH), enforcement points (e.g., microservices, proxies, host-level daemons), and execution environments (e.g., VMs, containers) without introducing unreasonable latency. The presentation includes a deep dive into the architecture of the cloud native authorization system at Netflix as well as how authorization decisions can be offloaded to an open source, general-purpose policy engine (Open Policy Agent).

This talk is targeted at engineers building and operating cloud native systems who are interested in security and authorization. The audience can expect to take away fresh ideas about how to enforce fine-grained authorization policies across the stack in the cloud environment.

Manish Mehta

Senior Security Software Engineer, Netflix
Manish Mehta is Senior Security Software Engineer at Netflix, Los Gatos, CA. He has designed and developed solutions around secure bootstrapping, authentication (service and user), and authorization for cloud-native infrastructure. His professional interests and expertise are cyber...

Torin Sandall

Software Engineer, Styra
Torin Sandall is a co-founder of the Open Policy Agent (OPA) project. Torin has spent 10 years as a software engineer working on large-scale distributed systems projects. Torin is a frequent speaker at events like KubeCon, DockerCon, Velocity, and more. Prior to working on OPA, Torin...

Wednesday December 6, 2017 3:40pm - 4:15pm
Ballroom A, Level 1


Building a Secure, Multi-Protocol and Multi-Tenant Cluster for Internet-Facing Services [A] - Bich Le, Platform9
Exposing internal HTTP-based services to the Internet is a well supported and documented feature of Kubernetes. What's less well understood is how to do it for thousands of services running on behalf of hundreds of possibly competing customers, in particular how to do it securely, protect the privacy of each customer, and support binary protocols other than HTTP. This is the problem that our company solved for our SaaS business which requires hosting and operating the control plane of popular infrastructure management software (e.g. OpenStack, Big Data, and Kubernetes itself) as a service for our customers. Those control planes contain services exposing protocols as varied as MySQL and AMQP. This talk describes the challenges we faced and how we solved them using multiple technologies from the Kubernetes ecosystem. The solution includes a system that automatically creates namespaces, provisions certificate hierarchies, and manages ingress controllers for new customers, then wraps services with a set of side-car containers to handle tasks such as TLS termination. We describe how we employed Kubernetes native constructs such as Custom Resource Definitions to automate those tasks. For network communications, we discuss how to securely handle ingress, outgress, pod-to-pod, and cross-namespace traffic. To support both HTTP and TCP-based protocols, we describe a two-level network routing system consisting of both a "k8sniff" and an nginx ingress controller. For ensuring customer data privacy we compare these approaches: (1) Network Policy + Layer 2 virtualization; (2) TLS encryption of all pod-to-pod traffic; (3) a combination of the two. Finally, we debate whether the process isolation model of Linux containers is sufficient, and discuss our experience with stronger virtualization-based mechanisms such as Frakti / HyperContainer.

Bich Le

Chief Architect, Platform9
Co-founder of Platform9 and veteran of VMware. Career in virtualization, cloud management and containerization.

Wednesday December 6, 2017 4:25pm - 5:00pm
Meeting Room 5ABC, Level 3