KubeSec Enterprise Summit is a full-day event that focuses on the challenges faced by larger organizations with demanding security and compliance requirements when deploying Kubernetes in production. Whether you are just now beginning to roll out your first production implementation of Kubernetes, or are an early adopter looking to learn from the experience of your peers, you are sure to get valuable insights from this educational event.
In this talk Liz will look at the options in cloud native deployments for controls and policies that can stop security breaches before they happen.
What does DevOps adoption look like at enterprises, and what is the impact of that on cloud-native security? 451 Research presents results from its quantitative and qualitative research into cloud-native security, particularly the relationship between current security practices and DevOps.
As a large fintech provider, Finastra had some struggles keeping up with Kubernetes security best practices. As most people know, it is a very fast-moving target, which seems to change on a near-daily basis. In this session we will detail six different practices that Finastra implemented which really helped move our security practices to the next level.
This session will speak to the progress and pitfalls JPMC has faced over the previous year as they have secured production Kubernetes offerings.
“Simulation” (i.e. playing hacking games on production-like infrastructure) is rising to prominence as a comprehensive training method for penetration testers, Red Teams, and infrastructure engineers. It safely demonstrates the risks an organisation or platform may face by using a controlled environment that looks and feels like production but is only a clone. This allows users to experiment with system security without fear of affecting production traffic or opening unexpected security holes.
Zero trust is the idea that identity, not network location, is what's most important for security. The marketing promise is that zero trust methods improve security and architectural flexibility, allowing you to connect anything running anywhere without relying on perimeter security or VPNs. This talk will explore how that's done in practice using open source and open standard technologies like X.509, ACME, mutual TLS/HTTPS, JWTs, OAuth OIDC, SSH, and WebAuthn.
What do autonomous vehicles and container platforms at Cruise have in common? For starters, we view safety and security as the number one priority. In this talk, we’ll discuss 5 critical security topics that intersect with container platforms and explore how Cruise tackled their challenges to enable a "Secure by Default" PaaS environment for Self-Driving Cars.
Topics include: Identity, Authentication, Authorization, Secrets Management, & Encryption.
Duke Energy’s Agile Transformation Journey: Learn how Duke Energy approached the security challenges of moving to a hybrid cloud environment, and key learnings along the way.
Multitenancy is a key capability for any cloud platform to gain widespread adoption. Without it, an enterprise will often need to deploy and operate separate Kubernetes clusters for separate teams within the enterprise, which is complex and expensive. In the ideal model of containers running on bare metal, it would be especially inefficient to allocate dedicated bare metal clusters to separate teams, in contrast with deploying a smaller number of multi-tenant clusters which can be securely shared by multiple teams operating independently.
With the endless layers of abstraction involved in running a containerized application in a Kubernetes cluster, how does one approach keeping the cluster secure? In this presentation we look at how taking the most fundamental component of a Linux system (syscall data) and bubbling it up to an API-driven application in userland has given us powerful visibility and control over the complexity of a Kubernetes cluster. We learn about eBPF, and how it enables us to safely and securely parse this information. Furthermore, we look at how we are able to parse this data at runtime.
This session will detail how the DevOps team at Primerica led the way in moving to a more secure development process, breaking down the corporate culture of silos and turf protection by proving that security is every employee's responsibility and not just one department's. We will show the tools that we chose, how we have implemented them, and how we are fighting and winning the culture battle.
Some of the challenges faced by organizations are: How can one create secure Kubernetes clusters and manage them for ongoing compliance? What are the best practices for monitoring and detecting drift in your clusters? How can you patch your clusters quickly in a world of CVEs with minimal downtime?
In this talk, Prachi and Murali will share and demo the novel open source techniques they have developed to address these problems.
In this session we'll examine a customer case study of a global financial services firm that needed to access CIFS file shares and SQL Server from pods as the user that deployed them using Kerberos, with no service accounts. Kerberos is a mainstay of legacy systems. It's ubiquitous across the Windows enterprise and it's popular amongst big data implementations as well. The goal of these implementations is to avoid using service accounts and instead access systems as the authorized user. How will you do this when you're running a job in Kubernetes? It's much more than just injecting a secret.
Being able to run an application in a completely isolated environment, with only the permissions and resources it needs, would be a huge leap forward. We appear to have the building blocks in namespaces, capabilities, cgroups, seccomp, MAC, or even virtualization, but what’s the hold-up? HUGE surprise: these kernel-level security controls have usability issues. Engineers trying to lock down their applications typically hit an EPERM wall without explanation, and turn off the controls altogether. No one thinks about applications in terms of system calls; it’s time we rethink usability in sandboxing, and security as a whole. This talk will delve into these ideas and offer a first step towards a solution.
Marc has over 15 years of experience in identity management deployments and implementations. Prior to starting Tremolo Security Marc spent a decade as a consultant implementing identity solutions for many of the largest enterprises in the world as well as multiple US government agencies. In recent years Marc has focused on identity in the Kubernetes and Cloud Native world. Marc's open source contributions include much of the Kubernetes documentation for OpenID Connect as well as adding impersonation capabilities to the dashboard. Marc spoke at KubeCon NA 2017 in Austin on identity and compliance in k8s and has written several blog posts on Kubernetes security. Marc was recently published in LinuxJournal on K8s authentication. Marc is a CKAD with experience deploying Kubernetes for multiple customers across multiple vendors.
Principal Software Engineer at Rancher Labs, Inc., has been working in the cloud and infrastructure services domain for over a decade. She has been developing orchestration solutions, first for virtual machines and now for containers, mainly on the Kubernetes platform. Some of her past work involves developing scheduling strategies, authentication and authorization models for VM and container orchestration platforms, and Kubernetes multi-cluster applications. She loves to connect with people to share ideas and collaborate to find solutions to complex problems. When not involved with containers she loves hiking, reading and enjoying her favorite music.
Danny is a Security Engineer at JPMC, where he helps secure the systems that provide a financial service for ~50% of American households.
Eric Hanselman is the Chief Analyst at 451 Research. He has an extensive, hands-on understanding of a broad range of IT subject areas, having direct experience in the areas of networks, virtualization, security and semiconductors. He coordinates industry analysis across the broad portfolio of 451 Research disciplines. The convergence of forces across the technology landscape is creating tectonic shifts in the industry, including SDN/NFV, hyperconvergence and the Internet of Things (IoT). Eric helps 451 Research's clients navigate these turbulent waters and determine their impacts and how they can best capitalize on them. Eric is also a member of 451 Research’s Center of Excellence for Quantum Technologies.
For more than 20 years, Eric has worked with segment leaders in a spectrum of technologies, most recently as CTO of Leostream Corporation, a virtualization management provider. Prior to that, Eric delivered security solutions for IBM and Internet Security Systems. At Wellfleet/Bay Networks, Sitara Networks and NEC, he was involved in the introduction of many new technologies ranging from high-performance image analysis to rollouts for IPv6.
Eric holds a patent in image compression systems. He is also a member of the Institute of Electrical and Electronics Engineers (IEEE), a Certified Information Systems Security Professional (CISSP) and a VMware Certified Professional (VCP), and he is a frequent speaker at leading industry conferences.
Wes Kanazawa is a Sr. DevOps Engineer at Primerica. Wes and his team are currently engaged in the Digital Transformation of the 42-year-old company. Before Wes moved into information technology, he was a United States Marine for eight years. He has worked in the IT industry for 18 years, and his background ranges from working in the trenches with desktop support, to implementing and supporting enterprise systems and infrastructure, to managing all aspects of Information Technology in a small/medium-sized business. Wes has been leading the charge of incorporating security practices into Primerica’s development practices since starting with the company in 2016.
Mike Malone is the founder and CEO at smallstep, based in San Francisco. Smallstep is building proper production identity. We are making it possible for every developer, operator, and logical system component (microservice, container, cron job, function, VM, device, etc.) to have a strong cryptographic identity that can be used to securely communicate with everything else, no matter what or where it is located. The smallstep solution is standards-based with an open-source core and includes workflows to make Dev/Sec/Ops teams work seamlessly.
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is comfortable profiling and securing every tier of bare metal or cloud native systems, and has battle-hardened experience delivering containerised solutions to enterprise and government. He is a co-founder at https://control-plane.io.
Kris Nova, Chief Open Source Advocate at Sysdig, focuses on security, intrusion detection, and the Linux kernel with Kubernetes and eBPF. As an active advocate for open source, Nova is an ambassador for the CNCF and the creator of kubicorn, a successful Kubernetes infrastructure management tool. Nova joins Sysdig from Heptio/VMware, where she was a Senior Developer Advocate. Prior to VMware, Nova was at Deis/Microsoft, where she was a developer advocate and an engineer on Kubernetes.
Sanjeev Rampal is a Principal Engineer in the Private Cloud Engineering Group at Cisco Systems, working on engineering and architecture for Cisco Container Platform, a new enterprise-ready multi-cloud, multi-cluster management platform based around Kubernetes and Cloud Native technologies. He is also co-lead and maintainer in the Multi-tenancy Working Group of the upstream Kubernetes SIGs community, helping the development and standardization of multi-tenancy architectures within Kubernetes. He has over 20 years of experience building cloud and networking products that are deployed in production at thousands of locations around the globe. He is an ambassador for the CNCF (Cloud Native Computing Foundation).
Liz Rice is the VP of Open Source with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter, kube-bench and manifesto. She was Co-Chair of the CNCF’s KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle.
She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, and competing in virtual races on Zwift.
Curtis specializes in helping companies find success through modern, cloud-native development practices built on AWS. As a Solutions Architect he has a focus and passion for container technologies, app dev and DevOps.
Mike is a Staff Security Engineer at Cruise, where he helps secure one of the world’s best autonomous vehicle platforms. Previously a security lead in VMware's cloud management division, Mike has close to a decade of experience securing, designing, and deploying cloud infrastructure and enterprise storage systems.
Carlos Traitel is a Senior DevOps engineer with experience and success leading projects and project teams, and implementing and overseeing technology programs. He is a proven catalyst in designing, developing, planning and directing projects that provide innovative IT and client solutions. He started his professional career with the United States Marine Corps back in 2001 and was involved in the 2003 conflict in Iraq. After bouncing around from career to career, which ranged from banking to factory work, he landed a great opportunity within the IT field at ADP. There he helped implement an automated delivery solution which led to a cleaner and more stable customer experience. He is currently working for Primerica on transforming the application delivery process.
Nir is an information security executive and expert. He heads product and data security at Finastra, after holding various leadership and technical roles in information security. Nir was the first CISO for Kabbage, and prior to this position he worked at NCR in several roles, including heading application security across the software solutions portfolio and leading the divisional information security group as the Retail CISO. His technical experience comes from application security, penetration testing and systems infrastructure security positions. Nir is a frequent speaker at leading conferences around the world, including Black Hat, DEF CON, RSA, BSides, and OWASP.