KubeSec Enterprise Summit is a full-day event that focuses on the challenges faced by larger organizations with demanding security and compliance requirements when deploying Kubernetes in production. Whether you are just now beginning to roll out your first production implementation of Kubernetes, or are an early adopter looking to learn from the experience of your peers, you are sure to get valuable insights from this educational event.
In this talk, Liz will look at the options in cloud native deployments for controls and policies that can stop security breaches before they happen.
As a large fintech provider, Finastra had some struggles keeping up with Kubernetes security best practices. As most people know, it is a very fast-moving target, which seems to change on a near-daily basis. In this session we will detail six different practices that Finastra implemented which really helped move our security practices to the next level.
Duke Energy’s Agile Transformation Journey: Learn how Duke Energy approached the security challenges of moving to a hybrid cloud environment, and key learnings along the way.
What does DevOps adoption look like at enterprises, and what is the impact of that on cloud-native security? 451 Research presents results from its quantitative and qualitative research into cloud-native security, particularly the relationship between current security practices and DevOps.
Some of the challenges faced by these organizations are: How can one create secure Kubernetes clusters and manage them for ongoing compliance? What are the best practices for monitoring and detecting drift in your clusters? How can you patch your clusters quickly in a world of CVEs with minimal downtime?
In this talk, Prachi and Murali will share and demo the novel open source techniques they have developed to address these problems.
In this session we'll examine a customer case study of a global financial services firm that needed to access CIFS file shares and SQL Server from pods as the user that deployed them using Kerberos, with no service accounts. Kerberos is a mainstay of legacy systems. It's ubiquitous across the Windows enterprise and it's popular amongst big data implementations as well. The goal of these implementations is to avoid using service accounts and instead access systems as the authorized user. How will you do this when you're running a job in Kubernetes? It's much more than just injecting a secret.
Zero trust is the idea that identity, not network location, is what's most important for security. The marketing promise is that zero trust methods improve security and architectural flexibility, allowing you to connect anything running anywhere without relying on perimeter security or VPNs. This talk will explore how that's done in practice using open source and open standard technologies like X.509, ACME, mutual TLS/HTTPS, JWTs, OAuth OIDC, SSH, and WebAuthn.
Multitenancy is a key capability for any cloud platform to gain widespread adoption. Without this, an enterprise will often need to deploy and operate separate Kubernetes clusters for separate teams within the enterprise which would be complex and expensive. In the ideal model of containers running on bare metal, it would be especially inefficient to allocate dedicated bare metal clusters to separate teams in contrast with deploying a smaller number of multi-tenant clusters which can be securely shared by multiple teams operating independently.
Being able to run an application in a completely isolated environment, with only the permissions and resources it needs, would be a huge leap forward. We appear to have the building blocks in namespaces, capabilities, cgroups, seccomp, MAC, or even virtualization, but what’s the hold up? HUGE surprise: these kernel-level security controls have usability issues. Engineers trying to lock down their applications typically hit an EPERM wall without explanation, and turn off the controls altogether. No one thinks about applications in terms of system calls; it’s time we rethink usability in sandboxing, and security as a whole. This talk will delve into these ideas and offer a first step towards a solution.
What do autonomous vehicles and container platforms at Cruise have in common? For starters, we view safety and security as the number one priority. In this talk, we’ll discuss 5 critical security topics that intersect with container platforms and explore how Cruise tackled their challenges to enable a "Secure by Default" PaaS environment for self-driving cars.
Topics include: Identity, Authentication, Authorization, Secrets Management, & Encryption.
“Simulation” (i.e. playing hacking games on production-like infrastructure) is rising to prominence as a comprehensive training method for penetration testers, Red Teams, and infrastructure engineers. It safely demonstrates the risks an organisation or platform may face by using a controlled environment that looks and feels like production but is only a clone. This allows users to experiment with system security without fear of affecting production traffic or opening unexpected security holes.
Liz Rice is the VP of Open Source with container security specialists Aqua Security, where she also works on container-related open source projects including kube-hunter, kube-bench and manifesto. She was Co-Chair of the CNCF’s KubeCon + CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle.
She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, and competing in virtual races on Zwift.
Nir is an information security executive and expert. He heads product and data security at Finastra, after holding various leadership and technical roles in information security. Nir was the first CISO for Kabbage, and prior to this position he worked at NCR in several roles, including heading application security across the software solutions portfolio and leading the divisional information security group as the Retail CISO. His technical experience comes from application security, penetration testing and systems infrastructure security positions. Nir is a frequent speaker at leading conferences around the world, including Black Hat, Defcon, RSA, BSides, and OWASP.
Marc has over 15 years of experience in identity management deployments and implementations. Prior to starting Tremolo Security, Marc spent a decade as a consultant implementing identity solutions for many of the largest enterprises in the world as well as multiple US government agencies. In recent years Marc has focused on identity in the Kubernetes and Cloud Native world. Marc's open source contributions include much of the Kubernetes documentation for OpenID Connect as well as adding impersonation capabilities to the dashboard. Marc spoke at KubeCon NA 2017 in Austin on identity and compliance in k8s and has written several blog posts on Kubernetes security. Marc was recently published in LinuxJournal on K8s authentication. Marc is a CKAD with experience deploying Kubernetes for multiple customers across multiple vendors.
Fernando is a Principal Analyst on the Information Security team, based in Toronto. He has broad experience in security architecture, particularly network security for enterprise environments. He currently focuses on covering vendors and industry events in the endpoint security and cloud security spaces. Prior to joining 451 Research, Fernando worked in pre-sales and delivery roles with vArmour, RSA, SilverTail, Crossbeam and Hewlett-Packard. His areas of interest include security economics (particularly behavioral economics), data science and network security. Fernando holds a BSc in Computer Science and several industry certifications.
Mike Malone is the founder and CEO at smallstep, based in San Francisco. Smallstep is building proper production identity. We are making it possible for every developer, operator, and logical system component (microservice, container, cron job, function, VM, device, etc.) to have a strong cryptographic identity that can be used to securely communicate with everything else, no matter what or where it is located. The smallstep solution is standards-based with an open-source core and includes workflows to make Dev/Sec/Ops teams work seamlessly.
A Principal Software Engineer at Rancher Labs, Inc., she has been working in the cloud and infrastructure services domain for over a decade. She has been developing orchestration solutions for virtual machines and now for containers, mainly involved with the Kubernetes platform. Some of her past work involves developing scheduling strategies, authentication and authorization models for VM and container orchestration platforms, and Kubernetes multi-cluster applications. She loves to connect with people to share ideas and collaborate to find solutions to complex problems. While not involved with containers she loves hiking, reading and enjoying her favorite music.
Sanjeev Rampal is a Principal Engineer in the Private Cloud Engineering Group at Cisco Systems, working on engineering and architecture for Cisco Container Platform, a new enterprise-ready multi-cloud, multi-cluster management platform based around Kubernetes and Cloud Native technologies. He is also co-lead and maintainer in the Multi-tenancy Working Group of the upstream Kubernetes SIGs community, helping with development and standardization of multi-tenancy architectures within Kubernetes. He has over 20 years of experience building cloud and networking products that are deployed in production at thousands of locations around the globe. He is an ambassador for the CNCF (Cloud Native Computing Foundation).
Mike is a Staff Security Engineer at Cruise, where he helps secure one of the world’s best autonomous vehicle platforms. Previously a security lead in VMware's cloud management division, Mike has close to a decade of experience securing, designing, and deploying cloud infrastructure and enterprise storage systems.
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is comfortable profiling and securing every tier of a bare metal or cloud native system, and has battle-hardened experience delivering containerised solutions to enterprise and government. He is a co-founder at https://control-plane.io