SlideShare a Scribd company logo

Securing Your Containers is Not Enough: How to Encrypt Container Data

Mirantis
Mirantis

Slides from webinar by Mirantis and Zettaset about how to encrypt containerized data. Watch the recording at: https://bit.ly/container-data-encryption

Related slideshows

The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud EnvironmentSafe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
Safe and Secure Applications: Deploying in a Cloud or Multi-Cloud Environment
 
Securing danish healthcare using cloudnative
Securing danish healthcare using cloudnativeSecuring danish healthcare using cloudnative
Securing danish healthcare using cloudnative
 
1 of 22
Download to read offline
Copyright © 2020 Mirantis, Inc. All rights reserved Securing Your Containers Isn't Enough How to Encrypt Containerized Data WEBINAR | April 8, 2020
2 Tim Reilly CEO Featured Presenters - Zettaset Tim brings more than 25 years of successful public and private experience in the high-tech industry filling key operational roles within product line business units and venture capital funded companies through all stages of growth. During his time at Zettaset, the company has successfully grown its software-defined encryption portfolio to provide a comprehensive data protection solution across all physical, virtual and cloud environments. Prior to joining Zettaset, Tim took on a variety of roles at companies including Trapeze Networks, Nicira, netVmg, and WorldxChange. He has a BS in Accounting from the University of Southern California and currently resides in the San Francisco Bay Area. Maksim Yankovskiy VP Engineering Maksim has over 20 years of experience delivering and managing enterprise encryption and database software across all the major high tech industries. During his tenure at Zettaset, he has been responsible for the engineering team that delivered the entire XCrypt product portfolio. He has also filed patents related to distributed and high-performance encryption. Prior to Zettaset, Maksim worked at Ingrian Networks and held various roles related to distributed database systems at Siemens Medical Solutions, Ross Stores and Adobe Systems.
3 Bryan Langston Cloud Solutions Architect Featured Presenter - Mirantis Bryan Langston has been with Mirantis for five years and is currently a Pre-Sales Senior Cloud Architect. Other roles he's had in Mirantis include Director of Architecture for Openstack and Kubernetes professional services, and a product manager for Mirantis' Operations and Business Support Systems (OSS/BSS) products. Prior to joining Mirantis, Bryan worked at IBM Research for 17 years where he built a Linux-based supercomputer for web-scale crawling, indexing and mining, and led multiple first-of-a-kind projects in the cloud computing space.
4 A Little Housekeeping ● Please submit questions in the Questions panel. ● We’ll provide a link where you can download the slides at the end of the webinar.
5 ● What we're trying to achieve ● Where containers are today ● DevOps, DevSecOps and common security issues ● Encrypting containerized data ● What all of this means for customers ● Q&A Agenda
6 XCrypt Container Encryption for Docker Enterprise - Fixed Topology Anthem (Key3 ) United Health (Key1 ) Docker Enterprise Host 1 Cigna (Key2 ) Highly Available Storage VolumeLegend Container Host Docker Enterprise Host 2 Container1 United Health Billing Container2 Cigna Analytics Container3 Anthem Electronic Health Records Anthem (Key4 ) Cigna (Key5 ) Container4 Anthem Patient Registration Container5 Cigna Call Center
Copyright © 2020 Mirantis, Inc. All rights reserved Container Adoption Today
8 Containers in Production Use of Containers since 2016 Use of Containers in Production • 69% of respondents intend to store sensitive data in containers • 76% of container usage from Tech, FinServ & Healthcare • 89% of container runtime is Docker • 94% experienced a security incident in last 12 months • Security is top barrier to further container adoption
9 ● Improving customer experience ● Supporting new business models ● Increasing operational efficiency ● Examples: ○ 40x more deployments per day helps leading bank innovate faster ○ 700 apps running 15k containers at an online payment processor helps build a consistent operating model across multiple clouds ○ 10x scalability increase and 65k+ transactions/sec for global payment technology company delivers efficiency Current State of Container Utilization
10 DevOps The Good Well-defined pipeline automation helps coordinate activities across Dev, Test and Prod environments The Bad Introduces “unknown unknowns” to an organization The Ugly Cultural barriers inhibit the realization of full value of container adoption
11 ● Keeping default values ● Implementing concept of “least privilege” ● Establishing solid RBAC support ● Trusted content ● Related to establishing operational boundaries, defining and enforcing network policies that control N/S, E/W traffic flows Common Security Issues
12 What is it? The augmentation of DevOps to allow for the integration of security practices DevSecOps Advantages ● Greater speed and agility for security teams ● Ability to respond to change & needs rapidly ● Better collaboration and communication among teams ● More opportunities for automated builds and quality assurance testing ● Early identification of vulnerabilities in code ● Team member assets are freed to work on high-value work Examples of Activities ● Integrate security scanners for containers ● Centralize user identity and access control capabilities ● Isolate containers running microservices from each other and the network ● Encrypt data between apps and services
Copyright © 2020 Mirantis, Inc. All rights reserved Encrypting Containerized Data
Protect the Data What are your top 3 storage challenges with containers? 2019 Container Adoption Survey, Portworx and Aqua Security What are your top 3 security challenges with containers? Ensuring data security Concerns about data loss Planning for disaster recovery and business continuity Legacy storage technologies not a good fit for container workloads Storage doesn't effectively scale with number of containers Inadequate tools for managing container storage Block devices like Amazon EBS are slow to mount Provisioning storage takes too long Data security Vulnerability management Runtime protection (e.g. blocking of anomalies) Exposure of secretes (passwords, keys, certificates) Runtime monitoring and visibility Network segmentation Trusted image deployment Pipeline (CI/CD) security automation Hardening hosts and orchestration
So, how do you protect your data? Top three data breach protection methods universally recommended by security experts and organizations in many surveys and panels: Encrypt data throughout the process of collection, viewing and manipulation - preferably at the source. 1 2 3 Any sensitive data that must be stored or is "at rest" needs to be encrypted and the keys can't be stored at the same location as the data. All access and manipulation of data must be logged.
DevSecOps for Containers The castle has many forms of defense Moat, geography, routes in, thick walls, watch towers, guards Traditional tools are applied in new form ensure integrity of container • RBAC • Monitoring & Logging • Policy enforcement But what if they get inside the castle and find the treasure? Need to protect the most valuable asset….the DATA Encryption provides data protection and last line of defense
▪Transparent integration via volume driver ▪ All required services run in containers: key manager, certificate authority, license server ▪Automated management of host storage ▪Dedicated volume group allocated for each container volume ▪Container volumes cryptographically tied to containers Container Encryption 17
Protecting Data at Rest in Containerized Environments Secure Container Storage Key Points Encryption must follow storage. Containers will share storage in multi-tenant environment, but they must not share encryption keys. Otherwise, one compromised container compromises the entire environment. 1 2 3 Storage must be independent of host and containers. Using legacy approach of hardware-defined storage provisioning will lead to data loss if host reboots or dies. Separation of duties. Developers and platform operators should not have visibility into or knowledge of encryption keys and processes. Encryption must be granular, yet transparent.
Anthem (Key3 ) United Health (Key1 ) Docker Enterprise Host 1 Cigna (Key2 ) XCrypt Container Encryption for Docker Enterprise - Fixed Topology Highly Available Storage VolumeLegend Container Host Docker Enterprise Host 2 Container1 United Health Billing Container2 Cigna Analytics Container3 Anthem Electronic Health Records Anthem (Key4 ) Cigna (Key5 ) Container4 Anthem Patient Registration Container5 Cigna Call Center
1. On creation, the container requests a particular-sized encrypted storage volume 2. Zettaset’s volume driver requests a volume from the host 3. Zettaset’s volume manager constructs a volume from various partitions on the device and creates a volume group 4. Volume manager communicates with the key manager to create a key and encrypt the volume 5. On container destruction, the encryption key is destroyed, and volumes are made available again Container Encryption – Where to implement
▪ Cybersecurity and DevOps are forever linked ▪ Security is not the enemy ▪ No one technology will address all security challenges ▪ Encryption is an essential tool and the last line of defense Protect your Containers and Step towards DevSecOps Takeaways
Copyright © 2020 Mirantis, Inc. All rights reserved Thank You Q&A Download the slides from: bit.ly/mirantis-zettaset We’ll send you the slides and recording later this week.

More Related Content

Securing Your Containers is Not Enough: How to Encrypt Container Data

  • 1. Copyright © 2020 Mirantis, Inc. All rights reserved Securing Your Containers Isn't Enough How to Encrypt Containerized Data WEBINAR | April 8, 2020
  • 2. 2 Tim Reilly CEO Featured Presenters - Zettaset Tim brings more than 25 years of successful public and private experience in the high-tech industry filling key operational roles within product line business units and venture capital funded companies through all stages of growth. During his time at Zettaset, the company has successfully grown its software-defined encryption portfolio to provide a comprehensive data protection solution across all physical, virtual and cloud environments. Prior to joining Zettaset, Tim took on a variety of roles at companies including Trapeze Networks, Nicira, netVmg, and WorldxChange. He has a BS in Accounting from the University of Southern California and currently resides in the San Francisco Bay Area. Maksim Yankovskiy VP Engineering Maksim has over 20 years of experience delivering and managing enterprise encryption and database software across all the major high tech industries. During his tenure at Zettaset, he has been responsible for the engineering team that delivered the entire XCrypt product portfolio. He has also filed patents related to distributed and high-performance encryption. Prior to Zettaset, Maksim worked at Ingrian Networks and held various roles related to distributed database systems at Siemens Medical Solutions, Ross Stores and Adobe Systems.
  • 3. 3 Bryan Langston Cloud Solutions Architect Featured Presenter - Mirantis Bryan Langston has been with Mirantis for five years and is currently a Pre-Sales Senior Cloud Architect. Other roles he's had in Mirantis include Director of Architecture for Openstack and Kubernetes professional services, and a product manager for Mirantis' Operations and Business Support Systems (OSS/BSS) products. Prior to joining Mirantis, Bryan worked at IBM Research for 17 years where he built a Linux-based supercomputer for web-scale crawling, indexing and mining, and led multiple first-of-a-kind projects in the cloud computing space.
  • 4. 4 A Little Housekeeping ● Please submit questions in the Questions panel. ● We’ll provide a link where you can download the slides at the end of the webinar.
  • 5. 5 ● What we're trying to achieve ● Where containers are today ● DevOps, DevSecOps and common security issues ● Encrypting containerized data ● What all of this means for customers ● Q&A Agenda
  • 6. 6 XCrypt Container Encryption for Docker Enterprise - Fixed Topology Anthem (Key3 ) United Health (Key1 ) Docker Enterprise Host 1 Cigna (Key2 ) Highly Available Storage VolumeLegend Container Host Docker Enterprise Host 2 Container1 United Health Billing Container2 Cigna Analytics Container3 Anthem Electronic Health Records Anthem (Key4 ) Cigna (Key5 ) Container4 Anthem Patient Registration Container5 Cigna Call Center
  • 7. Copyright © 2020 Mirantis, Inc. All rights reserved Container Adoption Today
  • 8. 8 Containers in Production Use of Containers since 2016 Use of Containers in Production • 69% of respondents intend to store sensitive data in containers • 76% of container usage from Tech, FinServ & Healthcare • 89% of container runtime is Docker • 94% experienced a security incident in last 12 months • Security is top barrier to further container adoption
  • 9. 9 ● Improving customer experience ● Supporting new business models ● Increasing operational efficiency ● Examples: ○ 40x more deployments per day helps leading bank innovate faster ○ 700 apps running 15k containers at an online payment processor helps build a consistent operating model across multiple clouds ○ 10x scalability increase and 65k+ transactions/sec for global payment technology company delivers efficiency Current State of Container Utilization
  • 10. 10 DevOps The Good Well-defined pipeline automation helps coordinate activities across Dev, Test and Prod environments The Bad Introduces “unknown unknowns” to an organization The Ugly Cultural barriers inhibit the realization of full value of container adoption
  • 11. 11 ● Keeping default values ● Implementing concept of “least privilege” ● Establishing solid RBAC support ● Trusted content ● Related to establishing operational boundaries, defining and enforcing network policies that control N/S, E/W traffic flows Common Security Issues
  • 12. 12 What is it? The augmentation of DevOps to allow for the integration of security practices DevSecOps Advantages ● Greater speed and agility for security teams ● Ability to respond to change & needs rapidly ● Better collaboration and communication among teams ● More opportunities for automated builds and quality assurance testing ● Early identification of vulnerabilities in code ● Team member assets are freed to work on high-value work Examples of Activities ● Integrate security scanners for containers ● Centralize user identity and access control capabilities ● Isolate containers running microservices from each other and the network ● Encrypt data between apps and services
  • 13. Copyright © 2020 Mirantis, Inc. All rights reserved Encrypting Containerized Data
  • 14. Protect the Data What are your top 3 storage challenges with containers? 2019 Container Adoption Survey, Portworx and Aqua Security What are your top 3 security challenges with containers? Ensuring data security Concerns about data loss Planning for disaster recovery and business continuity Legacy storage technologies not a good fit for container workloads Storage doesn't effectively scale with number of containers Inadequate tools for managing container storage Block devices like Amazon EBS are slow to mount Provisioning storage takes too long Data security Vulnerability management Runtime protection (e.g. blocking of anomalies) Exposure of secretes (passwords, keys, certificates) Runtime monitoring and visibility Network segmentation Trusted image deployment Pipeline (CI/CD) security automation Hardening hosts and orchestration
  • 15. So, how do you protect your data? Top three data breach protection methods universally recommended by security experts and organizations in many surveys and panels: Encrypt data throughout the process of collection, viewing and manipulation - preferably at the source. 1 2 3 Any sensitive data that must be stored or is "at rest" needs to be encrypted and the keys can't be stored at the same location as the data. All access and manipulation of data must be logged.
  • 16. DevSecOps for Containers The castle has many forms of defense Moat, geography, routes in, thick walls, watch towers, guards Traditional tools are applied in new form ensure integrity of container • RBAC • Monitoring & Logging • Policy enforcement But what if they get inside the castle and find the treasure? Need to protect the most valuable asset….the DATA Encryption provides data protection and last line of defense
  • 17. ▪Transparent integration via volume driver ▪ All required services run in containers: key manager, certificate authority, license server ▪Automated management of host storage ▪Dedicated volume group allocated for each container volume ▪Container volumes cryptographically tied to containers Container Encryption 17
  • 18. Protecting Data at Rest in Containerized Environments Secure Container Storage Key Points Encryption must follow storage. Containers will share storage in multi-tenant environment, but they must not share encryption keys. Otherwise, one compromised container compromises the entire environment. 1 2 3 Storage must be independent of host and containers. Using legacy approach of hardware-defined storage provisioning will lead to data loss if host reboots or dies. Separation of duties. Developers and platform operators should not have visibility into or knowledge of encryption keys and processes. Encryption must be granular, yet transparent.
  • 19. Anthem (Key3 ) United Health (Key1 ) Docker Enterprise Host 1 Cigna (Key2 ) XCrypt Container Encryption for Docker Enterprise - Fixed Topology Highly Available Storage VolumeLegend Container Host Docker Enterprise Host 2 Container1 United Health Billing Container2 Cigna Analytics Container3 Anthem Electronic Health Records Anthem (Key4 ) Cigna (Key5 ) Container4 Anthem Patient Registration Container5 Cigna Call Center
  • 20. 1. On creation, the container requests a particular-sized encrypted storage volume 2. Zettaset’s volume driver requests a volume from the host 3. Zettaset’s volume manager constructs a volume from various partitions on the device and creates a volume group 4. Volume manager communicates with the key manager to create a key and encrypt the volume 5. On container destruction, the encryption key is destroyed, and volumes are made available again Container Encryption – Where to implement
  • 21. ▪ Cybersecurity and DevOps are forever linked ▪ Security is not the enemy ▪ No one technology will address all security challenges ▪ Encryption is an essential tool and the last line of defense Protect your Containers and Step towards DevSecOps Takeaways
  • 22. Copyright © 2020 Mirantis, Inc. All rights reserved Thank You Q&A Download the slides from: bit.ly/mirantis-zettaset We’ll send you the slides and recording later this week.