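Securing the Perimeter: CFCR/CFAR Chain of Custody with CI/CD Pipelines

A central continuous integration (CI) system automatically produces working code, and continuous delivery (CD) puts that working code into the hands of end users. Together, the two concepts let companies enter new markets at effective speed. However, with the growing popularity of build, test and deliver to production, even with secure-by-default immutable containers and Kubernetes, the CI/CD pipeline may also be used to greatly simplify the entire software delivery process. We therefore need to establish and enforce a chain of custody. In this talk we cover several aspects of securing the chain of custody, including transport security, rotating developer keys, signed git commits, independent reproducible build verification, signed release artifacts, and run-time permissions into production for achieving a secure end-to-end chain for immutable containers.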

1. Securing the Perimeter CFCR/CFAR Chain Of Custody With CI/CD Pipelines

2. Who We Are... Keith Strini ... …. Shaozhen Ding ■ Provide operational assistance and guidance ■ Build balanced customer product teams delivering “Platform” as a capability within their organization ■ Establish and maintain continuous delivery pipelines for deployment of Pivotal Cloud Foundry and related products in a customer’s infrastructure ■ Design and implement continuous integration and continuous delivery processes to deliver customer applications to production, fostering a culture of continuous process improvement

3. Shift the Mindset “Assume The Continuous Threat of Compromise and Then Continuously Move The Target” From Reactive Courses of Action into Proactive Security Policy ◆ Recovery Point Objective • The recovery point objective (RPO) is the point in time that you wish to recover to. ◆ Recovery Time Objective • The recovery time objective (RTO) is how long it takes to recover, taken irrespective of the RPO. That is, after the disaster, how long until you have recovered to the point determined by the RPO.

4. A Standard Delivery Pipeline Artifactory binary/containers DVCS Build Deploy To Test Deploy To QA Deploy To Prod Platform As A service

5. Defending the Supply Chain Threat Artifactory Sign the commit binary/containers Sig Verification Sig Verification Sign the binary DVCS Build Deploy To Test Deploy To QA Deploy To Prod Platform As A service

6. Limiting CI/CD Breakout Exposure Artifactory binary/containers DVCS Build Deploy To Test Deploy To QA Deploy To Prod Platform As A service

7. Defending the Application Integrity Artifactory Commit Hash binary/containers Hash Verification Hash Verification Binary Hash DVCS Build Deploy To Test Deploy To QA Deploy To Prod Platform As A service
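The hash verification gates on slide 7, sketched as an added example that is not code from the talk or from any Pivotal product. The record layout, function names and sample values are assumptions, and the HMAC tag is a standard-library stand-in for a real release signature.

```python
import hashlib
import hmac
import json

STAGES = ("test", "qa", "prod")  # Deploy To Test / QA / Prod on the slide


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _tag(body: dict, key: bytes) -> str:
    # HMAC over canonical JSON: a stdlib stand-in for a real release signature.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_record(commit: str, artifact: bytes, key: bytes) -> dict:
    """Build step: bind the commit hash to the binary hash it produced."""
    body = {"commit": commit, "binary_sha256": sha256_hex(artifact)}
    return {"body": body, "tag": _tag(body, key)}


def verify_at_stage(record, artifact, expected_commit, key):
    """Gate run before a deploy; returns (ok, reason)."""
    body = record.get("body", {})
    if not hmac.compare_digest(_tag(body, key), str(record.get("tag", ""))):
        return False, "record tampered"
    if body.get("commit") != expected_commit:
        return False, "commit mismatch"
    if not hmac.compare_digest(str(body.get("binary_sha256", "")), sha256_hex(artifact)):
        return False, "binary hash mismatch"
    return True, "ok"


def promote(record, artifact_by_stage, expected_commit, key):
    """Re-verify at every stage in order; stop at the first failure."""
    results = []
    for stage in STAGES:
        ok, reason = verify_at_stage(record, artifact_by_stage[stage], expected_commit, key)
        results.append((stage, ok, reason))
        if not ok:
            break
    return results


# Constructed sample values, not taken from the talk.
KEY = b"constructed-demo-key"
COMMIT = "0" * 40
ARTIFACT = b"constructed application package bytes"
RECORD = build_record(COMMIT, ARTIFACT, KEY)
```

Each stage re-hashes the bytes it actually received rather than trusting the previous stage's result, so a swap inside the artifact store between QA and Prod is caught at the Prod gate.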

8. So What Happens During The Push? Code Built, Tested, Create Application Package Security Scanned Pull Application Source Code Install & Configure Dependent Services Install & Configure Runtime on top of a hardened container 1 2 3 4 5 6 7 8 Find Available Hosts Install & Configure Middleware/Backing Services Schedule app container Retrieve dependent libraries Configure Load Balancer Configure Log Collector Load Environment Variables Configure Firewalls 9 10 11 12 13 14 15 16 Deploy Number of Instance Container To Hosts Create SSL Termination to the Application Application in Production Setup Route to the Application Update Health Service Monitoring Tools

9. Defending the Continuous Threat (Privilege Escalation, File System Modification, Container Breakout) User Namespace => Restricted User Scope Mount Namespace + pivot_root => File System Isolation Each Container can have its own root filesystem separate from the host Container1 Container2 Container3 IPC Network Mount PID User UTS - PCF uses hardened, streamlined Ubuntu stemcell - VMs use hardened, streamlined cflinuxfs3 rootFS - PCF uses a combination of OverlayFS and XFS as a filesystem for containers - The read-only layer in all containers is RootFS - The application binaries are in a very small read-write layer of the file system

10. Defending the Continuous Threat (DoS of Containers, DoS of Service to Host, Kernel Mods, MITM Attacks) Network Namespace + port virtualization => Network Isolation CGroups => Resource Isolation (CPU share Capping), Device Access WL Container1 Container2 Container3 Rootless containers AppArmor confines untrusted processes Seccomp system call filtering IPC Network Mount PID User UTS

11. Defending the Continuous Threat (Malware) Continuous Zero Downtime CVE Patching (Repair Vulnerable Components) [Diagram labels: Application, Runtime, StemCell Ubuntu, cflinuxfs3 rootFS]

12. Defending the Continuous Threat (Advanced Persistent Threat) Canary Style deployment model plus Infrastructure as code from version control (Repave all system components )

13. Defending the Continuous Threat (Leaked Credentials) Continuous Zero Zero Trust Network Model (Rotation of all system credentials)

14. Bringing it all together WE build the container YOU build the container Continuous delivery Application Code & Frameworks Buildpacks | Spring Boot | Spring Cloud | Github Steeltoe Open Service Broker API Public Cloud Services Pivotal Network Pivotal Application Pivotal Container Pivotal Services Customer Managed Concourse Service (PAS) Service (PKS) Marketplace Services >cf push >kubectl run Pivotal and Partner Products v1 CVEs Java | .NET | NodeJS Elastic | Packaged Software | Spark Product Updates v2 “3Rs” v3 ... Embedded OS NSX-T Repair Repave Rotate — CVEs — Credhub (Windows & Linux) Concourse CPI (15 methods) Azure & vSphere Openstack AWS Google Cloud Azure Stack

15. Conclusion - Move The Target Proactive Security Policy Phase I - Aggressive Rotation of the issued Developer Keys Phase II – Rotation of Environment Credentials, End Point IPs, and Dynamic Management of IP WL/ACLs Phase III - Continuous Verification of the Application Integrity Phase IV – Continuous Authorization for Runtime Validation Phase V – Continuous Paving of the Environment, Rotation of the Keys, Renewal of Authorizing Credentials plus Least Privilege Container Authority

17. What Does Bosh Do BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems such as Kubernetes. Packaging w/ embedded OS Server provisioning on any IaaS Software deployment across availability zones Health monitoring (server AND processes) Self-healing w/ Resurrector Storage management Rolling upgrades via canaries Easy scaling of clusters Backup and Restore Rotating Server Credentials ● Cloud Native Security ○ Repair ○ Repave ○ Rotate

18. Enterprise Docker Registry - Harbor ● LDAP Integration ● Clair Security Scanning ● Docker Content Trust via Notary ● Role Based Access Control