Hot, hotter, hottest - Containers Today (slide transcript)
Hot, hotter, hottest: running a compliant container platform for the banking industry
Containers Today (27-06-2019)
ABN AMRO
Roland Schijvenaars & Wiebe de Roos
About us – Wiebe de Roos
Wiebe de Roos
CI/CD Consultant & Engineer
https://www.linkedin.com/in/wiebe-de-roos
About us – Roland Schijvenaars
Roland Schijvenaars
Cloud native consultant
https://nl.linkedin.com/in/rschijvenaars
Table of Contents
1. Introduction
2. Recap Containers Today 2018
3. Container Security
4. Managed Container Platform
5. Compliance as Code
6. Containers Tomorrow
1. Introduction - ABN AMRO
ABN AMRO is a leading bank:
• Operating income of EUR 8.588 million
• 22,000 employees servicing retail, private and corporate finances worldwide
• Headquartered in Amsterdam
• 5,000 associates working in IT
• 350+ agile teams
1. Container Journey
• 2017: First Docker PoCs
• 2018: Jenkins Core in AWS
• 2019 Q1: Twistlock
• 2019 Q2: Container platform EKS
• 2019 Q3: Open Policy Agent
• 2019 Q4?: Container platform AKS
2. Container Initiatives – 2017-2018
2. Recap – Containers Today 2018
"Dockerizing the Enterprise – fast & secure" covered:
✓ Docker use cases
✓ Docker (image) pipelines
✓ CI platform: from VMs to Containers
✓ Containers in the enterprise
✓ Container security
3. Container Security - Twistlock
3. Container Security Journey
2018H2
• Container Security RFP
• Twistlock selected
2019Q1
• Twistlock in production
• Docker image pipeline + Twistlock scans
• Scanning 3rd-party Docker images
2019Q2
• Standards & guidelines
• Rollout for all teams
• Container scanning in current way of working
2019Q3
• Fix critical issues
• Runtime protection
• Triage process in place
Throughout: communication, knowledge sharing, training
3. Context of Twistlock
Main features:
✓ Vulnerability scanning
✓ Runtime protection
Deployment: a central Twistlock console (in AWS) holds the policies & rules and covers the AWS, Azure DevOps and on-prem environments.
3. Vulnerability Scanning Example
Criticals should be fixed or mitigated.
3. Container Runtime Protection Example
Docker pull:
docker: Error response from daemon: OCI runtime create failed: [Twistlock] Image operation blocked by policy: allow-whitelisted-images-only, has 1 compliance issues:
This container is not allowed, since the image is not whitelisted by ABNAMRO. Only images from ABN AMRO NEXUS are allowed.
Stratus – "low-level clouds characterized by horizontal layering with a uniform base."
Container platform team
4. Managed Container Platform
4. Main Objectives
Build a platform which is:
Easy to use
• Provision in minutes
• One stop shop for developers
• All workloads supported
Secure
• Security framework in place
• Vulnerability & compliance detection
• Container protection
Reusable
• Everything as code
• Compliance framework
• Knowledge of containers, Kubernetes etc.
Portable
• Workloads can run on AWS and Azure
• Loose coupling of cloud native components
4. Conceptual Framework
Managed Container Platform layers: Pipeline, Platform, Governance, Application
Stages: Assessment → Go Live
4. Component overview
Layers: Orchestration, Infra provisioning, Runtime, Security, Monitoring & logging, Application level
Components: Docker registry, Automation & config, App definition & image build, CI/CD, Persistent storage, Network, Container runtime, Secrets, Scanning, Compliance, Azure AKS, Azure DevOps
Monitoring & logging: to be determined
5. Compliance as Code - Open Policy Agent (OPA)
5. Policy Enforcement with OPA
Compliance officers and the container platform team author the OPA policies, which are enforced at several points on Azure AKS:
• Cluster policies
• Infra as Code pipeline
• Helm pipeline
• Docker pipeline
5. OPA Policy Enforcement Example
Prevent deployments of containers with a public-facing endpoint; applications can only be accessed via the ABN AMRO internal network.
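The following Rego policy is an added illustration of the two enforcement examples in these slides (the OPA rule against public-facing endpoints on this slide, and the Twistlock "allow-whitelisted-images-only" block on slide 14). It is not ABN AMRO's policy and not code from the talk. It assumes the policy is evaluated against a Kubernetes AdmissionReview (so the manifest sits at input.request.object), and the registry hostname nexus.example.internal is a placeholder, since the slides name "ABN AMRO NEXUS" without a hostname. The package name abnamro.admission, the rule names and the sample inputs are all constructed for this example.

```rego
package abnamro.admission

import rego.v1

# Placeholder for the internal registry; the slides name "ABN AMRO NEXUS" but give no hostname.
internal_registry := "nexus.example.internal/"

# Public-facing endpoint, rule A: on AKS a Service of type LoadBalancer receives a
# public IP unless it carries the internal-load-balancer annotation.
deny contains msg if {
	input.request.kind.kind == "Service"
	svc := input.request.object
	svc.spec.type == "LoadBalancer"
	not internal_load_balancer(svc)
	msg := sprintf("Service %q would receive a public load balancer; only internal endpoints are allowed", [svc.metadata.name])
}

# Public-facing endpoint, rule B: NodePort opens the port on every node's address.
deny contains msg if {
	input.request.kind.kind == "Service"
	svc := input.request.object
	svc.spec.type == "NodePort"
	msg := sprintf("Service %q uses NodePort, which exposes a node-level endpoint", [svc.metadata.name])
}

internal_load_balancer(svc) if {
	svc.metadata.annotations["service.beta.kubernetes.io/azure-load-balancer-internal"] == "true"
}

# Image origin: every container of a Pod must be pulled from the internal registry,
# the same intent as the Twistlock whitelist policy shown on slide 14.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in input.request.object.spec.containers
	not startswith(container.image, internal_registry)
	msg := sprintf("container %q uses image %q, which is not served from the internal registry", [container.name, container.image])
}

# The request is admitted only when no deny rule produced a message.
allow if count(deny) == 0

# Constructed sample inputs, runnable with `opa test`.
test_public_service_denied if {
	count(deny) == 1 with input as {
		"request": {
			"kind": {"kind": "Service"},
			"object": {"metadata": {"name": "web"}, "spec": {"type": "LoadBalancer"}}
		}
	}
}

test_internal_service_allowed if {
	allow with input as {
		"request": {
			"kind": {"kind": "Service"},
			"object": {
				"metadata": {
					"name": "web",
					"annotations": {"service.beta.kubernetes.io/azure-load-balancer-internal": "true"}
				},
				"spec": {"type": "LoadBalancer"}
			}
		}
	}
}

test_external_image_denied if {
	count(deny) == 1 with input as {
		"request": {
			"kind": {"kind": "Pod"},
			"object": {"spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:latest"}]}}
		}
	}
}
```

Save the block as policy.rego and run `opa test policy.rego` to execute the embedded sample inputs, or `opa eval -i review.json -d policy.rego 'data.abnamro.admission.deny'` against a captured AdmissionReview. Wiring the same policy into the Helm and Docker pipelines from the previous slide means the check fails the build before the manifest ever reaches the cluster, while the admission path catches anything deployed outside the pipeline.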
6. Containers Tomorrow
6. Reuse for AKS
Goal:
• Support workloads on Microsoft Azure while re-using as much as possible.
Advantages of the Container Platform:
• Build once – run in AWS and Azure
• One source of truth for (code) compliance
• Security is maintained centrally
• Workloads are truly portable
• Kubernetes knowledge is spread across the organization
Wrap up
The Stratus Container Platform is: Easy to use, Reusable, Portable, Secure
Questions?
Roland Schijvenaars – https://nl.linkedin.com/in/rschijvenaars
Wiebe de Roos – https://www.linkedin.com/in/wiebe-de-roos