Application Security for Kubernetes and Cloud Native Worlds
Girish Sivasubramanian, Principal Software Engineer, AppDynamics
DEVNET-3330
#CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
Overview of our Sock-Shop App
Bringing Security and Operations together
Cloud Security Posture Management + DEMO
Securing the Pipeline and Kubernetes + DEMO
Security insights for Cloud Native Applications Observability + DEMO
Wrap-Up and Next Steps

Overview of our Sock Shop App

"Do you wanna develop an app?"

Microservices, Containers, Kubernetes

Amazon EKS architecture*
*Concepts discussed in presentation are cloud agnostic. AWS has been taken as example cloud provider.

Sock-Shop: Microservices Demo App

[Architecture diagram: Private Cloud, Jenkins, GitHub, Public Cloud (AWS EKS), Kubernetes, Enterprise, End Users, Developers & Operations]

Commit all the bugs

[Architecture diagram: Application tracing (AppDynamics); Secure access for CI/CD (Secure Access by Duo); Public cloud SSO (Secure Access by Duo); Web App MFA (Secure Access by Duo); Kubernetes threat detection (Secure Cloud Analytics); Zero trust public cloud (Secure Workload); Private network threat detection (Secure Cloud Analytics); Zero trust private network (Secure Workload); Public cloud threat detection (Secure Cloud Analytics)]

Bringing Security and Operations together

App Team: focused on velocity & user experience
Security Team: focused on vulnerabilities & threats

Who in the room is operations, DevSecOps?

The game plan proposed by DevOps architect:
1. Implement Cloud Security Posture Management (CSPM) to get asset visibility for compliance.
2. Build a Secure Pipeline (and processes) to enable Dev(Sec)Ops and Secure Kubernetes deployment.
3. Secure our Sock-Shop app code with Runtime Application Security insights.

1. Cloud Security Posture Management with Cisco Secure Cloud Insights

Cloud security posture management: Secure Cloud Insights

How many Cloud environments and DevOps tools are you using?

Cloud Asset Security: Top Use Cases
Complete visibility into our cloud assets & their security posture
Attack surface management
Easily identify security and compliance gaps

Asset Discovery and Relationship Mapping
Discover and classify all cloud assets
Native integrations allow for simple discovery of assets from across the security program
Agent-less, API-driven configurations use read-only credentials

Benchmark Compliance Reporting Support
Immediately identify compliance status, with the option to view status by specific benchmark
Gap analysis for compliance status in addition to evidence collection for proof of compliance

Powerful Yet Simple Query Language
Customer questions:
Are my S3 buckets open to public?
Which buckets do not have logging or encryption enabled?
Is MFA enabled for Root users on AWS account?
What are the production instances?
Are there backups configured for my databases?
SCI query example:
Find aws_s3_bucket with classification!=public and ignorePublicAcls!=true and restrictPublicBuckets!=true
Prebuilt and auto filled queries

Deploying Secure Cloud Insights for AWS EKS

[Architecture diagram: Secure access for CI/CD (Secure Access by Duo); Public cloud SSO (Secure Access by Duo); Web App MFA (Secure Access by Duo); Application tracing (AppDynamics); Cloud security posture management (Secure Cloud Insights)]

2. Securing the Pipeline and Kubernetes with Cisco Panoptica*
*Formerly known as Cisco Secure Application Cloud

CI/CD Pipeline Security: Cisco Panoptica

Pipeline and Infra Security: Top Use Cases
Complete security of the CI/CD pipeline
API visibility and protection
Protection of the Kubernetes infra and workload

Deploying Panoptica for AWS EKS

[Architecture diagram: Private network threat detection (Secure Cloud Analytics); Secure access for CI/CD (Secure Access by Duo); Public cloud SSO (Secure Access by Duo); Web App MFA (Secure Access by Duo); Application tracing (AppDynamics); Cloud security posture management (Secure Cloud Insights); CI/CD Pipeline Security (Cisco Panoptica); Protection of Kubernetes infrastructure (Cisco Panoptica)]

3. Security insights with Cloud Native Application Observability

Runtime Application Security insights: Security Insights on Cloud Native Application Observability

Are you using any tool to detect third-party vulnerabilities or data leakage?

Modern (cloud native) application monitoring
Cloud-native applications (DevOps, CloudOps, SRE, monitoring admin)
Observe modern applications and cloud-hosted workloads
Through full-stack observability
Purpose built from the ground up
Cloud Native Application Observability

Security insights module
Detect Vulnerabilities: Runtime container vulnerability detection with remediation guidance
Infrastructure Posture: Find configuration issues and vulnerabilities in Kubernetes configurations
Sensitive Data Redaction: Automatically detect and redact data leakage to maintain compliance
Business Risk Observability: Correlated with Application and Business context

Business Risk Observability
Business Context Mapping: Mapping vulnerabilities and attacks to common transactions provides the business context to help you quickly understand the location and impact of threats.
Vulnerability and Threat Intelligence: Threat intelligence feeds from multiple yet complementary sources provide the threat context to understand the likelihood of exploits.
Business Risk Score: Scoring composited from analysis of runtime behavior + business impact + intelligence provides complete business risk context to instantly assess and prioritize action across ITOps and Security teams.
Provide business context needed to rapidly assess risk and align teams based on potential impact
Full-Stack Observability Secure

Components of Business Risk assessment
Internet accessible
Important business transaction
Sensitive data leakage
Insecure Kubernetes configuration
Exploitable vulnerability
Access to data

Uncover Kubernetes security posture
Identify risk introduced by K8s & Containers
Native backend integration with Panoptica
Infrastructure risk cross-correlated with application entities
Findings combined into application context for business risk scoring

Detect and redact sensitive data
Maintain compliance and protect customer data
PII leakage insights mapped to source entities to clamp down leakage
Leverage prepackaged PII detection expressions to enable faster protection
Build custom policies and expressions to detect and redact any data
Combine findings into vuln and threat context for business risk scores

Security insights demo

Business Risk Observability
Zero Friction Enablement
Instant Activation
Fast Time to Value
Nothing to Deploy
Dashboards visible in minutes
Part of existing agents and native integrations
Quick path to resolve pain even in non-production

[Architecture diagram: Private network threat detection (Secure Cloud Analytics); Secure access for CI/CD (Secure Access by Duo); Public cloud SSO (Secure Access by Duo); Web App MFA (Secure Access by Duo); Cloud security posture management (Secure Cloud Insights); CI/CD Pipeline Security (Cisco Panoptica); Protection of Kubernetes infrastructure (Cisco Panoptica); Runtime Security insights (Cisco Cloud Native Application Observability)]

Wrap-Up and Next Steps

[Architecture diagram: Private network threat detection (Secure Cloud Analytics); Secure access for CI/CD (Secure Access by Duo); Public cloud SSO (Secure Access by Duo); Web App MFA (Secure Access by Duo); Cloud security posture management (Secure Cloud Insights); CI/CD Pipeline Security (Cisco Panoptica); Protection of Kubernetes infrastructure (Cisco Panoptica); Runtime Security insights (Cisco Cloud Native Application Observability); Kubernetes threat detection (Secure Cloud Analytics); Zero trust public cloud (Secure Workload); Zero trust private network (Secure Workload); Public cloud threat detection (Secure Cloud Analytics)]

You might be asking yourself: Do I always need all these solutions?
It depends
IaaS and up: Secure Workload, Secure Cloud Analytics
PaaS and up: Panoptica, Security insights, Cloud Native Application Observability
SaaS and up: Secure Access by Duo, Secure Cloud Insights

How to use these products?
Freemium/Free Trial:
Cisco Cloud Native Application Observability (Live Demo available or reach out to sales team): https:/
up to 5 nodes): https://panoptica.app/
Secure Cloud Insights (60 days free trial): https:/
Clarity: https:/
Clarity: https://www.apiclarity.io/

More resources
Cisco Cloud Native Application Observability: https:/
Panoptica: https://panoptica.app/
Cisco Secure Cloud Insights: https:/