OpenShift Container Security

OpenShift Security for Network Visibility and Runtime Protection

RedHat OpenShift and Kubernetes provide the tools to deploy and manage containers at scale. But how can OpenShift security be integrated into the workflow? In this briefing, NeuVector CTO Gary Duan introduces the docker container threat landscape and the Openshift security requirements for the Build, Ship, and Run phases. Runtime visibility and Kubernetes security is especially difficult and requires automation and built-in intelligence to scale. He shows how NeuVector inspects and visualizes network connections and protects OpenShift managed containers during runtime. NeuVector uses behavioral intelligence to discover the container application stack and network connections, and builds a whitelist-based security policy to protect containers as they scale up or down.

Gary also demonstrates how NeuVector captures network connections for applications deployed with OpenShift and provides multiple security layers for protecting and auditing an OpenShift environment. A demo of the Dirty Cow linux exploit on a container demonstrates how the NeuVector OpenShift security container can detect violations and privilege escalations in a kubernetes container environment.

Presentation Highlights:

• Complete OpenShift security requires a layered security strategy for the build, ship, and run phases of the CI/CD pipeline. NeuVector calls this ‘continuous security’ for containers.
• The migration from monolithic applications to microservices has created an explosion in east-west internal traffic. Traditional security tools are blind to this traffic and can’t keep up with the dynamic nature of containers.
• The increased use of open source in containers has introduced increased risk of vulnerabilities. Even without this trend, new zero-day exploits frequently target previously unknown vulnerabilities to compromise container based applications.
• The declarative nature of containers makes it possible for security to be automated and built into the CI/CD process. Security is now able to scale as containers scale, but must have intelligence at the network layer to be truly effective.
• OpenShift security should address the use cases of ransomware, insider attacks, container break outs, and hybrid container / non-container environments.