文章目录
- 一文带你了解云原生安全
-
- 1. 背景
-
- RSAC 2022
- 2. 云原生计算基金会(CNCF)云原生安全白皮书发布
- 3. OWASP Docker Top 10
- 4. kubernetes云原生安全概述
-
- Kubernetes安全专家认证-CKS认证
- 5. 云安全解决方案(CWPP、CSPM、CASB、CNAPP)
-
- CWPP
- CSPM
- CSPB
- CNAPP (云原生应用保护平台)
- 参考
一文带你了解云原生安全
1. 背景
2010年,云原生的概念首次出现WSO首席技术官Paul Fremantle博客中提到,后来经历过Pivotal、CNCF加入了其他机构的补充,构建高弹性、高虚拟化、高容错性、自恢复、易管理的分布式架构系统。
据Gartner分析师表示,到2025年,85%以上的企业将接受云优先原则,95%以上的新数字工作负荷将部署在云原平台上,2021年只有30%。
随着云计算技术的不断发展,传统应用存在升级缓慢、结构臃肿、无法弹性扩展和快速迭代等问题。因此,近年来,云源的概念应运而生。企业服务器的成本和虚拟损失以其弹性、敏捷性、资源池和服务特性大大降低。
在此背景下,云原生安全问题逐渐引起人们的关注。
历史经验告诉我们,达摩克里斯之剑悬挂在所有繁荣景象之上,Tripwire 2019年对311位IT安全专业人员进行了调研,发现60%的组织都遭遇过容器安全事故,容器的背后存在着巨大的安全隐患。
从计算发展的简史来看,每次IT技术的演变不仅带来了效率的提高,也带来了新的安全挑战。在这样的背景和趋势下,我们应该如何考虑云原生的安全?
个人理解,首先要从更权威的地方去寻找,他们如何定义和考虑云原生的安全。
RSAC 2022
RSAC 2022年即将举行,谁将成为创新沙盒大赛的最大赢家? 参考URL: https://www.freebuf.com/news/334473.html
2022年6月6-9日,RSA Conference 2022年将在美国旧金山举行。作为全球网络安全行业的年度盛宴,RSAC会议被称为安全界的奥林匹克
首届会议自1991年举行以来,RSAC会议即将进入第31年,会议规模也从一个小型密码论坛发展到当今世界顶级信息安全会议,吸引了全球网络安全企业、大咖啡、极客和优秀企业家。
推荐查看原文
2. 云原生计算基金会(CNCF)云原生安全白皮书发布
官方V2版本:https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md 青藤云翻译安全白皮书青藤云翻译 https://www.doc88.com/p-78339090738580.html
根据CNCF的描述: Cloud native development can be modeled in distinct phases that constitute the application lifecycle: “Develop,” “Distribute,” “Deploy” and “Runtime.” Cloud native security contrasts with traditional security approaches in that there is a tremendous opportunity to ensure that security is injected throughout these distinct phases instead of book ending the lifecycle with separately managed security informed interventions. Continuous learning of these concepts, tools, and processes, are critical for long term adoption and application. Conclusion Cloud native security, when executed strategically across an organization, can provide high availability, assurance, resilience, and redundancy at scale to ensure customers and developers have secure access to required resources at the velocity they expect. Security itself remains an interdisciplinary field that cannot be isolated from the development lifecycle or be treated as a purely technical domain. Developers, operators, and security personnel must all partner, exchange, and collaborate to continue to move the field and industry forward. As with any technical innovation, people who embark upon this journey driven through their passion are the ones who genuinely make the community and cloud native security possible. Introduction This paper intends to provide organizations and their technical leadership with a clear understanding of cloud native security, its incorporation in their lifecycle processes, and considerations for determining the most appropriate application thereof.
总结: 我们应该站在 看容器的全生命周期。 也就是说,我们需要整体DevSecOps在开发过程中,考虑容器的安全性!
3. OWASP Docker Top 10
官网: https://owasp.org/www-project-docker-top-10/ github官方: https://github.com/OWASP/Docker-Security [推荐]云原生安全介绍 参考URL: https://blog.csdn.net/xlsj228/article/details/122834775
几乎每个人都知道安全领域OWASP(开源Web组织将定期发布应用安全项目)Web应用Top 10安全风险列表是了解最重要的攻击方法。
The OWASP? Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
OWASP?基金会致力于通过社区主导的开源软件项目、数百章、数千名成员以及主持当地和全球会议来提高软件的安全性。
威胁模型,原文 总结:OWASP更重要的是,从攻击者的角度来看,如何保护环境的经典方法,并列出攻击的向量。
github原文
tr>| Title | Description |
|---|---|
| D01 - Secure User Mapping | Most often the application within the container runs with the default administrative privileges: root. This violates the least privilege principle and gives an attacker better chances further extending his activities if he manages to break out of the application into the container. From the host perspective the application should never run as root. |
| D02 - Patch Management Strategy | The host, the containment technology, the orchestration solution and the minimal operating system images in the container will have security bugs. Once publicly known it is vital for your security posture to address those bugs in a timely fashion. For all those components mentioned you need to decide when you apply regular and emergency patches before you put those into production. |
| D03 - Network Segmentation and Firewalling | You properly need to design your network upfront. Management interfaces from the orchestration tool and especially network services from the host are crucial and need to be protected on a network level. Also make sure that all other network based microservices are only exposed to the legitimate consumer of this microservice and not to the whole network. |
| D04 - Secure Defaults and Hardening | Depending on your choice of host and container operating system and orchestration tool you have to take care that no unneeded components are installed or started. Also all needed components need to be properly configured and locked down. |
| D05 - Maintain Security Contexts | Mixing production containers on one host with other stages of undefined or less secure containers may open a backdoor to your production. Also mixing e.g. frontend with backend services on one host may have negative security impacts. |
| D06 - Protect Secrets | Authentication and authorization of a microservice against a peer or a third party requires secrets to be provided. For an attacker those secrets potentially enable him to access more of your data or services. Thus any passwords, tokens, private keys or certificates need to be protected as good as possible. |
| D07 - Resource Protection | As all containers share the same physical CPU, disks, memory and networks. Those physical resources need to be protected so that a single container running out of control – deliberately or not – doesn’t affect any other container’s resources. |
| D08 - Container Image Integrity and Origin | The minimal operating system in the container runs your code and needs to be trustworthy, starting from the origin up until the deployment. You need to make sure that all transfers and images at rest haven’t been tampered with. |
| D09 - Follow Immutable Paradigm | Often container images don’t need to write into their filesystem or a mounted filesystem, once set up and deployed. In those cases you have an extra security benefit if you start the containers in read-only mode. |
| D10 - Logging | For your container image, orchestration tool and host you need to log all security relevant events on a system and API level. All logs should be remote, they should contain a common timestamp and they should be tamper proof. Your application should also provide remote logging. |
注意,根据github描述, This is the OWASP Docker Top 10. It’s a work in progress.这是一项正在进行的工作。
4. kubernetes对云原生安全概述
云原生安全概述 官方:https://kubernetes.io/zh-cn/docs/concepts
分层去考虑安全性,云原生安全的 4 个 C 分别是云(Cloud)、集群(Cluster)、容器(Container)和代码(Code)。
-
云(Cloud): 关注的是云提供商安全性、基础设施安全 如果你是在你自己的硬件或者其他不同的云提供商上运行 Kubernetes 集群, 请查阅相关文档来获取最好的安全实践。 官方也给出了 在 Kubernetes 集群中保护你的基础设施的建议:
-
集群(Cluster): 官方 关于集群,也给了相关建议。 集群中的组件(你的应用) 根据你的应用程序的受攻击面,你可能需要关注安全性的特定面,比如: 如果你正在运行中的一个服务(A 服务)在其他资源链中很重要,并且所运行的另一工作负载(服务 B) 容易受到资源枯竭的攻击,则如果你不限制服务 B 的资源的话,损害服务 A 的风险就会很高。 下表列出了安全性关注的领域和建议,用以保护 Kubernetes 中运行的工作负载。
总结:k8s官方 从分层的维度思考管理云原生安全问题。
Kubernetes安全专家认证-CKS认证
CKS是Kubernetes认证体系下的认证,CKS全称是Certified Kubernetes Security Specialist,中文名就是Kubernetes安全专家认证,考取这个证书之后证明考生具备在构建、部署和运行期间确保基于容器的应用程序和Kubernetes平台安全的必要能力,并且有资格在专业环境中执行这些任务。
5. 云安全解决方案(CWPP、CSPM、CASB、CNAPP)
Cloud Security Solutions: CWPP, CSPM, CASB, and More 参考URL: https://www.aquasec.com/cloud-native-academy/cspm/cloud-security-solutions-cwpp-cspm-casb-and-more/ [推荐]What’s The Difference Between CASB, CWPP, CSPM, and CNAPP? 参考URL: https://www.uptycs.com/blog/whats-the-difference-between-casb-cwpp-cspm-and-cnapp 三大云安全工具(CASB、CSPM、CWPP)的使用场景 参考URL: https://blog.csdn.net/m0_37740029/article/details/117324632
云安全毫无疑问已经成为一种趋势,无论是为政企等行业提供云服务平台的企业巨头,还是行业技术领袖,大家已经形成一种共识,就是未来的安全会在云端,云化已经成为一种趋势。我们经常会看到描述云安全的工具的一些术语如CASB,CSPM, CWPP。
其实这些都是 Gartner创造的术语。Gartner曾提出三大云原生安全管理工具,分别是CWPP、CSPM和CASB。
以下是云安全解决方案的主要类别:
-
Cloud workload protection platform (CWPP)—a centralized solution for extending visibility into cloud resources, primarily to secure cloud workloads. CWPP enables you to perform security functions across multiple environments. 云工作负载保护平台(CWPP) - 用于扩展可见性云资源的集中解决方案,。CWPP使您能够在多个环境中执行安全功能。
-
Cloud security posture management (CSPM)—implements continuous, automated security and compliance processes, primarily to secure the infrastructure where workloads are deployed. CSPM helps prevent software configuration vulnerabilities and compliance risks. CSPM(Cloud Security Posture Management) 云安全配置管理 - 实现连续,自动安全和合规过程,主要是为了保护部署工作负载的基础架构。
-
Cloud access security broker (CASB)—solutions are implemented for the purpose of extending in-house visibility into cloud environments. CASB is located between on-premise and cloud infrastructure. (Cloud Security Access Broker) 云访问安全代理 - 该解决方案的实现是为了将内部可见性扩展到云环境中。
CWPP
什么是CWPP 参考URL: https://blog.csdn.net/inthat/article/details/120676278 [推荐]What’s The Difference Between CASB, CWPP, CSPM, and CNAPP? 参考URL: https://www.uptycs.com/blog/whats-the-difference-between-casb-cwpp-cspm-and-cnapp
云工作负载保护平台(CWPP)。
CWPP应该不受地理位置的影响,为物理机、虚拟机、容器和无服务器工作负载提供统一的可视化和控制力。CWPP产品通常结合使用网络分段、系统完整性保护、应用程序控制、行为监控、基于主机的入侵防御和可选的反恶意软件保护等措施,保护工作负载免受攻击。
总结: 简单来说只要是业务的载体(运行平台)都可以叫工作负载,包括物理服务器、虚拟机、容器和无服务器(serverless)。
CSPM
[推荐]What’s The Difference Between CASB, CWPP, CSPM, and CNAPP? 参考URL: https://www.uptycs.com/blog/whats-the-difference-between-casb-cwpp-cspm-and-cnapp
CSPM(云安全态势管理): 云安全态势管理 (CSPM) 是 IT 安全工具的一个细分市场,旨在识别云中的错误配置问题和合规风险,其编程目的是持续监控云基础架构以发现安全策略执行中的安全漏洞。
CWPP从内部保护工作负载,而Cloud Security Postion Management(CSPM)通过评估云平台控制平面的安全且合规的配置,从外部保护工作负载。
CSPB
[推荐]What’s The Difference Between CASB, CWPP, CSPM, and CNAPP? 参考URL: https://www.uptycs.com/blog/whats-the-difference-between-casb-cwpp-cspm-and-cnapp
云访问安全代理(Cloud Access Security Broker,CASB,发音为KAZ-bee)是位于云服务消费者和云服务提供商(CSP)之间的内部或基于云的策略实施点,用于监视与云相关的活动,并应用与基于云的资源的使用相关的安全性、合规性和治理规则。
CASB可以通过API、转发代理、反向代理等方式来实现。
Cloud AccessSecurity Broker(CASB)本质上是用于云服务的防火墙。它提供了一个安全策略实施网关,以确保用户的操作得到授权并符合公司的安全策略。CASB可以识别组织使用的所有云服务,包括影子IT /未经批准或未经管理的SaaS和PaaS产品,并在必要时发出警报。它可以跟踪,报告和记录云使用情况,评估影子IT带来的风险,并进行事件监视。CASB具有审核和报告工具,可用于法规遵从性,包括云存储的数据。这些工具提供了用户身份验证,授权和策略执行,例如移动和加密文件,更改权限以及过滤消息。
CNAPP (云原生应用保护平台)
[推荐]What’s The Difference Between CASB, CWPP, CSPM, and CNAPP? 参考URL: https://www.uptycs.com/blog/whats-the-difference-between-casb-cwpp-cspm-and-cnapp
由Gartner创造的术语Cloud-Native Application Protection Platform(CNAPP)结合了CWPP和CSPM的功能,可扫描开发中的工作负载和配置并在运行时对其进行保护。
参考
快进键启动,一文带你了解云原生时代容器安全 参考URL: https://zhuanlan.zhihu.com/p/372881372 云原生时代,如何确保容器的全生命周期安全? 参考URL: https://segmentfault.com/a/1190000040340382 [推荐]云原生安全介绍 参考URL: https://blog.csdn.net/xlsj228/article/details/122834775 青藤云安全:蜂巢之声之如何确保容器的全生命周期安全 参考URL: https://zhuanlan.zhihu.com/p/160804637 云原生安全成熟度标准解读及信通院工作介绍 参考URL: https://www.doc88.com/p-19459797509286.html