Saturday, January 29 • 6:00pm - 6:50pm
Cloud Native? No Security? Bad Match! - A CSP Tale

Cloud-native tools increase development speed and offer great agility in deploying resources to a wide audience easily. While developing on Cloud comes with many benefits, there is a wide gap in migrating security practices to Cloud. Infrastructure, networking and identity misconfigurations open up a broad surface for security breaches. When such misconfigurations reach production environments, it becomes crucial to find and fix them before they are exploited.

In this session, we will take a look at common security implications for workloads on Cloud, and how we can remediate them using open-source tools, allowing you to build and ship with more confidence. We will discuss how the threat plane for workloads on Cloud is bigger than in on-premise environments, and therefore requires a well-rounded approach of proactive and reactive methods to secure our workloads faster than attackers can attack them.

We will see how, without continuous security practices applied at the right stages of the SDLC, our environments are left vulnerable for longer, which makes fixing them more critical and more expensive. We will be talking about shifting security left by integrating continuous security across the SDLC, from infrastructure as code through to runtime. The shift-left strategy is to detect and resolve misconfigurations early on during development and then maintain security at runtime. This is also commonly called DevSecOps: breaking the silos between Development, Operations, and Security.

We will walk through an open-source Cloud-security tool, Checkov 2.0, for securing cloud resources and deployments on AWS using Terraform with GitOps. Terraform will provision EKS and other AWS resources, alongside provisioning workloads on EKS. We will then run Checkov security scans in our CI/CD GitOps workflow, which statically scan the Terraform modules for security risks in our AWS infrastructure and in Kubernetes deployments, before a potentially insecure infrastructure is provisioned. Checkov also supports adding custom policies and skipping certain checks during scans, which we will take a look at during the walk-through.
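To make the mechanism behind that CI step concrete, here is an added illustration (not code from the session and not Checkov's own implementation): a toy static policy scanner over a constructed Terraform JSON-syntax configuration. It evaluates declarative policies against each resource before anything is provisioned, honours per-resource skips with a recorded justification, and returns a non-zero exit status so a pipeline fails on unskipped findings. The policy ids prefixed `TOY_` and the `toy:skip=ID:reason` annotation are this example's own conventions; the annotation is carried in Terraform's `//` comment key and is modelled on Checkov's `#checkov:skip=<CHECK_ID>:<reason>` comment in HCL.

```python
import json
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample in Terraform's JSON configuration syntax (.tf.json).
# Terraform ignores the "//" key, so it carries the skip annotation here;
# the "toy:skip=ID:reason" format is this example's own convention.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_s3_bucket": {
            "logs": {"bucket": "example-logs", "acl": "public-read"},
            "state": {"bucket": "example-state", "acl": "private",
                      "//": "toy:skip=TOY_S3_2:encryption enforced by bucket policy, reviewed by security"},
        },
        "aws_security_group": {
            "ssh": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]},
        },
        "aws_eks_cluster": {
            "main": {"name": "demo",
                     "vpc_config": {"endpoint_public_access": True,
                                    "endpoint_private_access": False}},
        },
    }
})

@dataclass
class Policy:
    id: str
    resource_type: str
    description: str
    passes: Callable[[dict], bool]   # True when the resource config is compliant

@dataclass
class Finding:
    policy_id: str
    resource: str        # e.g. "aws_s3_bucket.logs"
    description: str
    skipped: bool = False
    reason: str = ""

def _ssh_open_to_world(conf: dict) -> bool:
    """Any ingress rule covering TCP/22 from 0.0.0.0/0?"""
    return any(rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535)
               and "0.0.0.0/0" in rule.get("cidr_blocks", [])
               for rule in conf.get("ingress", []))

def _eks_endpoint_public_only(conf: dict) -> bool:
    # vpc_config modelled as one object; real .tf.json may also express nested blocks as lists
    vpc = conf.get("vpc_config", {})
    return bool(vpc.get("endpoint_public_access", True)) and not vpc.get("endpoint_private_access", False)

# TOY_ ids are made up for this example; they are not Checkov check ids.
POLICIES: List[Policy] = [
    Policy("TOY_S3_1", "aws_s3_bucket", "S3 bucket ACL must not grant public access",
           lambda c: c.get("acl", "private") not in ("public-read", "public-read-write")),
    Policy("TOY_S3_2", "aws_s3_bucket", "S3 bucket must declare server-side encryption",
           lambda c: "server_side_encryption_configuration" in c),
    Policy("TOY_SG_1", "aws_security_group", "Security group must not expose SSH to 0.0.0.0/0",
           lambda c: not _ssh_open_to_world(c)),
    Policy("TOY_EKS_1", "aws_eks_cluster", "EKS API endpoint must not be internet-only",
           lambda c: not _eks_endpoint_public_only(c)),
]

def parse_skips(conf: dict) -> Dict[str, str]:
    """Collect 'toy:skip=ID:reason' entries from the resource's '//' comment key."""
    raw = conf.get("//", [])
    skips = {}
    for entry in (raw if isinstance(raw, list) else [raw]):
        if isinstance(entry, str) and entry.startswith("toy:skip="):
            check_id, _, reason = entry[len("toy:skip="):].partition(":")
            skips[check_id] = reason or "no justification given"
    return skips

def scan(tf_json: str, policies: List[Policy] = POLICIES) -> List[Finding]:
    """Evaluate every policy against every resource of its type; skips are recorded, not hidden."""
    config = json.loads(tf_json)
    findings = []
    for rtype, instances in config.get("resource", {}).items():
        for name, conf in instances.items():
            skips = parse_skips(conf)
            for policy in policies:
                if policy.resource_type != rtype or policy.passes(conf):
                    continue
                findings.append(Finding(policy.id, f"{rtype}.{name}", policy.description,
                                        skipped=policy.id in skips, reason=skips.get(policy.id, "")))
    return findings

def pipeline_should_fail(findings: List[Finding]) -> bool:
    """Gate the CI job on unskipped findings only; skipped ones still appear in the report."""
    return any(not f.skipped for f in findings)

def main() -> None:
    findings = scan(SAMPLE_TF_JSON)
    for f in findings:
        status = "SKIPPED" if f.skipped else "FAILED "
        tail = f"  (skip reason: {f.reason})" if f.skipped else ""
        print(f"{status} {f.policy_id:10} {f.resource:24} {f.description}{tail}")
    sys.exit(1 if pipeline_should_fail(findings) else 0)

if __name__ == "__main__":
    main()
```

Run it as a script and it reports four failed findings (the public bucket ACL, the missing encryption on the `logs` bucket, SSH open to the world, and the internet-only EKS endpoint) plus one skipped finding with its justification, then exits 1. Keeping skipped findings visible in the report, rather than silently dropping them, is the design point: a skip is a reviewed accepted risk, and a pipeline that shows it alongside its reason makes that decision auditable instead of invisible.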

Once workloads are running inside EKS, we will use an open-source runtime security tool called Falco. With Falco, we will be able to continuously monitor our containers on EKS for security breaches while they are running. To collect these logs, we will use a Fluentd-based service in AWS, which can also transform them and forward them to a monitoring platform. This way, we will have added both static and dynamic security scanning to our cloud-native workloads on AWS.

Towards the end, we will also talk about runtime-security best practices for managing Cloud resources both inside and outside Terraform (brownfield deployments) by using Cloud Security Posture Management (CSPM) tools.

By the end of this session, you will have gained an understanding of how security breaches operate differently on Cloud, which creates the need to implement security practices in the early stages of the SDLC. You will also have learned about open-source tools which mitigate Cloud security risks, allowing you to practice continuous security and reduce operational burden without disrupting development pipelines.

Session chairs: Michal Ruprich and Lucie Vrtelova

Shruti Chaturvedi

Founding Engineer, MeetKlara
Shruti is the Founding Engineer of MeetKlara, where she is currently overseeing the development of secure CI/CD pipelines using open-source tools. Shruti is also a member of the CDFoundation community, and has been working on building a CloudEvents integration for Jenkins as a way...

Saturday January 29, 2022 6:00pm - 6:50pm CET
Session Room 2