Key Points
Copyright 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Agenda
Level-set on containers
Container wins and success stories
Cloud security impacts
Minimizing risk
Container Level-set
Examples
Containers
Orchestration
How it works
Source: dotCloud
Source: ZDNet
Drivers
Cloud Integration
Docker Cloud
dotCloud
Tutum
StackDock
Success Story #1
Scenario:
Bug in production code push results in site-wide outage
Outcomes:
Admins created dev container sandbox to debug (~60 seconds, 2 commands)
Dev located issue easily because of ease in reproducing issue (~20 minutes)
Snapshot allowed near-instant restore to patch
Success Story #2
Scenario:
250 services, focus on SEO and SEM landing pages
Multiple environments, multiple dev teams; increased focus on microservices
Outcomes:
Achieved consistency between environments
Decrease in delivery time from 2 weeks to 10 minutes
Container security
Challenges at scale
Technical Challenges
Sprawl
Sleeper Cells
Unexpected re/allocation or movement
Compounded complexity
Process
Regulatory/Compliance
Entitlements
Sprawl
Remember this?
Source: Netflix
Causes:
Proliferation of containers with no clear understanding of how or when they'll go away
Lack of controls over who/how/when containers can get created, moved, copied, or duplicated
Impacts:
Exponential decrease in ability to manage environment (without automation)
Performance issues
Asset management challenges
Sleeper cells
Source: ABCNews
Causes:
Lack of management over what containers are fielded, what they do, and what's on them
Unclear processes for maintenance and hygiene
Impacts:
Challenges enforcing security of/on specific containers
Potential security vulnerabilities in individual applications
Causes:
Lack of process around movement/modification of containers in specific environments
Unclear maintenance/control processes
Impacts:
Asset management issues
Challenges maintaining reliable inventory
Difficulty deploying/maintaining security controls for specific applications
App
Compounding complexity
Container
Virtual Host
Physical Host
Causes:
Intersection between existing technologies and containers:
Impacts:
Difficulty managing the environment
Process issues
Getting a leg up
Multi-Tenancy
Inventorying
Discovery
Summary
Resources