20 minutes + 8 security layers = secure Amazon EKS and Kubernetes (TDR327-S)

Title: AWS re:Inforce 2024 - 20 minutes + 8 security layers = secure Amazon EKS and Kubernetes (TDR327-S)

Insights:

  • Introduction and Background: Tracy Walker, a senior security engineer at SUSE, discusses securing Amazon EKS and Kubernetes using NeuVector, an open-source project acquired by SUSE.
  • Open Source and Accessibility: NeuVector is 100% open source and can be used across various Kubernetes platforms such as Rancher, OpenShift, Tanzu, and EKS. It is available on the AWS Marketplace with support options.
  • Ease of Installation: NeuVector can be installed quickly, often in less than five minutes, using Helm or directly from the Rancher catalog.
  • Security Layers Concept: The talk emphasizes the importance of multiple security layers, since no single layer is perfect. NeuVector offers eight security layers, five of which can be configured in less than five minutes.
  • Network-Centric Approach: NeuVector's network-centric approach, backed by nine patents, allows deep packet inspection beyond what eBPF offers, covering layers 5, 6, and 7 of the network stack.
  • Threat Detection and Zero Trust: NeuVector provides signature-based threat detection and zero trust policies, and automatically captures packets when a threat is detected.
  • Supply Chain Security: Includes vulnerability scanning, CIS security scanning, and Kubernetes-native admission control policies to enforce compliance and security at multiple checkpoints.
  • Runtime Security Layers: Features network segmentation, file and process segmentation, data leak prevention (DLP), and a web application firewall (WAF) for comprehensive runtime security.
  • Integration with Other Tools: NeuVector can be used alongside other security tools and service meshes like Istio without disrupting existing setups.
  • Practical Advice: Recommends using multiple scanners for vulnerability assessments to ensure comprehensive security coverage.
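The zero-trust point in the Threat Detection insight (a signature engine cannot flag an attack it has no signature for, but a learned allowlist still flags a connection the workload never makes) is shown below with an added example that is not code from the talk or from NeuVector. The workload names, the allowlist, the single signature and the traffic records are all constructed for the illustration.

```python
# Added example (not from the talk or from NeuVector): a signature-based
# detector and a zero-trust connection allowlist run side by side over
# constructed traffic records, to show what each layer catches.
import re
from collections import namedtuple

Conn = namedtuple("Conn", "src dst port payload")

# Signatures a signature-based engine already knows about (constructed).
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
}

# Zero-trust allowlist: (source workload, destination, port) tuples learned
# while observing normal behaviour (constructed). Anything else is a violation.
ALLOWLIST = {
    ("frontend", "api", 8080),
    ("api", "postgres", 5432),
}

# Constructed traffic: two normal flows, one flow matching a known signature,
# and one flow with no signature at all (unknown bytes to an unknown peer).
CONSTRUCTED_TRAFFIC = [
    Conn("frontend", "api", 8080, "GET /products"),
    Conn("api", "postgres", 5432, "SELECT id FROM products"),
    Conn("api", "postgres", 5432, "SELECT 1 UNION SELECT password FROM users"),
    Conn("api", "203.0.113.7", 9000, "\x00\x01unknown-protocol-bytes"),
]

def signature_hits(conn):
    """Names of signatures whose pattern appears in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(conn.payload)]

def zero_trust_violation(conn):
    """True when the (src, dst, port) tuple was never learned as normal."""
    return (conn.src, conn.dst, conn.port) not in ALLOWLIST

def classify(traffic):
    """Per-connection verdict from both layers; each layer catches a different flow."""
    return [
        {"dst": c.dst,
         "signatures": signature_hits(c),
         "zero_trust_violation": zero_trust_violation(c)}
        for c in traffic
    ]

if __name__ == "__main__":
    for verdict in classify(CONSTRUCTED_TRAFFIC):
        print(verdict)
```

The third record is caught only by the signature layer (the destination and port are allowed), while the fourth is caught only by the allowlist, which is the "we know what it doesn't look like" argument from the talk.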

Quotes:

  • "Everything that you're going to see today, this is not really a typical vendor pitch, right? I'm not necessarily saying go buy this thing, because what you're about to see is 100% open source."
  • "No layer is perfect. We use more than one security layer. We're just basically applying lots of nets with different size holes to catch the things we're trying to catch."
  • "NeuVector can take advantage of eBPF, but that is not our source of truth when we're talking about the network functions, how we inspect network traffic and things like that."
  • "We have nine patents. These are not just like, oh, we're doing something a little bit different, patent it quick. This is actually because in the development of NeuVector, our founders had a network background."
  • "If you're using a tool today in Kubernetes in EKS, if you want to see if it really is seeing the network traffic, find out if that tool can do packet capture."
  • "Our threat detection also comes with a packet capture. And when they looked at that packet capture, that looks like SQL commands. This looks real."
  • "Zero trust is effective because if we don't have a signature for that attack, and we don't know what it looks like, our threat detection is not going to pick it up, right? So how does zero trust help us with this? Well, we know, we may not know what the attack looks like, but we know what it doesn't look like."
  • "If you're SOC 2 compliant and you haven't had an examination in the last 18 months or so, we're seeing more and more companies that are SOC 2 compliant and need some kind of DLP for the EKS clusters."
  • "If it's five to 10 minutes to install, and within five minutes I can get one, two, three, four, five security layers turned on like that, I think I just made my presentation a true thing. It is that easy. This is not hyperbole."
  • "We run in those air gap environments, so we don't change your FedRAMP status."