Educause Security Discussion mailing list archives

Re: Container Security


From: Jason Borinski <jason.borinski () DEXCOM COM>
Date: Tue, 4 Jun 2019 19:34:10 +0000

Thanks, Kevin. Sysdig was on our list but I'm bumping it up based on your feedback. I'll connect with you further. 
Thank you

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Cleary, Kevin
Sent: Tuesday, June 4, 2019 6:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Container Security

Hi Jason,

Another tool to potentially consider would be Sysdig - https://sysdig.com/.

At UB, we're running OpenShift on-prem.  So we needed something that could provide a depth of visibility across the 
many layers of kube/docker/OS software stack.

We did also consider Aqua.

--
Kevin Cleary
Manager, Systems Software
CIT Enterprise Infrastructure Services
University at Buffalo
305 Computing Center
Buffalo NY 14260-1407
Phone:  716-645-4767

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jason Borinski
Sent: Monday, June 3, 2019 9:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Container Security

Hi all,

I'm looking for input from this group on how you are handling container security. Are you primarily relying on native 
container platform features, open source or commercial third party tools? We're ramping up our use of Google Kubernetes 
Engine (GKE) and are both assessing its native security features while also considering third party tools to augment 
capabilities, particularly around detection/response.

On the plus side GKE seems to have cluster/node security covered. Google also offers a number of native add-on services 
such as Container Analysis<https://cloud.google.com/container-registry/docs/container-analysis> (image scanner, still 
in beta), Cloud Security Scanner<https://cloud.google.com/security-scanner/> (lightweight web app scanner), and Event 
Threat Detection<https://cloud.google.com/event-threat-detection/> which shows promise but has recently been put on 
hold. There is a WAF in alpha for Cloud Armor<https://cloud.google.com/armor>. Cloud Security Command 
Center<https://cloud.google.com/security-command-center/> shows promise but has so far been underwhelming. These 
add-ons seem to be low in maturity and lacking threat detection and response capabilities.

So evidently NGFW/IPS is out of fashion and kludgy for container security, so we're exploring cloud-native security 
architectures. Also looking at third party products - does anyone have any experience with tools like Twistlock, Aqua, 
Stackrox, or Trend Deep Security? If so would appreciate your recommendations or lessons learned.

Thank you,
Jason

Jason Borinski
Senior Manager Information Security | Dexcom
6350 Sequence Drive, San Diego, CA 92121
858-203-6178 | jason.borinski () dexcom com


