Authors: Dima Aronov, Gad Zvi Mehditache and Ram Saiegh
Several Tufin developers attended DevOpsDays Tel Aviv, a conference that brings development and operations together and encourages closer collaboration between the two teams. Since its start in 2009, the conference has picked up momentum as the DevOps movement has grown in popularity. Today, DevOpsDays has a significant global presence, taking place in various locations around the world throughout the year, with new locations frequently being added to the docket.
Here are a few key takeaways from the Tufin team who attended the event.
“The Evolution of Automation”
Nathen Harvey, VP of Community Development at Chef
Adam Jacob, Co-founder of Chef Software and the creator of the Chef IT automation platform
This talk examined the fundamentals of automation, lessons learned over multiple generations of tooling and research, and discussed the path forward.
Key Takeaway: The main topic was how to make today's applications more accessible, or in Adam's words, “more humane.” It was more about how we, as developers, must be aware of our audience and our surroundings. Adam encouraged attendees to always attempt to think of Ubuntu, a philosophy that originates from the Bantu dialects of Africa and basically means “I am because of who we are” – the essence of being human. It is only when we think of Ubuntu while building our software that it becomes more humane, as we look beyond ourselves and consider the user as well. --Ram Saiegh, QA DevOps Engineer
“Orchestrating Least Privilege”
Diogo Mónica, security lead at Docker
Container orchestration tools have seen a rise in popularity in the enterprise; however, many of these systems were not developed with security as a priority, leaving holes through which an attacker can gain unauthorized access. With the growing popularity of containers in the enterprise, it is critical that we start designing orchestrators with security in mind and follow the principle of least privilege, where any participant in the system has access only to the resources that are strictly necessary for its legitimate purpose.
Key Takeaway: The major topic discussed during the talk was the fact that while using Docker is very easy, most organizations are not prepared for the potential security breaches that can result from the use of Docker in their environment. The Docker orchestration suite offers some tools to overcome this challenge. Unfortunately, they aren't widely discussed in the community and are not always implemented. During the talk the presenter demonstrated how to use the available tools to secure the containers and the environment they're running on as much as possible. Alongside the demonstration, the presenter spoke about best practices and how the Docker community can work to alleviate this challenge. --Dima Aronov, DevOps Engineer
The talk highlighted the Principle of Least Privilege. According to this principle, a process must be able to access only the information and resources that are necessary for its legitimate purpose. Vulnerabilities in one process must not be used to exploit the rest of the cluster. Since security isn't always top of mind in the development of container orchestration tools, the talk looked at ways to mitigate risks associated with these tools:
- Mitigating an external attacker: externally accessible service ports are explicitly defined, and administration endpoints are authenticated and authorized
- Mitigating an internal network attacker: requires the authentication of both network and cluster control-plane communication. Service-to-service communication is authorized with orchestrator-managed ACLs
--Gad Zvi Mehditache, Solution Architect
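The two mitigation bullets above describe properties a deployment should have rather than how to check for them. The following script, an added illustration that is not code from the talk, from Docker, or from Tufin, audits a constructed cluster description against exactly those properties: every externally reachable port is declared on purpose, every administration endpoint is authenticated, control-plane traffic is mutually authenticated, and service-to-service calls are allowed only by an explicit deny-by-default ACL. The spec layout, the service names (`web`, `api`, `db`, `cache`), the port numbers and the ACL shape are all assumptions made for this example, loosely modelled on a Swarm/compose stack; the `hardened()` function shows the same cluster with each finding resolved.

```python
"""Least-privilege audit of a constructed orchestrator deployment spec.

Added example; the spec format, service names, ports and ACL shape are
assumptions for illustration, not a real orchestrator's configuration.
"""
import copy

# Constructed cluster description (the "weak" configuration).
SPEC = {
    # "mutual" = manager and agents both present certificates; "server" = only
    # the manager does, so an internal attacker can impersonate an agent.
    "control_plane": {"tls": "server"},
    # Ports that are deliberately reachable from outside the cluster.
    "external_ports": {"web": {443}},
    "services": {
        "web":   {"publish": {443},  "talks_to": {"api"},
                  "admin_endpoint": None},
        "api":   {"publish": set(),  "talks_to": {"db"},
                  "admin_endpoint": {"port": 9001, "auth": "mtls"}},
        "db":    {"publish": {5432}, "talks_to": set(),
                  "admin_endpoint": None},
        "cache": {"publish": set(),  "talks_to": {"db"},
                  "admin_endpoint": {"port": 6380, "auth": None}},
    },
    # Orchestrator-managed ACL: (caller, callee) pairs allowed to talk.
    "acl": {("web", "api"), ("api", "db")},
}


def is_allowed(acl, caller, callee):
    """Deny-by-default service-to-service authorization check."""
    return (caller, callee) in acl


def audit(spec):
    """Return a list of (component, finding) tuples; empty means the spec passes."""
    findings = []

    # Internal attacker: control-plane traffic must be authenticated both ways.
    if spec["control_plane"].get("tls") != "mutual":
        findings.append(("control-plane",
                         "manager/agent traffic is not mutually authenticated"))

    for name, svc in spec["services"].items():
        # External attacker: every reachable port must be declared on purpose.
        undeclared = svc["publish"] - spec["external_ports"].get(name, set())
        for port in sorted(undeclared):
            findings.append((name, f"publishes port {port} that is not declared external"))

        # External attacker: administration endpoints need authentication.
        admin = svc["admin_endpoint"]
        if admin is not None and not admin.get("auth"):
            findings.append((name, f"admin endpoint on port {admin['port']} is unauthenticated"))

        # Internal attacker: lateral calls must be covered by the ACL.
        for callee in sorted(svc["talks_to"]):
            if not is_allowed(spec["acl"], name, callee):
                findings.append((name, f"calls {callee} without an ACL entry"))

    return findings


def hardened(spec):
    """Copy of SPEC with the findings resolved.

    Whether cache is *supposed* to reach db is a design decision, not something
    a linter can make; here we decide it is legitimate and add the ACL entry.
    """
    fixed = copy.deepcopy(spec)
    fixed["control_plane"]["tls"] = "mutual"
    fixed["services"]["db"]["publish"] = set()  # db is reached only via api
    fixed["services"]["cache"]["admin_endpoint"]["auth"] = "mtls"
    fixed["acl"].add(("cache", "db"))
    return fixed


if __name__ == "__main__":
    for component, finding in audit(SPEC):
        print(f"[weak]     {component}: {finding}")
    print(f"[hardened] findings: {audit(hardened(SPEC))}")
```

Running the weak spec yields four findings (the one-way control-plane TLS, the externally published database port, the unauthenticated cache admin endpoint, and the cache-to-db call missing from the ACL); the hardened copy yields none. The point of the ACL check is the default: a call that is not explicitly allowed is a finding, which is what keeps a compromised service from reaching the rest of the cluster.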