Slides from webinar by Mirantis and Zettaset about how to encrypt containerized data. Watch the recording at: https://bit.ly/container-data-encryption

1. Copyright © 2020 Mirantis, Inc. All rights reserved
Securing Your
Containers Isn't
Enough
How to Encrypt
Containerized Data
WEBINAR | April 8, 2020

2. 2
Tim Reilly
CEO
Featured Presenters - Zettaset
Tim brings more than 25 years of successful public and
private experience in the high-tech industry filling key
operational roles within product line business units and
venture capital funded companies through all stages of
growth. During his time at Zettaset, the company has
successfully grown its software-defined encryption
portfolio to provide a comprehensive data protection
solution across all physical, virtual and cloud
environments.
Prior to joining Zettaset, Tim took on a variety of roles at
companies including Trapeze Networks, Nicira, netVmg,
and WorldxChange. He has a BS in Accounting from the
University of Southern California and currently resides in
the San Francisco Bay Area.
Maksim
Yankovskiy
VP Engineering
Maksim has over 20 years of experience delivering and
managing enterprise encryption and database software
across all the major high tech industries. During his
tenure at Zettaset, he has been responsible for the
engineering team that delivered the entire XCrypt
product portfolio. He has also filed patents related to
distributed and high-performance encryption.
Prior to Zettaset, Maksim worked at Ingrian Networks
and held various roles related to distributed database
systems at Siemens Medical Solutions, Ross Stores and
Adobe Systems.

3. 3
Bryan Langston
Cloud Solutions
Architect
Featured Presenter - Mirantis
Bryan Langston has been with Mirantis for five years and
is currently a Pre-Sales Senior Cloud Architect. Other
roles he's had in Mirantis include Director of Architecture
for Openstack and Kubernetes professional services, and
a product manager for Mirantis' Operations and
Business Support Systems (OSS/BSS) products.
Prior to joining Mirantis, Bryan worked at IBM Research
for 17 years where he built a Linux-based supercomputer
for web-scale crawling, indexing and mining, and led
multiple first-of-a-kind projects in the cloud computing
space.

4. 4
A Little Housekeeping
● Please submit questions in the
Questions panel.
● We’ll provide a link where you
can download the slides at the
end of the webinar.

5. 5
● What we're trying to achieve
● Where containers are today
● DevOps, DevSecOps and common security issues
● Encrypting containerized data
● What all of this means for customers
● Q&A
Agenda

6. 6
XCrypt Container Encryption for Docker Enterprise - Fixed Topology
Anthem (Key3
)
United Health (Key1
)
Docker Enterprise Host 1
Cigna (Key2
)
Highly Available Storage VolumeLegend Container Host
Docker Enterprise Host 2
Container1
United
Health
Billing
Container2
Cigna
Analytics
Container3
Anthem
Electronic
Health Records
Anthem (Key4
)
Cigna (Key5
)
Container4
Anthem
Patient Registration
Container5
Cigna
Call Center

7. Copyright © 2020 Mirantis, Inc. All rights reserved
Container Adoption
Today

8. 8
Containers in Production
Use of Containers since 2016 Use of Containers in Production
• 69% of respondents intend to store sensitive data in containers
• 76% of container usage from Tech, FinServ & Healthcare
• 89% of container runtime is Docker
• 94% experienced a security incident in last 12 months
• Security is top barrier to further container adoption

9. 9
● Improving customer experience
● Supporting new business models
● Increasing operational efficiency
● Examples:
○ 40x more deployments per day helps leading bank innovate faster
○ 700 apps running 15k containers at an online payment processor
helps build a consistent operating model across multiple clouds
○ 10x scalability increase and 65k+ transactions/sec for global payment
technology company delivers efficiency
Current State of Container Utilization

10. 10
DevOps
The Good
Well-defined
pipeline
automation helps
coordinate activities
across Dev, Test and
Prod environments
The Bad
Introduces
“unknown
unknowns” to an
organization
The Ugly
Cultural barriers
inhibit the
realization of full
value of container
adoption

11. 11
● Keeping default values
● Implementing concept of “least privilege”
● Establishing solid RBAC support
● Trusted content
● Related to establishing operational boundaries, defining and
enforcing network policies that control N/S, E/W traffic flows
Common Security Issues

12. 12
What is it? The augmentation of DevOps to
allow for the integration of security practices
DevSecOps
Advantages
● Greater speed and agility for security teams
● Ability to respond to change & needs rapidly
● Better collaboration and communication
among teams
● More opportunities for automated builds and
quality assurance testing
● Early identification of vulnerabilities in code
● Team member assets are freed to work on
high-value work
Examples of Activities
● Integrate security scanners for containers
● Centralize user identity and access control
capabilities
● Isolate containers running microservices
from each other and the network
● Encrypt data between apps and services

13. Copyright © 2020 Mirantis, Inc. All rights reserved
Encrypting
Containerized Data

14. Protect the Data
What are your top 3 storage challenges with containers?
2019 Container Adoption Survey, Portworx and Aqua Security
What are your top 3 security challenges with containers?
Ensuring data security
Concerns about data loss
Planning for disaster recovery and
business continuity
Legacy storage technologies not a
good fit for container workloads
Storage doesn't effectively scale
with number of containers
Inadequate tools for managing
container storage
Block devices like Amazon EBS are
slow to mount
Provisioning storage takes too
long
Data security
Vulnerability management
Runtime protection
(e.g. blocking of anomalies)
Exposure of secretes
(passwords, keys, certificates)
Runtime monitoring
and visibility
Network segmentation
Trusted image deployment
Pipeline (CI/CD) security
automation
Hardening hosts and
orchestration

15. So, how do you protect your data?
Top three data
breach protection
methods universally
recommended by
security experts and
organizations in
many surveys and
panels:
Encrypt data throughout the process of collection, viewing
and manipulation - preferably at the source.
1
2
3
Any sensitive data that must be stored or is "at rest" needs
to be encrypted and the keys can't be stored at the same
location as the data.
All access and manipulation of data must be logged.

16. DevSecOps for Containers
The castle has many forms of defense
Moat, geography, routes in, thick walls, watch towers, guards
Traditional tools are applied in new form ensure integrity of container
• RBAC
• Monitoring & Logging
• Policy enforcement
But what if they get inside the castle and find the treasure?
Need to protect the most valuable asset….the DATA
Encryption provides data protection and last line of defense

17. ▪Transparent integration via volume driver
▪ All required services run in containers: key manager, certificate
authority, license server
▪Automated management of host storage
▪Dedicated volume group allocated for each container volume
▪Container volumes cryptographically tied to containers
Container Encryption
17

18. Protecting Data at Rest in Containerized Environments
Secure Container
Storage
Key Points
Encryption must follow storage. Containers will share
storage in multi-tenant environment, but they must not
share encryption keys. Otherwise, one compromised
container compromises the entire environment.
1
2
3
Storage must be independent of host and containers.
Using legacy approach of hardware-defined storage
provisioning will lead to data loss if host reboots or dies.
Separation of duties. Developers and platform operators
should not have visibility into or knowledge of encryption
keys and processes. Encryption must be granular, yet
transparent.

19. Anthem (Key3
)
United Health (Key1
)
Docker Enterprise Host 1
Cigna (Key2
)
XCrypt Container Encryption for Docker Enterprise - Fixed Topology
Highly Available Storage VolumeLegend Container Host
Docker Enterprise Host 2
Container1
United
Health
Billing
Container2
Cigna
Analytics
Container3
Anthem
Electronic
Health Records
Anthem (Key4
)
Cigna (Key5
)
Container4
Anthem
Patient Registration
Container5
Cigna
Call Center

20. 1. On creation, the container
requests a particular-sized
encrypted storage volume
2. Zettaset’s volume driver requests
a volume from the host
3. Zettaset’s volume manager
constructs a volume from various
partitions on the device and
creates a volume group
4. Volume manager communicates
with the key manager to create a
key and encrypt the volume
5. On container destruction, the
encryption key is destroyed, and
volumes are made available
again
Container Encryption – Where to implement

21. ▪ Cybersecurity and DevOps are forever linked
▪ Security is not the enemy
▪ No one technology will address all security challenges
▪ Encryption is an essential tool and the last line of defense
Protect your Containers and Step towards DevSecOps
Takeaways

22. Copyright © 2020 Mirantis, Inc. All rights reserved
Thank You
Q&A
Download the slides from: bit.ly/mirantis-zettaset
We’ll send you the slides and recording later this week.