Cloud Native Security

Application Security

Protect your application and secure cluster access, network, pods and containers, keys and credentials.

Day 1: July 1, 2020

• Replay

  Opening Keynote - Container Security, How do you make security easier to consume
  

  Speakers: Dan Walsh

  The Opening Keynote will cover ideas on container security. Dan will explain the three entities involved in running a container, and explain how each entity has influence on the security of the container. Dan will explain ideas on how we can do this in as user friendly manner as possible.

• Replay

  IBM Garage Best Practices: Developing Secure Applications for Enterprise Clients
  

  Speakers: Chris WeberIlene Seelemann

  Ilene uses an example of a simple cloud native web application to discuss how, where and when to apply a security-centric approach to build a secure solution. She will touch on topics like secure handling of credentials, secure coding practices and DevSecOps. She will discuss development-time considerations, as well as runtime considerations.

• Replay

  IBM Cloud Hyper Protect Virtual Servers and deploying secure applications on container-ready IBM Storage for Kubernetes with CSI specification
  

  Speakers: Chris PooleMatt Levan

  This talk will begin with a technical overview of IBM Cloud Hyper Protect Virtual Servers, providing a Linux-based environment on IBM Z to develop secure applications. Then from the IBM Storage team, we learn how they've developed open source plug-ins based on CSI specification to connect high performance file and block storage arrays to container frameworks so that applications can be securely deployed on persistent storage.

• Replay

  Keynote - Policy Based Governance for Open Hybrid Cloud
  

  Speakers: Jayashree Ramanathan

  Enterprises must meet internal standards for software engineering, secure engineering, resiliency, security, and regulatory compliance for workloads hosted on hybrid clouds. Doing so using manual processes is error prone and expensive, and also makes it hard to easily determine overall security and compliance posture. A policy based governance approach addresses these concerns, allows enterprises to gain visibility and drive remediation for various security and configuration aspects to meet enterprise standards and making it easier for enterprises to adopt secure hybrid cloud. Further, applying this governance approach using "open source" principles results in collaboration across multiple vendors and standards organizations. Jaya will illustrate this approach using the Open Cluster Management community project and Red Hat Advanced Cluster Management product offering that utilizes this project.

• Replay

  Think Like a Hacker! Securing Containers: They're just like VMs, except when they are not
  

  Speakers: Troy Fisher

  Secure containers are the fundamental building blocks of secure Kubernetes pods. Troy will talk about building and maintaining a secure container environment and cover the entire container stack from host, daemon, image to container.

• Replay

  Best Practices in API security and securing enterprises using APIConnect and DataPower Gateways
  

  Speakers: Krithika Prakash

  Krithika will focus on key security strategies and best practices to design and implement a highly secure API system in a hybrid cloud environment. She will outline the architecture and features of APIConnect and DataPower Gateway and how they can be used in a truly seamless manner.  Understanding the various layers of security and the key concepts in applying the right security standard will tremendously help in securing enterprises. IBM APIConnect and DataPower Gateway can manage and secure APIs without compromising on the performance.  As you build your applications and services for the cloud, application security cannot be an an after thought and should be built from the ground up.

• Replay

  Keys under doormats: Problems and Solutions for Securely Storing Credentials in Web Apps using Key Encrypting Key (KEK)
  

  Speakers: Ron Craig

  Encryption keys and passwords are "keys to the kingdom." Acquiring them allows attackers to open all kinds of doors, and yet developers are often careless. As a result, keys fall victim to reverse engineering and software vulnerabilities such as Path Traversal, XML External Entities (XXE), Local File Inclusion, and others. Ron will review the most common methods of storing credentials and best practices for storing them, such as using key stores. However, an important issue remains -- how do you secure the Master Key? The security of this "key that secures other keys" or the Key Encrypting Key (KEK) is critical. Ron will discuss several low cost, preferred ways for securely storing KEKs, from hardware to software, and their relative costs, including a novel approach that is resistant to remote attacks up to and including path traversal vulnerabilities.

• Replay

  Closing Keynote - The Three Top Trends in Cybersecurity Today
  

  Speakers: Bob Kalka

  The closing keynote will detail the three trends having the most dramatic influence on cybersecurity programs and investments today.

• Replay

  Hands-on Lab - Kubernetes Networking - Control Cluster Access with Service Types, Ingress and Network Policies
  

  Speakers: Aya Tokura

  During the Kubernetes Networking hands-on lab you will learn Kubernetes Networking essentials and gain hands-on skills to implement access control to your cluster using service types from ClusterIP, NodePort, LoadBalancer to Ingress and Network Policies with Calico.

Data Security

Protect your data and add highest level of encryption to data in-place and in-motion, comply to industry requirements, secure your AI and add hardware to data protection.

Day 1: July 1, 2020

• Replay

  Opening Keynote - Container Security, How do you make security easier to consume
  

  Speakers: Dan Walsh

  The Opening Keynote will cover ideas on container security. Dan will explain the three entities involved in running a container, and explain how each entity has influence on the security of the container. Dan will explain ideas on how we can do this in as user friendly manner as possible.

• Replay

  Keeping your Data-in-Place Protected in the Cloud using IBM Hyper Protect
  

  Speakers: Stefan Schmitt

  Cloud platforms provide a large number of options to build your applications in a fast and reliable way.

• Replay

  Automatic mTLS and More: How Istio Secures your Application Data-in-Motion
  

  Speakers: Gregory I Hanson

  You have successfully broken your monolithic application down in to individual microservices - now you need to lock it all down. Microservice applications communicate with each other over a network.

• Replay

  Adversarial Robustness Toolbox (ART) - Evasion, Poisoning, Extraction and Inference
  

  Speakers: Beat Buesser

  Adversarial Robustness Toolbox (ART) is a Python library for machine learning (ML) security for defending, certifying and verifying ML models against the adversarial threats of evasion, poisoning, extraction and inference.

• Replay

  Keynote - NIST Controls and IBM Financial Services Cloud
  

  Speakers: Charles Brown

  The IBM Financial Services Cloud runs in the standard IBM Public Cloud Multi Zone Region (MZR) environment with best practices and usage patterns appropriate for running regulated financial workloads, whether direct financial institution workloads or third-party applications used by financial institutions.

• Replay

  Protecting data using secret management with Trusted Service Identity (TSI)
  

  Speakers: Mariusz Sabath

  Mariusz will explore the problems that exist with current methods of storing and using secrets in a Kubernetes cluster and introduces a project recently open-sourced by IBM Research called Trusted Service Identity (TSI) that addresses these problems by tying secret management technologies with workload identity via host provenance and integrity.

• Replay

  Closing Keynote - The Three Top Trends in Cybersecurity Today
  

  Speakers: Bob Kalka

  The closing keynote will detail the three trends having the most dramatic influence on cybersecurity programs and investments today.

• Replay

  Hands On Lab - Adding Secure Encrypted Object Storage using a Persistent Volume for MongoDB with S3FS-Fuse
  Speakers: Nigel Brown

  During the Secure Cloud Storage hands-on lab, you will learn Data Security Essentials and gain hands-on skills to secure data storage on a secure encrypted Object Storage using S3FS-Fuse, add a Persistent Volume (PV) and Persistent Volume Claim (PVC) to a MongoDB and Java Spring application on Kubernetes.

DevSecOps

Add security to your automated DevOps pipeline by automation, governance and compliance, secure hardware, containers, and container runtime, and scan for vulnerabilities.

Day 1: July 1, 2020

• Replay

  Opening Keynote - Container Security, How do you make security easier to consume
  

  Speakers: Dan Walsh

  The Opening Keynote will cover ideas on container security. Dan will explain the three entities involved in running a container, and explain how each entity has influence on the security of the container. Dan will explain ideas on how we can do this in as user friendly manner as possible.

• Replay

  How to secure a Tekton-based Build of Container Images on Kubernetes
  

  Speakers: Enrique EncaladaJordan Zhang

  The Build Kubernetes API project is an API to build container-images on Kubernetes using popular strategies and tools buildpack-v3, kaniko and buildah. The Build Kubernetes API has two CRDs (the Build and BuildRun) to register a strategy and then start the actual application builds using a registered strategy. RedHat and IBM work together to create a production ready Build service API for end users, which leverages the security of building inside a cluster and aims to improve the developer user experience. Security Compliance is an important feature in the project. The solution is based on Kubernetes RBAC and Pod Security Policy to make sure the container-images build process is executed smoothly and without any catastrophic destruction on the Kubernetes cluster. The build applies to source code that is Docker or Docker-less build based, and uses popular strategies like Buildpack-v3, Kaniko and Buildah to achieve this.

• Replay

  Falco with Kubernetes on IBM Cloud
  Speakers: Kris Nova

  Join Kris Nóva, Chief Open Source Advocate at Sysdig and Falco maintainer for a discussion about securing a Kubernetes cluster running in IBM cloud. In this talk you will learn about the importance of both prevention and detection tooling, and see first hand how to secure a cluster by using well known white-hat hacking techniques to exploit the cluster. We will use Falco to see what was happening during the exploit and evaluate how we can respond to these types of events.

• Replay

  Automating Cloud Security & Compliance
  Speakers: Jan CernySimon Lukasik

  Cloud environments grow increasingly. Heterogeneous and hybrid clouds are creating distinct sets of challenges for compliance officers and compliance engineers. The OpenSCAP ecosystem provides a holistic response to contemporary needs given its wide spectrum of tools for automated policy management and continuous assessment of security controls and vulnerabilities. During the session you will learn how to leverage this fully open source toolbox for your particular needs. We will show how security compliance is integrated across Red Hat’s portfolio.

• Replay

  Keynote - DevSecOps for Cloud Native development on IBM Z 
  

  Speakers: Rosalind Radcliffe

  As organizations are moving to multiple hybrid cloud infrastructures to innovate and respond to client demands, DevSecOps processes and tools are at the heart of that cultural change. Join Rosalind Radcliffe, Distinguished Engineer and Chief Architect DevOps to learn about the cloud native development experience on the most secure, resilient and reliable platform - IBM Z. Cool new technologies like IBM Wazi for Red Hat CodeReady Workspaces and Wazi Virtual Test Platform, empower developers to create hybrid applications across multiple clouds and environments using a standard DevOps pipeline.

• Replay

  From Hardware Root of Trust (RoT) to Containers: Running Trusted Containers on a High Assurance OpenShift Platform
  

  Speakers: Brandon LumHarmeet Singh

  Regulated or sensitive workloads and data present additional security challenges for multi-tenant clouds. While virtualization and containers significantly benefit efficiency, adaptability, and scalability, these technologies consolidate workloads onto fewer physical platforms and introduce the dynamic migration of workloads and data across platforms.

• Replay

  Source-to-Image (S2I) Deployment with UBI, Custom Builder and Runtime Images and Templates
  

  Speakers: Oliver Rodriguez

  During the DevSecOps hands-on lab, you will learn DevSecOps essentials and gain hands-on skills to deploy a Java Open Liberty application securely to OpenShift using Source-to-Image (S2I) for OpenShift with a Universal Base Image (UBI), a custom builder and runtime image, OpenShift Templates, BuildConfig and DeploymentConfig.