Barun Acharya

Software Engineer @ Accuknox

Ghāziābād, India

Barun likes hacking on low-level stuff and fiddling around with developer tooling. He is currently a maintainer of, and leads the development efforts for, KubeArmor, a CNCF Sandbox project, and works as a Software Engineer at Accuknox. He loves to speak at conferences about Open Source, Cloud Native and Security. He is a proud CNCF Ambassador. He has been associated with, and is actively mentoring in, programs like Google Summer of Code and LFX Mentorship.

Awards

  • Most Active Speaker 2024

Area of Expertise

  • Information & Communications Technology

Topics

  • eBPF
  • Linux
  • Container and Kubernetes security

Finding Imposter Among Us: Container Edition

Much like in the game Among Us, bad-faith actors can sneak into our spaceship, aka our containerized workloads, at any time. It then falls to the crew members to eliminate the threat.

Similarly, even if we secure our supply chain, there will always be threat actors who can attack at runtime. It is not a matter of if but when. There is a need to enforce security at runtime to contain the damage as it happens.

Containers are not black boxes. Just sandboxing around them isn't enough: we need to profile the entities inside our containers and enforce zero-trust rules.

But achieving zero trust is non-trivial, especially given the highly dynamic nature of modern containerized workloads.

This session will be about understanding the entities inside our containers, identifying the assets that are exposed to those entities, and exploring our crew members, eBPF and LSMs, who will help us identify and quarantine breaches at runtime, minimizing our attack surface in the process.

Armoring Up Cloud Native Workloads with KubeArmor

With the increasing efforts towards securing our supply chain, there have been a lot of measures to help protect our workloads against known vulnerabilities. But there will always be unknown vulnerabilities that may spring up at any time, and threat actors who can attack at runtime. It is not a matter of if but when. There is a need to enforce security at runtime to contain the damage when it happens. This session will be about how (and why) KubeArmor abstracts away the complexity and helps "armor up" your modern cloud native workloads at runtime. We will try to understand what's happening inside our containers and explore kernel primitives like eBPF and LSMs, which help us identify and quarantine breaches at runtime, minimizing our attack surface in the process.

Kueue-ing Up Security for Multi-Tenant Cloud Infra at Scale

Security is not a one-and-done task; it is important to maintain it consistently. There are a lot of open source tools out there to help with the security assessment of our infra, but managing and orchestrating these tools at scale is a major pain point. Scheduling regular scans to maintain cloud security posture helps in achieving continuous compliance.

Kubernetes is a scheduler and orchestrator at its core, and Kubernetes Jobs are a good way to schedule these security scans. However, when you try to operate Kubernetes Jobs at scale by yourself, the limitations of this approach start popping up: overloading etcd, slowing down the API server, difficulty tracking the status of these jobs, and a random order of execution. We also realised that we were not able to control the usage and maximize the utilization of our cluster resources.

Enter Kueue, a k8s-native job scheduler specifically designed to address these challenges. Working seamlessly with the default Kubernetes scheduler, the Job controller, and the cluster autoscaler, Kueue provides a comprehensive batch system that helps us manage Kubernetes Jobs efficiently.

This session is going to dive deep into the challenges with native Kubernetes Jobs and the job scheduler, how "kueue" helps with orchestrating jobs while solving these challenges, and finally how Accuknox "kueue"s up security for multiple tenants at scale.

Strengthening the Cloud Native Shield: KubeArmor Contribfest

Join the KubeArmor maintainers to help fortify the cloud native ecosystem. KubeArmor is a cloud-native security enforcement system leveraging eBPF and Linux Security Modules to detect and prevent runtime threats.

KubeArmor has an ecosystem of tools and integrations to help with the journey of implementing runtime security. Join the maintainers and help fix bugs, add new features, and expand our policy templates to provide out-of-the-box hardening policy recommendations.
Help us improve our integrations by enhancing the developer experience of kArmor (the CLI tool), the GitHub Actions integration, and the observability dashboards based on Kibana and Grafana.

Let's team up to make KubeArmor even better—your contributions will help "armor up" the cloud-native world!

Securing The Secrets Manager With KubeArmor

For managing passwords, credentials, API keys and other sensitive information for applications in Kubernetes, using a secrets manager is a very common practice.
However, like other resources in the cluster, there is a chance that the secrets manager itself gets compromised by attacks like ransomware if proper security practices are not followed.
Thus, in this session we'll go fully hands-on, looking at some security best practices for running secrets managers in Kubernetes and at how KubeArmor can be set up to secure secrets managers against some common attacks.

Securing Connections: Defending Telco Workloads in the Cloud Era

The world of telco is changing with 5G networks, virtualization and the cloud. But there's a new challenge: security. The way telco networks are set up has widened the attack surface, making the risk of a security breach bigger.

We will explore real-life attack vectors based on MITRE FiGHT and the ENISA Threat Landscape, and a potential mitigation framework that could be deployed by implementing hardening and least-permissive access across the infrastructure, at admission and at runtime, leveraging various Cloud Native tooling such as Admission Controllers, Network Policies, Service Mesh Policies, Kubernetes Security Context, Observability and Runtime Security Engines.

Because telco networks are spread out across different places like data centers and edge devices, making sure they're all secure can be tricky. We'll talk about ways to make security happen on its own, just like the telco systems do, so that security can stay strong across the whole network, no matter how spread out it is.

Preventing Bank Heists and AI Takeovers in Kubernetes: A Security Tale

Imagine a bank known for its very secure vault. This vault, similar to the secure places we need for our workloads in Kubernetes, doesn't just keep money safe, but also holds important AI data, like models, datasets and outputs. Our story will explore how the security measures used for bank vaults can help us prepare against attacks on AI workloads in Kubernetes. We'll talk about various best practices in Kubernetes and tools like KubeArmor that help keep these digital vaults safe from new threats.

But there's a twist! The thieves who break into the bank aren't there to steal the money or data; they want to destroy and manipulate it. This twist helps us understand the unique challenges of keeping AI workloads safe, where the main risk isn't just someone stealing the data, but also ruining or deleting it. What if someone intentionally manipulates the AI training data to turn it against us, leading to an AI takeover? It is important not only to protect data from theft, but also to ensure its integrity.

We will talk about how to keep our workloads secure and intact against attacks, including those that seek to corrupt the very core of AI's decision-making processes.

Minimalism: Key to Cloud Security

Containers and orchestrators are being rapidly adopted worldwide due to the advantages they provide, but cyber attacks on them have risen just as fast. With recent vulnerabilities like Log4j and PwnKit, there is an ever more pressing need to enforce security in containers.

Keeping things simple and minimal is not just beneficial from a resource cost perspective; it also reduces the attack surface, which is a huge deal for securing your workloads and helps protect against both known and unknown attacks.

This talk will be about how one can choose to be a minimalist about their workloads and how that helps prevent future attacks. We will go from choosing the right node images, to reducing dependencies in our containers, and finally to restricting access at runtime for entities both outside and inside your containers.

Patch It Up: Real-Time Vulnerability Management with Kyverno and KubeArmor

Organizations rely on Admission Controllers like Kyverno and Static Analysis tools to enforce a wide range of security best practices, but these measures alone may not protect against future vulnerabilities. When new vulnerabilities are discovered, application upgrades often take time, and it can be more effective to sandbox these vulnerabilities than to wait for upstream fixes.

Preventing application downtime due to vulnerabilities is crucial, and virtual patching helps by containing and preventing the exploitation of vulnerabilities at runtime without impacting application behavior or deployment processes.

In this talk, we will explore live examples using well-known vulnerabilities such as Log4j, PwnKit, xz, and Leaky Vessels. We will demonstrate how to use Kyverno to identify vulnerable workloads, leverage results from image vulnerability scanners, and generate KubeArmor policies to apply virtual patches to specific deployments, ensuring security without disrupting operations.
