Speaker

Ramakant Sharma

Software Engineer, AccuKnox Inc.

Working as a software engineer at AccuKnox Inc., actively contributing to open source and a maintainer of KubeArmor, a CNCF Sandbox project.

Area of Expertise

  • Information & Communications Technology

Topics

  • Cloud Native
  • Kubernetes
  • ebpf
  • Container and Kubernetes security
  • Cloud Security
  • Linux

Enhancing Runtime Protection leveraging Compliance Frameworks

Runtime security for cloud workloads involves continuously monitoring workload behavior and preventing deviations from normal activity.

The ideal approach is to enforce application-specific zero-trust policies that establish a baseline and prevent unexpected behavior. However, implementing zero trust requires ongoing tuning and is more of a Day 2 operation. In addition, hardening policies can be established by translating the prescriptive guidance of compliance frameworks into enforceable runtime security policies. By adopting a layered runtime security approach, the attack surface can be significantly reduced.

In this talk, we’ll demonstrate how to enhance runtime security using policies influenced by compliance frameworks such as CIS and MITRE. We’ll showcase real-world examples and enforce these policies using KubeArmor.

Choose Your Shield: Evaluating Linux Security Modules for Cloud Native Ecosystems

LSMs provide kernel-level security mechanisms that can be used to address the dynamic challenges of cloud native security. KubeArmor, a runtime security engine and CNCF sandbox project, uses LSMs to protect cloud workloads at runtime.

As a maintainer of KubeArmor, I will share my understanding from working with LSMs to implement a robust runtime security engine that protects cloud workloads, through the lens of KubeArmor.

While all LSMs provide crucial security benefits, their effectiveness varies significantly based on use-case, deployment context and operational requirements.

In this session, I'll be evaluating LSMs including SELinux, AppArmor and BPF-LSM across three critical dimensions:

  • Performance impact: the overhead each LSM introduces.
  • Security capabilities: each LSM's effectiveness against common attack vectors, shown through live demonstrations.
  • Operational complexity: the learning curve and the complexities of implementation and maintenance.

Patch It Up: Real-Time Vulnerability Management with Kyverno and KubeArmor

Organizations rely on Admission Controllers like Kyverno and Static Analysis tools to enforce a wide range of security best practices, but these measures alone may not protect against future vulnerabilities. When new vulnerabilities are discovered, application upgrades often take time, and it can be more effective to sandbox these vulnerabilities than to wait for upstream fixes.

Preventing application downtime due to vulnerabilities is crucial, and virtual patching helps by containing and preventing the exploitation of vulnerabilities at runtime without impacting application behavior or deployment processes.

In this talk, we will explore live examples using well-known vulnerabilities such as Log4j, PwnKit, xz, and Leaky Vessels. We will demonstrate how to use Kyverno to identify vulnerable workloads, leverage results from image vulnerability scanners, and generate KubeArmor policies to apply virtual patches to specific deployments, ensuring security without disrupting operations.
