Hi everyone, I think we are back with our last session on the dev track, and I have Rahul Krishna with me for this session. So a quick introduction about Rahul. He's an open source technology evangelist, he has been working with SUSE for 18 plus years, and he's a pre-sales architect. He's also been working with Linux and open source technology for around 22 plus years altogether. He helps customers transform their landscape to cloud infrastructure by leveraging the power of multi-cloud Kubernetes, and also helps them implement full-cycle security for the containerized landscape. And yes, what not, I think he's an avid cyclist and is working on long distance cycling. I think that's really good to know, Rahul, and he's targeting 10,000 kilometers this year. So all the best with the cycling. Thank you. Today's session is all going to be about faster, secure innovation with the Kubernetes platform, and I think we're excited to hear you.

Yeah, thank you for the nice introduction. Good afternoon everyone, and I hope you enjoy this session going forward. I'll just get down to the point. In this session, you will see how you can foster secure innovation with your Kubernetes platform by leveraging open, secure, comprehensive and interoperable solutions. Right. When we look at the container landscape, there are multiple areas that need to be taken into consideration. What privileges do the container instances run with? Is the runtime secure enough? Vulnerabilities in the container images, and how you remediate or handle them. How do you set up the right network policies to protect your applications? And not to forget the node operating system on which everything is running. So, managing the risk across the landscape, and while doing so, how do you make it easy for your developers or operators to implement the security in your environment?
So SUSE offers open, comprehensive, secure and interoperable solutions designed for any Kubernetes environment. NeuVector is a leader in full lifecycle container security, delivering uncompromising end-to-end security for modern container infrastructures. Rancher is a 100% open source, complete container management platform for Kubernetes that can manage any Kubernetes distribution running anywhere, and it gives you all the tools to do so. RKE2 is a CNCF-certified, free Kubernetes distribution that focuses on security and compliance. All three are completely open source, and support subscriptions are available for NeuVector and Rancher, while RKE2 comes as part of the Rancher subscription. But a point to remember: everything that I'm going to talk about is open source.

Now, there are various ways to implement security, and one of the challenges with security is, you know, the ever changing security landscape, newer and newer threats coming, trying to keep up with it, and at the same time, you know, managing all the complexity that comes along. So the whole aim here is: how do you simplify managing the security landscape, how do you make it easy for your developers and operators, and how can we automate as much as possible.

So, NeuVector was acquired by SUSE last year, in 2021, and at that time it was a proprietary product. Last month, that is May 2022, we completely open sourced it. So let's look at NeuVector and how it provides full container security. Security in the container world can largely be segregated into two paradigms: supply chain security and runtime security. Supply chain security primarily covers vulnerability scanning, compliance scanning and admission controls. Many tools are pretty good in this space, and NeuVector is pretty much on par with them, if not better.
Where NeuVector really excels is in the runtime security space. Runtime security comprises not just scanning the containers but also scanning the orchestrator as well as the host operating system. It also covers threat-based controls and zero trust controls. What exactly do we mean by threat-based controls and zero trust controls? Threat-based controls always need a signature for matching, right? So they could be, like, your CVE pattern matching, data loss prevention pattern matching, pattern matching for network attacks and web application firewalls, and your admission control rules. But with threat-based controls you're always dealing with what is known, right? How do you take care of scenarios where you don't even know about the attack, say a zero-day attack or some new vulnerability that has suddenly come up? You would be able to impose threat-based controls only once you know about the vulnerability. So this is where zero trust controls come to your rescue. Zero trust controls already have a signature for matching, that is, your own application behavior. What NeuVector does is it can automatically learn all network, process and file access behaviors of your application. It can automatically generate policies for those behaviors, and it can protect against anything that is not your own behavior, and that is what we call zero trust control. You can even export this behavior as security as code and incorporate it in your application, or you can export it from, say, your QA landscape or test landscape and deploy it to your production.

So what NeuVector allows you to do is, one, have complete network visibility in your environments. Implement zero trust protections to protect against any anomalies in network, process or file access. Provide data loss prevention, which is very useful from a compliance perspective.
And yes, we do support air-gapped environments, and it can easily be deployed on any Kubernetes distribution. How do we implement zero trust controls, right? And this is the most interesting piece about NeuVector. So as you are aware, inside a Kubernetes cluster there is an explosion of east-west traffic. Because Kubernetes abstracts away the complexities of all of this container-to-container traffic, you lose the visibility of this traffic. Other products will tell you what is represented in a manifest file or in iptables, or use pod labels, or will even use kernel shims, say eBPF, to filter out all the sends and receives at the kernel level, trying to represent what is happening within the network. But none of these approaches are looking at the live network traffic, and they won't see if network connections are being made without their knowledge or permission. And while you may have excellent perimeter security from your legacy environments, that perimeter security cannot inspect or see into traffic within the Kubernetes cluster. So NeuVector offers you full visibility into both north-south as well as east-west traffic within your cluster. And NeuVector comes with its patented deep packet inspection technology that allows you to monitor not just layer 3 and layer 4 traffic but also understand the layer 7 protocols and the processes that are running inside the container. NeuVector can allow you to block or control traffic between containers, even ones running inside a pod. NeuVector can understand more than 35-odd layer 7 application protocols and can protect you against more than 23 different network-based attacks. And that is because NeuVector is the only container security platform using network traffic as its source of truth.
All of the capabilities that you see on the screen are unique to NeuVector, so you don't have to make any changes to your application; you don't have to put in any agent, you don't have to put in any sidecar. You just deploy an application, and NeuVector will automatically learn the behavior. Based on that, NeuVector will automatically generate the policy, both for network and process as well as file access. The same can be exported in the form of security as code. And what this allows you to do is basically provide you zero-day countermeasures. So if there are any zero-day attacks for which there isn't even information available, you're still protected against them because of the way NeuVector is implementing security. And you can also do packet capture, so if there is any forensic analysis that needs to be done for any sort of traffic, you can capture packets at the container level and analyze them. NeuVector also has DLP, data loss prevention, capability. So if you have applications that are using sensitive data like credit card information, say social security numbers and other card numbers in our context, you can create pattern matching rules, and then NeuVector can essentially ensure that none of that data goes out of your cluster if it is not supposed to.

Now, the way NeuVector works is pretty simple, you know, it works in three modes. When you deploy NeuVector, everything in the cluster is automatically placed in Discover mode. Discover mode is used to learn the process and network behavior. Discover mode is traditionally a state meant for a short duration during setup. That means any new services will be learned, even if other services are either in Monitor or Protect. When you're ready to establish the zero trust perimeter, you can move to Monitor mode. So here, this is essentially what Discover mode is: learning and identifying how the application is behaving.
And when you have done that for a duration, say maybe a few hours or a day or a couple of days, you can establish the zero trust perimeter by switching to Monitor mode. Now, Monitor mode will use the established rules that it learned during the Discover phase, for the network as well as the process behavior, and then it will start sending out alerts based off any anomalous behavior that it has detected. So any connection that it doesn't know about from Discover mode, or any process access or file access, it will allow it to happen, but it will start sending you alerts. So you can use Monitor mode as a means to filter out the new from the known. And at this step, you can also start creating manual allow or alert rules, if you find something that wasn't detected in Discover mode. And then the next mode is Protect mode. It takes Monitor mode to the next level, because now it starts applying the blocking rules to those things that are not learned or that have not been manually entered as approved rules for processes.

So now, the other beauty is, in the latest release, what we have done is you can even define the rules for moving applications from Discover mode to Monitor and then to Protect: you can define durations. And say, okay, any application that comes in or gets deployed in the cluster runs in Discover mode for a defined duration, and after that it is automatically switched into Monitor mode. And then again for a defined duration, and then you can also define that it automatically gets switched into Protect. So that's another neat thing that is available in NeuVector now. Right. So, yeah, that's just representing all the deny behavior.

Now, NeuVector's architecture is also interesting because, as I said, for implementing NeuVector, you know, it doesn't use any injection, it doesn't use an agent or a sidecar. It runs on your cluster, and it runs on your cluster as containers.
So here I'm just going to talk about the NeuVector architecture, how it is deployed in a Kubernetes cluster and how this architecture benefits you. So NeuVector will deploy four containers. The first one is called the Controller. The Controller acts as the central command of NeuVector, and it is the one that handles all the API calls from all the other components of NeuVector. And it is also the only one that is making API calls to the Kubernetes API. Now, this is a huge performance advantage for our users over our competitors, because there are not hundreds of thousands of API calls being made to the Kubernetes API hurting performance. The second component that is part of NeuVector is called the Scanner, which is responsible for, yeah, you guessed it, scanning for vulnerabilities and compliance with CIS security benchmarks. The Scanner is appropriately built for speed and accuracy: speed in terms of, you know, the CVE database is contained within the container, so there is no network overhead while scanning, and the scanners can also scale horizontally to scan a larger number of pods and also to scan large registries. And accuracy basically comes from the fact that the CVE database is updated every day from 15 different sources. The third container is the Manager container, which essentially provides the user interface for NeuVector. It's worth noting that what you see in the NeuVector UI is also being delivered via API calls from the Controller. So yes, this means that you can automate and integrate anything into NeuVector via APIs. The Manager also has a CLI tool that can also be used for creating your own automation steps. And then finally, the fourth component, and the most important one, is what we call the Enforcer. The Enforcer container gets deployed as a DaemonSet, so it's running on all nodes in the cluster. And it is the one that inspects the network traffic and enforces security policies.
You will notice that the Enforcer is sitting pretty close to the virtual switch on the cluster node. This is where NeuVector's patented ability to transparently inspect network traffic comes into play. It can collect processes from every container, and it can enforce the policies. So as you can see, four different components form NeuVector, all of them running as containers on your own Kubernetes cluster. And this is the most efficient position to inspect all network traffic, validate the layer 7 protocol, and block any attacks before connections are even made and before any processes can be executed. This efficiency translates into very high performance and high scalability, even in clusters approaching thousands of nodes. In fact, one of our vendors has actually done this scalability testing, where NeuVector was able to reach 1000 nodes in the cluster, and most of the competition couldn't scale beyond 200 or 250 nodes in the cluster. NeuVector is also easy to deploy; it can be deployed in multiple ways, via Helm or via kubectl. You can also completely automate the installation using ConfigMaps. And the entire installation can be done in about 10 to 15 minutes. It's just like deploying an application on a Kubernetes cluster. And for those who are using Rancher, it's even easier, because now from within the Rancher interface you're able to deploy NeuVector, and you're able to access NeuVector from within the Rancher interface.

So while we have looked at comprehensively securing the container landscape within the cluster, let's look at some of the other ways of securing the Kubernetes infrastructure. So Kubernetes requires a comprehensive PKI in order to coordinate certificate generation and signing for these communications. RKE, which is our Kubernetes distribution, includes all the automation tooling necessary to manage this process. The second aspect in terms of security is the authentication itself. People are the biggest security threat.
So do not use shared connections, shared accounts. You can control access to your Kubernetes clusters based on identities in your own central identity management system. This way you can reduce the operational burden of managing additional user databases, and you can apply role-based access policies to known identities. Rancher provides a very easy mechanism to integrate one of the many supported authentication providers, as you can see on the screen. The same can then be leveraged by all the Rancher-managed downstream clusters. Another aspect where Rancher excels is in providing a very granular role-based access control mechanism, which can be applied at the global level, which means across all clusters, or at the individual cluster level, or at the project or namespace level. As you can see from the screenshot, Rancher comes with roles available out of the box, and you can also create custom roles.

And then Rancher also provides you two different methods of interacting with the Kubernetes API in a downstream cluster. The first one is indirectly: Rancher has its own inbuilt authentication proxy, and this proxy validates the user's identity before connecting the user with the downstream cluster. Now, there is another option of accessing the downstream cluster directly. In this case, if the downstream cluster has the authorized cluster endpoint enabled, the client request can be authenticated by calling a webhook set up by Rancher during cluster provisioning. So the second method allows clients to connect to the downstream cluster directly, without requiring direct access to Rancher. So even in case the Rancher server becomes unavailable, you can still connect to the downstream cluster.

And then lastly, Rancher offers three different Kubernetes distributions, each for a specific purpose. So we have RKE, which runs on Docker. We have RKE2, which runs on containerd, and a very lightweight Kubernetes distribution called K3s, which again runs on containerd.
RKE2 is derived from a distribution called RKE Government, which essentially was developed to meet the US federal government requirements. RKE2 is Rancher's next generation Kubernetes distribution. It combines the benefits of both RKE1 and K3s. From K3s, it inherits the usability, ease of operations and deployment model. From RKE1, it inherits close alignment with upstream Kubernetes. And to meet the security goals, RKE2 provides defaults and configuration options that allow clusters to pass the CIS benchmark version 1.5 or 1.6 with minimal operator intervention. And RKE2 also enables FIPS 140-2 compliance.

So as you have seen, SUSE offers open, comprehensive, secure and interoperable solutions designed for any Kubernetes environment, through the full lifecycle container security capabilities of NeuVector, the multi-cluster management capabilities of Rancher, and a secure Kubernetes distribution in the form of RKE2. And just to reiterate, all three are completely open source. And if you want a supported deployment, SUSE offers subscription support for both NeuVector as well as Rancher, and RKE2 support gets covered under the Rancher subscription itself.

And then before I leave, I would like to invite you all to join the SUSE and Rancher community. It's a place where you can develop your knowledge, you can develop your hands-on skills, you can network with others in the community. Every month you can explore a new theme that's supported by a wide variety of content, including guest speakers, training classes, office hours and more. And you can join, you can invite your peers, you can invite your partners, you can invite your prospects. It's open for everyone. The URL is community.suse.com. And also remember to join the Slack network that Rancher runs. This is a community network that Rancher runs. You can simply go to slack.rancher.io and join the network to get the latest information on both Rancher and NeuVector.
And if you want to participate in NeuVector, or if you want to try out NeuVector, I would recommend you visit the documentation site, open-docs.neuvector.com. There you will find complete instructions on deploying NeuVector and how you can deploy it on various different Kubernetes distributions. And all the NeuVector images as well as the Rancher images are hosted on Docker Hub. And one thing that I should not forget to mention is that there is no feature difference between the free version and the paid subscription version, right? It's just a difference in the support services that you get; otherwise the software remains the same. And with that, I would like to conclude my session.
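The Discover, Monitor and Protect lifecycle that the talk describes (learn a workload's own network, process and file behaviour, alert on anything outside it, then block it, with automatic promotion between modes after a configured duration, and export of the learned allowlist as "security as code") can be modelled in a few dozen lines. The following is an added example written for this page, not NeuVector's code: the event format, the service names, the durations and the sample events are constructed assumptions, and the in-memory engine stands in for what the Enforcer learns from live traffic.

```python
"""Toy model of the Discover / Monitor / Protect zero-trust lifecycle.

Illustrative code added for this page, NOT NeuVector's implementation. It models
the mechanism from the talk: learn the workload's own behaviour first, then alert
on (Monitor) and finally block (Protect) anything the workload did not exhibit.
Event layout, service names, durations and sample events are constructed.
"""
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    DISCOVER = "discover"
    MONITOR = "monitor"
    PROTECT = "protect"


@dataclass(frozen=True)
class Event:
    ts: float          # seconds on a shared clock (constructed)
    service: str       # workload that produced the event
    kind: str          # "network" | "process" | "file"
    detail: tuple      # network: (peer, proto, port); process: (path,); file: (path, op)


@dataclass
class ServicePolicy:
    mode: Mode = Mode.DISCOVER
    first_seen: Optional[float] = None
    allowed: set = field(default_factory=set)   # learned or manual (kind, detail) pairs


class ZeroTrustEngine:
    """Per-service allowlist with time-based promotion Discover -> Monitor -> Protect."""

    def __init__(self, monitor_after: float, protect_after: float):
        # Assumed durations, modelling the "define durations" auto-switch the talk mentions.
        self.monitor_after = monitor_after
        self.protect_after = protect_after
        self.services: dict = {}

    def _policy(self, ev: Event) -> ServicePolicy:
        # A service not seen before always starts in Discover, whatever mode others are in.
        pol = self.services.setdefault(ev.service, ServicePolicy())
        if pol.first_seen is None:
            pol.first_seen = ev.ts
        age = ev.ts - pol.first_seen
        if pol.mode == Mode.DISCOVER and age >= self.monitor_after:
            pol.mode = Mode.MONITOR
        if pol.mode == Mode.MONITOR and age >= self.protect_after:
            pol.mode = Mode.PROTECT
        return pol

    def add_rule(self, service: str, kind: str, detail: tuple) -> None:
        """Manual allow rule for behaviour that was not exercised during Discover."""
        self.services.setdefault(service, ServicePolicy()).allowed.add((kind, detail))

    def handle(self, ev: Event) -> str:
        """Verdict for one event: learned, allowed, alert (Monitor) or deny (Protect)."""
        pol = self._policy(ev)
        key = (ev.kind, ev.detail)
        if pol.mode == Mode.DISCOVER:
            pol.allowed.add(key)          # Discover: everything observed becomes policy
            return "learned"
        if key in pol.allowed:
            return "allowed"
        return "alert" if pol.mode == Mode.MONITOR else "deny"

    def export(self) -> str:
        """Security as code: the learned allowlist as JSON, portable to another cluster."""
        policy = {
            svc: {"mode": p.mode.value,
                  "rules": [{"kind": k, "detail": list(d)} for k, d in sorted(p.allowed, key=str)]}
            for svc, p in sorted(self.services.items())
        }
        return json.dumps(policy, indent=2)


def run_demo():
    """Constructed events for a 'frontend' service driven through all three modes."""
    engine = ZeroTrustEngine(monitor_after=60, protect_after=120)
    redis = ("redis.demo", "tcp", 6379)
    events = [
        Event(0,   "frontend", "network", redis),                         # Discover: learned
        Event(5,   "frontend", "process", ("/usr/local/bin/node",)),      # Discover: learned
        Event(70,  "frontend", "network", redis),                         # Monitor: allowed
        Event(80,  "frontend", "process", ("/bin/sh",)),                  # Monitor: alert, shell never learned
        Event(130, "frontend", "network", ("203.0.113.9", "tcp", 4444)),  # Protect: deny, unknown egress
        Event(140, "frontend", "network", redis),                         # Protect: allowed
        Event(150, "payments", "network", ("db.demo", "tcp", 5432)),      # new service: Discover, learned
    ]
    verdicts = [engine.handle(e) for e in events]
    # Manual rule added while frontend is already in Protect, then exercised.
    engine.add_rule("frontend", "file", ("/app/config.yaml", "read"))
    verdicts.append(engine.handle(Event(160, "frontend", "file", ("/app/config.yaml", "read"))))  # allowed
    verdicts.append(engine.handle(Event(165, "frontend", "file", ("/etc/shadow", "read"))))       # deny
    return engine, verdicts


if __name__ == "__main__":
    eng, results = run_demo()
    print(results)
    print(eng.export())
```

The model captures the property the talk relies on for zero-day coverage: nothing in Protect mode is matched against an attack signature, only against what the service itself did during Discover, so an unknown egress or an unlearned shell is denied without any prior knowledge of the exploit. The real product learns from the Enforcer's traffic and process observations and exports its policy as Kubernetes custom resources rather than the plain JSON shown here.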