Security on the cloud

Hackzone VI, 14 April 2018
Tunis, Tunisia

Amine Ben Asker

Cloud Architect
Automation enthusiast

Night shift

Rainbow hacker

Infrastructure guy

Internet hacktivist

Torrent seeder

Blockchain Fun


Java?
Python?

Golang?

Docker?

Microkernel?

The cloud refers to software and services that run on the Internet, instead of locally on your computer.


What is the Cloud?

Stop saying the cloud is just someone else's computer - because it's not

My home Lab, Dec 2017 Paris

Cloud is about how you do computing, not where you do computing.

Spoon & trash

VM => Container

How does it work?

Same as 1979?

mkdir jail

chroot jail


mkdir jail/bin

cp /bin/sh jail/bin

chroot jail


mkdir jail/bin

cp -r /bin/. jail/bin   # copy every tool the jail needs (and the shared libraries they load)

chroot jail
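The three jail steps above, as an added example written for this page rather than the speaker's own code: it builds the skeleton, copies a binary into the jail, and uses ldd to bring along the shared libraries that binary loads, which is the part the slides summarise as "copy all". It assumes a Linux host with ldd; the jail path and function names are constructed for the demo. The final chroot needs root, so it is shown only as a usage comment.

```shell
#!/bin/sh
# Added example (not from the slides): build a chroot jail the 1979 way, but
# stage each binary together with its shared libraries so it actually runs
# inside the jail. Assumes a Linux host with ldd available.
set -eu

# stage_binary JAIL /path/to/bin
# Copies the binary and every shared object ldd reports into the jail,
# keeping the original paths so the dynamic loader finds them.
stage_binary() {
    jail=$1
    bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    # ldd prints lines like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
    # or "/lib64/ld-linux-x86-64.so.2 (0x...)"; take every absolute path.
    # A statically linked binary (or a host without ldd) simply yields no libs.
    for lib in $(ldd "$bin" 2>/dev/null | grep -o '/[^ ]*' || true); do
        [ -f "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        [ -e "$jail$lib" ] || cp "$lib" "$jail$lib"
    done
}

# build_jail JAIL bin...  -> creates the skeleton directories, then stages
# each binary given on the command line.
build_jail() {
    jail=$1
    shift
    mkdir -p "$jail/bin" "$jail/dev" "$jail/tmp"
    for b in "$@"; do
        stage_binary "$jail" "$b"
    done
}

# count_staged JAIL -> number of regular files now inside the jail
count_staged() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Usage (the chroot itself needs root, so it is not executed here):
#   build_jail /tmp/jail /bin/sh /bin/ls
#   sudo chroot /tmp/jail /bin/sh
```

Without the library step the shell copied into jail/bin fails to start because its loader cannot find libc inside the new root; that is why the second and third slides differ.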


Same as 1979?


Unchroot using recursive chroot('.')


Docker runs as root

Kernel Namespaces

Control Groups

Linux Kernel Capabilities

Attack Surface of the Docker Daemon

How to Secure?

Just follow the best practices

Install Secure packages/bin

RUN apt-key adv --keyserver hkp://cloud-pizza:80 --recv-keys B97B0A....8
RUN apt-get update && apt-get install ...

Install Secure packages/bin

RUN apt-key adv --keyserver hkp://cloud-pizza.local:80 \
    --recv-keys B97B0A....8
RUN apt-get update && apt-get install ...

Use trusted image followed by tag

FROM base-image:tag

Never install ssh server in docker images

Use docker exec ... instead

Secure your version control system

Sign commits

Two-factor authentication

Hardware tokens

Never hard code secrets

Be minimal: fewer packages, fewer vulns

Use only required packages

Use Alpine Linux (5 MB)

instead of Ubuntu (190 MB)


Least-privilege microservices

FROM base-image:tag
# Alpine/busybox adduser: -D skips the password prompt, -u sets the UID
RUN adduser -D -u 1000 -G root default
USER default

Never use --privileged
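The hardening rules above (pinned base image tag, no ssh server, no hard-coded secrets, a non-root USER, no --privileged) turned into a small lint, as an added example written for this page and not part of the talk: it reads a Dockerfile, prints one finding per rule broken, and checks a docker run command line for --privileged. The function names and both sample Dockerfiles are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): a lint that flags the practices listed
# in the talk. Sample Dockerfiles below are constructed for this demo.
set -eu

note() { echo " - $1"; }

# audit_dockerfile FILE -> prints one finding per line; always returns 0
audit_dockerfile() {
    f=$1
    # Use a trusted image followed by a tag: FROM base-image:tag
    if grep -Ei '^FROM[[:space:]]' "$f" |
       grep -Eivq '^FROM[[:space:]]+[^[:space:]]+:[^[:space:]]+'; then
        note "FROM without an explicit tag"
    fi
    if grep -Eiq '^FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' "$f"; then
        note "FROM pinned to :latest, which is not a fixed version"
    fi
    # Least privilege: a USER instruction that is not root
    if ! grep -Eq '^USER[[:space:]]+' "$f" ||
       grep -Eiq '^USER[[:space:]]+(root|0)([[:space:]:]|$)' "$f"; then
        note "container runs as root (no USER, or USER root)"
    fi
    # Never install an ssh server in the image: use docker exec instead
    if grep -Eiq '(openssh-server|sshd|dropbear)' "$f"; then
        note "ssh server installed or started in the image"
    fi
    # Never hard-code secrets: ENV/ARG with a value for PASSWORD, SECRET, ...
    if grep -Eiq '^(ENV|ARG)[[:space:]]+[A-Za-z_]*(PASSWORD|SECRET|TOKEN|API_KEY)[A-Za-z_]*[[:space:]=]+[^[:space:]]+' "$f"; then
        note "secret hard-coded in ENV/ARG"
    fi
    return 0
}

# count_findings FILE -> number of findings as a plain integer
count_findings() {
    audit_dockerfile "$1" | wc -l | tr -d ' '
}

# run_uses_privileged "docker run ..." -> 0 when --privileged is present
run_uses_privileged() {
    case " $1 " in
        *" --privileged "*|*" --privileged="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: breaks four of the rules.
write_bad_sample() {
    cat > "$1" <<'EOF'
FROM ubuntu
RUN apt-get update && apt-get install -y openssh-server nginx
ENV DB_PASSWORD=hunter2
COPY . /app
CMD ["/usr/sbin/sshd", "-D"]
EOF
}

# Constructed sample: minimal Alpine base, pinned tag, non-root user, no ssh.
write_good_sample() {
    cat > "$1" <<'EOF'
FROM alpine:3.7
RUN apk add --no-cache nginx
RUN adduser -D -u 1000 -G root default
USER default
CMD ["nginx", "-g", "daemon off;"]
EOF
}

# Usage:
#   write_bad_sample /tmp/Dockerfile.bad && audit_dockerfile /tmp/Dockerfile.bad
#   run_uses_privileged "docker run --privileged -it alpine sh" && echo "privileged!"
```

The checks are deliberately line-based so they run anywhere a POSIX shell and grep exist; a multi-stage build or a secret passed at build time with a bare ARG (no default value) is not flagged, which matches the intent of the rule.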

Immutable Infrastructure


