Nikita Jha is a student attending Northview High School in Georgia, USA.
Nikita joined the HPCC Systems Intern Program to work on a project that supports our Cloud Native platform, which was released early in 2021. Security is a vital part of any system, and Nikita worked with the team on Docker security components, including providing an option for enabling/disabling the build cache, as well as running a number of different vulnerability scanners and analysing the results. Her project also includes looking at security practices for Kubernetes. She has produced a tutorial-style blog demonstrating how to set up HashiCorp Vault as a Certification Manager on the HPCC Systems Cloud Native platform, and another blog on using caching with Docker is planned for release in the Fall.
As well as the resources included here, read Nikita's intern blog journal, which includes a more in-depth look at her work.
Best Poster - Platform Enhancement
With cybersecurity attacks becoming more prevalent in the United States every year, organizations are constantly looking for ways to improve the security outlook of their platforms. HPCC Systems is an open-source, big data analytics platform that provides high-performance data processing for other companies in the form of parallel batch data processing and online query applications. Recently, the company has begun transitioning to a cloud-native platform in which Docker containers managed by Kubernetes are used to store and manage data. With this new change, it is of utmost importance that HPCC Systems has a secure cloud environment, since it is used to manage sensitive data from other companies. The two fundamental components of the cloud-native platform that need to be secured are Docker and Kubernetes.
The first of the implementable Docker security features is an option for developers to enable or disable image build caching at build time, based on the specifications of their application. For example, if a container has applications that were recently updated, developers can disable caching for those builds while keeping it enabled for the rest, so that the Docker build picks up all changes, including any security updates. To test whether this option actually improves the security of the platform, the vulnerability scanners Trivy, Grype, and Docker Scan were run against the "before" and "after" images and their findings compared. Results showed that the image built with caching disabled had two fewer vulnerabilities than the image built with caching enabled. While it is not always ideal to have the build cache turned off, the results showed that disabled caching gives a better security outlook for the company.
Another critical aspect of Docker that should be accounted for is the common misunderstanding of the "latest" tag. The "latest" tag simply refers to the last build that was run without a specific tag; it is not verified to be the newest code. That being said, due to caching issues, the "latest" tag often fails to meet expectations, meaning it does not actually hold the newest code. Therefore, it is safer to version the tags every time, so developers know exactly which update they are working with.
For the Kubernetes section of the project, the first component implemented in the HPCC Systems Platform was pod security policies. These configurations, which define the security-related conditions a Kubernetes pod has to meet in order to be admitted into a cluster, come with numerous best practices, such as disabling privileged containers, requiring read-only file systems, and preventing privilege escalation. The last implementable best practice for Kubernetes is certificate management with HashiCorp Vault. Certificate management is important because it enables the setup of Transport Layer Security, also known as TLS. This technology encrypts HPCC data sent over the internet so that attackers cannot read it. In order to use TLS, certificates must be generated that carry important information about the server and its public key. While certificates can be generated manually, this process is not scalable, especially for cloud applications. Therefore, HashiCorp Vault can be used to generate the certificates instead.
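The three pod security best practices named above (no privileged containers, read-only root filesystem, no privilege escalation), written out as an added example that is not part of the poster or the HPCC Systems charts. The policy and pod names and the image reference are placeholders; note that the PodSecurityPolicy API was deprecated in Kubernetes 1.21 and removed in 1.25, so the second document shows the same controls set directly on the workload, which is what Pod Security Admission's "restricted" profile checks on newer clusters.

```yaml
# Constructed example: a restrictive PodSecurityPolicy (clusters < 1.25)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hpcc-restricted            # placeholder name
spec:
  privileged: false                # reject privileged containers
  allowPrivilegeEscalation: false  # setuid binaries cannot gain privileges
  readOnlyRootFilesystem: true     # container root filesystem is read-only
  runAsUser:
    rule: MustRunAsNonRoot         # pod must declare a non-root UID
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:                         # no hostPath: only these volume types
    - configMap
    - emptyDir
    - secret
    - persistentVolumeClaim
---
# The same controls expressed on the workload itself (clusters >= 1.25)
apiVersion: v1
kind: Pod
metadata:
  name: esp-example                # placeholder pod name
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: esp
      # pin an explicit version tag; never rely on "latest"
      image: registry.example/hpcc-esp:PINNED_VERSION   # placeholder
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: scratch
          mountPath: /tmp          # writable scratch, since the root fs is read-only
  volumes:
    - name: scratch
      emptyDir: {}
```

A pod that sets `privileged: true` or omits `allowPrivilegeEscalation: false` is rejected at admission under either mechanism, so the check happens before the container ever starts.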
In this video recording, Nikita provides a tour and explanation of her poster content.
Apply Docker Image Build and Kubernetes Security Principles