SlideShare ist ein Scribd-Unternehmen logo

Overcoming Security Challenges in DevOps

Als PPTX, PDF herunterladen
Alert Logic
Alert Logic

DevOps presentation with Alert Logic and Chef

Technologie
1 von 32
Taking a DevOps Approach to Security Alert Logic & Chef discuss overcoming security challenges in DevOps Yvo Van Doorn Manager, Solutions Architects Chef Software Justin Criswell Cloud Solutions Architect Alert Logic
Speaker Introduction • Yvo Van Doorn • Manager, Solutions Architects • Chef Software, Inc. • @yvov • www.linkedin.com/in/yvovandoorn • Justin Criswell • Cloud Solutions Architect • Alert Logic, Inc. • @JustinCriswell5 • www.linkedin.com/in/justincriswell
Session Overview More organizations are embracing DevOps to realize compelling business benefits such as faster yet safer feature release cadence, increased application stability, and rapid response to shifting market conditions. However, security and compliance monitoring tools have not kept up and often represent the single largest remaining hurdle to Continuous Delivery. Topics covered in this session: •How DevOps Improves your Security Posture •Overcoming Challenges in DevOps Environments
DevOps Improves Security Posture
Mark Burgess, Father of Configuration Management Author of “In Search of Certainty” Configuration Management “We suffer sometimes from the hubris of believing that control is a matter of applying sufficient force, or a sufficiently detailed set of instructions.”
Automation and Convergent Infrastructure “A system's desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g.: CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what to do.” Mark Burgess, Father of Configuration Management Author of “In Search of Certainty”
The Birth of DevOps
Driving toward Immutable Infrastructure "This is what I call disposable computing. Throw away a broken process rather than trying to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we´re getting there. Nature shows that this is a good way of scaling services." Mark Burgess, Father of Configuration Management Author of “In Search of Certainty”
Infrastructure as Code • Converge on a regular interval • Configuration Management is idempotent • All persistent changes must be in source control • Manual intervention discouraged • Out-of-band changes will be lost
Security & Compliance Implications
Continuous Delivery Patterns
Test Driven Infrastructure Costs Of Finding Bugs in Production
Continuous Security Auditing & Compliance End-to-End Visibility Disaster Recovery & Business Continuity Remediation & Fast Resolution Continuous Detection/ Protection Automated Configuration & Scaling Security Posture
OVERCOMING SECURITY CHALLENGES
Overcoming Security Challenges • Challenges for Security Technology & Practice Today - AWS Shared Responsibility Model - Challenges remain for Customers • Leveraging DevOps for Security - Best-Practices for blending DevOps with Security • Toward Software-Defined Security - Embracing new reality of AWS Cloud Infrastructure
AWS Shared Responsibility Model Customer Responsibility Foundation Services Hosts • Logical network segmentation • Perimeter security services • External DDoS, spoofing, and scanning prevented • Hardened hypervisor • System image library • Root access for customer • Access management • Patch management • Configuration hardening • Security monitoring • Log analysis Apps • Secure coding and best practices • Software and virtual patching • Configuration management • Access management • Application level attack monitoring • Network threat detection • Security monitoring Networks Cloud Service Provider Responsibility Compute Storage DB Network
2014: Security Top Cloud Pain Point Security Pricing/Budget/Cost Human Change Management Security of Data, Control of Data Locality, Sovereignty Compliance Migration/Integration Internal Resources/Expertise Management Lack of Internal Process Vendor/Provider Issues Organizational Challenges Contractual/Legal Issues Service Reliability/Availability Network Lack of Standards 4% 31% 17% 12% 11% 11% 10% 9% 8% 7.4% 7% 7% 7% 5% 5%
Application Security Technology Challenges Network Changes Host Identity Auto-Scaling Application Security Technology Challenges
Traditional Security/Compliance is Slow Mature DevOps Velocity is Fast Security Practice does not Keep Up Security at Odds with DevOps Velocity
InfoSec Ends Up Being Marginalized “The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.” Gene Kim, former CTO of Tripwire Author of “The Phoenix Project: A Novel About IT, DevOps” & “Helping Your Business Win”
Integrating Security with DevOps • Leveraging DevOps practice for better Security - Prevent attack vectors with Immutable Systems - Manage vulnerabilities with Base Images and Configuration Management - Robust Auditing and Centralized Log Collection - Adopt strategy of Phoenix Upgrades - Embrace end-to-end Continuous Deployment
Manage Vulnerabilities with Base Images Manage Vulnerabilities • Conduct normal vulnerability scanning • Identify Vulnerabilities that exist in Base Images versus Application specific packages • Remediate at appropriate level as part of Continuous Delivery process • Start with Hardened “secure by default” base Results • Less work, done more reliably • Patching fits naturally into Phoenix Upgrades • Continuous Delivery allow frequent scanning in test environments to have real value • Fixes potential vulnerabilities systematically
Prevent Attacks with Immutable Systems Build secure base images that are representative of your infrastructure system base Design file system layout to separate code from data, and lock down to minimum required permissions. Should expand to network as well Leverage SANS Checklist and CIS Benchmark resources for system level security best practices and guidance Leverage configuration management tools to standardized all software versions and configurations Design Secure Immutable Infrastructure
Centralize Robust Auditing & Logging # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 1024 -a exit,always -S unlink -S rmdir -a exit,always -S stime.* …… Implement Local Auditing #Sample syslog-ng configuration #Lots of configuration required ........ # Send *ALL* System Logs to Log Appliance destination df_log_appliance_forward { tcp("my-log-appliance" port(514)); }; log { source(s_all); destination(df_log_appliance_forward); }; Collect Important Logs Centralize Log Collection for Search and Filtering
Adopt Strategy of Phoenix Upgrades Embrace Phoenix Upgrades • Stand up new instances, don’t upgrade • Route traffic between old and new instances • Rich service metrics and automate rollback • Advanced routing can enable selective rollout Results • Creates evergreen systems, avoiding configuration drift and technical debt • Enforces refresh of all system components as complete artifact, tested as a holistic system • Greatly reduces security risks when combine with immutable instances and configuration management
Embrace Complete Continuous Deployment End-to-End Continuous Deployment • Configuration Management (Chef), • Standardized Environment Images (Packer) • Environment/Subsystem Orchestration Layer • Production-like environments in Dev & Test must include all components Results • Hardened base images become part of the standard development process • Continuous validation of secure configuration • Holistic system validation & testing #Sample Alert Logic Chef NodeDef { "name": "cloud-api-node", "versions": { "1.6.0": { "vm_type": "squeeze64", ], "install_phase": { "run_list": [ "app-version-install@4.1.0", ] }, …. Leverage Configuration Management Leverage Standardized Environment Images Build an Orchestration Layer #Sample Packer Configuration { "builders": [{ "type": "amazon-ebs", "access_key": "{{user `aws_access`}}" , "secret_key": "{{user `aws_secret`}}" , "region": "us-east-1", "source_ami": "ami-de0d9eb7", "instance_type": "t1.micro", "ssh_username": "ubuntu", "ami_name": "packer-ex {{timestamp}}" }]
Moving to Software Defined Security • Significant Opportunity remains in front of us - Security remains a lot of work - Does not fit naturally into DevOps Roles • AWS ready to Accelerate Security Technology - Leverage end-to-end visibility available - Protect automatically with real-time configuration - Transform periodic assessment into real-time automated responses
Leverage End-to-End Visibility Leverage Detailed Visibility of AWS • AWS describe endpoints reveals environment • Cloud Trail shows incremental changes • Long-term AWS Config unifies this Information Results • Enables visualization of entire environment • Can reason directly about exploitability • View of environment always up-to-date • No need to coordinate application changes with security infrastructure
Protect with Automatic Configuration Automated Protection • Add security infrastructure on-demand to cover changes to environment • Autoscale that infrastructure based on traffic seen in that environment environment Results • Focus on application deployments and not configuration of security infrastructure • Implements least-privilege configurations • Seamless experience that “just works” with Security fitting naturally into DevOps practice
Transform Assessment to be Real-Time Real-Time Protection • Assessment activities should become continuous • Continuous Assessment “just happens” as deployments occur • Zero-day coverage delivered automatically Results • No more periodic assessment cycle • Security posture of environment available immediately and automatically after deployments • Security matches DevOps Velocity!
Contact Us Justin Criswell Cloud Solutions Architect Alert Logic jcriswell@alertlogic.com @JustinCriswell5 Yvo Van Doorn Manager, Solutions Architects Chef Software, Inc. yvo@chef.io @yvov Thank you!

Empfohlen

Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
CloudPassage
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
Andy Hoernecke
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
Shannon Lietz
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
Jason Chan
 

Empfohlen

Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
CloudPassage
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
Shannon Lietz
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
Andy Hoernecke
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
Shannon Lietz
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
Jason Chan
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
Amazon Web Services
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
Shannon Lietz
 
From Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product SecurityFrom Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
Jason Chan
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
Shannon Lietz
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
Andy Hoernecke
 
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
Amazon Web Services
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and Security
Jason Chan
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
Priyanka Aash
 
Security as Code owasp
Security as Code owaspSecurity as Code owasp
Security as Code owasp
Shannon Lietz
 
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
Amazon Web Services
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
Puma Security, LLC
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
DevSecCon
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
Eric Smalling
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_program
Shannon Lietz
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
Amazon Web Services
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
Amazon Web Services
 

Weitere ähnliche Inhalte

Was ist angesagt?

From Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product SecurityFrom Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
Jason Chan
 

Was ist angesagt? (20)

Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
From Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product SecurityFrom Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
 
Finding Security a Home in a DevOps World
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOps
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
 
Splitting the Check on Compliance and Security
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and Security
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
Security as Code owasp
Security as Code owaspSecurity as Code owasp
Security as Code owasp
 
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment securityDev seccon london 2016 intelliment security
Dev seccon london 2016 intelliment security
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
 
S360 2015 dev_secops_program
S360 2015 dev_secops_programS360 2015 dev_secops_program
S360 2015 dev_secops_program
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 

Ähnlich wie Overcoming Security Challenges in DevOps

Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
Amazon Web Services
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
Amazon Web Services
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Amazon Web Services
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 

Ähnlich wie Overcoming Security Challenges in DevOps (20)

Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 
Enabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOpsEnabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOps
 
Ibm innovate ci for system z
Ibm innovate ci for system zIbm innovate ci for system z
Ibm innovate ci for system z
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
Chef Workflow Demo
Chef Workflow DemoChef Workflow Demo
Chef Workflow Demo
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 

Mehr von Alert Logic

Mehr von Alert Logic (20)

Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-Center
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
CSS 2018 Trivia
CSS 2018 TriviaCSS 2018 Trivia
CSS 2018 Trivia
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 

Kürzlich hochgeladen

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Overcoming Security Challenges in DevOps

  • 1. Taking a DevOps Approach to Security Alert Logic & Chef discuss overcoming security challenges in DevOps Yvo Van Doorn Manager, Solutions Architects Chef Software Justin Criswell Cloud Solutions Architect Alert Logic
  • 2. Speaker Introduction • Yvo Van Doorn • Manager, Solutions Architects • Chef Software, Inc. • @yvov • www.linkedin.com/in/yvovandoorn • Justin Criswell • Cloud Solutions Architect • Alert Logic, Inc. • @JustinCriswell5 • www.linkedin.com/in/justincriswell
  • 3. Session Overview More organizations are embracing DevOps to realize compelling business benefits such as faster yet safer feature release cadence, increased application stability, and rapid response to shifting market conditions. However, security and compliance monitoring tools have not kept up and often represent the single largest remaining hurdle to Continuous Delivery. Topics covered in this session: •How DevOps Improves your Security Posture •Overcoming Challenges in DevOps Environments
  • 5. Mark Burgess, Father of Configuration Management Author of “In Search of Certainty” Configuration Management “We suffer sometimes from the hubris of believing that control is a matter of applying sufficient force, or a sufficiently detailed set of instructions.”
  • 6. Automation and Convergent Infrastructure “A system's desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g.: CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what to do.” Mark Burgess, Father of Configuration Management Author of “In Search of Certainty”
  • 7. The Birth of DevOps
  • 8. Driving toward Immutable Infrastructure "This is what I call disposable computing. Throw away a broken process rather than trying to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we´re getting there. Nature shows that this is a good way of scaling services." Mark Burgess, Father of Configuration Management Author of “In Search of Certainty”
  • 9. Infrastructure as Code • Converge on a regular interval • Configuration Management is idempotent • All persistent changes must be in source control • Manual intervention discouraged • Out-of-band changes will be lost
  • 10. Security & Compliance Implications
  • 12. Test Driven Infrastructure Costs Of Finding Bugs in Production
  • 13. Continuous Security Auditing & Compliance End-to-End Visibility Disaster Recovery & Business Continuity Remediation & Fast Resolution Continuous Detection/ Protection Automated Configuration & Scaling Security Posture
  • 14.
  • 16. Overcoming Security Challenges • Challenges for Security Technology & Practice Today - AWS Shared Responsibility Model - Challenges remain for Customers • Leveraging DevOps for Security - Best-Practices for blending DevOps with Security • Toward Software-Defined Security - Embracing new reality of AWS Cloud Infrastructure
  • 17. AWS Shared Responsibility Model Customer Responsibility Foundation Services Hosts • Logical network segmentation • Perimeter security services • External DDoS, spoofing, and scanning prevented • Hardened hypervisor • System image library • Root access for customer • Access management • Patch management • Configuration hardening • Security monitoring • Log analysis Apps • Secure coding and best practices • Software and virtual patching • Configuration management • Access management • Application level attack monitoring • Network threat detection • Security monitoring Networks Cloud Service Provider Responsibility Compute Storage DB Network
  • 18. 2014: Security Top Cloud Pain Point Security Pricing/Budget/Cost Human Change Management Security of Data, Control of Data Locality, Sovereignty Compliance Migration/Integration Internal Resources/Expertise Management Lack of Internal Process Vendor/Provider Issues Organizational Challenges Contractual/Legal Issues Service Reliability/Availability Network Lack of Standards 4% 31% 17% 12% 11% 11% 10% 9% 8% 7.4% 7% 7% 7% 5% 5%
  • 19. Application Security Technology Challenges Network Changes Host Identity Auto-Scaling Application Security Technology Challenges
  • 20. Traditional Security/Compliance is Slow Mature DevOps Velocity is Fast Security Practice does not Keep Up Security at Odds with DevOps Velocity
  • 21. InfoSec Ends Up Being Marginalized “The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.” Gene Kim, former CTO of Tripwire Author of “The Phoenix Project: A Novel About IT, DevOps” & “Helping Your Business Win”
  • 22. Integrating Security with DevOps • Leveraging DevOps practice for better Security - Prevent attack vectors with Immutable Systems - Manage vulnerabilities with Base Images and Configuration Management - Robust Auditing and Centralized Log Collection - Adopt strategy of Phoenix Upgrades - Embrace end-to-end Continuous Deployment
  • 23. Manage Vulnerabilities with Base Images Manage Vulnerabilities • Conduct normal vulnerability scanning • Identify Vulnerabilities that exist in Base Images versus Application specific packages • Remediate at appropriate level as part of Continuous Delivery process • Start with Hardened “secure by default” base Results • Less work, done more reliably • Patching fits naturally into Phoenix Upgrades • Continuous Delivery allow frequent scanning in test environments to have real value • Fixes potential vulnerabilities systematically
  • 24. Prevent Attacks with Immutable Systems Build secure base images that are representative of your infrastructure system base Design file system layout to separate code from data, and lock down to minimum required permissions. Should expand to network as well Leverage SANS Checklist and CIS Benchmark resources for system level security best practices and guidance Leverage configuration management tools to standardized all software versions and configurations Design Secure Immutable Infrastructure
  • 25. Centralize Robust Auditing & Logging # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 1024 -a exit,always -S unlink -S rmdir -a exit,always -S stime.* …… Implement Local Auditing #Sample syslog-ng configuration #Lots of configuration required ........ # Send *ALL* System Logs to Log Appliance destination df_log_appliance_forward { tcp("my-log-appliance" port(514)); }; log { source(s_all); destination(df_log_appliance_forward); }; Collect Important Logs Centralize Log Collection for Search and Filtering
  • 26. Adopt Strategy of Phoenix Upgrades Embrace Phoenix Upgrades • Stand up new instances, don’t upgrade • Route traffic between old and new instances • Rich service metrics and automate rollback • Advanced routing can enable selective rollout Results • Creates evergreen systems, avoiding configuration drift and technical debt • Enforces refresh of all system components as complete artifact, tested as a holistic system • Greatly reduces security risks when combine with immutable instances and configuration management
  • 27. Embrace Complete Continuous Deployment End-to-End Continuous Deployment • Configuration Management (Chef), • Standardized Environment Images (Packer) • Environment/Subsystem Orchestration Layer • Production-like environments in Dev & Test must include all components Results • Hardened base images become part of the standard development process • Continuous validation of secure configuration • Holistic system validation & testing #Sample Alert Logic Chef NodeDef { "name": "cloud-api-node", "versions": { "1.6.0": { "vm_type": "squeeze64", ], "install_phase": { "run_list": [ "app-version-install@4.1.0", ] }, …. Leverage Configuration Management Leverage Standardized Environment Images Build an Orchestration Layer #Sample Packer Configuration { "builders": [{ "type": "amazon-ebs", "access_key": "{{user `aws_access`}}" , "secret_key": "{{user `aws_secret`}}" , "region": "us-east-1", "source_ami": "ami-de0d9eb7", "instance_type": "t1.micro", "ssh_username": "ubuntu", "ami_name": "packer-ex {{timestamp}}" }]
  • 28. Moving to Software Defined Security • Significant Opportunity remains in front of us - Security remains a lot of work - Does not fit naturally into DevOps Roles • AWS ready to Accelerate Security Technology - Leverage end-to-end visibility available - Protect automatically with real-time configuration - Transform periodic assessment into real-time automated responses
  • 29. Leverage End-to-End Visibility Leverage Detailed Visibility of AWS • AWS describe endpoints reveals environment • Cloud Trail shows incremental changes • Long-term AWS Config unifies this Information Results • Enables visualization of entire environment • Can reason directly about exploitability • View of environment always up-to-date • No need to coordinate application changes with security infrastructure
  • 30. Protect with Automatic Configuration Automated Protection • Add security infrastructure on-demand to cover changes to environment • Autoscale that infrastructure based on traffic seen in that environment environment Results • Focus on application deployments and not configuration of security infrastructure • Implements least-privilege configurations • Seamless experience that “just works” with Security fitting naturally into DevOps practice
  • 31. Transform Assessment to be Real-Time Real-Time Protection • Assessment activities should become continuous • Continuous Assessment “just happens” as deployments occur • Zero-day coverage delivered automatically Results • No more periodic assessment cycle • Security posture of environment available immediately and automatically after deployments • Security matches DevOps Velocity!
  • 32. Contact Us Justin Criswell Cloud Solutions Architect Alert Logic jcriswell@alertlogic.com @JustinCriswell5 Yvo Van Doorn Manager, Solutions Architects Chef Software, Inc. yvo@chef.io @yvov Thank you!

Hinweis der Redaktion

  1. As recommended by AWS, this slide will contain a visual of the AWS shared security model, and define the scope of the security practices and technology that the rest of the presentation will address.
  2. Customer see security as the top pain point for Cloud deployments. This is because as challenging as security is in traditional environments, the adoption of Public Cloud infrastructure and DevOps practices have moved faster than security technology and practice, even farther away from meaningful effectiveness.
  3. Traditionally security technology have always been challenged by the divergent activities of network, systems and application changes, where the majority of customers continue to operate with manually maintained network diagrams. Even when changes are known, the impacts to visibility between systems is not clear because the information is never available in a single place Modern cloud environments present new unique challenges to understanding host identity and network visibility. No longer do hosts maintain the same IP address originally assigned when restarted, and with auto-scaling the identity of the individual host is no longer meaningful. All of this makes security technology unable to have a complete understanding of deployment environments and the exposure these new environments present to applications that are running therein
  4. - Current security people, process and tools are oriented to provide value on the order of years, quarters and even months. Even the best compliance practices in PCI proceeds on this cadence because they are simply difficult to keep up on in the mix of tools and practice that exist today. - DevOps tools and techniques are moving faster and faster, providing mature DevOps organizations with the ability to deliver business value into production at an amazing rate. - The result is that security is effective on one in every 10 or even 100 of system configurations
  5. So let’s turn our attention away from the challenges that face security technology and practice to concrete things that can be done to help bring effective security to your environment by leveraging DevOps tools and practices. By fully embracing end-to-end configuration management and automated continuous deployment you can gain a greater control of the security posture of your environment. I’m going to cover three key techniques that should be built into all systems: First key choice is to build systems in which most file systems are read-only, and writeable file systems are noexec/nosuid. This will severely limit the non-privileged attack surface of systems Second is the corollary of immutable systems – that applying changes to should be done by replacing nodes in load balanced groups, rather than performing upgrades in-place. This enables the use of immutable systems. Third is to configure strong auditing and centralize all logging in order to detect out-of-band changes that are made outside of the the continuous deployment systems Finally ensure that you use common base images and system configurations, in order to allow vulnerabilities to be addressed on-mass, rather than a set of one-off systems
  6. This slide is meant to be a pre-cursor to the Outcomes effort. Currently in today’s “Software Defined Infrastructure” nothing exists that allows organizations to conduct vulnerability scans in a real meaningful way that is in “lock step” with continuous deployment of systems. Scanning today is infrequent at best and usually identifies numerous vulnerabilities that must be addressed Addressing vulnerabilities in-mass introduces considerable risk to existing stability and performance of the infrastructure A way needs to exist that will allow an environment to scan frequently and identify problems as they arise. Vulnerabilities (or configuration problems) can be quickly addressed before they “stack up” and introduce added risk
  7. This slide will provide an example of constructing immutable system using config management and deployment tools Apply those standards to systems that can then be imaged and used as “golden images” during automated deployments. Use tools that enable creating machine images (Packer) which allow standardizing system deployment across different infrastructures (VMWare, EC2, etc.) Design systems so that executable code is cleanly separated from data at the file system level, and implement a permissions strategy for these file systems based on Least Permissions, including read-only and noexec/nosuid mount options. Use resources like the SANS Linux Security Checklist or CIS Benchmark as you build golden base images that form the foundation of your deployments. These provide a clear definitive answer to how you can easily ensure security of the systems within your infrastructure, and CIS even offers hardened AMIs for EC2. Leverage configuration management (Chef) to ensure that all software and configuration changes are standardized and repeatable. Following these guidelines will ensure that your infrastructures are built to be as immutable fashion, and will enable maximum leverage out of your security and compliance hardening efforts. All of this makes separation of duties easier to achieve when there are no longer environment specific configurations that are outside of configuration management tools being used by developers.
  8. This slide will show how to integrate strong auditing (via linux auditd) and centralized logging as a basic attribute of all systems built using the configuration management tools. Enable auditing (auditd) on local systems and ensure configuration is controlled through configuration management (Chef). This example shows a snippet of the CIS benchmark recommendations for auditd configuration for CentOS/Redhat systems. Ensure syslog is offloaded Alert Logic has a nice tool…
  9. This slide will demonstrate how to affect change by replacing nodes in a load balancing group instead of performing in-place upgrades. Embrace the concept of Phoenix Upgrades, systems should not be pulled along but reborn when new versions are available Technical debt begins to accumulate and replacing over upgrading resets the clock When combined with deployment of immutable systems and configuration management, it provides a path for releasing new technology (kernel upgrades, etc.) in complete package that can be fully tested prior to deployment
  10. This slide will focus on how important it is to develop, test and deploy the same way in order to greatly reduce overall risk and introduced vulnerabilities Configuration management ensures that “Infrastructure” becomes defined as code and introduces the capability to deploy in many different environments (Laptop, Test Data Centers, Production, etc). Tools like CHEF provide us the ability to define infrastructure as code Standardizing Environment Images ensures that we are not overburdened with creating many different images that “might” work in all different environments. Tools like Packer allow us to create an image that can be build and deployed into many different environments (LXC, EC2, VMWare, etc..) Orchestration (We use an internally developed tool called Environment Manager) allows us to ensure we can deploy our systems and ensure they are configured in a repeatable fashion. This ensures that systems are deployed, installed and configured in the proper order to maximize repeatable experience for development, testing and production Combining all three with the ability to execute Phoenix Upgrades ensures that we can deploy infrastructure in a repeatable fashion AND we do so without incurring technical debt. This greatly reduces risk and overall introduction of new vulnerabilities due to misconfigurations
  11. Starting from that foundation, we have the opportunity to go further to achieve end-to-end security in the AWS cloud infrastructure. DevOps tools and techniques are a start… and software defined infrastructure provides access to end-to-end visibility… but security tools really need to catch up. Security technologies need to advance in three very important ways: AWS provides significant visibility into network and system deployments, which should be leveraged directly to identify the configuration of whole environments Transform traditionally period assessment tasks normally performed on a weekly or monthly basis, into more focused change-driven responses that operate continuously Automatically reconfigure security protection services based on the real-time change to the environment Each of these represent important advances that Security Technologies need to adopt to truly begin providing security coverage for Cloud environments
  12. The first challenge is for our security technologies to gain visibility to the complete end-to-end picture of deployed environments.  What we need is for this level of visibility to be automatic and immediately react to changes. This video segment shows the automated discovery of an entire complex environment, including EC2 instances, subnets, VPCs, and internet gateways.      <video segment starts, showing auto-discovery of an environment deployed in AWS> This type of automatic discover and complete end-to-end visibility is necessary for security technologies to have up-to-date information about the environment in which it operates     <video stabilizes the view, and then begins reconfiguring additional VPC, subnets and some hosts> Now when changes are made to the environment, via a deployment of additional instances in this case, the view updates to show the new adjusted environment     <video stabilizes after the addition of new instances>
  13. The last challenge is to respond to these changes in the as-deployed environment to automatically reconfigure the security protection to match the environment.  This is particularly important in dynamic auto-scaling environments where the size of the environment could grow 10 times or more in a matter of minutes. This video segment picks up with a simpler web stack environment running just a few instances, plus the security infrastructure instances that are currently protecting the web stack.     <video segment starts, showing the web stack and security appliances protecting it> Now as traffic grows to the web stack, the ELB will start new instances to handle the traffic.     <video continues to showing the increased traffic and auto-scaled application stack instances> As the web stack grows, the security infrastructure protecting it expands to handle the additional traffic.     <video continues to show auto-scaled appliance deployments to handle the application traffic>
  14. The last challenge is to respond to these changes in the as-deployed environment to automatically reconfigure the security protection to match the environment.  This is particularly important in dynamic auto-scaling environments where the size of the environment could grow 10 times or more in a matter of minutes. This video segment picks up with a simpler web stack environment running just a few instances, plus the security infrastructure instances that are currently protecting the web stack.     <video segment starts, showing the web stack and security appliances protecting it> Now as traffic grows to the web stack, the ELB will start new instances to handle the traffic.     <video continues to showing the increased traffic and auto-scaled application stack instances> As the web stack grows, the security infrastructure protecting it expands to handle the additional traffic.     <video continues to show auto-scaled appliance deployments to handle the application traffic>