The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I’ll also cover how we’ve used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.
Scaling Security in the Cloud With Open Source
1. Scaling Security in the Cloud
With Open Source
Cloud Village @ DEF CON 27
James Strassburg
Technical Fellow / Chief Software Architect
Direct Supply
4. Our Cloud Vision and Strategy
Immutable Servers
Infrastructure as Code
Automated Deployments
Secure by Default
Platform as a Service
5. No automation
A few scripts
DevOps / Continuous Delivery
EVIL
9. HashiCorp Vault: “Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.”
19. Security Scanning Automation / Dealing With Cattle
● Eliminate manual effort to update scan configurations
● Group instances logically by owner
● Support custom scans based on tags
25. What went not so well...
● Lots of work before Custodian was deployed
● Teams started rolling their own, without modules
● Our integration with a cloud consultancy is preventing us from taking advantage of some newer features
vault login -method=aws for IAM auth (the instance authenticates with its IAM identity instead of a stored token)
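The abstract's "temporal leasing of API access keys and database credentials" and the IAM-auth note above describe one pattern: authenticate to Vault with the instance's IAM identity, obtain a short-lived dynamic credential, renew it before its lease expires, and request a fresh one when Vault refuses renewal (max_ttl reached or lease revoked). The following is an added example written for this page, not code from the talk or from Direct Supply. The lease policy is pure Python and runs offline against a fake Vault with a fake clock; the `vault_backed()` wiring uses hvac and boto3 (assumed installed, imported lazily) and the role name `readonly` and database mount path are placeholders.

```python
"""Time-limited DB credentials from Vault: renew before expiry, re-issue when
renewal is refused.  Added example, not code from the talk."""
import time
from typing import Any, Callable, Dict, List, Tuple

# Shape returned by `vault read database/creds/<role>` (and by hvac's
# secrets.database.generate_credentials): lease_id, lease_duration (seconds),
# renewable, and the credential itself under "data".
Secret = Dict[str, Any]


class LeaseRefused(Exception):
    """Vault refused to renew the lease (past max_ttl, or already revoked)."""


class LeasedCredential:
    """Holds one leased credential and decides when to renew or rotate it.

    `issue()` asks Vault for a new credential; `renew(lease_id, increment)`
    extends an existing lease and returns the granted duration (Vault may
    grant less than asked as max_ttl approaches).  Both are injected so the
    policy can be exercised offline with fakes.
    """

    def __init__(self, issue: Callable[[], Secret], renew: Callable[[str, int], int],
                 renew_at: float = 0.67, clock: Callable[[], float] = time.time):
        self.issue, self.renew, self.renew_at, self.clock = issue, renew, renew_at, clock
        self.secret = None
        self.issued_at = 0.0
        self.duration = 0
        self.rotations = 0   # how many credentials were issued
        self.renewals = 0    # how many successful lease renewals

    def _rotate(self) -> None:
        self.secret = self.issue()
        self.issued_at = self.clock()
        self.duration = int(self.secret["lease_duration"])
        self.rotations += 1

    def credentials(self) -> Dict[str, str]:
        """Return a currently valid username/password, renewing or rotating first if needed."""
        now = self.clock()
        if self.secret is None or now >= self.issued_at + self.duration:
            # An expired lease has already been revoked server-side: never try to renew it.
            self._rotate()
        elif now - self.issued_at >= self.renew_at * self.duration:
            try:
                self.duration = int(self.renew(self.secret["lease_id"], self.duration))
                self.issued_at = now
                self.renewals += 1
            except LeaseRefused:
                self._rotate()  # max_ttl reached: start a brand-new lease
        return dict(self.secret["data"])


def fake_vault(max_renewals_per_lease: int = 2):
    """Constructed stand-in for Vault's database secrets engine (offline testing only)."""
    state = {"issued": 0, "renewals": {}}

    def issue() -> Secret:
        state["issued"] += 1
        n = state["issued"]
        return {"lease_id": f"database/creds/readonly/lease-{n}", "lease_duration": 3600,
                "renewable": True,
                "data": {"username": f"v-aws-readonly-{n}", "password": "constructed-not-real"}}

    def renew(lease_id: str, increment: int) -> int:
        count = state["renewals"].get(lease_id, 0) + 1
        if count > max_renewals_per_lease:   # models hitting max_ttl
            raise LeaseRefused(lease_id)
        state["renewals"][lease_id] = count
        return increment

    return issue, renew


def simulate(hours: int = 6, step_minutes: int = 10) -> Tuple[List[str], int, int]:
    """Drive the policy through a fake clock; returns (usernames seen, rotations, renewals)."""
    issue, renew = fake_vault()
    t = [0.0]
    cred = LeasedCredential(issue, renew, clock=lambda: t[0])
    seen: List[str] = []
    for _ in range(hours * 60 // step_minutes):
        user = cred.credentials()["username"]
        if not seen or seen[-1] != user:
            seen.append(user)
        t[0] += step_minutes * 60
    return seen, cred.rotations, cred.renewals


def vault_backed(role: str = "readonly") -> LeasedCredential:
    """Wire the policy to a real Vault: IAM login (what `vault login -method=aws` does),
    then dynamic DB creds.  Assumes hvac + boto3, VAULT_ADDR in the environment and
    a Vault AWS-auth role / database role both named `role` (placeholders)."""
    import hvac   # assumed installed; imported lazily so the rest of the file runs without it
    import boto3
    frozen = boto3.Session().get_credentials().get_frozen_credentials()
    client = hvac.Client()
    client.auth.aws.iam_login(frozen.access_key, frozen.secret_key, frozen.token, role=role)

    def issue() -> Secret:
        return client.secrets.database.generate_credentials(name=role)

    def renew(lease_id: str, increment: int) -> int:
        try:
            return client.sys.renew_lease(lease_id, increment=increment)["lease_duration"]
        except hvac.exceptions.VaultError as exc:
            raise LeaseRefused(lease_id) from exc

    return LeasedCredential(issue, renew)


if __name__ == "__main__":
    print(simulate())
```

With a one-hour lease and renewal at 67% of the TTL, the simulation renews twice per lease, gets refused on the third attempt and rotates to a new credential; callers only ever see `credentials()`, so the application code never handles expiry itself.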
Note the filters and actions; we take a less heavy-handed approach where we can.
We’re using Custodian for lots more, including deregistering old AMIs, whitelisting AWS services, and adding a security group for patching to running EC2 instances… which leads me to...
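The two Cloud Custodian uses named above, deregistering old AMIs and attaching a patching security group, are expressed in Custodian as a policy of filters (what to select) and actions (what to do). The block below is an added example for this page, not a policy from the talk: it holds two such policies as a Python dict that `policy_file_text()` serialises to JSON (Custodian reads JSON as well as YAML; run `custodian validate` against the output before `custodian run`), and a deliberately small local evaluator that applies the same filters to constructed AMI and EC2 records so the selection can be checked offline. The evaluator is an illustration of the filter semantics, not Custodian's engine; `sg-patching-placeholder` and the resource IDs are made up, and the `InUse` field stands in for the cross-referencing Custodian's real `unused` filter performs.

```python
"""Cloud Custodian-style policies plus an offline dry-run of their filters.
Added example; placeholder IDs and constructed records throughout."""
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

PATCH_SG = "sg-patching-placeholder"   # placeholder, not a real security group id

POLICIES = {
    "policies": [
        {
            "name": "ami-deregister-old-unused",
            "resource": "aws.ami",
            "description": "Deregister images older than 90 days that nothing still launches from.",
            # Both filters must match: age alone would be heavy-handed.
            "filters": [
                {"type": "image-age", "days": 90, "op": "ge"},
                {"type": "unused", "value": True},
            ],
            "actions": ["deregister"],
        },
        {
            "name": "ec2-attach-patch-sg",
            "resource": "aws.ec2",
            "description": "Add the patching SG only to instances that opted in via a PatchGroup tag.",
            "filters": [
                {"tag:PatchGroup": "present"},
                {"not": [{"type": "value", "key": "SecurityGroups[].GroupId",
                          "op": "contains", "value": PATCH_SG}]},
            ],
            "actions": [{"type": "modify-security-groups", "add": [PATCH_SG]}],
        },
    ]
}

NOW = datetime(2019, 8, 9, tzinfo=timezone.utc)   # constructed reference date


def _iso(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")   # EC2's CreationDate format


# Constructed resource records, shaped like describe-images / describe-instances output.
AMIS = [
    {"ImageId": "ami-old-unused", "CreationDate": _iso(NOW - timedelta(days=200)), "InUse": False},
    {"ImageId": "ami-old-inuse", "CreationDate": _iso(NOW - timedelta(days=200)), "InUse": True},
    {"ImageId": "ami-new", "CreationDate": _iso(NOW - timedelta(days=10)), "InUse": False},
]
INSTANCES = [
    {"InstanceId": "i-web-1", "Tags": [{"Key": "PatchGroup", "Value": "web"}],
     "SecurityGroups": [{"GroupId": "sg-app"}]},
    {"InstanceId": "i-web-2", "Tags": [{"Key": "PatchGroup", "Value": "web"}],
     "SecurityGroups": [{"GroupId": "sg-app"}, {"GroupId": PATCH_SG}]},
    {"InstanceId": "i-optout", "Tags": [{"Key": "Owner", "Value": "db"}],
     "SecurityGroups": [{"GroupId": "sg-db"}]},
]


def _tags(r: Dict[str, Any]) -> Dict[str, str]:
    return {t["Key"]: t["Value"] for t in r.get("Tags", [])}


def _lookup(r: Dict[str, Any], key: str) -> Any:
    # Minimal stand-in for Custodian's JMESPath keys; only the shapes used above.
    if key == "SecurityGroups[].GroupId":
        return [g["GroupId"] for g in r.get("SecurityGroups", [])]
    return r.get(key)


def _match(f: Dict[str, Any], r: Dict[str, Any], now: datetime) -> bool:
    """Evaluate one filter the way Custodian's documented semantics read."""
    if "not" in f:
        return not all(_match(sub, r, now) for sub in f["not"])
    if "type" not in f:                     # shorthand form, e.g. {"tag:PatchGroup": "present"}
        (key, want), = f.items()
        if key.startswith("tag:"):
            present = key[4:] in _tags(r)
            return present if want == "present" else (not present if want == "absent"
                                                      else _tags(r).get(key[4:]) == want)
        return r.get(key) == want
    kind = f["type"]
    if kind == "image-age":
        created = datetime.strptime(r["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        age_days = (now - created).days
        return age_days >= f["days"] if f.get("op", "ge") == "ge" else age_days < f["days"]
    if kind == "unused":
        return (not r["InUse"]) == bool(f["value"])
    if kind == "value" and f.get("op") == "contains":
        return f["value"] in _lookup(r, f["key"])
    raise ValueError(f"unsupported filter in this dry-run: {f}")


def dry_run(policy: Dict[str, Any], resources: List[Dict[str, Any]], now: datetime = NOW) -> List[str]:
    """IDs of resources the policy's filters would select (what `custodian run --dryrun` reports)."""
    return [r.get("ImageId") or r.get("InstanceId")
            for r in resources if all(_match(f, r, now) for f in policy["filters"])]


def old_unused_amis() -> List[str]:
    return dry_run(POLICIES["policies"][0], AMIS)


def instances_needing_patch_sg() -> List[str]:
    return dry_run(POLICIES["policies"][1], INSTANCES)


def policy_file_text() -> str:
    return json.dumps(POLICIES, indent=2)


if __name__ == "__main__":
    print(old_unused_amis(), instances_needing_patch_sg())
```

Only the old image that is also unused is selected, and only the opted-in instance that does not already carry the patching group gets the action, which is the "less heavy-handed" shape the notes describe: narrow filters first, then an additive action rather than a destructive one.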
All driven by tags on the scanner and the instances
pyTenable
Tenable agent is baked into our base Linux/Windows cookbooks/images
Automation is, again, driven by tags. The relevant tags are included in a tagging module
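Slide 19 (group instances by owner, custom scans from tags, no manual scan-config edits) and the notes above (agent in the base image, pyTenable, everything driven by tags) describe one job: read the instance tags, derive scan definitions, and create or update the matching Tenable scans. The block below is an added example for this page, not Direct Supply's tooling. The grouping logic runs offline on constructed instance records shaped like boto3's `describe_instances` output; `sync_scans()` takes a `tenable.io.TenableIO` client and uses `tio.scans.list()`, `tio.scans.create(...)` and `tio.scans.configure(...)` (assumed pyTenable calls; check against the installed version), and the `Owner`/`ScanProfile` tag names and the profile-to-template mapping are assumptions.

```python
"""Tag-driven Tenable scan definitions.  Added example; tag names, template
mapping and the sample instances are constructed."""
from collections import defaultdict
from typing import Any, Dict, List, Tuple

# Constructed sample: one dict per instance, as boto3 describe_instances returns them.
INSTANCES = [
    {"InstanceId": "i-pay-1", "PrivateIpAddress": "10.0.1.10", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "payments"}, {"Key": "ScanProfile", "Value": "pci"}]},
    {"InstanceId": "i-pay-2", "PrivateIpAddress": "10.0.1.11", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "payments"}]},
    {"InstanceId": "i-web-1", "PrivateIpAddress": "10.0.2.20", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "web"}, {"Key": "ScanProfile", "Value": "webapp"}]},
    {"InstanceId": "i-web-2", "PrivateIpAddress": "10.0.2.21", "State": {"Name": "stopped"},
     "Tags": [{"Key": "Owner", "Value": "web"}]},
    {"InstanceId": "i-orphan", "PrivateIpAddress": "10.0.3.30", "State": {"Name": "running"},
     "Tags": []},   # untagged cattle still get scanned, under a catch-all owner
]

# ScanProfile tag value -> Tenable scan template.  "basic" is Tenable's basic
# network scan; the other names are placeholders for templates a team would define.
PROFILE_TEMPLATES = {"default": "basic", "pci": "pci", "webapp": "webapp"}


def scan_definitions(instances: List[Dict[str, Any]], owner_tag: str = "Owner",
                     profile_tag: str = "ScanProfile") -> List[Dict[str, Any]]:
    """Group running instances by (owner, profile) and emit one scan per group."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for inst in instances:
        if inst["State"]["Name"] != "running":
            continue                       # stopped instances have nothing to scan
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        owner = tags.get(owner_tag, "unowned")
        profile = tags.get(profile_tag, "default")
        groups[(owner, profile)].append(inst["PrivateIpAddress"])
    return [
        {"name": f"auto-{owner}-{profile}",
         "template": PROFILE_TEMPLATES.get(profile, "basic"),
         "targets": sorted(ips)}
        for (owner, profile), ips in sorted(groups.items())
    ]


def sync_scans(definitions: List[Dict[str, Any]], tio: Any) -> Tuple[List[str], List[str]]:
    """Create missing scans and refresh targets of existing ones; returns (created, updated).

    `tio` is a tenable.io.TenableIO client (or a fake with the same three methods).
    The "auto-" prefix marks scans owned by this job so hand-made scans are never touched.
    """
    existing = {s["name"]: s["id"] for s in tio.scans.list() if s["name"].startswith("auto-")}
    created, updated = [], []
    for d in definitions:
        if d["name"] in existing:
            tio.scans.configure(existing[d["name"]], targets=d["targets"])
            updated.append(d["name"])
        else:
            tio.scans.create(name=d["name"], template=d["template"], targets=d["targets"])
            created.append(d["name"])
    return created, updated


def live_instances(region: str) -> List[Dict[str, Any]]:
    """Fetch real instance records with boto3 (assumed installed; needs AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    found = []
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            found.extend(reservation["Instances"])
    return found


if __name__ == "__main__":
    for d in scan_definitions(INSTANCES):
        print(d["name"], d["template"], d["targets"])
```

Run on a schedule, this replaces hand-edited scan configurations: a new instance only needs the right tags (which the tagging module applies) to land in the right owner's scan, and a terminated one drops out on the next sync.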
When given a new technology, developers will first look for examples to copy. We tried to ensure the first things they found were correct.