SlideShare ist ein Scribd-Unternehmen logo

Addressing Cloud Security with OPA

D
DiemShin

Overview of misconfiguration risks in the cloud ear and why policy-as-code is mandatory for security and policy.

Software
1 von 16
Downloaden Sie, um offline zu lesen
Josh Stella, Co-Founder & CTO, Fugue Addressing Cloud Security with OPA
1. Overview of misconfiguration risk in the cloud era 2. Why policy-as-code is mandatory for security and compliance 3. Introduction of Open Policy Agent for policy as code …and the growing OPA ecosystem of tools 4. Technical deep dives into the OPA toolbox for cloud security 5. Getting started with policy as code using OPA 6. Q&A Agenda
Cloud misconfiguration is a major security risk 93% CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION “ Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. ⎯ Neil MacDonald, Gartner “
Cloud misconfiguration is a major security risk IAM 66% OBJECT STORAGE ACCESS POLICIES 51%SECURITY GROUP RULES 59% ENCRYPTION IN TRANSIT DISABLED 42%
Many dangerous cloud misconfigurations are: • not recognized as misconfigurations by security teams • not considered policy violations by compliance frameworks • exceedingly common in enterprise cloud environments …like needles continuously appearing in a haystack Cloud misconfiguration is often overlooked
Before Cloud 1. Identify your target organization 2. Search for vulnerabilities to exploit Hacker strategy has evolved Cloud 1. Identify misconfiguration vulnerabilities 2. Prioritize your target organizations Bad actors use automation to find and exploit cloud misconfiguration
Datacenter • Physical infrastructure • Generally static • Manually deployed, configured, and maintained The cloud attack surface is complex and ever-expanding Cloud • Software-defined infrastructure • Highly dynamic • Deployed, configured, and maintained via APIs • Manually, or… • Automated with Infrastructure as code (Terraform; Cloudformation) Developers now build and modify their own infrastructure environments
Datacenter • Infrastructure teams deliver infrastructure to app teams • Validations and audits are generally performed manually • Partial and inconsistent API coverage Cloud complexity requires policy-as-code for security at scale Cloud • Developers create and modify their own infrastructure via complete and consistent APIs • Validations + audits are either: • Manual (error-prone, slow, not scalable) • Automated with policy as code (accurate, fast, scalable) Policy as code empowers engineers own the security of their cloud-based systems. Repeatable, testable, sharable, scalable, peer-reviewed
Programming languages Logical functions can be expressed as code. Compilers and interpreters provide feedback to developers on whether their code is functionally correct. Policy-as-code provides developers with security feedback Policy-as-Code Your security posture can be expressed as code. Policy-as-code evaluation provides feedback to developers on whether their code and systems are correct regarding security.
Open Policy Agent: an open standard for policy-as-code • Sponsored by the Cloud Native Computing Foundation (CNCF) • Declarative policy using easy-to-learn Rego language • Can validate any JSON data structure • Can be adopted for a wide variety of cloud use cases • Cloud infrastructure (e.g. AWS; Azure; GCP) • Kubernetes transactions • API governance ...and many more • Robust tooling ecosystem • Regula for validating Terraform • Fregot for working with the Rego (OPA’s policy language) …and many more
Proprietary • Single use case • Lock-in and vendor risk • No version control • Often inflexible for sophisticated requirements • No ecosystem or community • No portability of rules • Engineers gain limited skills • Employers are challenged to find skilled engineers Proprietary offerings vs. Open Policy Agent Open Policy Agent • Multiple use cases • No lock-in or vendor risk • Version control (in your repo) • Extremely flexible for sophisticated requirements • Robust ecosystem and community • Rules portability • Engineers gain valuable skills • Employers can find skilled engineers
Myth: infrastructure-as-code is a prerequisite for policy-as-code “We’re not ready for policy-as-code because we haven’t yet adopted infrastructure-as-code.”
Reality: policy-as-code takes priority over infrastructure-as-code “You need policy-as-code because the disparate methods used to create and modify cloud-based systems impact your security posture.” manual (consoles; GUIs) CI/CD infrastructure-as-code multiple services configurating and automating via APIs
Automating cloud security with policy as code across the SDLC Design Validate infrastructure as code with policy as code to correct violations early Deploy Prevent deploying misconfiguration with CI/CD integration Enforce Continuously scan cloud infrastructure and validate running state
Digging into OPA and OPA-based tools
Questions? Open Policy Agent: https://www.openpolicyagent.org/ Fugue Developer for cloud environments (free): www.fugue.co/go Validate Terraform with Regula: https://github.com/fugue/regula Fregot (for working with Rego): https://github.com/fugue/fregot Automated Infrastructure Compliance Framework: aicf.nltgis.com Getting Started Resources

Empfohlen

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud Infrastructure
CloudPassage
 
Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A
Black Duck by Synopsys
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation
Cisco DevNet
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
CloudPassage
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 

Empfohlen

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud Infrastructure
CloudPassage
 
Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A
Black Duck by Synopsys
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation
Cisco DevNet
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
CloudPassage
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
CloudPassage
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
SBWebinars
 
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationMaking the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Black Duck by Synopsys
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
Black Duck by Synopsys
 
Making the Transition from Suite to the Hub
Making the Transition from Suite to the HubMaking the Transition from Suite to the Hub
Making the Transition from Suite to the Hub
Black Duck by Synopsys
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
CloudPassage
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
CloudPassage
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
Black Duck by Synopsys
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
lior mazor
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
The Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSThe Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICS
Tripwire
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major HighlightsWebinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
APPSeCONNECT
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpoint
CloudPassage
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on Giving
Black Duck by Synopsys
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
Moshe Ferber
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
CloudPassage
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
SBWebinars
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
CloudPassage
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 
The Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSThe Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICS
Tripwire
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpoint
CloudPassage
 

Was ist angesagt? (20)

Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationMaking the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network Communication
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
 
Making the Transition from Suite to the Hub
Making the Transition from Suite to the HubMaking the Transition from Suite to the Hub
Making the Transition from Suite to the Hub
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
The Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSThe Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICS
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major HighlightsWebinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpoint
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on Giving
 

Ähnlich wie Addressing Cloud Security with OPA

Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
DevOps.com
 
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentA Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
AlgoSec
 
Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS business
CloudPassage
 
SAP Concur’s Cloud Journey
SAP Concur’s Cloud JourneySAP Concur’s Cloud Journey
SAP Concur’s Cloud Journey
SBWebinars
 
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
RightScale
 
Challenges Scaling DevOps
Challenges Scaling DevOpsChallenges Scaling DevOps
Challenges Scaling DevOps
Rachel Maxwell
 
Coding Secure Infrastructure in the Cloud using the PIE framework
Coding Secure Infrastructure in the Cloud using the PIE frameworkCoding Secure Infrastructure in the Cloud using the PIE framework
Coding Secure Infrastructure in the Cloud using the PIE framework
James Wickett
 

Ähnlich wie Addressing Cloud Security with OPA (20)

Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
 
Cloud application security (CCSP Domain 4)
Cloud application security (CCSP Domain 4)Cloud application security (CCSP Domain 4)
Cloud application security (CCSP Domain 4)
 
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentA Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
 
Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS business
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
 
Application Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
Application Darwinism - Why Most Enterprise Apps Will Evolve to the CloudApplication Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
Application Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
SAP Concur’s Cloud Journey
SAP Concur’s Cloud JourneySAP Concur’s Cloud Journey
SAP Concur’s Cloud Journey
 
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
RightScale Webinar - Coping With Cloud Migration Challenges: Best Practices a...
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
 
Challenges Scaling DevOps
Challenges Scaling DevOpsChallenges Scaling DevOps
Challenges Scaling DevOps
 
Coding Secure Infrastructure in the Cloud using the PIE framework
Coding Secure Infrastructure in the Cloud using the PIE frameworkCoding Secure Infrastructure in the Cloud using the PIE framework
Coding Secure Infrastructure in the Cloud using the PIE framework
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 

Kürzlich hochgeladen

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 

Kürzlich hochgeladen (20)

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

Addressing Cloud Security with OPA

  • 1. Josh Stella, Co-Founder & CTO, Fugue Addressing Cloud Security with OPA
  • 2. 1. Overview of misconfiguration risk in the cloud era 2. Why policy-as-code is mandatory for security and compliance 3. Introduction of Open Policy Agent for policy as code …and the growing OPA ecosystem of tools 4. Technical deep dives into the OPA toolbox for cloud security 5. Getting started with policy as code using OPA 6. Q&A Agenda
  • 3. Cloud misconfiguration is a major security risk 93% CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION “ Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. ⎯ Neil MacDonald, Gartner “
  • 4. Cloud misconfiguration is a major security risk IAM 66% OBJECT STORAGE ACCESS POLICIES 51%SECURITY GROUP RULES 59% ENCRYPTION IN TRANSIT DISABLED 42%
  • 5. Many dangerous cloud misconfigurations are: • not recognized as misconfigurations by security teams • not considered policy violations by compliance frameworks • exceedingly common in enterprise cloud environments …like needles continuously appearing in a haystack Cloud misconfiguration is often overlooked
  • 6. Before Cloud 1. Identify your target organization 2. Search for vulnerabilities to exploit Hacker strategy has evolved Cloud 1. Identify misconfiguration vulnerabilities 2. Prioritize your target organizations Bad actors use automation to find and exploit cloud misconfiguration
  • 7. Datacenter • Physical infrastructure • Generally static • Manually deployed, configured, and maintained The cloud attack surface is complex and ever-expanding Cloud • Software-defined infrastructure • Highly dynamic • Deployed, configured, and maintained via APIs • Manually, or… • Automated with Infrastructure as code (Terraform; Cloudformation) Developers now build and modify their own infrastructure environments
  • 8. Datacenter • Infrastructure teams deliver infrastructure to app teams • Validations and audits are generally performed manually • Partial and inconsistent API coverage Cloud complexity requires policy-as-code for security at scale Cloud • Developers create and modify their own infrastructure via complete and consistent APIs • Validations + audits are either: • Manual (error-prone, slow, not scalable) • Automated with policy as code (accurate, fast, scalable) Policy as code empowers engineers own the security of their cloud-based systems. Repeatable, testable, sharable, scalable, peer-reviewed
  • 9. Programming languages Logical functions can be expressed as code. Compilers and interpreters provide feedback to developers on whether their code is functionally correct. Policy-as-code provides developers with security feedback Policy-as-Code Your security posture can be expressed as code. Policy-as-code evaluation provides feedback to developers on whether their code and systems are correct regarding security.
  • 10. Open Policy Agent: an open standard for policy-as-code • Sponsored by the Cloud Native Computing Foundation (CNCF) • Declarative policy using easy-to-learn Rego language • Can validate any JSON data structure • Can be adopted for a wide variety of cloud use cases • Cloud infrastructure (e.g. AWS; Azure; GCP) • Kubernetes transactions • API governance ...and many more • Robust tooling ecosystem • Regula for validating Terraform • Fregot for working with the Rego (OPA’s policy language) …and many more
  • 11. Proprietary • Single use case • Lock-in and vendor risk • No version control • Often inflexible for sophisticated requirements • No ecosystem or community • No portability of rules • Engineers gain limited skills • Employers are challenged to find skilled engineers Proprietary offerings vs. Open Policy Agent Open Policy Agent • Multiple use cases • No lock-in or vendor risk • Version control (in your repo) • Extremely flexible for sophisticated requirements • Robust ecosystem and community • Rules portability • Engineers gain valuable skills • Employers can find skilled engineers
  • 12. Myth: infrastructure-as-code is a prerequisite for policy-as-code “We’re not ready for policy-as-code because we haven’t yet adopted infrastructure-as-code.”
  • 13. Reality: policy-as-code takes priority over infrastructure-as-code “You need policy-as-code because the disparate methods used to create and modify cloud-based systems impact your security posture.” manual (consoles; GUIs) CI/CD infrastructure-as-code multiple services configurating and automating via APIs
  • 14. Automating cloud security with policy as code across the SDLC Design Validate infrastructure as code with policy as code to correct violations early Deploy Prevent deploying misconfiguration with CI/CD integration Enforce Continuously scan cloud infrastructure and validate running state
  • 15. Digging into OPA and OPA-based tools
  • 16. Questions? Open Policy Agent: https://www.openpolicyagent.org/ Fugue Developer for cloud environments (free): www.fugue.co/go Validate Terraform with Regula: https://github.com/fugue/regula Fregot (for working with Rego): https://github.com/fugue/fregot Automated Infrastructure Compliance Framework: aicf.nltgis.com Getting Started Resources