Security Roadmap: How we are helping you when everything is burning
Verne Lindner and Beth Cornils, PuppetConf 2016
Who are we?
● @vernelindner @bethpdx
● Sr. UX Architect at Puppet
● Sr. Product Manager at Puppet
Why are we here?
(This room specifically, listening to this talk…)
We want you to have fewer of these
Why is Puppet good for security?
● Infrastructure as code
● RBAC
● Auditing
● Enforcement
How is PE helping DevOps
and Security teams?
Is it a tire fire or a campfire?
Multi-pronged approach to Security
Audience participation
Let’s take the temperature of security here
Why do things burn: key terms
● White Hat - Security and compliance vendors
● Black Hat - Nation states, mafia, ransomware, DDoS
Existing terminology
● Vulnerability - Common Vulnerabilities and Exposures (CVEs)
● Unmanaged - Resources on a node that runs an agent but that no manifest declares
● Events - The Events tab, aka Event Inspector, in the PE console
New terms
● Intentional Change - Change driven by an update to Puppet code
● Corrective Change - Change made by Puppet to return a system to the desired state, as defined by Puppet code
White Hat stuff
● Secret management (Conjur)
● Visibility into intentional vs. corrective change
● Whole infrastructure view (long-term)
● Security company integration (CloudPassage)
Let's start with secrets...
14
How do we avoid exposing secrets in Puppet?
Avoid exposing secrets in (easiest to hardest):
● Logs
● PDB (PuppetDB)
● Console
Conjur and Puppet
16
# conjur_variable() runs while the catalog is compiled on the master,
# so the resolved value is embedded in the catalog that PuppetDB stores.
$planet = conjur_variable('planet')
file { '/etc/hello.txt':
  content => "Hello ${planet}!\n",
}

# conjurize_file ships only the reference; '!var puppetdemo/planet'
# is resolved on the node at apply time, so the value stays out of the catalog.
conjurize_file { '/etc/hello.txt':
  variable_map => {
    planet => '!var puppetdemo/planet',
  },
}
Conjur, Vault, Keywhiz, Amazon KMS, Confidant
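The two Conjur forms above differ in where the secret is resolved: a function call resolves on the master during compilation and the value is baked into the catalog, while a reference is resolved on the node. The Ruby script below is an added example, not code from the talk or from the Conjur module. It checks the three sinks the slide lists (logs, PDB, console) for known secret values and shows that the reference form leaves nothing to find. The catalog and report documents, the secret ids and values, and the file and exec resources are all constructed for the example; the field names are modelled on Puppet's catalog and report JSON but the documents are not real captures.

```ruby
require 'digest'

# Added example, not code from the talk or from the Conjur module. It scans the
# three sinks the slide names (logs, the catalog PuppetDB stores, and the report
# events the console shows) for secret values that were resolved on the master at
# compile time, and shows that a reference resolved on the node never appears.
#
# Every document and secret below is constructed for this example; the shapes
# mimic a Puppet catalog ("resources" with "parameters") and a Puppet report
# ("logs" plus "resource_statuses" with "events") but are not real captures.

# Constructed: values the secret store would hand back for these ids.
SECRETS = {
  'puppetdemo/planet'      => 'Sup3rS3cretPl@net',
  'puppetdemo/db_password' => 'hunter2-prod-9f3a'
}.freeze

HELLO_CONTENT = "Hello #{SECRETS['puppetdemo/planet']}!\n"
SCHEMA_CMD    = "mysql -u app -p#{SECRETS['puppetdemo/db_password']} < /tmp/schema.sql"

# conjur_variable() style: lookups happen during catalog compilation, so the
# resolved values are baked into resource parameters. PuppetDB stores this catalog.
COMPILED_CATALOG = {
  'resources' => [
    { 'type' => 'File', 'title' => '/etc/hello.txt',
      'parameters' => { 'content' => HELLO_CONTENT } },
    { 'type' => 'Exec', 'title' => 'load schema',
      'parameters' => { 'command' => SCHEMA_CMD } }
  ]
}.freeze

# Report from applying that catalog. Exec echoes its command line into the debug
# log; File content events carry checksums rather than the content itself.
AGENT_REPORT = {
  'logs' => [
    { 'level' => 'debug',
      'message' => "Exec[load schema](provider=posix): Executing '#{SCHEMA_CMD}'" },
    { 'level' => 'notice', 'message' => 'Exec[load schema]/returns: executed successfully' }
  ],
  'resource_statuses' => {
    'File[/etc/hello.txt]' => { 'events' => [
      { 'property' => 'content',
        'message'  => "content changed '{md5}#{Digest::MD5.hexdigest('')}' to '{md5}#{Digest::MD5.hexdigest(HELLO_CONTENT)}'" }] },
    'Exec[load schema]' => { 'events' => [
      { 'property' => 'returns', 'message' => 'executed successfully' }] }
  }
}.freeze

# conjurize_file style: the catalog carries only a reference; the agent resolves
# '!var puppetdemo/planet' locally when it applies the resource.
REFERENCE_CATALOG = {
  'resources' => [
    { 'type' => 'Conjurize_file', 'title' => '/etc/hello.txt',
      'parameters' => { 'variable_map' => { 'planet' => '!var puppetdemo/planet' } } }
  ]
}.freeze

# Visit every string leaf of a nested Hash/Array with a JSON-pointer-like path.
def each_string(node, path = '', &blk)
  case node
  when Hash   then node.each { |k, v| each_string(v, "#{path}/#{k}", &blk) }
  when Array  then node.each_with_index { |v, i| each_string(v, "#{path}/#{i}", &blk) }
  when String then yield path, node
  end
end

# Name the sink a path belongs to, using the slide's three categories.
def sink_for(doc_name, path)
  return 'PDB (stored catalog)' if doc_name == 'catalog'
  return 'Logs' if path.start_with?('/logs/')
  return 'Console (events)' if path.start_with?('/resource_statuses/')
  'other'
end

# Findings: every place a known secret value shows up, with the sink it leaks into.
def find_leaks(documents, secrets)
  findings = []
  documents.each do |doc_name, doc|
    each_string(doc) do |path, str|
      secrets.each do |id, value|
        next unless str.include?(value)
        findings << { doc: doc_name, path: path, secret: id, sink: sink_for(doc_name, path) }
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  find_leaks({ 'catalog' => COMPILED_CATALOG, 'report' => AGENT_REPORT }, SECRETS).each do |f|
    puts "#{f[:sink]}: #{f[:secret]} at #{f[:doc]}#{f[:path]}"
  end
  puts "reference catalog leaks: #{find_leaks({ 'catalog' => REFERENCE_CATALOG }, SECRETS).size}"
end
```

To run it on real data, load a catalog (`puppet catalog find <certname>` on the master) and an agent's `last_run_report.yaml`, and pass the secret values you actually pulled from the store. Note where the findings land: the file content event carries only checksums, so the console view looks clean while the stored catalog and the debug log still hold the values. That is why "avoid exposing secrets in the console" is the easy part and PDB and logs are the harder ones.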
Visibility into Intentional vs. Corrective Change
How to narrow down what might be burning
When your infrastructure is burning, how can PE help?
● Intentional change reporting
● Corrective change reporting
Corrective change: v1
Corrective change workflow 1: by node
(screenshots: select report, view details)
Corrective change workflow 2: across time
Corrective change: Future
Event Inspector, Node Graph, resource reporting, and reporting on nodes not under active Puppet management
27
Full view of your infrastructure
Reducing the clutter in your head via a single view
Managed & unmanaged change
Tying in vulnerability scanning
How many fucks do I need to give about a given corrective
change?
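The split the deck describes (intentional vs. corrective) is recorded per event in the agent report, and the question on this slide, how much a given corrective change matters, comes down to joining that flag with what a scanner knows about the node. The Ruby script below is an added example, not code from the talk or from Puppet Enterprise: it reads a batch of constructed agent reports, separates corrective from intentional events, and ranks the corrective ones by the node's scan result. It assumes the report layout of the Puppet 4.6 era (report format 6, a boolean `corrective_change` on each event); the hosts, resources, version strings and scan counts are made up for the example.

```ruby
# Added example, not code from the talk or from Puppet Enterprise. It splits the
# changes in a batch of Puppet agent reports into intentional (driven by a code
# update) and corrective (Puppet put a drifted node back to the desired state),
# then ranks the corrective ones using what a vulnerability scan says about the node.
#
# Assumption: the report format of Puppet 4.6 / PE 2016.4 (format 6) carries a
# boolean "corrective_change" on each event. The reports and scan results below
# are constructed for this example, not real captures.

REPORTS = [
  { 'host' => 'web01.example.com',
    'resource_statuses' => {
      # Nobody changed the Puppet code; the file on disk differed from the catalog.
      'File[/etc/ssh/sshd_config]' => { 'events' => [
        { 'property' => 'content', 'corrective_change' => true, 'status' => 'success',
          'previous_value' => '{md5}0cc175b9c0f1b6a831c399e269772661',
          'desired_value'  => '{md5}92eb5ffee6ae2fec3ad71c777531578f' }] },
      # Version bump came from a code change: intentional.
      'Package[openssl]' => { 'events' => [
        { 'property' => 'ensure', 'corrective_change' => false, 'status' => 'success',
          'previous_value' => '1.0.2-1', 'desired_value' => '1.0.2-2' }] },
      'Service[sshd]' => { 'events' => [] } } },
  { 'host' => 'db01.example.com',
    'resource_statuses' => {
      # A service account got an interactive shell behind Puppet's back.
      'User[backup]' => { 'events' => [
        { 'property' => 'shell', 'corrective_change' => true, 'status' => 'success',
          'previous_value' => '/bin/bash', 'desired_value' => '/usr/sbin/nologin' }] } } },
  { 'host' => 'bastion.example.com',
    'resource_statuses' => {
      'File[/etc/motd]' => { 'events' => [
        { 'property' => 'ensure', 'corrective_change' => false, 'status' => 'success',
          'previous_value' => 'absent', 'desired_value' => 'file' }] },
      # auditd was found stopped and Puppet failed to restart it: the drift persists.
      'Service[auditd]' => { 'events' => [
        { 'property' => 'ensure', 'corrective_change' => true, 'status' => 'failure',
          'previous_value' => 'stopped', 'desired_value' => 'running' }] } } }
].freeze

# Constructed scanner output keyed by host; nil means the scanner has no data.
SCAN = {
  'web01.example.com'   => { 'critical' => 2, 'non_critical' => 5 },
  'db01.example.com'    => { 'critical' => 0, 'non_critical' => 1 },
  'bastion.example.com' => nil
}.freeze

Change = Struct.new(:host, :resource, :property, :from, :to, :corrective, :status,
                    keyword_init: true)

# Flatten one report into Change records, one per event.
def changes_from(report)
  report['resource_statuses'].flat_map do |resource, status|
    status.fetch('events', []).map do |e|
      Change.new(host: report['host'], resource: resource, property: e['property'],
                 from: e['previous_value'], to: e['desired_value'],
                 corrective: e['corrective_change'] == true, status: e['status'])
    end
  end
end

# => [corrective changes, intentional changes]
def split_changes(reports)
  reports.flat_map { |r| changes_from(r) }.partition(&:corrective)
end

# Higher number = look at it sooner. A node with critical findings outranks one
# with none; a node the scanner never saw is "unknown", which is not "clean";
# a corrective change Puppet failed to apply means the drift is still there.
def priority(change, scan)
  base = if scan[change.host].nil?
           2
         elsif scan[change.host]['critical'].to_i > 0
           3
         else
           1
         end
  change.status == 'success' ? base : base + 1
end

def triage(reports, scan)
  corrective, intentional = split_changes(reports)
  ranked = corrective.sort_by { |c| [-priority(c, scan), c.host, c.resource] }
  { corrective: ranked, intentional: intentional }
end

if $PROGRAM_NAME == __FILE__
  result = triage(REPORTS, SCAN)
  result[:corrective].each do |c|
    puts format('P%d %-22s %-28s %s: %s -> %s (%s)', priority(c, SCAN), c.host,
                c.resource, c.property, c.from, c.to, c.status)
  end
  puts "intentional: #{result[:intentional].map(&:resource).join(', ')}"
end
```

With real data, fill `REPORTS` from PuppetDB (`/pdb/query/v4/reports`) and `SCAN` from your scanner's per-host export. The ranking deliberately treats a host with no scan data as unknown rather than clean, and a corrective change that failed as the worst case, since the drift Puppet found is still in place; intentional changes are listed separately because they already have an owner in version control.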
Security vendor integration
What vendor integration gets you
● Security company integration (CloudPassage)
● Vulnerability comparison against your PE infrastructure
● Easier compliance tracking
Summary
What have we learned?
Q&A
Other Security talks
● Bill Weiss from Puppet http://sched.co/6fkD
● Peter Souter from Puppet http://sched.co/6fjZ
● Seth Vargo from Hashicorp http://sched.co/6fjv
● Ben Hughes from Etsy http://sched.co/6fkM
Where to find out more
More on Conjur https://www.conjur.net/puppet-secret-server
Module on Forge https://forge.puppet.com/conjur/conjur
Agile Security and Compliance with CloudPassage and Puppet
Application Lifecycle Management with Security using Halo and Puppet
Continuous Security Assessment and Compliance
(diagram labels: role-based server group for your environments; current security and compliance posture of your environments; critical / non-critical; security incident)
Automated Security & Compliance Assessment
Monitor and protect workloads using:
● Firewall Automation
● Workload Vulnerability Assessment
● File Integrity Monitoring
● Log-based IDS
● Multi-factor Authentication
● Install & manage the Halo agent on workloads
● Change workload configuration and provide remediation based on the security & compliance report provided by Halo
Workload Security Assessment Report
● Easy to deploy Halo using Puppet
● The agent runs in "read-only" mode and does not change the state of the workload
● Collects security & compliance issues
● Provides a full report in a few minutes
● The report provides visibility on:
○ Servers with critical / non-critical issues
○ User accounts
○ Software vulnerabilities with CVE information
○ Compliance against CIS Benchmarks
○ Running processes
● Easily integrate these findings with Puppet to start the remediation process
App. Lifecycle Mgmt with Security using Halo and Puppet
PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet