More organizations are embracing DevOps to realize compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource utilization. However, security and compliance monitoring tools have not kept up. In fact, they often represent the largest single remaining barrier to continuous delivery. Learn how to integrate security controls in your DevOps program from experts at Alert Logic and George Miranda, engineer and evangelist at Chef. Sponsored by Alert Logic.
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
SEC312 | November 13, 2014 | Las Vegas, NV
SEC312: Taking a DevOps Approach to Security
Paul Fisher – Alert Logic
Guest Speaker: George Miranda – Chef Software
Speaker Introduction
George Miranda, Engineer & Evangelist, Chef Software, Inc.
@gmiranda23 | www.linkedin.com/in/gmiranda23
Paul Fisher, VP Technology Operations, Alert Logic, Inc.
@fisherpk | www.linkedin.com/in/fisherpk/
Session Overview
More organizations are embracing DevOps to realize compelling
business benefits such as faster yet safer feature release cadence,
increased application stability, and rapid response to shifting market
conditions. However, security and compliance monitoring tools have not
kept up and often represent the single largest remaining hurdle to
Continuous Delivery.
Topics covered in this session:
•How DevOps Improves your Security Posture
•Overcoming Challenges in DevOps Environments
DevOps Improves Security Posture
Configuration Management
“We suffer sometimes from the hubris of
believing that control is a matter of applying
sufficient force, or a sufficiently detailed set of
instructions.”
Mark Burgess, Father of Configuration Management
Author of “In Search of Certainty”
Automation and Convergent Infrastructure
“A system’s desired configuration state can be said to be
defined by fixed points. Most configuration management
systems (e.g.: CFEngine, Chef, Puppet, PowerShell DSC) are
based on this idea: they provide means to declare what must
happen instead of requiring imperative workflows that
prescribe what to do.”
Mark Burgess, Father of Configuration Management
Author of “In Search of Certainty”
Emergence of DevOps
“You got your Dev in my Ops!”
“You got your Ops in my Dev!”
Driving Toward Immutable Infrastructure
“This is what I call disposable computing. Throw away a
broken process rather than trying to fix it. Machines can be
made expendable as long as the total software is designed for
it. Not much of it is today, but we’re getting there. Nature
shows that this is a good way of scaling services.”
Mark Burgess, Father of Configuration Management
Author of “In Search of Certainty”
Infrastructure as Code
• Converge on a regular interval
• Configuration management is idempotent
• All persistent changes must be in source control
• Manual intervention discouraged
• Out-of-band changes will be lost
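The five bullets above describe one mechanism: a declaration of desired state that is re-applied on a schedule, changes nothing when the system already matches, and silently overwrites whatever was changed by hand in between. The following added example (written for this page; it is not code from the deck, from Chef, or from Alert Logic) implements a minimal convergent file resource in plain Ruby so the behaviour can be seen end to end. The resource shape (path, content, mode) and the sshd_config content are assumptions for the demonstration.

```ruby
# Added example: a minimal convergent "file" resource, not Chef's own code.
# Shows: declare desired state; converge idempotently; out-of-band edits lost.
require 'digest'
require 'fileutils'
require 'tmpdir'

# Desired state of one file. Assumed shape; a real resource carries more.
FileResource = Struct.new(:path, :content, :mode)

# Compare disk with the declaration. Returns the attributes that differ
# (empty when the file already matches).
def drift(res)
  return [:missing] unless File.file?(res.path)
  diffs = []
  diffs << :content unless Digest::SHA256.file(res.path).hexdigest ==
                           Digest::SHA256.hexdigest(res.content)
  diffs << :mode unless (File.stat(res.path).mode & 0o7777) == res.mode
  diffs
end

# Converge one resource: no-op if it matches (idempotent), otherwise make
# disk match the declaration. Returns the attributes it had to fix.
def converge(res)
  diffs = drift(res)
  return [] if diffs.empty?
  FileUtils.mkdir_p(File.dirname(res.path))
  if diffs.include?(:missing) || diffs.include?(:content)
    File.write(res.path, res.content)
  end
  File.chmod(res.mode, res.path)
  diffs
end

# One scheduled run over the whole declaration; returns {path => fixes}
# only for resources that were actually corrected.
def converge_all(resources)
  resources.each_with_object({}) do |r, changed|
    fixes = converge(r)
    changed[r.path] = fixes unless fixes.empty?
  end
end

# Run 1 creates both files, run 2 is a no-op, a manual "fix" to sshd_config
# (root login re-enabled, mode loosened) is reverted by run 3.
def converge_demo
  Dir.mktmpdir do |dir|
    decl = [
      FileResource.new(File.join(dir, 'etc/ssh/sshd_config'),
                       "PermitRootLogin no\nPasswordAuthentication no\n", 0o600),
      FileResource.new(File.join(dir, 'etc/motd'),
                       "managed by configuration management\n", 0o644)
    ]
    first  = converge_all(decl)
    second = converge_all(decl)
    File.write(decl[0].path, "PermitRootLogin yes\n")   # out-of-band change
    File.chmod(0o644, decl[0].path)
    third  = converge_all(decl)
    [first.size, second.size, third[decl[0].path], File.read(decl[0].path)]
  end
end
```

The security point is the third run: the hand edit that re-enabled root login does not survive the next converge, which is why the deck insists that every persistent change go through source control.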
Security & Compliance Implications
Continuous Delivery Patterns
Test Driven Infrastructure
Continuous Security
Areas of the security program that continuous delivery touches:
• Security Posture
• Auditing & Compliance
• End-to-End Visibility
• Disaster Recovery & Business Continuity
• Remediation & Fast Resolution
• Continuous Detection/Protection
• Automated Configuration & Scaling
Overcoming Security Challenges
• Challenges for security technology and practice today
– AWS Shared Responsibility Model
– Challenges remain for customers
• Leveraging DevOps for security
– Best practices for blending DevOps with security
• Toward software-defined security
– Embracing new reality of AWS cloud infrastructure
AWS Shared Responsibility Model
Cloud Service Provider responsibility:
  Foundation Services: Compute, Storage, DB, Network
  Networks:
  • Logical network segmentation
  • Perimeter security services
  • External DDoS, spoofing, and scanning prevented
  Hosts:
  • Hardened hypervisor
  • System image library
  • Root access for customer
Customer responsibility:
  Hosts:
  • Access management
  • Patch management
  • Configuration hardening
  • Security monitoring
  • Log analysis
  Apps:
  • Secure coding and best practices
  • Software and virtual patching
  • Configuration management
  • Access management
  • Application level attack monitoring
  Networks:
  • Network threat detection
  • Security monitoring
2014: Security Top Cloud Pain Point
Security                                                31%
Pricing/Budget/Cost                                     17%
Human Change Management                                 12%
Security of Data, Control of Data Locality, Sovereignty 11%
Compliance                                              11%
Migration/Integration                                   10%
Internal Resources/Expertise                             9%
Management                                               8%
Lack of Internal Process                               7.4%
Vendor/Provider Issues                                   7%
Organizational Challenges                                7%
Contractual/Legal Issues                                 7%
Service Reliability/Availability                         5%
Network                                                  5%
Lack of Standards                                        4%
Application Security Technology Challenges
• Network Changes
• Host Identity
• Auto Scaling
Security at Odds with DevOps Velocity
Traditional security/compliance is slow
Mature DevOps velocity is fast
Security practice does not keep up
InfoSec Ends Up Being Marginalized
“The problem for the security person who is used to
turning around security reviews in a month or two
weeks is they're just being shoved out of the game.
There's no way with how Infosec is currently configured
that they can keep up with that. So, Infosec gets all the
complaints about being marginalized and getting in the
way of doing what needs getting done.”
Gene Kim, former CTO of Tripwire
Author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”
Integrating Security with DevOps
• Leveraging DevOps practice for better security
– Prevent attack vectors with immutable systems
– Adopt strategy of phoenix upgrades
– Robust auditing and centralized log collection
– Embrace end-to-end continuous deployment
– Manage vulnerabilities with base images and
configuration management
Prevent Attacks with Immutable Systems
Design Secure Immutable Infrastructure
• Build secure base images that are representative of your infrastructure system base.
• Design the file system layout to separate code from data, and lock each down to the minimum required permissions. The same separation and least-privilege approach should extend to the network.
• Leverage SANS checklists and CIS Benchmark resources for system-level security best practices and guidance.
• Leverage configuration management tools to standardize all software versions and configurations.
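The "separate code from data, lock down to minimum permissions" rule is only useful if something checks it on every image build. The following added example (written for this page, not code from the deck or from Alert Logic) audits a deployed tree against an assumed policy: under the code root nothing may be group- or world-writable, under the data root no regular file may carry an execute bit, and nothing anywhere may be setuid/setgid. The directory layout (/opt/app/current, /var/lib/app) and the policy itself are assumptions chosen for the demonstration; the tree it walks is constructed in a temporary directory.

```ruby
# Added example: file-system layout audit for an immutable image build.
# Policy below is an assumption for the demo, not the deck's.
require 'fileutils'
require 'find'
require 'tmpdir'

Finding = Struct.new(:path, :rule)

# Walk one tree and return the findings for it. kind is :code or :data.
def audit_tree(root, kind)
  findings = []
  Find.find(root) do |p|
    next if p == root
    mode = File.lstat(p).mode & 0o7777
    findings << Finding.new(p, :setuid_or_setgid) if (mode & 0o6000) != 0
    case kind
    when :code   # code must not be modifiable by the service account or others
      findings << Finding.new(p, :writable_code) if (mode & 0o022) != 0
    when :data   # data must never be executable
      if File.file?(p) && (mode & 0o111) != 0
        findings << Finding.new(p, :executable_data)
      end
    end
  end
  findings
end

def audit_layout(code_root, data_root)
  audit_tree(code_root, :code) + audit_tree(data_root, :data)
end

# Constructed sample tree with one violation of each kind; modes are set
# explicitly so the result does not depend on the build host's umask.
def layout_demo
  Dir.mktmpdir do |dir|
    code = File.join(dir, 'opt/app/current')
    data = File.join(dir, 'var/lib/app')
    FileUtils.mkdir_p([File.join(code, 'bin'), File.join(data, 'uploads')])
    [code, File.join(code, 'bin'), data, File.join(data, 'uploads')].each do |d|
      File.chmod(0o750, d)
    end
    File.write(File.join(code, 'bin/server'), "#!/bin/sh\necho serving\n")
    File.chmod(0o755, File.join(code, 'bin/server'))          # fine
    File.write(File.join(code, 'config.yml'), "db: prod\n")
    File.chmod(0o666, File.join(code, 'config.yml'))          # violation
    File.write(File.join(data, 'uploads/avatar.png'), 'PNG bytes')
    File.chmod(0o755, File.join(data, 'uploads/avatar.png'))  # violation
    audit_layout(code, data).map { |f| [f.path.sub(dir, ''), f.rule] }.sort
  end
end
```

Run it as the last step of the image pipeline and fail the build on any finding; a world-writable file in the code tree is exactly the foothold an attacker needs to turn a foothold into persistence on a "immutable" host.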
Adopt Strategy of Phoenix Upgrades
Embrace phoenix upgrades
• Stand up new instances, don’t upgrade
• Route traffic between old and new instances
• Rich service metrics and automate rollback
• Advanced routing can enable selective rollout
Results
• Creates evergreen systems, avoiding
configuration drift and technical debt
• Enforces refresh of all system components as
complete artifact, tested as a holistic system
• Greatly reduces security risk when combined with immutable instances and configuration management
Centralize Robust Auditing & Logging
Implement Local Auditing (sample auditd rules):
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
…
Collect Important Logs (sample syslog-ng configuration):
#Sample syslog-ng configuration
#Lots of configuration required
........
# Send *ALL* System Logs to Log Appliance
destination df_log_appliance_forward {
    tcp("my-log-appliance" port(514));
};
log {
    source(s_all);
    destination(df_log_appliance_forward);
};
Note that tcp() on port 514 forwards logs in clear text; syslog-ng can wrap the same destination in TLS (the tls() option on the destination) so an attacker on the path cannot read or alter the audit trail in transit.
Centralize Log Collection for Search and Filtering
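Once audit records reach the central collector, the work is correlation: auditd emits one SYSCALL record plus separate CWD and PATH records for a single event, all tied together by the serial number inside msg=audit(time:serial). The following added example (written for this page, not code from the deck or Alert Logic) parses records in that format, joins them by serial, and raises an alert when a successful unlink/rmdir/unlinkat removed a path under a watched prefix. The log lines are constructed approximations of auditd output, and the watched prefixes are an assumption. One caveat the rules above do not cover: modern coreutils rm removes files through unlinkat(), which a rule on -S unlink alone does not match, so the example treats syscall 263 (unlinkat on x86_64) as a deletion too; add -S unlinkat next to -S unlink in the rule set.

```ruby
# Added example: correlate auditd records by serial and flag deletions.
# Syscall numbers are x86_64 (arch=c000003e).
DELETE_SYSCALLS = { 87 => 'unlink', 84 => 'rmdir', 263 => 'unlinkat' }.freeze
WATCHED_PREFIXES = ['/etc/', '/opt/app/'].freeze   # assumed policy

AuditRecord = Struct.new(:type, :serial, :fields)
Alert = Struct.new(:serial, :time, :auid, :exe, :syscall, :path)

# "type=X msg=audit(TIME:SERIAL): k=v k="quoted v" ..." -> AuditRecord
def parse_record(line)
  m = line.match(/\Atype=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)\z/)
  return nil unless m
  fields = m[4].scan(/(\w+)=("[^"]*"|\S+)/)
               .map { |k, v| [k, v.delete('"')] }.to_h
  AuditRecord.new(m[1], m[3].to_i, fields.merge('time' => m[2]))
end

# Group every record of one event under its serial number.
def correlate(text)
  text.each_line.map { |l| parse_record(l.strip) }.compact.group_by(&:serial)
end

def deletions(text, watched: WATCHED_PREFIXES)
  correlate(text).flat_map do |serial, recs|
    sys = recs.find { |r| r.type == 'SYSCALL' }
    next [] unless sys && sys.fields['success'] == 'yes'   # failed attempts skipped
    name = DELETE_SYSCALLS[sys.fields['syscall'].to_i]
    next [] unless name
    recs.select { |r| r.type == 'PATH' && r.fields['nametype'] == 'DELETE' }
        .map { |r| r.fields['name'] }
        .select { |p| watched.any? { |w| p.start_with?(w) } }
        .map do |p|
          # auid is the login uid: it survives sudo, so the alert names the human
          Alert.new(serial, sys.fields['time'], sys.fields['auid'],
                    sys.fields['exe'], name, p)
        end
  end
end

# Constructed sample: a sudo user deleting an audit rule file (serial 2001),
# a failed unlink of /etc/passwd (2002), and a deletion outside /etc (2003).
SAMPLE_AUDIT_LOG = <<~LOG
  type=SYSCALL msg=audit(1415865600.101:2001): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=1f3a2c0 a2=0 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 ses=4 comm="rm" exe="/usr/bin/rm" key=(null)
  type=CWD msg=audit(1415865600.101:2001): cwd="/root"
  type=PATH msg=audit(1415865600.101:2001): item=0 name="/etc/audit/rules.d/" inode=1234 dev=08:01 mode=040750 ouid=0 ogid=0 nametype=PARENT
  type=PATH msg=audit(1415865600.101:2001): item=1 name="/etc/audit/rules.d/hardening.rules" inode=1235 dev=08:01 mode=0100640 ouid=0 ogid=0 nametype=DELETE
  type=SYSCALL msg=audit(1415865601.250:2002): arch=c000003e syscall=87 success=no exit=-13 a0=0 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 ses=5 comm="rm" exe="/usr/bin/rm" key=(null)
  type=PATH msg=audit(1415865601.250:2002): item=0 name="/etc/passwd" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
  type=SYSCALL msg=audit(1415865602.000:2003): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 ses=4 comm="rm" exe="/usr/bin/rm" key=(null)
  type=PATH msg=audit(1415865602.000:2003): item=1 name="/home/alice/notes.txt" inode=555 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
LOG
```

Only serial 2001 produces an alert, and it names auid 1000 rather than uid 0: the deletion ran under sudo, and the login uid is the field that still identifies who did it.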
Embrace Complete Continuous Deployment
End-to-end continuous deployment
• Configuration management (Chef)
• Standardized environment images (Packer)
• Environment/subsystem orchestration layer
• Production-like environments in Dev & Test, which must include:
–Secure immutable systems
–Phoenix upgrades
–Complete logging, metrics, & monitoring
Results
• Holistic system validation & testing
• Continuous validation of secure configuration
Leverage Configuration Management
#Sample Alert Logic Chef NodeDef
{
  "name": "cloud-api-node",
  "versions": {
    "1.6.0": {
      "vm_type": "squeeze64",
      "install_phase": {
        "run_list": [
          "[email protected]"
        ]
      },
      ….
Leverage Standardized Environment Images
Build an Orchestration Layer
#Sample Packer Configuration
{
  "variables": {
    "aws_access": "",
    "aws_secret": ""
  },
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access`}}",
    "secret_key": "{{user `aws_secret`}}",
    "region": "us-east-1",
    "source_ami": "ami-de0d9eb7",
    "instance_type": "t1.micro",
    "ssh_username": "ubuntu",
    "ami_name": "packer-ex {{timestamp}}"
  }]
}
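The Packer template above does the right thing with credentials: it references user variables instead of embedding keys, and it timestamps the AMI name so every build is a distinct artifact. "Continuous validation of secure configuration" means checking those properties on every commit rather than trusting that the next edit keeps them. The following added example (written for this page; it is not part of Packer, Chef, or the deck) is such a pre-merge lint for Packer JSON templates. The rules it enforces, the credential key names and the two sample templates are assumptions constructed for the demonstration; the "secret" values in the bad template are placeholders, not real credentials.

```ruby
# Added example: lint a Packer JSON template before it is merged.
require 'json'

CREDENTIAL_KEYS = %w[access_key secret_key token].freeze   # assumed list
USER_VAR = /\{\{\s*user\s+`([^`]+)`\s*\}\}/

# Returns a list of problem strings; an empty list means the template passes.
def lint_packer_template(json_text)
  tpl = JSON.parse(json_text)
  problems = []
  variables = tpl.fetch('variables', {})
  # A declared variable with a non-empty default is still a value checked in.
  variables.each do |name, default|
    next if default.to_s.empty?
    next unless name =~ /secret|key|token|password/i
    problems << "variables.#{name}: non-empty default for a credential-like variable"
  end
  Array(tpl['builders']).each_with_index do |b, i|
    where = "builders[#{i}]"
    CREDENTIAL_KEYS.each do |k|
      next unless b.key?(k)
      refs = b[k].to_s.scan(USER_VAR).flatten
      if refs.empty?
        problems << "#{where}.#{k}: literal credential in template"
      else
        (refs - variables.keys).each do |v|
          problems << "#{where}.#{k}: references undeclared variable #{v}"
        end
      end
    end
    if b['type'].to_s.start_with?('amazon-') &&
       !b['ami_name'].to_s.include?('{{timestamp}}')
      problems << "#{where}.ami_name: not unique per build (no {{timestamp}})"
    end
  end
  problems
end

# Constructed samples: the good one mirrors the template in the deck.
GOOD_TEMPLATE = <<~JSON
  {
    "variables": { "aws_access": "", "aws_secret": "" },
    "builders": [{
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access`}}",
      "secret_key": "{{user `aws_secret`}}",
      "region": "us-east-1",
      "source_ami": "ami-de0d9eb7",
      "instance_type": "t1.micro",
      "ssh_username": "ubuntu",
      "ami_name": "packer-ex {{timestamp}}"
    }]
  }
JSON

BAD_TEMPLATE = <<~JSON
  {
    "variables": { "aws_secret": "EXAMPLE-NOT-A-REAL-SECRET" },
    "builders": [{
      "type": "amazon-ebs",
      "access_key": "EXAMPLEACCESSKEYID",
      "secret_key": "{{user `aws_secret`}}",
      "region": "us-east-1",
      "source_ami": "ami-de0d9eb7",
      "instance_type": "t1.micro",
      "ssh_username": "ubuntu",
      "ami_name": "packer-ex"
    }]
  }
JSON
```

The bad template fails on three counts: a credential default committed in variables, a literal access key in the builder, and an AMI name that would let a rebuilt image be mistaken for the one already tested.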
Manage Vulnerabilities with Base Images
Manage Vulnerabilities
• Conduct normal vulnerability scanning
• Identify vulnerabilities that exist in base
images versus application-specific packages
• Remediate at appropriate level as part of
continuous delivery process
Results
• Less work, done more reliably
• Patching fits naturally into phoenix upgrades
• Continuous delivery allows frequent scanning
in test environments to have real value
• Fixes potential vulnerabilities systematically
Moving to Software Defined Security
• Significant opportunity remains in front of us
• AWS ready to accelerate security technology
– Leverage end-to-end visibility available
– Transform periodic assessment into real-time
automated responses
– Protect automatically with real-time reconfiguration
Leverage End-to-End Visibility
• Use APIs and AWS CloudTrail logs to see everything
• Automatically track and react to every deploy
Transform Assessment to be Real-Time
• Shrink assessment-remediation cycle from weeks to
minutes
Protect with Automatic Reconfiguration
• React in real time to systems as deployed
• Automatically reconfigure security infrastructure
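The three slides above describe one loop: read the API trail, recognise a change that matters, and issue a corrective reconfiguration within minutes. The following added example (written for this page; it is not code from the deck or from Alert Logic) runs that loop over a batch of CloudTrail records. It flags security-group rules that open administrative ports to 0.0.0.0/0 and instances launched from an image outside an approved list, and returns the actions a responder would issue. The records are constructed in CloudTrail's JSON shape, the admin-port and approved-AMI policy are assumptions, and nothing here calls AWS; the returned actions would be handed to the real API client.

```ruby
# Added example: detection over CloudTrail records with a reconfiguration plan.
require 'json'

ADMIN_PORTS = [22, 3389].freeze                  # assumed policy
APPROVED_AMIS = %w[ami-de0d9eb7].freeze          # assumed: the deck's Packer source AMI

Action = Struct.new(:kind, :target, :detail, :actor)

def actor_of(rec)
  id = rec['userIdentity'] || {}
  id['arn'] || id['userName'] || id['type']
end

# Flatten ipPermissions.items[].ipRanges.items[] into [proto, from, to, cidr].
def permissions(rec)
  items = rec.dig('requestParameters', 'ipPermissions', 'items') || []
  items.flat_map do |p|
    ranges = p.dig('ipRanges', 'items') || []
    ranges.map { |r| [p['ipProtocol'], p['fromPort'], p['toPort'], r['cidrIp']] }
  end
end

# A missing port range (or -1) means "all traffic", which covers every port.
def covers_admin_port?(from, to)
  return true if from.nil? || to.nil? || from == -1
  ADMIN_PORTS.any? { |port| (from..to).cover?(port) }
end

def plan_actions(records)
  records.flat_map do |rec|
    case rec['eventName']
    when 'AuthorizeSecurityGroupIngress'
      sg = rec.dig('requestParameters', 'groupId')
      permissions(rec)
        .select { |_, from, to, cidr| cidr == '0.0.0.0/0' && covers_admin_port?(from, to) }
        .map { |proto, from, to, cidr| Action.new(:revoke_ingress, sg, "#{proto} #{from}-#{to} from #{cidr}", actor_of(rec)) }
    when 'RunInstances'
      ami = rec.dig('requestParameters', 'instancesSet', 'items', 0, 'imageId')
      next [] if APPROVED_AMIS.include?(ami)
      (rec.dig('responseElements', 'instancesSet', 'items') || [])
        .map { |i| Action.new(:quarantine_instance, i['instanceId'], "launched from unapproved #{ami}", actor_of(rec)) }
    else
      []
    end
  end
end

def plan_from_json(text)
  plan_actions(JSON.parse(text)['Records'])
end

# Constructed records: one ingress change (443 is fine, 22 is not), one launch
# from an unknown image, one launch from the approved image. IDs are made up.
SAMPLE_TRAIL = <<~JSON
  {"Records": [
    {"eventVersion": "1.02", "eventTime": "2014-11-13T17:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
       {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
       {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": {"_return": true}},
    {"eventVersion": "1.02", "eventTime": "2014-11-13T17:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0badbad0", "minCount": 1, "maxCount": 1}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123abcd"}]}}},
    {"eventVersion": "1.02", "eventTime": "2014-11-13T17:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-de0d9eb7", "minCount": 2, "maxCount": 2}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0000aaaa"}, {"instanceId": "i-0000bbbb"}]}}}
  ]}
JSON
```

The batch yields two actions: revoke the tcp/22 rule on sg-0a1b2c3d and quarantine i-0123abcd; the approved-image launch produces nothing, which is what lets the loop run on every deploy without drowning the responder.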
Contact Us
Paul Fisher
VP Technology Operations
Alert Logic
@fisherpk
George Miranda
Engineer & Evangelist
Chef Software, Inc.
@gmiranda23
http://bit.ly/awsevals