Security, Identity, and DevOps, oh my - Print

Post on 21-Jan-2017

November 15, 2016

Security, Identity, and DevOps, oh my… Chris Sanchez, Founder and CTO, zibernetics. Twitter: @CSanchezAustin, E: chris@zibernetics.com

Post questions to #security-track

Background

• 20+ years in Austin Technology as an Engineer, Manager, Mentor, Executive, and Entrepreneur

• Tech Veteran – iChat/Acuity, CALEB Technologies, Webify, PointSource, 21CT, CognitiveScale, Sun Microsystems, IBM

• Passion for Identity and DevOps

• Founded zibernetics in 2015 – Research and Development projects

• Identity, HIPAA Security, DevOps, Cloud, Linux

– Consultancy for early stage and growth startups

Pop Quiz: Why is this bad? pg_hba.conf

host all pgbot 192.168.5.0/24 trust
host all pgbot 172.20.0.0/16 trust

First 2 people to post the most interesting security issues to the #security-track with #IdentityOps will win a bumper sticker.

#IdentityOps
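The answer to the quiz is the METHOD column: `trust` performs no credential check at all, so every machine in those two ranges can connect as pgbot to every database. As an added example (not from the talk), this auditor parses a constructed pg_hba.conf and reports each network entry that authenticates nobody, with the size of the address range that gets the free login:

```python
import ipaddress

# Constructed pg_hba.conf (not from the talk): the two quiz lines plus
# entries a hardened file would carry for comparison.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER   ADDRESS          METHOD
local   all       all                     peer
host    all       pgbot  192.168.5.0/24   trust
host    all       pgbot  172.20.0.0/16    trust
host    all       app    10.0.1.0/24      scram-sha-256
hostssl all       app    10.0.1.0/24      cert
"""

# Methods that skip the credential check entirely: anyone who can reach the
# listed address range is logged in as the named role.
NO_AUTH_METHODS = {"trust"}


def parse_pg_hba(text):
    """Yield (type, database, user, address, method) per non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            fields.insert(3, None)  # local lines have no ADDRESS column
        if len(fields) >= 5:
            yield tuple(fields[:5])


def audit_pg_hba(text):
    """Return one finding per network entry that authenticates nobody."""
    findings = []
    for ctype, db, user, addr, method in parse_pg_hba(text):
        if ctype == "local" or method not in NO_AUTH_METHODS:
            continue
        try:  # ADDRESS may be a CIDR, a bare IP or a hostname
            hosts = ipaddress.ip_network(addr, strict=False).num_addresses
        except ValueError:
            hosts = None
        findings.append({
            "user": user, "db": db, "address": addr, "method": method,
            "hosts": hosts,  # every one of them can log in with no secret
            "severity": "critical" if db == "all" else "high",
        })
    return findings
```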

DevOps is hard because ____

moving fast, lot of tooling, skills, knowledge

What makes it harder?

The Business is moving faster

What makes it harder?

and changing…

and harder

Security is hard

…and harder

Security gets little to no planning

What's needed?

Security Strategy ⇔ DevOps Strategy

There's no need to fear, IdentityOps is here.

What is IdentityOps?

Security – Treat as a first class citizen

Identity – Right resource, time, reason

DevOps – Security that scales

IdentityOps Essentials

Use Case: SSH Access

– Use Case: Provide user-level access to Linux servers and support business and IT policy

– Solution Options: SSH Public Key Authentication

– Advantages:
• Well understood and secure solution
• Very good support by all Linux distributions

– Challenges:
• Only provides for authn, not authz
• More operational overhead – e.g. user management

Use Case: SSH Access

• Solution: SSH Fabric

– Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure

– Keeps ssh keys centralized in an LDAP Directory (not in authorized_keys files) and delivers them in real time for authn

– Advanced authorization that integrates with PAM for seamless, fine-grained authz

– Centralized policy for sudo access

1) Model Concepts

1) Model Concepts (diagram): Layers, Hosts (e.g. prod_pub), Groups, Users

2) Centralize SSH Keys: LDAP Schema

2) Centralize SSH Keys: Configure SSH: /etc/ssh/sshd_config

2) Centralize SSH Keys: Custom Script: sshldap-pubkey.sh

3) Configure PAM: Configure LDAP: /etc/ldap.conf

3) Configure PAM: Force TLS to LDAP

3) Configure PAM: Configure Authz: /etc/pam.d/common-account

3) Configure PAM: Configure Authn: /etc/pam.d/common-auth

3) Configure PAM: Enable LDAP: /etc/nsswitch.conf

Restrict Host Access: /etc/security/access.conf

4) Configure sudo

4) Configure sudo: Create sudo rule: /etc/sudoers.d/sshldap

LDAP and Linux are Connected

5) Test SSH Fabric

5) Test SSH Fabric: Policy Allow: grp_itops, security_admins

5) Test SSH Fabric

Policy Deny: All other

5) Test SSH Fabric: Update Policy

5) Test SSH Fabric: Policy Allow: ops_prv

5) Test SSH Fabric: Policy Allow Sudo: ops-prv-sudo
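The SSH Fabric steps above (model the objects, serve keys from the directory, decide sudo centrally) and the five test slides can be walked through in one small model. This is an added example, not the talk's sshldap-pubkey.sh or its LDAP schema: the directory contents, host names and group names are constructed, and the key-delivery function stands in for what an AuthorizedKeysCommand script prints to sshd.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory (not the talk's schema): users with
# groups and a public key, hosts tagged with a layer, per-layer access policy.
USERS = {
    "alice": {"groups": {"grp_itops"}, "sshPublicKey": "ssh-ed25519 AAAA...alice"},
    "bob":   {"groups": {"security_admins"}, "sshPublicKey": "ssh-ed25519 AAAA...bob"},
    "carol": {"groups": {"ops_prv", "ops-prv-sudo"}, "sshPublicKey": "ssh-ed25519 AAAA...carol"},
    "dave":  {"groups": {"developers"}, "sshPublicKey": "ssh-ed25519 AAAA...dave"},
}
HOSTS = {"web01": "prod_pub", "db01": "prod_prv"}


@dataclass
class LayerPolicy:
    login: set = field(default_factory=set)  # groups allowed to log in
    sudo: set = field(default_factory=set)   # groups granted sudo


# Starting point from the test slides: prod_pub allows grp_itops and
# security_admins; every other group (and every unlisted layer) is denied.
POLICY = {"prod_pub": LayerPolicy(login={"grp_itops", "security_admins"})}


def _lookup(host, username):
    user, layer = USERS.get(username), HOSTS.get(host)
    return (user, layer) if user and layer else (None, None)


def authorized_keys(host, username, policy=POLICY):
    """Lines an AuthorizedKeysCommand script would print for this login.

    Empty means sshd finds no key and the login fails: authz is enforced at
    key-delivery time, with no authorized_keys file on the host."""
    user, layer = _lookup(host, username)
    if user is None or not user["groups"] & policy.get(layer, LayerPolicy()).login:
        return []
    return [user["sshPublicKey"]]


def sudo_allowed(host, username, policy=POLICY):
    """The sudo decision an LDAP-backed sudoers.d rule would reach."""
    user, layer = _lookup(host, username)
    return user is not None and bool(user["groups"] & policy.get(layer, LayerPolicy()).sudo)


def grant(policy, layer, group, sudo=False):
    """Policy change made in the directory; effective at the next login, no host edits."""
    entry = policy.setdefault(layer, LayerPolicy())
    (entry.sudo if sudo else entry.login).add(group)
```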

Use Case: Docker Access

– Use Case: Provide access to Docker runtime while supporting business and IT policy

– Solution Options: Docker group or Authz plug-in

– Advantages:
• Users don't require admin access
• Plug-in architecture is very flexible (Authz)

– Challenges:
• Have to rely on local Linux groups
• Docker group or Admin access is required
• Access is coarse – you can do anything

Use Case: Docker Access

• Solution: Docker Fabric

– Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure (same as previous use case)

– Centralized policy for User-level access to Docker (via TLS and Flask app)

– Keeps rules centralized in a repository and enforces them at runtime (same as previous use case)

2) Centralize Policy for User-level Access

Setup Docker Group: /etc/default/docker

2) Centralize Policy for User-level Access

Update Docker socket access: /lib/systemd/system/docker.socket

2) Centralize Policy for User-level Access

Create Authz Plugin: /etc/default/docker_fabric_authz

2) Centralize Policy for User-level Access

Create Authz Plugin: /etc/systemd/system/docker.service.d/docker_fabric_authz.conf

2) Centralize Policy for User-level Access

Create Authz Plugin: /usr/local/bin/docker_fabric_authz.py

export theUser="Branton Davis"

alias dockera="docker -H=$(hostname):2376 \
    --tlsverify \
    --tlscacert=/etc/zinet/pki/server/zibernetics-int-cacert.crt \
    --tlscert=\"/etc/zinet/pki/user/\${theUser}.crt\" \
    --tlskey=\"/etc/zinet/pki/user/\${theUser}.ukey\" "

4) Test Docker Fabric

4) Test Docker Fabric

Policy Deny: All others

4) Test Docker Fabric

Update Policy

4) Test Docker Fabric

Policy Allow: ops_prv
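The decision the docker_fabric_authz.py plugin has to make, and the deny-by-default / allow-ops_prv tests above, as an added example that is not the talk's own plugin code. It implements the Docker authorization plugin request format (User is the TLS client certificate CN when the daemon runs with --tlsverify; RequestBody arrives base64-encoded) and goes one step past the slides by also refusing privileged container creation to non-admins, which is where "access is coarse, you can do anything" bites hardest. The directory contents, group names and URI rules are constructed.

```python
import base64
import json
import re

# Constructed stand-in for the directory (not the talk's data): TLS client-cert
# CN, which Docker passes as "User" under --tlsverify, mapped to groups.
DIRECTORY = {"Branton Davis": {"ops_prv"}, "admin.user": {"docker_admins"}}

# Per-group allow list of (method, URI regex); anything unmatched is denied,
# replacing the all-or-nothing access the docker group hands out.
POLICY = {
    "ops_prv": [("GET", r"^/v[\d.]+/(containers|images)/"),
                ("POST", r"^/v[\d.]+/containers/(create$|[^/]+/(start|stop|restart)$)")],
    "docker_admins": [("*", r".*")],
}


def encode_body(obj):
    """Docker base64-encodes RequestBody in AuthZReq; builds one from a dict."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def is_privileged(body_b64):
    """True if a container-create body asks for privileged or host-PID access."""
    if not body_b64:
        return False
    try:
        hc = json.loads(base64.b64decode(body_b64)).get("HostConfig") or {}
        return bool(hc.get("Privileged")) or hc.get("PidMode") == "host"
    except (ValueError, AttributeError):  # undecodable or non-object body
        return False


def _deny(msg):
    return {"Allow": False, "Msg": msg, "Err": ""}


def authz_req(req):
    """Decide one AuthZReq payload; returns the AuthZRes dict Docker expects."""
    user = req.get("User", "")
    groups = DIRECTORY.get(user, set())
    method, uri = req.get("RequestMethod", ""), req.get("RequestURI", "")
    if "docker_admins" not in groups and is_privileged(req.get("RequestBody")):
        return _deny("privileged containers require docker_admins")
    for group in groups:
        for allowed_method, pattern in POLICY.get(group, []):
            if allowed_method in ("*", method) and re.match(pattern, uri):
                return {"Allow": True, "Msg": "", "Err": ""}
    return _deny(f"policy denies {method} {uri} for {user or 'anonymous'}")
```

The Flask app on the plugin socket would return this dict from POST /AuthZPlugin.AuthZReq and advertise {"Implements": ["authz"]} from /Plugin.Activate; the companion AuthZRes hook for filtering daemon responses is not modelled here.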

IdentityOps Summary (diagram): Directory, Business Policies, Linux, Docker

IdentityOps Summary

Centralized, real-time policy for access management

Uniform application of policy and real-time enforcement

Better operational efficiency

Enable use cases: least privilege, non-repudiation, segregation of duties, auditability

W: http://www.zibernetics.com T: @CSanchezAustin E: chris@zibernetics.com

First person to post Wile E. Coyote's middle name to the #security-track with #IdentityOps will win a bumper sticker.

#IdentityOps

Thank you! W: http://www.zibernetics.com T: @CSanchezAustin E: chris@zibernetics.com