OpenShift Identity Management and Compliance in · 2018-02-06 · Who Are We? Marc Boorshtein - CTO...
Identity Management and Compliance in OpenShift
Or “Use DevOps to Make Your Auditors and Suits Happy”
Marc Boorshtein
CTO, Tremolo Security
Ellen NewlandsSenior Security Product Manager, Cloud Business Unit at Red Hat
May 3, 2017
Who Are We?
Marc Boorshtein - CTO Tremolo Security, Inc.
● 15+ years of identity management implementation experience
● Multiple deployments across large commercial and federal customers
Ellen Newlands - Senior Security Product Manager, Cloud Business Unit at Red Hat
● Red Hat Product Manager for Identity and Access Management
● Extensive experience in enterprise and WEB identity management and single sign-on
What Will We Be Talking About?
● Why are identity management and compliance important to you?
● What is “compliance”?
● How does identity management apply to compliance?
● How do Red Hat and OpenShift manage security?
● What “compliance” looks like without and with DevOps
● How OpenShift manages its identities
● Demo!
Why is Compliance Important to You?
It’s not just for meetings and auditors...
DevOps + Identity Management =
What is Compliance?
When someone asks if you’re compliant...
NIST 800-53
Criminal Justice Information Systems (CJIS)
Step 1 - Define Your Policy: NIST 800-53 Framework
Step 2 - Follow Your Policy: CJIS Implementation
Where Does Identity Management Fit?
● NIST 800-53
  ○ AC-2 / Authorizes access to the information system based on: 1. A valid access authorization;
  ○ Request for access is approved by your manager
  ○ Identity Management
● Criminal Justice Information Systems (CJIS)
  ○ Section 5.6.2.1.1 - Passwords
  ○ Identity Management
OpenShift Container Platform Security
Visit the Security zone in the Red Hat booth for more information on OpenShift & container security
Integrated security features including
● Role-based Access Controls with LDAP and OAuth integration
● Privileged access management
● Automated certificate management
● Scalable secrets management
● Private data and logins exchanged with OpenShift are transmitted over SSL
● Application passwords are filtered from OpenShift log files and encrypted.
● Pushing and pulling of private data is done over SSH
  ○ Authenticated with keys, not passwords
  ○ This helps prevent brute force cracking
  ○ Tools are available for users to deploy similar steps for their applications
Red Hat Enterprise Linux provides the foundation for secure, scalable containers
On bare metal, on Red Hat Virtualization
In your datacenter or the public cloud
Red Hat Enterprise Linux: Support Compliance for OpenShift
[Diagram: Red Hat Enterprise Linux / Atomic Host stack: container runtime & packaging (Docker), container orchestration & cluster management (Kubernetes), with networking, security, storage, registry and logs & metrics services beneath the containers]
Red Hat OpenShift Dedicated available on both AWS & GCP
OpenShift on public cloud inherits the security features of your public cloud provider
For example, to know more about the security of Amazon EC2
Red Hat provides industry-leading responsiveness to security vulnerabilities
Identity Management Compliance Without DevOps
1. User needs access to an application
2. User emails project owner asking for access
3. Project owner forwards to admin with the word “approved”
4. Admin creates access and stores email in special folder
5. Auditor asks for approval trail
6. Admin forwards emails
7. Admin tells user they’re approved to access the project :-(
Identity Management Compliance With DevOps
1. User needs access to a project
2. Logs into IDM and requests access
3. Project owner clicks “Approve”
4. IDM system creates access and builds audit trail
5. Auditor logs into IDM system
6. Auditor pulls reports
7. IDM system notifies user of access :-D
How this applies to OpenShift
WHO?
● User Object in EtcD
● LDAP
● OpenID Connect
● Reverse Proxy + Header
WHAT?
● Subject + Role + Project = RoleBinding
● Local Objects
● Management
  ○ OpenShift Console
  ○ LDAP Sync
  ○ oadm
  ○ Web services
WHY?
● External Workflow
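The slide reduces OpenShift access to Subject + Role + Project = RoleBinding and puts the "why" in an external workflow. The following is an added example, not code from the slides, from Red Hat or from Tremolo Security: a small Python audit that joins the cluster's RoleBindings (assumed to be in the JSON shape `oc get rolebindings -A -o json` returns) with approval records exported from an IDM workflow, reports bindings that have no approval behind them and approvals that no longer match a binding, and builds the RoleBinding manifest an IDM system would apply for an approved request. All user names, namespaces, ticket ids and the annotation key prefix are constructed for the example.

```python
"""Audit OpenShift RoleBindings against an IDM approval trail.

Added example; not code from the slides, from Red Hat or from Tremolo Security.
Assumptions: RoleBindings are in the JSON shape `oc get rolebindings -A -o json`
returns (items with metadata.namespace, roleRef and subjects), and the IDM
workflow can export one approval record per (subject, role, project) triple.
Every name, namespace, ticket id and annotation key below is constructed.
"""
import json

# Constructed sample: three RoleBindings as the API would return them.
ROLEBINDINGS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "edit-alice", "namespace": "payments"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
         "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}]},
        {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "admin-charlie", "namespace": "payments"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"},
         "subjects": [{"kind": "User", "name": "charlie", "apiGroup": "rbac.authorization.k8s.io"}]},
        {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "view-devs", "namespace": "billing"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "devs", "apiGroup": "rbac.authorization.k8s.io"},
                      {"kind": "ServiceAccount", "name": "deployer", "namespace": "billing"}]},
    ],
})

# Constructed sample: approval records exported from the IDM workflow
# (the "WHY" behind each binding: who approved it and under which request).
APPROVALS = [
    {"kind": "User", "subject": "alice", "role": "edit", "project": "payments",
     "approved_by": "bob", "ticket": "REQ-1001"},
    {"kind": "Group", "subject": "devs", "role": "view", "project": "billing",
     "approved_by": "bob", "ticket": "REQ-1002"},
    {"kind": "User", "subject": "dave", "role": "view", "project": "billing",
     "approved_by": "bob", "ticket": "REQ-1003"},
]

AUDITED_KINDS = ("User", "Group")  # ServiceAccounts are workload identities, not people


def binding_triples(rolebindings_json):
    """Flatten RoleBindings into (kind, subject, role, project) per human subject."""
    doc = json.loads(rolebindings_json)
    triples = set()
    for rb in doc.get("items", []):
        project = rb["metadata"]["namespace"]
        role = rb["roleRef"]["name"]
        for subj in rb.get("subjects") or []:
            if subj["kind"] in AUDITED_KINDS:
                triples.add((subj["kind"], subj["name"], role, project))
    return triples


def approval_triples(approvals):
    """Index approval records by the same (kind, subject, role, project) key."""
    return {(a["kind"], a["subject"], a["role"], a["project"]) for a in approvals}


def unapproved_bindings(rolebindings_json, approvals):
    """Access that exists in the cluster with no approval record behind it."""
    return sorted(binding_triples(rolebindings_json) - approval_triples(approvals))


def stale_approvals(rolebindings_json, approvals):
    """Approvals with no matching binding: access removed or never provisioned."""
    return sorted(approval_triples(approvals) - binding_triples(rolebindings_json))


def rolebinding_manifest(approval):
    """RoleBinding an IDM system would apply for an approved request.

    The approval metadata is carried as annotations (constructed key prefix)
    so the binding itself points back at its audit trail.
    """
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {
            "name": f"{approval['role']}-{approval['subject']}",
            "namespace": approval["project"],
            "annotations": {
                "idm.example.invalid/approved-by": approval["approved_by"],
                "idm.example.invalid/ticket": approval["ticket"],
            },
        },
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": approval["role"]},
        "subjects": [{"kind": approval["kind"], "name": approval["subject"],
                      "apiGroup": "rbac.authorization.k8s.io"}],
    }


if __name__ == "__main__":
    print("bindings without approval:", unapproved_bindings(ROLEBINDINGS_JSON, APPROVALS))
    print("approvals without binding:", stale_approvals(ROLEBINDINGS_JSON, APPROVALS))
    print(json.dumps(rolebinding_manifest(APPROVALS[2]), indent=2))
```

Run against real data by replacing `ROLEBINDINGS_JSON` with the output of `oc get rolebindings -A -o json` and `APPROVALS` with the IDM system's export; the first list is what an auditor would flag as access without an approval trail, the second is the reconciliation backlog. ServiceAccount subjects are skipped on purpose, since they belong to workloads rather than to the people-facing approval workflow the slides describe.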
Demo
DEMO
Shameless Self Promotion
● Booth 145
  ○ Mobile Battery Chargers
  ○ Screen Cleaners
● Web - http://tremolo.io
● Twitter - @tremolosecurity / @mlbiam
● Github - https://www.github.com/tremolosecurity/
● Blog this session is based on - https://www.tremolosecurity.com/openshift-compliance-and-identity-management/
THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews
How this applies to OpenShift
| Layer | Technology | In Demo |
| --- | --- | --- |
| Cloud | OpenStack - Keystone; Amazon - IAM; etc. | N/A |
| Operating System | 1. LDAP 2. AD 3. SSSD | Red Hat Identity Management |
How this applies to OpenShift
| Layer | Technology | In Demo |
| --- | --- | --- |
| OpenShift Console and CLI | Authentication: LDAP; Password File; OpenID Connect; Header + Reverse Proxy. Authorization: Internal User and Group objects; Web services; LDAP Sync | Authentication: Username + Password - KeyCloak; U2F - Unison; Compliance Banner - Unison; OpenID Connect. Authorization: Unison self service |
| Container | 1. External Identity Provider 2. External User System | N/A |