Security, Identity, and DevOps, oh my - Print
Uploaded by chris-sanchez. Category: Software
Transcript of Security, Identity, and DevOps, oh my - Print
November 15, 2016
Security, Identity, and DevOps, oh my… Chris Sanchez, Founder and CTO, zibernetics. Twitter: @[email protected]
Post questions to #security-track
Background
• 20+ years in Austin Technology as an Engineer, Manager, Mentor, Executive, and Entrepreneur
• Tech Veteran – iChat/Acuity, CALEB Technologies, Webify, PointSource, 21CT, CognitiveScale, Sun Microsystems, IBM
• Passion for Identity and DevOps
• Founded zibernetics in 2015 – Research and Development projects
• Identity, HIPAA Security, DevOps, Cloud, Linux
– Consultancy for early stage and growth startups
Pop Quiz: Why is this bad? pg_hba.conf
host all pgbot 192.168.5.0/24 trust
host all pgbot 172.20.0.0/16 trust
First 2 people to post the most interesting security issues to the #security-track with #IdentityOps will win a bumper sticker.
#IdentityOps
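The two quiz lines use the `trust` authentication method, which accepts any TCP client from those two networks as `pgbot` without a password or any other credential. As an added example, not from the talk, here is a small pg_hba.conf linter (Python, standard library only) that parses the file and flags such entries. The sample file is constructed; it repeats the quiz lines and also shows the corrected form (`hostssl` with `scram-sha-256`, or `md5` on releases before PostgreSQL 10).

```python
"""Lint pg_hba.conf entries that grant access with no authentication ('trust').

Added example (not from the talk). The sample content below is constructed.
"""
import ipaddress

# Constructed sample: the two quiz lines plus their corrected equivalents.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER   ADDRESS          METHOD
local     all       all                     peer
host      all       pgbot  192.168.5.0/24   trust
host      all       pgbot  172.20.0.0/16    trust
hostssl   all       pgbot  192.168.5.0/24   scram-sha-256
hostssl   all       pgbot  172.20.0.0/16    scram-sha-256
"""

# Methods that perform no authentication at all.
NO_AUTH_METHODS = {"trust"}


def parse_pg_hba(text):
    """Return (lineno, type, database, user, address, method) for each rule.

    'local' rules have no ADDRESS column. Host rules give ADDRESS either as
    CIDR ("192.168.5.0/24") or as two columns ("192.168.5.0 255.255.255.0").
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: malformed local rule")
            address, method = None, fields[3]
        elif len(fields) >= 6 and "/" not in fields[3] and fields[4].count(".") == 3:
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        elif len(fields) >= 5:
            address, method = fields[3], fields[4]
        else:
            raise ValueError(f"line {lineno}: malformed host rule")
        rules.append((lineno, fields[0], fields[1], fields[2], address, method))
    return rules


def find_trust_rules(text):
    """Describe every rule that lets clients in without presenting credentials."""
    findings = []
    for lineno, ctype, database, user, address, method in parse_pg_hba(text):
        if method not in NO_AUTH_METHODS:
            continue
        if ctype == "local":
            scope = "any local OS user over the Unix socket"
        elif address == "all":
            scope = "any address"
        else:
            try:
                net = ipaddress.ip_network(address, strict=False)
                scope = f"{address} ({net.num_addresses} addresses)"
            except ValueError:
                scope = f"{address} (hostname or keyword)"
        findings.append(
            f"line {lineno}: '{method}' lets {scope} connect as {user} "
            f"to {database} with no credentials"
        )
    return findings


if __name__ == "__main__":
    for finding in find_trust_rules(SAMPLE_PG_HBA):
        print(finding)
```

Run it against a real file by reading `/etc/postgresql/<version>/main/pg_hba.conf` (path is distribution-specific) into `find_trust_rules`; the corrected `hostssl` lines produce no finding because they require both TLS and a password challenge.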
DevOps is hard because ____
moving fast, lot of tooling, skills, knowledge

What makes it harder?
The Business is moving faster

What makes it harder?
and changing…

and harder
Security is hard

…and harder
Security gets little to no planning

What’s needed?
Security Strategy ⇔ DevOps Strategy
There's no need to fear, IdentityOps is here.

What is IdentityOps?
Security – Treat as a first class citizen
Identity – Right resource, time, reason
DevOps – Security that scales

IdentityOps Essentials
Use Case: SSH Access
– Use Case: Provide user-level access to Linux servers and support business and IT policy
– Solution Options: SSH Public Key Authentication
– Advantages:
• Well understood and secure solution
• Very good support by all Linux distributions
– Challenges:
• Only provides for authn, not authz
• More operational overhead – e.g. user management
Use Case: SSH Access
• Solution: SSH Fabric
– Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure
– Keeps ssh keys centralized in an LDAP Directory (not an authorized_keys file) and delivers them in real time for authn
– Advanced authorization that integrates with PAM for seamless, fine-grained authz
– Centralized policy for sudo access
1) Model Concepts

1) Model Concepts (diagram: Layers, Hosts (prod_pub), Groups, Users)
2) Centralize SSH Keys: LDAP Schema

2) Centralize SSH Keys: Configure SSH: /etc/ssh/sshd_config

2) Centralize SSH Keys: Custom Script: sshldap-pubkey.sh
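The slides show the sshd_config and the custom script as images, so the mechanism itself is not in the transcript. The following is an added example of the same idea, not the talk's sshldap-pubkey.sh: an AuthorizedKeysCommand-style lookup that returns a user's keys from a directory instead of a local authorized_keys file. It assumes the OpenSSH directives `AuthorizedKeysCommand /usr/local/bin/sshldap-pubkey.py %u` and `AuthorizedKeysCommandUser nobody`, and that the directory stores keys in an `sshPublicKey` attribute (openssh-lpk style). The LDAP query is replaced by a constructed in-memory dictionary so the script runs offline; the key material in it is dummy bytes, not a real key.

```python
"""AuthorizedKeysCommand-style lookup of SSH public keys held in a directory.

Added example, not the talk's script. The directory is simulated by a
constructed dictionary; a real script would run an LDAP search for the uid
here and read its sshPublicKey attribute. It only returns well-formed key
lines for active accounts, so a disabled account loses SSH access the moment
the directory says so, with no per-host file to clean up.
"""
import base64
import struct
import sys

KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def constructed_key_line(key_type, comment):
    """Build a syntactically valid key line with dummy material (NOT a real key)."""
    name = key_type.encode()
    material = b"\x42" * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(material)) + material
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample directory: uid -> attributes (attribute names are assumptions).
SAMPLE_DIRECTORY = {
    "bdavis": {
        "accountStatus": ["active"],
        "sshPublicKey": [
            constructed_key_line("ssh-ed25519", "bdavis@laptop"),
            "not-a-key AAAA garbage",   # malformed attribute value: must be dropped
        ],
    },
    "jdoe": {
        "accountStatus": ["disabled"],
        "sshPublicKey": [constructed_key_line("ssh-ed25519", "jdoe@desktop")],
    },
}


def is_wellformed_key(line):
    """Check 'type base64 [comment]' and that the blob's embedded type matches.

    The wire format starts with a length-prefixed type string, so a line whose
    declared type disagrees with its blob is rejected rather than handed to sshd.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == parts[0].encode() and len(blob) > 4 + n


def authorized_keys_for(username, directory):
    """Return the authorized_keys lines sshd should accept for username."""
    entry = directory.get(username)
    if entry is None or entry.get("accountStatus", ["active"])[0] != "active":
        return []   # unknown or disabled account: no keys, so no login
    return [k for k in entry.get("sshPublicKey", []) if is_wellformed_key(k)]


if __name__ == "__main__":
    # sshd runs this as AuthorizedKeysCommand with %u as the only argument and
    # reads the printed lines exactly as it would read authorized_keys.
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    for key in authorized_keys_for(user, SAMPLE_DIRECTORY):
        print(key)
```

Two points a practitioner checks when deploying this pattern: the command must exit 0 and print nothing for unknown users (so sshd simply falls through to a denial), and `AuthorizedKeysCommandUser` should be an unprivileged account, since sshd runs the script for every connection attempt.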
3) Configure PAM: Configure LDAP: /etc/ldap.conf

3) Configure PAM: Force TLS to LDAP

3) Configure PAM: Configure Authz: /etc/pam.d/common-account

3) Configure PAM: Configure Authn: /etc/pam.d/common-auth

3) Configure PAM: Enable LDAP: /etc/nsswitch.conf

Restrict Host Access: /etc/security/access.conf
4) Configure sudo

4) Configure sudo: Create sudo rule: /etc/sudoers.d/sshldap
LDAP and Linux are Connected
5) Test SSH Fabric

5) Test SSH Fabric: Policy Allow: grp_itops, security_admins

5) Test SSH Fabric: Policy Deny: All other

5) Test SSH Fabric: Update Policy

5) Test SSH Fabric: Policy Allow: ops_prv

5) Test SSH Fabric: Policy Allow Sudo: ops-prv-sudo
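The "Restrict Host Access: /etc/security/access.conf" slide and the "Test SSH Fabric" sequence (allow grp_itops and security_admins, deny all others, then update the policy to allow ops_prv) are both about pam_access rules. As an added example, not from the talk, here is an evaluator for the subset of access.conf syntax those slides need, with a constructed policy file that follows the same allow/deny/update sequence. Group membership is passed in explicitly; on a real host it comes from the directory through nsswitch. The `LOCAL` keyword handling is a simplification of pam_access's own.

```python
"""Evaluate /etc/security/access.conf rules the way pam_access does.

Added example (not from the talk). Supported subset: lines of the form
"permission : users : origins" where permission is + or -, users are
usernames, (group) entries or ALL, and origins are ALL, LOCAL or a literal
host/address. First matching line wins; if nothing matches, pam_access
grants access, which is why a policy must end with "- : ALL : ALL".
"""

# Constructed policy matching the "Test SSH Fabric" slides.
ACCESS_CONF_V1 = """\
# permission : users/groups : origins
+ : (grp_itops) (security_admins) : ALL
+ : root : LOCAL
- : ALL : ALL
"""

# "Update Policy": admit ops_prv as well, keeping the final deny.
ACCESS_CONF_V2 = ACCESS_CONF_V1.replace("- : ALL : ALL", "+ : (ops_prv) : ALL\n- : ALL : ALL")


def parse_access_conf(text):
    """Return a list of (permit, user_specs, origin_specs) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-") or not parts[1] or not parts[2]:
            raise ValueError(f"line {lineno}: malformed access.conf rule: {raw!r}")
        rules.append((parts[0] == "+", parts[1].split(), parts[2].split()))
    return rules


def _user_matches(spec, user, groups):
    if spec == "ALL":
        return True
    if spec.startswith("(") and spec.endswith(")"):
        return spec[1:-1] in groups          # explicit group syntax
    return spec == user or spec in groups    # pam_access also tries bare names as groups


def _origin_matches(spec, origin):
    if spec == "ALL":
        return True
    if spec == "LOCAL":
        # Simplification: console/tty logins carry no dotted or IPv6 address.
        return origin == "LOCAL" or not any(c in origin for c in ".:")
    return spec == origin


def is_allowed(rules, user, groups, origin):
    """Apply first-match-wins; default allow when no rule matches (pam_access behaviour)."""
    for permit, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return permit
    return True


def audit_default_allow(rules):
    """True when the policy has no catch-all deny, i.e. unmatched users get in."""
    return not any(not permit and "ALL" in users and "ALL" in origins
                   for permit, users, origins in rules)


if __name__ == "__main__":
    for label, text in (("v1", ACCESS_CONF_V1), ("v2", ACCESS_CONF_V2)):
        rules = parse_access_conf(text)
        print(label, "ops_prv via ssh:", is_allowed(rules, "bob", {"ops_prv"}, "10.0.0.5"))
```

`audit_default_allow` is the check worth running on every host: an access.conf without a trailing `- : ALL : ALL` only restricts the users it names and silently admits everyone else.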
Use Case: Docker Access
– Use Case: Provide access to Docker runtime while supporting business and IT policy
– Solution Options: Docker group or Authz plug-in
– Advantages:
• Users don’t require admin access
• Plug-in architecture is very flexible (Authz)
– Challenges:
• Have to rely on local Linux groups
• Docker group or Admin access is required
• Access is coarse – you can do anything

Use Case: Docker Access
• Solution: Docker Fabric
– Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure (same as previous use case)
– Centralized policy for User-level access to Docker (via TLS and Flask app)
– Keeps rules centralized in a repository that are enforced at runtime (same as previous use case)
2) Centralize Policy for User-level Access: Setup Docker Group: /etc/default/docker

2) Centralize Policy for User-level Access: Update Docker socket access: /lib/systemd/system/docker.socket

2) Centralize Policy for User-level Access: Create Authz Plugin: /etc/default/docker_fabric_authz

2) Centralize Policy for User-level Access: Create Authz Plugin: /etc/systemd/system/docker.service.d/docker_fabric_authz.conf

2) Centralize Policy for User-level Access: Create Authz Plugin: /usr/local/bin/docker_fabric_authz.py
4) Test Docker Fabric
# Per-user TLS client certificate and key; the daemon authenticates the caller by the certificate
export theUser="Branton Davis"
alias dockera="docker -H=$(hostname):2376 \
  --tlsverify \
  --tlscacert=/etc/zinet/pki/server/zibernetics-int-cacert.crt \
  --tlscert=\"/etc/zinet/pki/user/\${theUser}.crt\" \
  --tlskey=\"/etc/zinet/pki/user/\${theUser}.ukey\""
4) Test Docker Fabric: Policy Deny: All others

4) Test Docker Fabric: Update Policy

4) Test Docker Fabric: Policy Allow: ops_prv
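The plugin at /usr/local/bin/docker_fabric_authz.py and the "Test Docker Fabric" slides (deny all others, update policy, allow ops_prv) are shown as images, so the decision logic is not in the transcript. The following is an added example of a Docker authorization plugin, not the talk's Flask app: it speaks the daemon's `authz` plugin protocol (`/Plugin.Activate`, `/AuthZPlugin.AuthZReq`, `/AuthZPlugin.AuthZRes`) using only the standard library. It assumes the daemon runs with `--tlsverify`, so the `User` field in each request is the client certificate's CN (the per-user certificate the `dockera` alias presents), and that group membership comes from the directory, replaced here by a constructed dictionary. It goes one step beyond the slides by adding a read-only group, which is the kind of fine-grained rule the "access is coarse" challenge calls for.

```python
"""Docker authorization plugin decision logic (Docker 'authz' plugin API).

Added example; not the talk's docker_fabric_authz.py. Standard library only.
Assumptions: --tlsverify on the daemon (User == client cert CN) and a
directory lookup for groups, simulated by USER_GROUPS below.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed directory lookup: certificate CN -> groups (LDAP in production).
USER_GROUPS = {
    "Branton Davis": {"ops_prv"},
    "Pat Reader": {"ops_ro"},
    "Chris Visitor": set(),
}

# Policy: group -> allowed HTTP methods on the Docker API; None means all.
POLICY = {
    "ops_prv": None,               # full access ("Policy Allow: ops_prv")
    "ops_ro": {"GET", "HEAD"},     # added read-only tier (assumption)
}

_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")


def decide(req):
    """Return the AuthZRes-shaped dict {"Allow", "Msg", "Err"} for one AuthZReq body."""
    user = req.get("User", "")
    # Requests over the local socket or without a client cert carry no identity.
    if req.get("UserAuthNMethod") != "TLS" or not user:
        return {"Allow": False, "Msg": "client certificate required", "Err": ""}
    method = req.get("RequestMethod", "")
    path = _VERSION_PREFIX.sub("", req.get("RequestUri", "").split("?", 1)[0])
    # Deny by default ("Policy Deny: All others"); any permitting group allows.
    for group in sorted(USER_GROUPS.get(user, set())):
        if group not in POLICY:
            continue
        allowed = POLICY[group]
        if allowed is None or method in allowed:
            return {"Allow": True, "Msg": f"{user} via {group}: {method} {path}", "Err": ""}
    return {"Allow": False, "Msg": f"{user} not permitted: {method} {path}", "Err": ""}


class AuthzHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint implementing the three calls the daemon makes."""

    def _reply(self, body):
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        req = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/Plugin.Activate":
            self._reply({"Implements": ["authz"]})
        elif self.path == "/AuthZPlugin.AuthZReq":
            self._reply(decide(req))
        elif self.path == "/AuthZPlugin.AuthZRes":
            self._reply({"Allow": True, "Msg": "", "Err": ""})   # responses pass through
        else:
            self.send_error(404)


if __name__ == "__main__":
    # Register with the daemon via a spec file, e.g. /etc/docker/plugins/docker_fabric_authz.spec
    # containing "tcp://127.0.0.1:8088", and start dockerd with
    # --authorization-plugin=docker_fabric_authz (names and port are assumptions).
    HTTPServer(("127.0.0.1", 8088), AuthzHandler).serve_forever()
```

Every decision carries a `Msg` naming the user, group, method and path, so the daemon's log of allow and deny outcomes doubles as the audit trail the summary slide asks for.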
IdentityOps Summary (diagram: Directory, Business Policies, Linux, Docker)

IdentityOps Summary
Centralized, real-time policy for access management
Uniform application of policy and real-time enforcement
Better operational efficiency
Enable use cases: least privilege, non-repudiation, segregation of duties, auditability
W: http://www.zibernetics.com T: @CSanchezAustin E: [email protected]
First person to post Wile E. Coyote’s middle name to the #security-track with #IdentityOps will win a bumper sticker.
#IdentityOps

Thank you! W: http://www.zibernetics.com T: @CSanchezAustin E: [email protected]