Automating security policies
From deployment to auditing with Rudder
Jonathan CLARKE – jcl@normation.com
Normation – CC-BY-SA normation.com
Who am I?
● Jonathan Clarke
● Job: Co-founder and “CTO” at Normation
● Line of work:
  – Initially system administration, infrastructure management...
  – Now automating all that! (+ paperwork...)
● Free software:
  – Co-creator of Rudder
  – Developer in several LDAP projects: LSC, LTB, OpenLDAP...
  – Contributor to CFEngine
● Contact info
  – Email: jcl@normation.com
  – Twitter: @jooooooon42 (that's 7 'o's!)
Context
IT infrastructure: Automation
Motivations:
● Avoid human error
● Build new hosts quickly
● Rebuild hosts quickly
● Scale out quickly
Tools: (the slide shows tool logos only)
What about compliance?
IT infrastructure: Compliance?
Motivations:
● Get a complete overview
● Get an objective overview
● Know about config drift
● Prove compliance

Compliance to what?
Rules come from everywhere:
● Industry regulations
● Corporate regulations
● Laws
● Best practices

Practical examples:
● Enforce some parameters in a service
● MOTD “warning”
● Password policy
● Tripwire (disk contents)
How is this different from “just” automation?
Automation vs Compliance: how different is this technically?
How is this different from “just” automation? Frequency
The more often you check, the more reliable your compliance reporting is.
How can you reach this goal?
● Lightweight, efficient agent
● Run “slow” checks in the background (file copying over network...)
● Focus on the security checks. Reporting can be done later.
How is this different from “just” automation? All or nothing
Compliance matters on each and every system. Not “most”. All of them.
How can you reach this goal?
● Support all the {old, weird, buggy, new, “different”} {OS, software, versions}
● Make sure you know what systems exist: rely on an inventory DB
● Two systems may be alike on paper; they very rarely are in reality.
How is this different from “just” automation? You cannot get it wrong.
You cannot get it wrong. You cannot get it wrong. You cannot get it wrong.
If you care about compliance, “prod” is usually pretty real.
How can you reach this goal?
(Fake ID + prebook flight to the Cayman Islands?)
● Don't touch stuff you don't need to. Be specific. (One line in a file?)
● Start with no changes. Just check. Dry-run? Cover full cycles (days, weeks, months...)
● Classic quality control (reviews...)
The result: 100%
So, what have we actually done?
Applied these principles in Rudder.
Introducing Rudder
Rudder's goal is to provide a plug-and-play solution that is extendable, to automate IT infrastructure, however complex (or not). Combine proven tools and best practices to extend their adoption.
Key values:
● Plug and play: works out-of-the-box thanks to smart default settings
● Open source
● Simple
● Smart
● Extendable via modules, for flexibility and integration
Introducing Rudder: http://www.rudder-project.org/
● Simplified user experience via a Web UI
● Specifically designed for automation & compliance
● Based on CFEngine 3
● Graphical reporting
● Pre-packaged for all supported OSes
● Open Source
● Vagrant config to test: https://github.com/normation/rudder-vagrant/
Key points for security compliance
● Continuous checking: every 5 minutes. High frequency, trust in compliance reporting.
● Separate configuration from implementation: reuse implementations, fewer bugs, shared code... Clear separation of roles.
● Multi-platform: cover as many systems as possible. Linux, Unix, Windows, Android...
● Reporting: done after the checks, in a separate process. Avoid bottlenecks. Different report types.
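The practical examples listed earlier (service parameters, a MOTD warning, a password policy, Tripwire-style disk contents), the “start with no changes, just check” principle, and the separation of configuration from implementation and of reporting from checking, worked through as an added Python example. This is not Rudder's or CFEngine's code (Rudder expresses the equivalent as CFEngine 3 policy); the sample files, rule names and the known-good digest are constructed here for illustration.

```python
"""Check-only compliance audit, constructed as an illustration (not Rudder code).

Implementation (generic check methods) is kept apart from configuration
(rules = a method plus parameters), and reporting is a separate pass over the
collected results. No method modifies the system: this is the "just check" mode.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable


# --- Implementation layer: reusable, check-only methods ---------------------

def check_param(path: Path, key: str, expected: str) -> tuple[bool, str]:
    """The first uncommented 'key value' line must carry the expected value
    (sshd_config semantics: first occurrence wins, '#' lines are ignored)."""
    if not path.is_file():
        return False, f"{path.name}: file missing"
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]+(\S+)", path.read_text(), re.M)
    if m is None:
        return False, f"{key} not set, compiled-in default applies"
    return m.group(1) == expected, f"{key}={m.group(1)} (want {expected})"


def check_contains(path: Path, needle: str) -> tuple[bool, str]:
    """The file must contain the given text (e.g. a legal warning in the MOTD)."""
    if not path.is_file():
        return False, f"{path.name}: file missing"
    present = needle in path.read_text()
    return present, f"{path.name} {'contains' if present else 'lacks'} {needle!r}"


def check_sha256(path: Path, expected_hex: str) -> tuple[bool, str]:
    """Tripwire-style integrity check against a known-good digest."""
    if not path.is_file():
        return False, f"{path.name}: file missing"
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return digest == expected_hex, f"{path.name} sha256={digest[:16]}..."


METHODS: dict[str, Callable[..., tuple[bool, str]]] = {
    "param": check_param,
    "contains": check_contains,
    "sha256": check_sha256,
}


# --- Configuration layer: rules are data, naming a method and its parameters --

@dataclass(frozen=True)
class Rule:
    name: str
    method: str
    path: str              # relative to the audited root
    args: tuple[str, ...]


@dataclass(frozen=True)
class Result:
    rule: str
    compliant: bool
    detail: str


def audit(rules: list[Rule], root: Path) -> list[Result]:
    """Evaluate every rule against the filesystem under `root`. Check-only."""
    return [Result(r.name, *METHODS[r.method](root / r.path, *r.args)) for r in rules]


def compliance_pct(results: list[Result]) -> float:
    """Reporting: a separate pass over collected results, never mixed with checks."""
    if not results:
        return 100.0
    return 100.0 * sum(r.compliant for r in results) / len(results)


def demo() -> tuple[list[Result], float]:
    """Audit a constructed mini filesystem (made-up contents, not a real host)."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/ssh").mkdir(parents=True)
    (root / "etc/ssh/sshd_config").write_text(
        "# PermitRootLogin yes   <- commented out, must be ignored\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication yes\n"   # drift: policy wants 'no'
    )
    (root / "etc/motd").write_text("Authorised access only. Activity is logged.\n")
    (root / "etc/login.defs").write_text("PASS_MAX_DAYS 90\nPASS_MIN_LEN 12\n")
    sudoers = b"root ALL=(ALL) ALL\n"
    (root / "etc/sudoers").write_bytes(sudoers)
    known_good = hashlib.sha256(sudoers).hexdigest()   # baseline taken at build time

    rules = [
        Rule("ssh: no root login", "param", "etc/ssh/sshd_config", ("PermitRootLogin", "no")),
        Rule("ssh: keys only", "param", "etc/ssh/sshd_config", ("PasswordAuthentication", "no")),
        Rule("motd: legal warning", "contains", "etc/motd", ("Authorised access only",)),
        Rule("password: max age 90d", "param", "etc/login.defs", ("PASS_MAX_DAYS", "90")),
        Rule("sudoers: unchanged", "sha256", "etc/sudoers", (known_good,)),
    ]
    results = audit(rules, root)
    return results, compliance_pct(results)


if __name__ == "__main__":
    results, pct = demo()
    for r in results:
        print(f"[{'OK ' if r.compliant else 'FAIL'}] {r.rule}: {r.detail}")
    print(f"compliance: {pct:.0f}%")
```

Adding a new check means adding a method once and reviewing it once; adding a new rule means adding data, which is the split the slides argue for. The drifted `PasswordAuthentication` line is reported but not touched, which is the dry-run posture to keep until a full cycle of reports has been reviewed.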
Rudder - workflow
Flow diagram: Management defines the security policy; Expert / Community maintain the technical abstraction (method vs parameters) and push changes (fixes, upgrades...); Sysadmins configure parameters; the configuration agent performs the initial application and continuous verification; REPORTING closes the loop.
Final thoughts
Summary:
- Security compliance is a very demanding type of automation
- Possible today with open source tools
- Main issue is about how you use them!
Next steps?
- Authorizations: who can change which parameters? (law vs regulations vs policy...)
- Correlate with monitoring data: determine root causes, cross effects...
It works, but the tools can be improved:
- detect changes (inotify?) - even 1 minute is not always enough
- dry-run iterations automatically?
Questions?
Follow us on Twitter: @RudderProject
Jonathan CLARKE – jcl@normation.com