A Discussion of Automated Infrastructure Security with a Practical Example
1 like824 views
The document discusses the integration of security into DevOps practices to accelerate continuous delivery and address security challenges. It presents a case study of Acme Incorporated, detailing their transition from traditional security processes that delayed deployment to a more agile approach where security is embedded within CI/CD pipelines. Key strategies include collaboration among development, operations, and security teams, automated workload security, and the creation of 'golden' images with predefined security policies.
A Discussion of Automated Infrastructure Security with a Practical Example
- 1. DevOps.com and CloudPassage Continuous Infrastructure Compliance W. Jenks Gibbons | November 2, 2017
- 2. Is security a roadblock for continuous delivery? © 2017 CloudPassage2
- 3. © 2017 CloudPassage3 Traditional security tools Plan Code Build Test Release Deploy Operate security gate
- 4. © 2017 CloudPassage4 Re-align security to modern IT delivery security guardrails Plan Code Build Test Release Deploy Operate
- 5. © 2017 CloudPassage5 Continuous Security - DevSecOps PLAN • Map out types of systems • Design security policies • Define policy groups PEOPLE CREATE • Insert agent via CI build scripts, Gold Master images, etc. AUTOMATION PRE-PROD • Tag production artifacts with proper policy groups AUTOMATION CONFIGURE • Apply runtime policies • SVA, CSM, SAM • Firewall, authentication • FIM, LIDS AUTOMATION MONITOR • Monitor production • Security events to SIEM • Audit data to GRC • Metrics to reporting • Visualize traffic and connections • Scope new vulnerabilities AUTOMATION & PEOPLE VERIFY • Verify security of builds • SVA, CSM, SAM • Generate FIM baselines AUTOMATION
- 6. Case Study Acme Incorporated: Current State • Development and Operations: understand the needs of the business units • Development and Operations: work together on their area of responsibility independently of other teams • Continuous Integration / Continuous Delivery (CICD) • Deliver features multiple times a day • Delivery does not require external approval • Deployment requires Security Operations approval © 2017 CloudPassage Confidential6
- 7. Case Study Acme Incorporated: Current Problem • Individual teams are unable to deploy at the at the speed of the business units • Security is blocking deployment • Examples: • Security must confirm there are no vulnerabilities in the image (5 day SLA) • Security must confirm the image is configured to meet compliance requirements (5 day SLA) • Security must create an image baseline for file integrity monitoring (5 day SLA) • Firewall changes for new workloads (5 day SLA) © 2017 CloudPassage Confidential7
- 8. Case Study Acme Incorporated: Current Problem • Delivery: many times a day • Delivery team: autonomous • Deployment team: autonomous • Deployment approval: multiple teams • Deployment approval: more than 5x the time to deliver and deploy © 2017 CloudPassage Confidential8
- 9. © 2017 CloudPassage9 DevOps delivery pipeline – before security automation PEOPLE Code Done AUTOMATION TOOL CHAIN
- 10. © 2017 CloudPassage10 DevOps delivery pipeline – before security automation Hours
- 11. Case Study Acme Incorporated: Solution • Add a Security Operations team member to the Development and Operations feature teams • Add security to the pipeline © 2017 CloudPassage Confidential11
- 12. Case Study Acme Incorporated: Solution - Plan • Development, Operations and Security Operations are now working together in autonomous feature teams • OS image – the teams will work together to design and create a known “golden” image for each platform • Workloads (e.g. VMs, hosts, servers) are are grouped together: • Jenkins Master • Jenkins Slaves • Git • Web • DB • PCI complaint • HIPAA compliant © 2017 CloudPassage Confidential12
- 13. Case Study Acme Incorporated: Solution - Plan • Groups are assigned security policies: • Software Vulnerability Assessment (SVA) • Configuration Security Monitoring (CSM) • File Integrity Monitoring (FIM) • Microsegmentation • Log-based Intrusion Detection (LIDS) © 2017 CloudPassage Confidential13
- 14. Case Study Acme Incorporated: Solution - Create • Enable automated workload security by integrating it into the pipeline • Install a small security agent on the workload. • Ansible • Chef • PowerShell • Puppet • “bake” into image • Ensure the agent works • in any environment • at any scale • on demand • and offers a broad range of controls © 2017 CloudPassage Confidential14
- 15. Case Study Acme Incorporated: Solution - Pre-Production • When workloads boot • Tag the workload with the proper group • Security policies applied automatically • Security simply goes along for the ride © 2017 CloudPassage Confidential15
- 16. Case Study Acme Incorporated: Solution – Verify • Security verification is built into the CICD Pipeline • During CI • Code analysis • Unit, smoke, functional … tests • Workload security tests • SVA scan • CSM scan • Success and failures are based on critical failures • Check results into Git – audit trail © 2017 CloudPassage Confidential16
- 17. Case Study Acme Incorporated: Solution – Verify • Workload security tests (cont.) • On fail • Kill instance • Fix issues • Check-in to kick-off CI - shorten feedback loop • On pass – deploy • take FIM baseline • move from a Pre-Production to a Production security group © 2017 CloudPassage Confidential17
- 18. Case Study Acme Incorporated: Solution – Monitor • Separate CI build job • At specified intervals • SVA scan • CSM scan • FIM scan • Any critical issues to Slack, JIRA, ServiceNow … © 2017 CloudPassage Confidential18
- 19. © 2017 CloudPassage19 DevOps delivery pipeline – after security automation Minutes
- 20. © 2017 CloudPassage20 DevOps delivery pipeline - after security automation PEOPLE Code Notify Done Source control Commit CI/CD master Trigger CI/CD slave Build Test Pass? CloudPassage Halo Scan Baseline Monitor Artifact registry Store Infrastructure Update Y N
- 21. © 2017 CloudPassage21 Practical Example • Git • Jenkins • Slack • Chef
- 22. © 2017 CloudPassage22 Check-In Developer makes a change to code, or to infrastructure (e.g. golden image)
- 23. © 2017 CloudPassage23 Jenkins A web-hook is then configured to kick off a build in Jenkins. This could be a code change or an infrastructure change.
- 24. © 2017 CloudPassage24 Slack Jenkins sends notifications to Slack – shorten the feedback loop.
- 25. © 2017 CloudPassage25 Jenkins, Chef, Test Kitchen, Security Tools • EC2 Test Kitchen – launch golden image • Chef – install lightweight security agent • Python – API calls to security tools python /home/jenkins/workload_security_analysis.py python /home/jenkins/deploy.py
- 26. © 2017 CloudPassage confidential26 Git – Audit Trail If the build succeeds or fails an audit report can be created and checked into Git.
- 27. © 2017 CloudPassage27 Patch – “Golden Image” Using the results of the workload security analysis from the audit report the golden image can be patched.
- 28. © 2017 CloudPassage28 Create New Golden Image and Check in as Code
- 29. © 2017 CloudPassage29 Notification, Audit Trail