automating security policies
play

Automating security policies From deployment to auditing with - PowerPoint PPT Presentation

Sep 27, 2022 •42 likes •282 views

Automating security policies From deployment to auditing with Rudder Jonathan CLARKE jcl@normation.com Normation CC-BY-SA normation.com Who am I ? Jonathan Clarke Job: Co-founder and CTO at Normation Line of work:

  1. Automating security policies From deployment to auditing with Rudder Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com

  2. Who am I ? ● Jonathan Clarke Job: Co-founder and “CTO” at Normation ● Line of work: ● Initially system administration, infrastructure management... – Now automating all that! (+ paperwork...) – Free software: ● Co-creator of Rudder – Developer in several LDAP projects: LSC, LTB, OpenLDAP … – Contributor to CFEngine – Contact info Email: jcl@normation.com Twitter: @jooooooon42 (that's 7 'o's!) 2 Normation – CC-BY-SA normation.com

  3. Context IT infrastructure 3 Normation – CC-BY-SA normation.com

  4. Context IT infrastructure Automation 4 Normation – CC-BY-SA normation.com

  5. Context IT infrastructure Automation Motivations: Avoid Build new Rebuild hosts Scale out human error hosts quickly quickly quickly 5 Normation – CC-BY-SA normation.com

  6. Context IT infrastructure Automation Tools: 6 Normation – CC-BY-SA normation.com

  7. What about compliance? IT infrastructure Compliance? 7 Normation – CC-BY-SA normation.com

  8. What about compliance? IT infrastructure Compliance? Motivations: Get a Get an Know about Prove complete objective config drift compliance overview overview 8 Normation – CC-BY-SA normation.com

  9. What about compliance? IT infrastructure Compliance to what? 9 Normation – CC-BY-SA normation.com

  10. What about compliance? IT infrastructure Compliance to what? Rules come from everywhere: Industry Corporate Laws Best practices regulations regulations 10 Normation – CC-BY-SA normation.com

  11. What about compliance? IT infrastructure Compliance to what? Practical examples Enforce some MOTD Password Tripwire parameters “warning” policy (disk contents) in a service 11 Normation – CC-BY-SA normation.com

  12. How is this different from “just” automation? Automation vs Compliance How different is this technically? 12 Normation – CC-BY-SA normation.com

  13. How is this different from “just” automation? Frequency The more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, Run “slow” Focus on the checks in the security checks efficient agent background (file copying Reporting can over network...) be done later 13 Normation – CC-BY-SA normation.com

  14. How is this different from “just” automation? All or nothing Compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Support all the Make sure you Two systems may know what {old,weird,buggy, be alike on paper, systems exist: new,”different”} they very rarely rely on an {OS,software, are in reality. inventory DB versions} 14 Normation – CC-BY-SA normation.com

  15. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + Prebook flight to Cayman islands? 15 Normation – CC-BY-SA normation.com

  16. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff Start with no changes. Classic you don't need to. Just check. Dry-run? quality Be specific. control Cover full cycles (reviews...) (One line in a file?) (days, weeks, months...) 16 Normation – CC-BY-SA normation.com

  17. The result 100% 17 Normation – CC-BY-SA normation.com

  18. So, what have we actually done? Applied these principles in 18 Normation – CC-BY-SA normation.com

  19. Introducing Rudder Rudder's goal is to provide a Key values Plug and play plug-and-play solution, that is Open source extendable to automate Simple IT infrastructure , Smart however complex (or not) . Works out-of-the-box Combine thanks to proven tools smart default settings and best practices Extendable via modules to extend their adoption for flexibility and integration 19 Normation – CC-BY-SA normation.com

  20. Introducing Rudder http://www.rudder-project.org/ Simplified user experience Specifically designed for via a Web UI automation & compliance Based on CFEngine 3 Graphical reporting Pre-packaged for all Open Source supported OSes Vagrant config to test: https://github.com/normation/rudder-vagrant/ 20 Normation – CC-BY-SA normation.com

  21. Key points for security compliance Continuous checking High freqency, trust in Every 5 minutes compliance reporting Reuse implementations, Separate configuration less bugs, shared code... from implementation Clear separation of roles Cover as many systems Multi-platform as possible Linux, Unix, Windows, Android... Reporting Avoid bottleneck Done after the checks, Different report types separate process 21 Normation – CC-BY-SA normation.com

  22. Rudder - workflow Define Changes security policy (fixes, upgrades...) Management REPORTING Technical abstraction c c (method vs parameters) Community Expert Configure parameters Sysadmins Initial application Continuous verification Configuration agent 22 Normation – CC-BY-SA normation.com

  23. Final thoughts Summary: - Security compliance is a very demanding type of automation - Possible today with open source tools - Main issue is about how you use them! Next steps? - Authorizations: who can change which parameters? (law vs regulations vs policy...) - Correlate with monitoring data: determine root causes, cross effects... It works but the tools can be improved: - detect changes (inotify?) - even 1 minute not always enough - dry-run iterations automatically? 23 Normation – CC-BY-SA normation.com

  24. Questions? Follow us on Twitter: @RudderProject Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems And what happens if they do CS 239 something else Security for Networks and And whos responsible for making sure System Software thats

245 views • 3 slides
Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) & MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Security Summer 2016 Cornell University 1 Today Security policies Enforcement

Security Summer 2016 Cornell University 1 Today Security policies Enforcement

CS 4410 Operating Systems Security Summer 2016 Cornell University 1 Today Security policies Enforcement Authenticating people Passwords 2 Security policy Security policies prescribe what must be done and what must not be

431 views • 13 slides
Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats Security policies Confidentiality Policies Policy The Bell-LaPadula Model Specification Integrity Policies The Biba

698 views • 49 slides
Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems

Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems

Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 2 Page 1 CS 236 Online Outline Security design principles Security policies Basic concepts Security

419 views • 12 slides
SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security Project 4. Next Steps With SCAP 5. Summary

388 views • 23 slides
Security Policies CS461/ECE422 Computer Security I Fall 2009 -1 Overview Natural language

Security Policies CS461/ECE422 Computer Security I Fall 2009 -1 Overview Natural language

Security Policies CS461/ECE422 Computer Security I Fall 2009 -1 Overview Natural language policies Example policies Implementation policies High level Low level -2 Reading Material Computer Security,

764 views • 40 slides
How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

WEBINAR How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security for API-based Services Welcome and Introductions Elias Terman Chandan Golla Shan Zhou VP of Global Marketing Head of Product Management

506 views • 34 slides
Security Policies EGI OMB meeting 27 July 2017 David Kelsey (STFC/RAL) www.egi.eu EGI-Engage

Security Policies EGI OMB meeting 27 July 2017 David Kelsey (STFC/RAL) www.egi.eu EGI-Engage

Updated (VO) Community Security Policies EGI OMB meeting 27 July 2017 David Kelsey (STFC/RAL) www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 EGI security policies

319 views • 12 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian Roth , Timothy Barron, Stefano Calzavara, Nick Nikiforakis & Ben Stock Network and Distributed System Security Symposium (NDSS '20) Cross-Site

878 views • 31 slides
More Enforceable Security Policies by Lujo Bauer, Jarred Ligatti and David W alker Presented by

More Enforceable Security Policies by Lujo Bauer, Jarred Ligatti and David W alker Presented by

More Enforceable Security Policies by Lujo Bauer, Jarred Ligatti and David W alker Presented by Khoo Yit Phang April 21, 2008 To Build Secure Systems... 1.What sort of security policies can and should w e demand of our system? 2.What mechanism

325 views • 15 slides
CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Security Policies Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a

532 views • 41 slides
Automating batch fecundity measurements Automating batch fecundity measurements using digital

Automating batch fecundity measurements Automating batch fecundity measurements using digital

W orking Group on Acoustic and Egg Surveys for Sardine and Anchovy in I CES Areas VI I I and I X, Nantes, 2 4 -2 8 / 1 1 / 2 0 0 8 Automating batch fecundity measurements Automating batch fecundity measurements using digital image analysis

391 views • 13 slides
ddurkee@connectingpoint.biz Security Policies Who has them? Do we need them? Wireless

ddurkee@connectingpoint.biz Security Policies Who has them? Do we need them? Wireless

Dan Durkee, Executive VP\Partner\Network Engineer Connecting Point Computer Center 303 S Third St, Bismarck, ND 58504 ddurkee@connectingpoint.biz Security Policies Who has them? Do we need them? Wireless Encryption Where have we

1.68k views • 56 slides
Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of Informatics The University of Edinburgh Monday 17 March 2008 Semester 2 Week 11 Coursework Statistics Total of 30 submissions, with all topics

554 views • 23 slides
AIST GRID CA Updates APGrid PMA meeting, Nov. 29, 2005 Yoshio Tanaka (yoshio.tanaka@aist.go.jp

AIST GRID CA Updates APGrid PMA meeting, Nov. 29, 2005 Yoshio Tanaka (yoshio.tanaka@aist.go.jp

AIST GRID CA Updates APGrid PMA meeting, Nov. 29, 2005 Yoshio Tanaka (yoshio.tanaka@aist.go.jp yoshio.tanaka@aist.go.jp) ) Yoshio Tanaka ( Grid Technology Research Center, Grid Technology Research Center, AIST, Japan Japan AIST, National

256 views • 13 slides
Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter 7: Unix Security Chapter 7: 2 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix

667 views • 62 slides
System Configuration as a Privilege Glenn Wurster , Paul C. van Oorschot School of Computer

System Configuration as a Privilege Glenn Wurster , Paul C. van Oorschot School of Computer

System Configuration as a Privilege Glenn Wurster , Paul C. van Oorschot School of Computer Science Carleton University, Canada HotSec 2009 11 Aug 2009 Glenn Wurster, Paul C. van Oorschot System Config Privilege 1/ 19 1 The Configuration

526 views • 19 slides
Isn't it Ironic? Managing a bare metal cloud Devananda van der Veen twitter: @devananda

Isn't it Ironic? Managing a bare metal cloud Devananda van der Veen twitter: @devananda

Isn't it Ironic? Managing a bare metal cloud Devananda van der Veen twitter: @devananda devananda.github.io/talks/isnt-it-ironic.html Who am I Master Engineer at HP OpenStack Ironic PTL OpenStack Technical Committee What we're going to talk

625 views • 40 slides
1 Grading Policy Homework and Projects Homework 15% Homeworks: 7 homework

1 Grading Policy Homework and Projects Homework 15% Homeworks: 7 homework

Course Information CS/ECE 438, CSE 425 Instructor Communication Networks Prof. Nikita Borisov Office Hours: 460 CSL, 244-5385 10-12 Tuesdays nikita@uiuc.edu or by appointment TA Nikita Borisov Monika Battala,

342 views • 9 slides
Device connection and startup 1 computer startup startup via network bootp

Device connection and startup 1 computer startup startup via network bootp

Device connection and startup 1 computer startup startup via network bootp connection to the network 2 when powered on the CPU sets the PC (program counter) on a predefined value challenge: what value is the PC set to on an

590 views • 41 slides
The plan Intro: LOCAL model, synchronicity, Bellman- Ford Network Algorithms Subdiameter

The plan Intro: LOCAL model, synchronicity, Bellman- Ford Network Algorithms Subdiameter

The plan Intro: LOCAL model, synchronicity, Bellman- Ford Network Algorithms Subdiameter algorithms: independent sets and matchings CONGEST model: pipelining, more matching, Boaz Patt-Shamir lower bounds Tel Aviv University 1 2

312 views • 16 slides

More recommend