DevOps, Security, and Compliance: Working in Unison
Elizabeth Lawler, Co-Founder & CEO
About me: I like…
“Machine” identity and access management at scale
Mapping compliance requirements to next generation IT systems
Building a business
My kids, dog, cat, chickens, and my husband
DEVOPS, SECURITY & COMPLIANCE: WORKING IN UNISON
DevOps transformations: Domains of change

Organization
• Multidisciplinary teams: Engineering, Operations, Security, Product Owner
• Tight feedback loops
• Strong business decision alignment

Methodology
• Metricing
• Continuous review and improvement (post-mortems)
• Automate process steps
• Version everything
• Automate testing

Technology
• Version control systems
• Configuration management
• Systems for moving from build to deploy to test to release
• Elastic computing environments
Why Change?

Reduce Costs
• Close data centers and move to cloud
• Replace people with automated processes

Reduce Time to Market
• Automate production deployments
• Smaller, more frequent changes provide real-time customer feedback (split A/B)

Reduce Risk
• Move security left: add more security checks into the automation workflow
• Rapid deployment of patches
It Takes a Team Effort
Collaboration between business, compliance, and engineering to:
1. Understand and communicate risks
2. Respond accordingly
3. Improve continuously
while:
1. Remaining agile
“Every modern industry with the potential to impact public safety, human life, or national security has matured to the rigor that looks like a supply chain... except for software… Do we have good building codes for building software?”
- Josh Corman, Co-Founder, Rugged Ops
Source: Josh Corman, Continuous Integrations with a software supply chain, DevOps Days 2015, Washington D.C.
Common “Technical” Advantages of DevOps
Continuous monitoring and logging
Engagement of security stakeholders earlier in the application development process
Increasing number of tools available for code analysis and supply chain control
Common Security Issues in DevOps
• New to market tooling
• Open-source tooling which lacks security controls
• Lack of organizational understanding of DevOps practices
• Inability to enforce good security practices in opaque or internally unmonitored systems
• Strong reliance on external tooling or infrastructure (security exposure beyond internal IT systems)
• Lack of checkpoints or segregation of duties
Why is “compliance” in DevOps business?
DevOps adoption is of strategic value to the business
The processes, tools and techniques are in the spotlight from a security and compliance perspective
Let’s Get Started
Knowledge Transfer:
Security, Compliance and Engineering need to speak a common language
Planning for Continuous Security and Compliance
Get management buy-in to include security and compliance work in the normal planning and delivery processes
Plan and work with stories. Story #1: “Meet the compliance team” [Spike]
[Cycle diagram: Get buy-in → Plan → Improve]
Most of the time it is Alphabet Soup
HIPAA, NIST-CSF, SOX, PCI, PIPEDA

Example from the NIST CSF (Identify / Asset Management):
ID.AM-2: Software platforms within the organization are inventoried
  Informative references: CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  Informative references: COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
Language barriers between security and engineering

Controls framework (NIST CSF function) | Analogous control activities & services for operators
● Identify | Asset Management (CMDB)
● Protect  | Network Security, Authentication, Key Management
● Detect   | Log Aggregation and Reporting
● Respond  | Alerting, Incident Communication and Escalation Plan
● Recover  | Post-mortems, metrics tracking (e.g., MTTD, MTTR)
Example Security and Compliance Goal: Certify the security of the CI/CD pipeline
[Pipeline diagram: Developer (dev team) → Check (dev team, tools, & tools admins) → Deploy (dev team, tools, tools admins, & operators) → Infrastructure]
The Challenge: Moving from People Process to Automation

                 | Legacy IT era                       | Automation
Complexity       | Known # of identifiable components  | 100s-1000s system components
Provisioned by   | People, +/- approvals, traceable    | Code, ? approvals, ? traceable
Provisioned in   | days-weeks                          | seconds-minutes
Threat concerns  | Insiders                            | Tampered code or build systems

Timeline: Mainframe → Client/Server → Web → Containerized → Cloud
Comprehensive Inventory is a Common Control Gap
An inventory of authorized and unauthorized devices is known, or can be evaluated, in a traditional IT environment. In ephemeral environments that no longer holds:
1) Ephemeral IT infrastructure (cloud and containers) makes time an important factor in understanding inventory
2) Launching or scaling infrastructure is initiated by automated processes
3) Multiple versions can be in deployment simultaneously and need to be tracked in parallel
[Diagram: a load balancer fronting running "App" instances alongside "New" instances, all provisioned by tools]
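To make the time dimension concrete, here is an added example (not from the deck): a small Ruby script that replays a launch/terminate event stream to answer three questions an auditor will ask of an elastic environment: what was running at time T, which versions were in service side by side, and which instances were not launched by an authorized automation identity. The event format, the identities deploy-pipeline, autoscaler and alice@dev, and the sample events are all constructed for illustration.

```ruby
# Added example, not from the deck: derive a point-in-time inventory of
# ephemeral instances by replaying launch/terminate events.
# The event format, the authorized automation identities, and the sample
# events below are all constructed for illustration.
require "time"

# Identities permitted to launch infrastructure (assumption).
AUTHORIZED_LAUNCHERS = %w[deploy-pipeline autoscaler].freeze

# Constructed event stream: [timestamp, action, instance id, app version, launched_by]
EVENTS = [
  ["2016-05-01T09:00:00Z", "launch",    "i-001", "app:1.3", "deploy-pipeline"],
  ["2016-05-01T09:00:00Z", "launch",    "i-002", "app:1.3", "deploy-pipeline"],
  ["2016-05-01T10:00:00Z", "launch",    "i-003", "app:1.4", "deploy-pipeline"],
  ["2016-05-01T10:00:00Z", "launch",    "i-004", "app:1.4", "deploy-pipeline"],
  ["2016-05-01T10:10:00Z", "launch",    "i-005", "app:1.4", "autoscaler"],
  ["2016-05-01T10:20:00Z", "launch",    "i-099", "app:1.4", "alice@dev"],      # launched by hand
  ["2016-05-01T10:30:00Z", "terminate", "i-001", nil,       "deploy-pipeline"], # 1.3 drained
  ["2016-05-01T10:30:00Z", "terminate", "i-002", nil,       "deploy-pipeline"],
  ["2016-05-01T11:00:00Z", "terminate", "i-005", nil,       "autoscaler"],      # scaled in
].freeze

Instance = Struct.new(:id, :version, :launched_by, :launched_at)

# Replays every event at or before `at` (ISO 8601) and returns the instances
# that were live at that instant. The same event log yields a different
# inventory for a different `at`: time is part of the question.
def inventory_at(events, at)
  cutoff = Time.iso8601(at)
  live = {}
  events
    .map { |t, action, id, version, by| [Time.iso8601(t), action, id, version, by] }
    .select { |ts, *_| ts <= cutoff }
    .sort_by { |ts, *_| ts }
    .each do |ts, action, id, version, by|
      case action
      when "launch"    then live[id] = Instance.new(id, version, by, ts)
      when "terminate" then live.delete(id)
      end
    end
  live.values
end

# Versions in service side by side, with instance counts per version.
def versions_in_service(instances)
  instances.group_by(&:version).transform_values(&:size)
end

# Instances launched by something other than an authorized automation identity.
def unauthorized_instances(instances)
  instances.reject { |i| AUTHORIZED_LAUNCHERS.include?(i.launched_by) }.map(&:id).sort
end

if __FILE__ == $PROGRAM_NAME
  %w[2016-05-01T10:15:00Z 2016-05-01T10:45:00Z].each do |at|
    inv = inventory_at(EVENTS, at)
    puts "#{at}: #{inv.size} live, versions #{versions_in_service(inv)}, " \
         "unauthorized #{unauthorized_instances(inv)}"
  end
end
```

At 10:15 the answer is five instances across two versions and nothing unauthorized; at 10:45 the 1.3 instances are gone, four 1.4 instances remain, and i-099 stands out because its launcher is a person rather than the pipeline or autoscaler. The point for an audit is that "the inventory" is a query over a time-stamped event log, not a static list.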
Gap analysis for a CI/CD pipeline
[Pipeline diagram: Developer (dev team) → Check (dev team, tools, & tools admins) → Deploy (dev team, tools, tools admins, & operators) → Infrastructure]
Control Example: Domain Access Control (PR.AC)
Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Subcontrol PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
Applies to (informative references):
● CCS CSC 12, 15
● ISA 62443-2-1:2009 4.3.3.7.3
● ISA 62443-3-3:2013 SR 2.1
● ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
● NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
Potential Remediation Approaches for a CI/CD pipeline
Securing Your Pipeline
● Create identities for testing systems
● Manage developer access to testing systems (e.g., Jenkins)
● Remove secrets from source code
● Manage secrets in configuration files
● Restrict access to identifying hashes for build products and artifacts
● Log build activities with relevant identities and hashes to establish an audit trail
Gap Analysis
Current state: Any Developer
Universal access to Jenkins by developers
Embedded shared system credentials
Reporting?
Audit?
Example: Jenkins Logs
Are they archived?
Are they modifiable?
Can they be rotated out of existence?
Is this good enough?
Can you prove least privilege or separation of duties in this part of the pipeline?
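One way to answer "are they modifiable?" with a control rather than a policy statement is a tamper-evident log. The following is an added example, not from the deck or from Conjur, of a hash-chained build audit log in Ruby: every entry carries the acting identity and the artifact hash (the two things the remediation slide says to log), plus the hash of the previous entry, so a rewritten actor or a deleted entry fails verification. Field names, the actor identities (alice@dev, jenkins/payments-api, release-bot, bob@project-team-admins) and the sample events are constructed for illustration.

```ruby
# Added example, not from the deck: a tamper-evident build audit log.
# Each entry records the acting identity and the artifact hash and is chained
# to the previous entry's hash, so editing or dropping an entry is detectable
# on verification. Field names, identities and sample events are constructed.
require "digest"
require "json"

BuildEvent = Struct.new(:seq, :timestamp, :actor, :action, :job, :artifact_sha256,
                        :prev_hash, :entry_hash, keyword_init: true)

class BuildAuditLog
  GENESIS = "0" * 64 # prev_hash of the first entry

  attr_reader :entries

  def initialize
    @entries = []
  end

  # Append-only: the only way to add history is through this method.
  def record(timestamp:, actor:, action:, job:, artifact_sha256: nil)
    event = BuildEvent.new(
      seq: @entries.size, timestamp: timestamp, actor: actor, action: action,
      job: job, artifact_sha256: artifact_sha256,
      prev_hash: @entries.empty? ? GENESIS : @entries.last.entry_hash, entry_hash: nil
    )
    event.entry_hash = self.class.digest(event)
    @entries << event
    event
  end

  # Hash over a canonical serialization of every field except the hash itself.
  def self.digest(e)
    Digest::SHA256.hexdigest(
      [e.seq, e.timestamp, e.actor, e.action, e.job, e.artifact_sha256, e.prev_hash].to_json
    )
  end

  # Returns the positions that fail verification ([] means the chain is intact).
  # A rewritten field changes that entry's hash; a removed entry breaks the
  # sequence numbers and the prev_hash link of everything after it.
  def self.verify(entries)
    expected_prev = GENESIS
    failures = []
    entries.each_with_index do |e, i|
      failures << i if e.seq != i || e.prev_hash != expected_prev || digest(e) != e.entry_hash
      expected_prev = e.entry_hash
    end
    failures
  end
end

ARTIFACT = Digest::SHA256.hexdigest("payments-api-1.4.2.jar") # stands in for a real build product

# Constructed sample matching the "after" roles: a bot tags, an admin promotes.
def sample_log
  log = BuildAuditLog.new
  log.record(timestamp: "2016-05-01T10:00:00Z", actor: "alice@dev", action: "commit", job: "payments-api")
  log.record(timestamp: "2016-05-01T10:05:00Z", actor: "jenkins/payments-api", action: "build",
             job: "payments-api", artifact_sha256: ARTIFACT)
  log.record(timestamp: "2016-05-01T10:06:00Z", actor: "release-bot", action: "tag_release",
             job: "payments-api", artifact_sha256: ARTIFACT)
  log.record(timestamp: "2016-05-01T10:30:00Z", actor: "bob@project-team-admins", action: "promote_to_prod",
             job: "payments-api", artifact_sha256: ARTIFACT)
  log
end

def copy_entries(log)
  log.entries.map { |e| BuildEvent.new(**e.to_h) }
end

# Someone rewrites who promoted the release.
def tampered_entries(log)
  entries = copy_entries(log)
  entries[3].actor = "alice@dev"
  entries
end

# An entry is "rotated out of existence".
def truncated_entries(log)
  entries = copy_entries(log)
  entries.delete_at(2)
  entries
end

if __FILE__ == $PROGRAM_NAME
  log = sample_log
  puts "intact:    #{BuildAuditLog.verify(log.entries).inspect}"
  puts "tampered:  #{BuildAuditLog.verify(tampered_entries(log)).inspect}"
  puts "truncated: #{BuildAuditLog.verify(truncated_entries(log)).inspect}"
end
```

This detects after-the-fact modification of a copy you hold; it does not by itself stop an administrator of the logging host from rewriting the whole chain from the genesis entry onward. Shipping entries (or at least periodic chain heads) to a store that the Jenkins admins cannot write to is what turns the hash chain into a control that holds up under the "are they modifiable?" question.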
Where do you fall on the spectrum? Example: the four NIST CSF Implementation Tiers
TIER 1 - Partial
TIER 2 - Risk Informed
TIER 3 - Repeatable
TIER 4 - Adaptive (Automated)
Remediation - Separation of Duties and Least Privilege

CI role          | Before     | After
Commit           | Developers | Developers
Manage build job | Developers | Project team admins
Initiate build   | Developers | Project team developers
Tag release      | Developers | Release-bot (non-human actor)
Promote to Prod  | Developers | Project team admins
Access to Prod   | Developers | No standing access
Automation Benefits: continuous delivery of security

Example compliance control: PR.AC-1: Identities and credentials are managed for authorized devices and users

Static or active analysis: Processes and procedures for managing identities and credentials are documented
• Static analysis: compliance procedures like checklists with sign-off and authorization forms
• Active analysis: tooling provides wizards to gate processes, audit logs of activities, and dashboards for reporting views that act as a real-time audit

Events: hire a new person; provision a new device; elevate authorization for a system admin
Test and Verify: Example using cucumber (also InSpec)
Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production
Source: The Journey to DevSecOps, Shannon Lietz, 2016
Cycle for NIST control PR.AC-4:
1. Describe compliance in plain English
2. What do you have in place / plan to have in place?
3. Describe passing scenarios
4. Write tests in Ruby and run them (FAIL)
5. Write code that leads to the pass state
Source: Audit Compliance with BDD tools, Kevin O’Brien, Conjur blog
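As an added example (not from the deck or the Conjur blog post it cites), the Before/After role table above and the PR.AC-4 cycle expressed as executable checks. It is written as plain Ruby rather than cucumber step definitions so that it runs without the gem; the scenario text is shown as a comment in the shape a .feature file would take. The conflict pairs, the list of human roles, and the exact action names are assumptions chosen for illustration, not the deck's policy.

```ruby
# Added example, not from the deck or the Conjur blog post it cites: PR.AC-4
# (least privilege, separation of duties) as executable checks in the
# Given/When/Then spirit of cucumber, written as plain Ruby so it runs
# without the cucumber gem. Role and action names follow the deck's
# Before/After table; conflict pairs and the human-role list are assumptions.

# Plain-English scenario (what the .feature file would say):
#   Given the CI role assignments for a project
#   When I check separation of duties and least privilege
#   Then no human role both commits code and promotes it to production
#   And no human role manages the build job for code it commits
#   And no human role both initiates builds and promotes to production
#   And no human role has standing access to production
#   And release tagging is done by a non-human actor

HUMAN_ROLES = %w[developers project-team-developers project-team-admins].freeze

# Action => roles holding it. Before: any developer can do everything.
BEFORE = {
  "commit"           => %w[developers],
  "manage_build_job" => %w[developers],
  "initiate_build"   => %w[developers],
  "tag_release"      => %w[developers],
  "promote_to_prod"  => %w[developers],
  "access_prod"      => %w[developers],
}.freeze

# After: duties split across roles, tagging by a bot, no standing prod access.
AFTER = {
  "commit"           => %w[developers],
  "manage_build_job" => %w[project-team-admins],
  "initiate_build"   => %w[project-team-developers],
  "tag_release"      => %w[release-bot],
  "promote_to_prod"  => %w[project-team-admins],
  "access_prod"      => [],
}.freeze

# Action pairs a single human role must not hold together (assumption).
CONFLICTING_PAIRS = [
  %w[commit promote_to_prod],
  %w[commit manage_build_job],
  %w[initiate_build promote_to_prod],
].freeze

# Separation of duties: a human role holding both halves of a conflicting pair.
def separation_of_duties_violations(assignments)
  CONFLICTING_PAIRS.flat_map do |a, b|
    both = assignments.fetch(a, []) & assignments.fetch(b, []) & HUMAN_ROLES
    both.map { |role| "#{role} holds both #{a} and #{b}" }
  end
end

# Least privilege: no standing production access, tagging only by non-human actors.
def least_privilege_violations(assignments)
  violations = []
  standing = assignments.fetch("access_prod", []) & HUMAN_ROLES
  violations << "standing production access: #{standing.join(', ')}" unless standing.empty?
  taggers = assignments.fetch("tag_release", []) & HUMAN_ROLES
  violations << "release tagging by human role: #{taggers.join(', ')}" unless taggers.empty?
  violations
end

# Pass/fail plus the reasons, rendered as text an auditor can read (not just JSON).
def pr_ac_4_report(assignments)
  violations = separation_of_duties_violations(assignments) + least_privilege_violations(assignments)
  status = violations.empty? ? "PASS" : "FAIL"
  lines = ["PR.AC-4 #{status}"] + violations.map { |v| "  - #{v}" }
  { status: status, violations: violations, text: lines.join("\n") }
end

if __FILE__ == $PROGRAM_NAME
  puts pr_ac_4_report(BEFORE)[:text]
  puts pr_ac_4_report(AFTER)[:text]
end
```

Run against BEFORE the report fails with five named violations (three separation-of-duties conflicts, standing production access, human release tagging); run against AFTER it passes. Pointing the same functions at the role assignments exported from the real CI system instead of the literal hashes is what turns the slide's "can you prove least privilege?" into a test that runs on every pipeline change.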
Communication Pitfall: JSON is not a “report”
Repeatable, Reliable, Fast
Auditable, Reportable
Focus on what is high-value to the business
Most commonly, infrastructure security risks (whether from insider threats, misadventures of well-meaning IT professionals, or breaches and APTs) come down to:
1. Access control
2. Management of virtual assets and inventories
3. Credentials and shared accounts, which are common attack vectors
If you can automate and abstract these three things, you can mitigate much of the risk in your organization. That is VALUE to the business.
Don’t get dinged on an Audit
• User identities not provided by the enterprise master user directory (e.g., AD)
• Infrastructure credentials not actually rotated:
  - Cloud credentials
  - Backdoor SSH keys
  - User SSH keys
  - SSL certificates
• Least privilege access not implemented in practice; excessive trust in personnel
• Impermanent audit log retention
• Reliance on authentication rather than authorization
• Using tools “not fit for purpose” (e.g., using private source control repos to store secrets and credentials)
Build it in incrementally: www.10factor.ci

Thank You
Elizabeth Lawler, @ElizabethLawler
conjur.net

“It takes a village”... Thank you
Kevin Gilpin, Stacy McAuliffe, Christopher Farnham, Steve Coplan, Josh Bregman, Andy Ellicott, Dustin Collins and the rest of the team at Conjur