DevOps, Security, and Compliance WORKING IN UNISON

Posted: 13-Feb-2017

TRANSCRIPT

Page 1: DevOps, Security, and Compliance

DevOps, Security, and Compliance: Working in Unison

Page 2

Elizabeth Lawler, Co-Founder & CEO

About me: I like…

● “Machine” identity and access management at scale

● Mapping compliance requirements to next generation IT systems

● Building a business

● My kids, dog, cat, chickens, and my husband

Page 3

DEVOPS, SECURITY & COMPLIANCE: WORKING IN UNISON

DevOps transformations: Domains of change

Organization

● Multidisciplinary Teams: Engineering, Operations, Security, Product Owner

● Tight Feedback Loops

● Strong Business Decision Alignment

Methodology

● Metrics

● Continuous Review and Improvement (Post-mortems)

● Automate process steps

● Version Everything

● Automate Testing

Technology

● Version control systems

● Configuration Management

● Systems for moving through build, deploy, test, and release

● Elastic Computing Environments

Page 4

Why Change?

Reduce Costs

• Close data centers and move to cloud

• Replace people with automated processes

Reduce Time to Market

• Automate production deployments

• Smaller, more frequent changes provide real-time customer feedback (Split A/B)

Reduce Risk

• Move security left: add more security checks into the automation workflow

• Rapid deployment of patches

Page 5

It Takes a Team Effort

Collaboration between business, compliance, and engineering to:

1. Understand and communicate risks

2. Respond accordingly

3. Improve continuously

while:

1. Remaining agile

Page 6

“Every modern industry with the potential to impact public safety, human life, or national security has matured to the rigor that looks like a supply chain...except for software… Do we have good building codes for building software?”

- Josh Corman, Co-Founder, Rugged Ops

Source: Josh Corman, Continuous Integrations with a software supply chain, DevOps Days 2015, Washington D.C.

Page 7

Common “Technical” Advantages of DevOps

Continuous monitoring and logging

Engagement of security stakeholders earlier in the application development process

Increasing number of tools available for code analysis and supply chain control

Page 8

Common Security Issues in DevOps

• New to market tooling

• Open-source tooling which lacks security controls

• Lack of organizational understanding of DevOps practices

• Inability to enforce good security practices in opaque or internally unmonitored systems

• Strong reliance on external tooling or infrastructure (security exposure beyond internal IT systems)

• Lack of checkpoints or segregation of duties

Page 9

Why is “compliance” DevOps’ business?

DevOps adoption is of strategic value to the business.

The processes, tools and techniques are in the spotlight from a security and compliance perspective.

Page 10

Let’s Get Started

Page 11

Knowledge Transfer:

Security, Compliance and Engineering need to speak a common language

Page 12

Planning for Continuous Security and Compliance

GET BUY-IN → PLAN → IMPROVE

Get management buy-in to include security and compliance work in the normal planning and delivery processes.

Plan and work with stories. Story #1: “Meet the compliance team” [Spike]

Page 13

Most of the time it is Alphabet Soup: HIPAA, NIST-CSF, SOX, PCI, PIPEDA

Example: two NIST CSF subcategories with their informative references

ID.AM-2: Software platforms within the organization are inventoried

  CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

  COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Page 14

Language barriers between security and engineering

Controls framework function → Analogous Control Activities & Services for Operators

● Identify → Asset Management (CMDB)

● Protect → Network Security, Authentication, Key Management

● Detect → Log Aggregation and Reporting

● Respond → Alerting, Incident Communication and Escalation Plan

● Recover → Post-mortems, metrics tracking (e.g., MTTD, MTTR)

Page 15

Example Security and Compliance Goal: Certify the security of the CI/CD pipeline

[Diagram: pipeline stages and who has access at each. Developer → Dev team; Check: Dev team, tools, & tools admins; Deploy: Dev team, tools, tools admins, & operators. All stages run on shared INFRASTRUCTURE.]

Page 16

The Challenge: Moving from People Process to Automation

                 | LEGACY IT ERA                        | AUTOMATION
Complexity       | Known # of identifiable components   | 100s-1000s system components
Provisioned by   | People, +/- approvals, traceable     | Code; approvals? traceable?
Provisioned in   | days-weeks                           | seconds-minutes
Threat concerns  | Insiders                             | Tampered code or build systems

Timeline: Mainframe → Client/Server → Web → Containerized → Cloud

Page 17

Comprehensive Inventory is a Common Control Gap

An inventory of authorized and unauthorized devices is known, or can be evaluated, in a traditional IT environment. Not so with automation:

1) Ephemeral IT infrastructure (cloud and containers) makes time an important factor in understanding inventory

2) Launching or scaling infrastructure is initiated by automated processes

3) Multiple versions could be in deployment simultaneously and need to be tracked in parallel

[Diagram: a load balancer fronting two running App instances and two New instances being rolled out, alongside the tools that launched them]

Page 18

Gap analysis for a CI/CD pipeline

[Diagram: the same pipeline as page 15. Developer → Dev team; Check: Dev team, tools, & tools admins; Deploy: Dev team, tools, tools admins, & operators; shared INFRASTRUCTURE underneath.]

Page 19

Control Example: Domain Access Control (PR.AC)

Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Subcontrol PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties

Applies to (informative references)

● CCS CSC 12, 15

● ISA 62443-2-1:2009 4.3.3.7.3

● ISA 62443-3-3:2013 SR 2.1

● ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4

● NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

Page 20

Potential Remediation Approaches for a CI/CD pipeline

Securing Your Pipeline

● Create identities for testing systems

● Manage developer access to testing systems (e.g., Jenkins)

● Remove secrets from source code

● Manage secrets in configuration files

● Restrict access to identifying hashes for build products and artifacts

● Log build activities with relevant identities and hashes to establish an audit trail

Page 21

Gap Analysis

Current state: Any Developer

● Universal access to Jenkins by developers

● Embedded shared system credentials

● Reporting?

● Audit?

Example: Jenkins logs

● Are they archived?

● Are they modifiable?

● Can they be rotated out of existence?

● Is this good enough?

● Can you prove least privilege or separation of duties in this part of the pipeline?
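The last two questions are easier to answer when build events are recorded the way page 20 suggests, with the acting identity and the artifact hash, and when each record is chained to the one before it so that edits are detectable. The following is an added example in plain Ruby; it is not code from the slides, from Conjur, or from Jenkins. The record fields, the in-memory log and the sample build events are constructed assumptions for illustration.

```ruby
require 'digest'
require 'json'

# Added example: a tamper-evident build audit trail in plain Ruby (not
# Conjur's or Jenkins' own logging). Each record stores the acting identity,
# the build job, the SHA-256 of the artifact, and the hash of the previous
# record. Constructed assumptions: the field set, the in-memory log, the events.
GENESIS = '0' * 64

# Builds one record. `artifact` is the raw bytes of the build product.
def audit_record(prev_hash, identity:, job:, action:, artifact:, time:)
  body = {
    identity: identity, job: job, action: action,
    artifact_sha256: Digest::SHA256.hexdigest(artifact),
    time: time, prev: prev_hash
  }
  # Fixed key order gives a reproducible canonical encoding to hash.
  body.merge(hash: Digest::SHA256.hexdigest(JSON.generate(body)))
end

# Appends to an in-memory log (array of records), chaining to the last hash.
def append_audit(log, **fields)
  prev = log.empty? ? GENESIS : log.last[:hash]
  log << audit_record(prev, **fields)
end

# Walks the chain. Returns [true, nil] or [false, index_of_first_bad_record].
# Detects edited fields, re-ordered records, and deletions from the head or
# the middle. It cannot detect truncation of the tail, so the latest hash
# must also be anchored somewhere the build system cannot overwrite.
def verify_audit(log)
  prev = GENESIS
  log.each_with_index do |rec, i|
    return [false, i] unless rec[:prev] == prev
    expected = Digest::SHA256.hexdigest(JSON.generate(rec.reject { |k, _| k == :hash }))
    return [false, i] unless rec[:hash] == expected
    prev = rec[:hash]
  end
  [true, nil]
end

# Constructed sample events following the slide's "After" state: a release
# bot tags the build, a project team admin promotes the same artifact.
def demo_audit_log
  log = []
  artifact = 'constructed artifact bytes, build 42'
  append_audit(log, identity: 'release-bot', job: 'api-build', action: 'tag_release',
               artifact: artifact, time: '2017-02-13T10:00:00Z')
  append_audit(log, identity: 'alice (project-team-admin)', job: 'api-build',
               action: 'promote_to_prod', artifact: artifact, time: '2017-02-13T10:05:00Z')
  log
end

if __FILE__ == $PROGRAM_NAME
  log = demo_audit_log
  puts "chain valid: #{verify_audit(log).inspect}"
  log[0][:identity] = 'mallory'
  puts "after tampering: #{verify_audit(log).inspect}"
end
```

The chain answers "are they modifiable?" with evidence rather than policy: a rewritten identity, a dropped record or a re-ordered sequence all fail `verify_audit`, and the artifact hash ties the promotion record to exactly the bytes that were tagged.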

Page 22

Where do you fall on the spectrum? Example: NIST-CSF, 4 tiers of cyber security awareness (the framework's implementation tiers)

TIER 1 - Partial

TIER 2 - Risk Informed

TIER 3 - Repeatable

TIER 4 - Adaptive (Automated)

Page 23

Remediation: Separation of Duties and Least Privilege

CI Role          | Before     | After
Commit           | Developers | Developers
Manage build job | Developers | Project team admins
Initiate build   | Developers | Project team developers
Tag release      | Developers | Release-bot (non-human actor)
Promote to Prod  | Developers | Project team admins
Access to Prod   | Developers | No standing access

Page 24

Automation Benefits: continuous delivery of security

Example compliance control: PR.AC-1: Identities and credentials are managed for authorized devices and users

Static or active analysis? Processes and procedures for managing identities and credentials are documented.

Static analysis: compliance procedures like checklists with signoff and auth forms.

Events: Hire a new person; Provision a new device; Elevate auth for a system admin.

Active analysis: tooling provides wizards to gate processes, audit logs of activities, and dashboards for reporting views that act as a real-time audit.

Page 25

Test and Verify: Example using Cucumber (also InSpec)

Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production.

Source: The Journey to DevSecOps, Shannon Lietz, 2016

Starting from NIST control PR.AC-4:

1. Describe compliance in plain English

2. What do you have in place / plan to have in place?

3. Describe passing scenarios

4. Write tests in Ruby and run them (they FAIL at first)

5. Write code that leads to the pass state, then re-run

Source: Audit Compliance with BDD tools, Kevin O’Brien, Conjur blog

Page 26

Communication Pitfall: JSON is not a “report”

Repeatable, Reliable, Fast vs. Auditable, Reportable

Page 27

Focus on what is high-value to the business

Most commonly, infrastructure security risks (whether from insider threats, misadventures of well-meaning IT professionals, or breaches and APTs) come down to:

1. Access control

2. Management of virtual assets and inventories

3. Credentials and shared accounts, which are common attack vectors

If you can automate and abstract these 3 things, you can mitigate much of the risk in your organization; that is VALUE to the business.

Page 28

Don’t get dinged on an Audit

● User identities not provided by the enterprise master user directory (e.g., AD)

● Infrastructure credentials not actually rotated: cloud credentials, backdoor SSH keys, user SSH keys, SSL certificates

● Least privilege access not implemented in practice; excessive trust in personnel

● Impermanent audit log retention

● Reliance on authentication rather than authorization

● Using tools “not fit for purpose” (e.g., using private source control repos to store secrets and credentials)
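Two of the findings above, credentials not actually rotated and secrets kept in private source repositories, can be checked mechanically before an auditor finds them. The following is an added example in plain Ruby, not code from the slides or from Conjur: a small pattern-based scan over constructed repository contents (the keys are fakes), and a rotation-age check over a constructed credential inventory. The patterns, file contents and inventory are assumptions; production scanners carry far larger rule sets plus entropy checks.

```ruby
require 'time'

# Added example, not the slides' or Conjur's code. Patterns for the credential
# types the audit slide names; constructed for this example.
SECRET_PATTERNS = {
  aws_access_key_id: /\bAKIA[0-9A-Z]{16}\b/,
  private_key_block: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
  password_literal:  /\b(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]/i,
  generic_token:     /\b(?:api[_-]?key|secret|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]/i
}.freeze

# Scans one file's text. Returns [{file:, line:, type:}] and deliberately does
# not copy the matched value into the finding, so the report itself cannot leak.
def scan_text(path, text)
  text.each_line.with_index(1).flat_map do |line, n|
    SECRET_PATTERNS.select { |_, re| line.match?(re) }
                   .map { |type, _| { file: path, line: n, type: type } }
  end
end

# files: { path => contents }
def scan_repo(files)
  files.flat_map { |path, text| scan_text(path, text) }
end

# Names of credentials whose last rotation is older than the policy allows.
def stale_credentials(inventory, max_age_days:, now:)
  inventory.select { |c| (now - Time.iso8601(c[:rotated_at])) > max_age_days * 86_400 }
           .map { |c| c[:name] }
end

# Constructed repository contents. The AWS key pair is the documented example
# pair, not a live credential. Note the secret access key on the second line
# of app/aws.rb has no fixed prefix and slips past these prefix rules; that is
# the false-negative class entropy checks exist for.
SAMPLE_REPO = {
  'config/database.yml' => "production:\n  password: 'hunter2hunter2'\n",
  'deploy/id_rsa'       => "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n",
  'app/aws.rb'          => "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nSECRET = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n",
  'README.md'           => "Set DB_PASSWORD in the environment; never commit it.\n"
}.freeze

# Constructed credential inventory with last-rotation timestamps.
SAMPLE_INVENTORY = [
  { name: 'jenkins-deploy-ssh-key', rotated_at: '2016-01-10T00:00:00Z' },
  { name: 'prod-db-password',       rotated_at: '2017-01-20T00:00:00Z' }
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_repo(SAMPLE_REPO).each { |f| puts "#{f[:file]}:#{f[:line]} #{f[:type]}" }
  puts "stale: #{stale_credentials(SAMPLE_INVENTORY, max_age_days: 90,
                                   now: Time.iso8601('2017-02-13T00:00:00Z')).inspect}"
end
```

Wire `scan_repo` into the pipeline's Check stage so a commit carrying a key block or a password literal fails before it reaches a build, and run `stale_credentials` on a schedule against whatever holds the inventory; both produce findings an auditor can read, which is the point of page 26.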

Page 29

Build it in incrementally www.10factor.ci

Page 30

Thank You

Elizabeth Lawler, @ElizabethLawler

conjur.net

“It takes a village”... Thank you

Kevin Gilpin, Stacy McAuliffe, Christopher Farnham, Steve Coplan, Josh Bregman, Andy Ellicott, Dustin Collins, and the rest of the team at Conjur