security, identity, and devops, oh my - print
TRANSCRIPT
November 15, 2016
Security, Identity, and DevOps, oh my…
Chris Sanchez, Founder and CTO, zibernetics
Twitter - @CSanchezAustin E: [email protected]
Post questions to #security-track

Background
• 20+ years in Austin technology as an Engineer, Manager, Mentor, Executive, and Entrepreneur
• Tech veteran – iChat/Acuity, CALEB Technologies, Webify, PointSource, 21CT, CognitiveScale, Sun Microsystems, IBM
• Passion for Identity and DevOps
• Founded zibernetics in 2015 – Research and Development projects
  • Identity, HIPAA Security, DevOps, Cloud, Linux
  – Consultancy for early stage and growth startups

Pop Quiz: Why is this bad? pg_hba.conf
host all pgbot 192.168.5.0/24 trust
host all pgbot 172.20.0.0/16 trust
First 2 people to post the most interesting security issues to the #security-track with #IdentityOps will win a bumper sticker.
#IdentityOps
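The answer to the quiz, as an added example that is not part of the talk: a small Python auditor over pg_hba.conf. In pg_hba.conf the method trust accepts the connection without any credential, so the two lines above let every host in 192.168.5.0/24 and 172.20.0.0/16 connect as pgbot to all databases; the only "identity" is the source address, which any compromised or spoofing host on those networks has. The auditor parses the file, reports each trust or clear-text password rule with the number of source addresses it exposes (it goes a little beyond the quiz by covering password and local rules too), and produces the hardened form of a rule. SAMPLE_PG_HBA is constructed around the quiz lines; the scram-sha-256 default assumes PostgreSQL 10 or later.

```python
"""Audit pg_hba.conf for rules that grant access on source address alone.

Added example, not from the talk. In pg_hba.conf the method "trust" tells
PostgreSQL to accept the connection with no credential at all, so the two
quiz lines let any host in 192.168.5.0/24 or 172.20.0.0/16 log in as pgbot
to every database: the source IP is the only "identity", and any spoofing
or compromised host on those networks has one. Rules are matched first hit
wins, so such a line also shadows any stricter rule below it. The sample
file is constructed around the two quiz lines.
"""
import ipaddress

# "trust" skips authentication; "password" sends the password in clear text.
UNSAFE_METHODS = {"trust", "password"}

SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER   ADDRESS          METHOD
local    all       all                     peer
host     all       pgbot  192.168.5.0/24   trust
host     all       pgbot  172.20.0.0/16    trust
hostssl  reports   app    10.1.0.0/16      md5
"""


def parse_pg_hba(text):
    """Parse the common layouts 'local DB USER METHOD [opts]' and
    'host|hostssl|hostnossl DB USER CIDR METHOD [opts]'. The separate
    ADDRESS NETMASK form and quoted fields are not handled."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        local = fields[0] == "local"
        if len(fields) < (4 if local else 5):
            raise ValueError(f"line {lineno}: too few fields")
        rules.append({"line": lineno, "type": fields[0], "db": fields[1],
                      "user": fields[2], "address": "" if local else fields[3],
                      "method": fields[3] if local else fields[4]})
    return rules


def audit_pg_hba(text):
    """One finding per rule with an unsafe method, sized by the number of
    source addresses it exposes."""
    findings = []
    for r in parse_pg_hba(text):
        if r["method"] not in UNSAFE_METHODS:
            continue
        if r["type"] == "local":
            scope = "every local OS account"
        else:
            net = ipaddress.ip_network(r["address"], strict=False)
            scope = f"{net.num_addresses} source addresses in {net}"
        why = ("no credential is checked" if r["method"] == "trust"
               else "the password crosses the network in clear text")
        findings.append(f"line {r['line']}: {r['method']} lets {scope} connect "
                        f"as '{r['user']}' to '{r['db']}'; {why}")
    return findings


def hardened_rule(rule, method="scram-sha-256"):
    """Rewrite a rule to require TLS plus a challenge-response password
    method (scram-sha-256 needs PostgreSQL 10+; use md5 on older servers).
    Narrowing the CIDR to the real client hosts is a separate, manual step."""
    if rule["type"] == "local":
        return f"local {rule['db']} {rule['user']} peer"
    return f"hostssl {rule['db']} {rule['user']} {rule['address']} {method}"
```

Feed audit_pg_hba the contents of the server's pg_hba.conf. Even with the method fixed, a /16 for a bot account is far wider than the one or two hosts that actually run pgbot, so the hardened line still wants its CIDR narrowed by hand.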

DevOps is hard because ____
moving fast, lot of tooling, skills, knowledge

What makes it harder?
The Business is moving faster

What makes it harder?
and changing…

and harder
Security is hard

…and harder
Security gets little to no planning

What's needed?
Security Strategy ⇔ DevOps Strategy

There's no need to fear, IdentityOps is here.
What is IdentityOps?
Security – Treat as a first class citizen
Identity – Right resource, time, reason
DevOps – Security that scales

IdentityOps Essentials

Use Case: SSH Access
– Use Case: Provide user-level access to Linux servers and support business and IT policy
– Solution Options: SSH Public Key Authentication
– Advantages:
  • Well understood and secure solution
  • Very good support by all Linux distributions
– Challenges:
  • Only provides for authn, not authz
  • More operational overhead – e.g. user management

Use Case: SSH Access
• Solution: SSH Fabric
  – Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure
  – Keeps ssh keys centralized in an LDAP Directory (not in authorized_keys files) and delivers them in real time for authn
  – Advanced authorization that integrates with PAM for seamless, fine-grained authz
  – Centralized policy for sudo access

1) Model Concepts

1) Model Concepts
Diagram: Layers, Hosts, prod_pub, Groups, Users

2) Centralize SSH Keys
LDAP Schema

2) Centralize SSH Keys
Configure SSH: /etc/ssh/sshd_config

2) Centralize SSH Keys
Custom Script: sshldap-pubkey.sh

3) Configure PAM
Configure LDAP: /etc/ldap.conf

3) Configure PAM
Force TLS to LDAP

3) Configure PAM
Configure Authz: /etc/pam.d/common-account

3) Configure PAM
Configure Authn: /etc/pam.d/common-auth

3) Configure PAM
Enable LDAP: /etc/nsswitch.conf

4) Configure sudo
Restrict Host Access: /etc/security/access.conf

4) Configure sudo
Create sudo rule: /etc/sudoers.d/sshldap

5) Test SSH Fabric
LDAP and Linux are Connected

5) Test SSH Fabric
Policy Allow: grp_itops, security_admins

5) Test SSH Fabric
Policy Deny: All other

5) Test SSH Fabric
Update Policy

5) Test SSH Fabric
Policy Allow: ops_prv

5) Test SSH Fabric
Policy Allow Sudo: ops-prv-sudo
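One way to wire steps 2 to 5 together, as an added example rather than the talk's own sshldap-pubkey.sh (the transcript keeps only the slide titles, not the script, the schema or the PAM files): a Python AuthorizedKeysCommand that pulls a user's keys and group memberships from LDAP and applies the layer policy the test slides show (allow grp_itops and security_admins, deny everyone else, then allow ops_prv after the policy update). Everything LDAP-specific is an assumption: the openssh-lpk sshPublicKey attribute, memberOf, the ldapsearch CLI over StartTLS, the URI and the base DN; the LDIF is constructed. Two points the slides do not spell out: the username sshd passes as %u must be filter-escaped before it goes into the LDAP query, and the command should fail closed (print nothing) when the directory is unreachable.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: fetch a login's SSH public keys from LDAP
and apply the host's layer policy before handing them to sshd.

Added example, not the talk's sshldap-pubkey.sh (its contents are not in
the transcript). Assumed: keys sit in the openssh-lpk attribute sshPublicKey
on objectClass ldapPublicKey, membership is exposed as memberOf, and the
directory is queried with the ldapsearch CLI over StartTLS. The sshd_config
hook would be "AuthorizedKeysCommand /usr/local/bin/sshldap-pubkey.py %u"
plus "AuthorizedKeysCommandUser sshldap" (a dedicated unprivileged account);
sshd refuses the command unless it is root-owned and not group/world writable.
"""
import subprocess
import sys

LDAP_URI = "ldap://ldap.example.internal"     # assumed
BASE_DN = "ou=people,dc=example,dc=internal"  # assumed
# This host's layer policy (kept in the directory in the talk): allow these
# groups, deny all others.
LAYER_ALLOW = {"grp_itops", "security_admins"}
# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Constructed ldapsearch -LLL output; the key is fake and folded at 76 columns
# (a continuation line starts with one space).
SAMPLE_LDIF = """\
dn: uid=bdavis,ou=people,dc=example,dc=internal
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyFakeKeyFakeKeyFakeKeyFa
 keKeyFakeKey bdavis@laptop
memberOf: cn=ops_prv,ou=groups,dc=example,dc=internal
memberOf: cn=developers,ou=groups,dc=example,dc=internal
"""


def escape_filter_value(value):
    """Escape the %u sshd passes in, so a login name such as '*' or
    'x)(uid=admin' cannot widen the search to other people's keys."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldapsearch_argv(username):
    """Anonymous simple bind, StartTLS mandatory (-ZZ), only needed attributes."""
    flt = f"(&(objectClass=ldapPublicKey)(uid={escape_filter_value(username)}))"
    return ["ldapsearch", "-LLL", "-x", "-ZZ", "-H", LDAP_URI, "-b", BASE_DN,
            flt, "sshPublicKey", "memberOf"]


def parse_ldif(ldif):
    """Minimal LDIF reader: unfolds continuation lines, collects repeated
    attributes, skips base64 ('attr::') values since keys are ASCII."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip():
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if not value.startswith(":"):
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def groups_from_dns(member_of):
    """'cn=ops_prv,ou=groups,dc=...' -> 'ops_prv'."""
    rdns = (dn.split(",", 1)[0] for dn in member_of)
    return {r[3:] for r in rdns if r.lower().startswith("cn=")}


def access_conf_lines(allow):
    """The same policy for pam_access (/etc/security/access.conf): listed
    groups may log in from anywhere, everyone else is denied."""
    return ["+ : " + " ".join(f"({g})" for g in sorted(allow)) + " : ALL",
            "- : ALL : ALL"]


def authorized_keys(ldif, allow):
    """Keys sshd should accept; an empty list is a deny (no matching key).
    pam_access at the account stage stays the talk's enforcement point;
    checking here as well fails closed if PAM is ever misconfigured."""
    attrs = parse_ldif(ldif)
    if not groups_from_dns(attrs.get("memberOf", [])) & allow:
        return []
    return [k for k in attrs.get("sshPublicKey", [])
            if k.split(" ")[0].startswith(("ssh-", "ecdsa-", "sk-"))]


if __name__ == "__main__":
    proc = subprocess.run(ldapsearch_argv(sys.argv[1]), capture_output=True,
                          text=True, timeout=5, check=False)
    if proc.returncode != 0:
        sys.exit(1)  # fail closed: print nothing, no key-based login
    print("\n".join(authorized_keys(proc.stdout, LAYER_ALLOW)))
```

access_conf_lines shows the same allow-list in pam_access syntax for /etc/security/access.conf (steps 3 and 4). The sudo rule for step 4 is a one-liner of the form %ops-prv-sudo ALL=(ALL:ALL) ALL in /etc/sudoers.d/sshldap, with the group resolved from LDAP through nsswitch; check it with visudo -cf before it goes live, since a syntax error there locks everyone out of sudo.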

Use Case: Docker Access
– Use Case: Provide access to Docker runtime while supporting business and IT policy
– Solution Options: Docker group or Authz plug-in
– Advantages:
  • Users don't require admin access
  • Plug-in architecture is very flexible (Authz)
– Challenges:
  • Have to rely on local Linux groups
  • Docker group or Admin access is required (membership in the docker group is effectively root on the host)
  • Access is coarse – you can do anything

Use Case: Docker Access
• Solution: Docker Fabric
  – Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure (same as previous use case)
  – Centralized policy for user-level access to Docker (via TLS and Flask app)
  – Keeps rules centralized in a repository and enforces them at runtime (same as previous use case)

2) Centralize Policy for User-level Access
Setup Docker Group: /etc/default/docker

2) Centralize Policy for User-level Access
Update Docker socket access: /lib/systemd/system/docker.socket

2) Centralize Policy for User-level Access
Create Authz Plugin: /etc/default/docker_fabric_authz

2) Centralize Policy for User-level Access
Create Authz Plugin: /etc/systemd/system/docker.service.d/docker_fabric_authz.conf

2) Centralize Policy for User-level Access
Create Authz Plugin: /usr/local/bin/docker_fabric_authz.py

4) Test Docker Fabric
export theUser="Branton Davis"
alias dockera="docker -H=$(hostname):2376 \
  --tlsverify \
  --tlscacert=/etc/zinet/pki/server/zibernetics-int-cacert.crt \
  --tlscert=\"/etc/zinet/pki/user/\${theUser}.crt\" \
  --tlskey=\"/etc/zinet/pki/user/\${theUser}.ukey\" "

4) Test Docker Fabric
Policy Deny: All others

4) Test Docker Fabric
Update Policy

4) Test Docker Fabric
Policy Allow: ops_prv
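The authorization plugin itself, as an added example that is not the talk's docker_fabric_authz.py (the transcript keeps only the file names; the slides describe the real one as a Flask app, this one uses the standard library). With --tlsverify on and the per-user client certificate the dockera alias presents, dockerd authenticates the caller and hands the plugin the certificate's CN (here "Branton Davis") as User; the plugin maps that to directory groups and to a method/URI policy, deny by default, which reproduces the test slides (deny all others; allow ops_prv after the policy update). It also parses the request body on container create, because group policy alone leaves the coarse-access problem from the challenges slide in place: an allowed user could still ask for --privileged or bind-mount /. Assumed: the plugin name docker_fabric_authz (taken from the file names on the slides), the socket path and spec file, and the constructed user and policy tables.

```python
#!/usr/bin/env python3
"""Docker authorization plugin: per-user, per-request decisions built on the
identity dockerd already verified from the client's TLS certificate.

Added example, not the talk's docker_fabric_authz.py (not in the transcript;
the slides call it a Flask app, this one uses only the standard library).
Assumed: dockerd runs with --authorization-plugin=docker_fabric_authz and
/etc/docker/plugins/docker_fabric_authz.sock names SOCKET_PATH; user to group
data comes from the directory (constructed here). dockerd POSTs JSON to
/AuthZPlugin.AuthZReq with User (the certificate CN under --tlsverify),
UserAuthNMethod, RequestMethod, RequestUri and an optional base64 RequestBody;
the plugin answers {"Allow": bool, "Msg": str}.
"""
import base64
import json
import os
import re
import socketserver
from http.server import BaseHTTPRequestHandler

SOCKET_PATH = "/run/docker/plugins/docker_fabric_authz.sock"  # assumed
# Constructed directory data: certificate CN -> groups.
USER_GROUPS = {"Branton Davis": {"ops_prv", "developers"},
               "Jane Auditor": {"security_admins"}}
# Policy: group -> [(method regex, URI regex)]; no match means deny.
POLICY = {"ops_prv": [(r".*", r".*")],                # full access
          "security_admins": [(r"GET|HEAD", r".*")]}  # read-only
# Host paths whose bind mount is root on the host for whoever owns the container.
DANGEROUS_BINDS = re.compile(r"^/(?:(?:etc|root|proc|sys|var/run/docker\.sock)(?:/|$)|$)")

def make_request(user, method, uri, body=None, authn="TLS"):
    """Build an AuthZReq payload the way dockerd does (used by the tests)."""
    req = {"User": user, "UserAuthNMethod": authn,
           "RequestMethod": method, "RequestUri": uri}
    if body is not None:
        req["RequestBody"] = base64.b64encode(json.dumps(body).encode()).decode()
    return req

def inspect_body(body_b64):
    """Why a container spec is unacceptable, or '' if it is fine. Group
    membership is too coarse on its own: even an allowed user must not get
    --privileged or a bind mount of a sensitive host path."""
    if not body_b64:
        return ""
    try:
        body = json.loads(base64.b64decode(body_b64))
    except ValueError:  # bad base64 or not JSON
        return "unparseable request body"
    host = (body.get("HostConfig") if isinstance(body, dict) else None) or {}
    if host.get("Privileged"):
        return "privileged containers are not allowed"
    for bind in host.get("Binds") or []:
        src = str(bind).split(":", 1)[0]
        if DANGEROUS_BINDS.match(src):
            return f"bind mount of {src} is not allowed"
    return ""

def decide(req, user_groups=USER_GROUPS, policy=POLICY):
    """The AuthZReq decision; every path but the last one denies."""
    user, method = req.get("User", ""), req.get("RequestMethod", "")
    uri = req.get("RequestUri", "")
    if req.get("UserAuthNMethod") != "TLS" or not user:
        return {"Allow": False, "Msg": "client did not present a TLS certificate"}
    rules = [r for g in user_groups.get(user, set()) for r in policy.get(g, [])]
    if not any(re.fullmatch(m, method) and re.fullmatch(u, uri) for m, u in rules):
        return {"Allow": False, "Msg": f"{user}: no policy allows {method} {uri}"}
    problem = inspect_body(req.get("RequestBody"))
    if problem:
        return {"Allow": False, "Msg": f"{user}: {problem}"}
    return {"Allow": True, "Msg": ""}

class Handler(BaseHTTPRequestHandler):
    def address_string(self):  # the peer is a Unix socket, not host:port
        return "dockerd"

    def _reply(self, obj):
        data = json.dumps(obj).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        payload = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/Plugin.Activate":
            self._reply({"Implements": ["authz"]})
        elif self.path == "/AuthZPlugin.AuthZReq":
            self._reply(decide(payload))
        elif self.path == "/AuthZPlugin.AuthZRes":
            self._reply({"Allow": True})  # responses pass through unfiltered
        else:
            self.send_error(404)

if __name__ == "__main__":
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    with socketserver.UnixStreamServer(SOCKET_PATH, Handler) as server:
        os.chmod(SOCKET_PATH, 0o600)  # only root (dockerd) may reach the plugin
        server.serve_forever()
```

Run it as root before dockerd starts and keep the socket at mode 0600: anything that can write to the plugin socket can answer Allow for itself. dockerd calls /Plugin.Activate once, then /AuthZPlugin.AuthZReq before and /AuthZPlugin.AuthZRes after every API call, so a plugin that is down makes the daemon refuse requests rather than fall open.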

IdentityOps Summary
Diagram: Directory, Business Policies, Linux, Docker

IdentityOps Summary
Centralized, real-time policy for access management
Uniform application of policy and real-time enforcement
Better operational efficiency
Enable use cases: least privilege, non-repudiation, segregation of duties, auditability

W: http://www.zibernetics.com  T: @CSanchezAustin  E: [email protected]
First person to post Wile E. Coyote's middle name to the #security-track with #IdentityOps will win a bumper sticker.
#IdentityOps

Thank you!
W: http://www.zibernetics.com  T: @CSanchezAustin  E: [email protected]