TRANSCRIPT
Automating Security and Compliance for Hybrid Environments
Lucy Kerner, Security Global Technical Evangelist and Strategist, Red Hat
[email protected] | @LucyCloudBling
COMMON SECURITY CHALLENGES
(Shared across Security, Dev and Ops teams)
● Inconsistent Patching
● Inconsistent Configurations
● Change Whodunits
● Secrets Management
● Application Sprawl
● Server Sprawl
Security is frequently the last to know!
SECURITY, COMPLIANCE, AND GOVERNANCE CHALLENGES IN A HYBRID ENVIRONMENT
(Private cloud, public cloud, virtualization, cloud, OS, containers)
● GROWING COMPLEXITY INTRODUCES RISK
● MANUALLY MONITORING SYSTEMS FOR SECURITY + COMPLIANCE BECOMES DIFFICULT
● VISIBILITY AND CONTROL (YOU CAN'T CONTROL WHAT YOU CAN'T SEE)
● MANAGING SECURITY POLICIES CONSISTENTLY
● USER SELF-SERVICE BUT WITH TIGHT CONTROL OVER ENTIRE ENVIRONMENT
WHY AUTOMATE SECURITY AND COMPLIANCE ?
81% of hacking-related breaches leveraged either stolen and/or weak passwords.
2017 Verizon Data Breach Investigations Report [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017]
99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.
"Focus on the Biggest Security Threats, Not the Most Publicized", Gartner, November 2017
LET'S MANUALLY ENSURE SECURITY + COMPLIANCE ...
● Very time consuming, tedious, boring
● Highly prone to human error
● Bad actions go undetected (no paper trail)
● Not easy to do audits
○ Constant back and forth between Operations + Security teams
● Not repeatable, sharable, or verifiable
INSTEAD, WHAT YOU WANT IS ...
● Centralized management and visibility of your entire heterogeneous infrastructure
○ Windows, Linux, Virtualization, Public/Private Cloud, Containers, Ticketing System, etc.
○ You can't control what you can't see
● Infrastructure and Security as code
○ Repeatable, sharable, verifiable, easier to do compliance audits
● Make it easier to pass security audits
○ Controlled visibility into the state of compliance of systems for the security team / security auditor
■ Less back and forth between operations and security teams
○ Proactive scanning and compliance to security baselines
● Security hardened and compliant host at provisioning time
○ Consistency: Eliminate snowflake systems from the start
○ Immutable Operating System: OS can't be changed by untrusted parties
● Automated proactive continuous monitoring and fixing of all systems in the hybrid environment that are out of compliance, for the entire lifecycle
● Build security into your application pipeline. Automate as much as possible!
WHY AUTOMATION?
● Save time and money
● Reduce risk and avoid expensive human errors
● Protection from security breaches
● Allows you to build security into your application pipeline from the beginning vs having security as an afterthought
● Ensure and enforce ongoing compliance from a consistent centralized place using a common, easy to learn automation language
● Create a compliant host or service at provisioning time
● Repeatable, sharable, verifiable, and easier to do compliance audits
● Continuous security, monitoring, and fixing of all systems in the hybrid environment that are out of compliance for the entire lifecycle
● Automation plays an essential role in system configuration management and DevSecOps
HOW CAN RED HAT HELP?
SECURITY THROUGHOUT THE LIFECYCLE
Security must be continuous and integrated throughout the IT lifecycle, backed by security policy, process & procedures:
● DESIGN: Identify security requirements & governance models
● BUILD: Built-in from the start; not bolted-on
● RUN: Deploy to trusted platforms with enhanced security capabilities
● MANAGE: Automate systems for security & compliance
● ADAPT: Revise, update, remediate as the landscape changes
TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFTWARE
RED HAT SECURITY ADVISORIES
DESIGN BUILD RUN MANAGE ADAPT
SECURITY THROUGHOUT THE STACK
BUILT-IN SECURITY AUTOMATION WITH OpenSCAP
● NIST validated and certified Security Content Automation Protocol (SCAP) scanner by Red Hat
● Scans systems and containers for:
○ known vulnerabilities (unpatched software), using Red Hat's OVAL security data
○ compliance with security policies (PCI-DSS, US Gov baselines, etc.)
● Ansible remediation playbooks provided (new with RHEL 7.5)
● Included in the Red Hat Enterprise Linux base channel
● Red Hat natively ships NIST validated National Checklist content (the scap-security-guide package)
● SCAP Workbench
○ GUI front end for OpenSCAP that serves as an SCAP scanner
○ Provides tailoring functionality for SCAP content
○ Local scanning of a single machine
Security Remediations with OpenSCAP and Ansible
● Ansible remediation playbooks provided (new with RHEL 7.5)
○ Apply a pre-generated Ansible playbook (provided by scap-security-guide)
● Generate a new playbook from a specific security profile (input). Every rule in the profile that has a remediation gets a task, whether or not the host currently fails it:
$ oscap xccdf generate fix --fix-type ansible --profile stig-rhel7-disa --output stig-rhel7-disa-profile.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
● Generate a playbook of fixes only (from a completed scan report). This needs a results file from an earlier scan run with --results results.xml; the --result-id value is the id of the TestResult element recorded in that file:
$ oscap xccdf generate fix --fix-type ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output standard-playbook-result.yml results.xml
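The results-based form above raises the two questions auditors and operators actually ask: which rules failed, and what is the TestResult id to hand to --result-id. The following added example (not code from the slides or from the OpenSCAP project) reads a results.xml file back, extracts that id, counts outcomes for the audit summary, and lists failing rules by severity. The XCCDF document embedded in it is constructed for the example and trimmed to four rules; the rule ids follow scap-security-guide naming, but the outcomes, hostname and timestamps are invented.

```python
"""Summarise an OpenSCAP XCCDF results file for an audit report and for remediation.

Added example; not code from the original slides or from the OpenSCAP project.
Assumes the layout oscap writes with `--results results.xml`: an XCCDF 1.2
Benchmark carrying a TestResult element with one rule-result per rule.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample results file (four rules; outcomes are invented).
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa"
              start-time="2018-05-08T10:00:00" end-time="2018-05-08T10:01:30">
    <target>host.example.com</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_smartcard_auth" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Order used when listing failures: worst first.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def summarise(xml_text):
    """Return (test_result_id, outcome_counts, failures) for one XCCDF results file.

    failures is a list of (severity, rule_id) tuples sorted by severity, then id.
    Only 'fail' and 'error' count as failures; 'notapplicable', 'notchecked'
    and 'pass' are reported in the counts but need no remediation.
    """
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element: was the scan run with --results?")
    counts = Counter()
    failures = []
    for rr in test_result.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] += 1
        if outcome in ("fail", "error"):
            failures.append((rr.get("severity", "unknown"), rr.get("idref")))
    failures.sort(key=lambda f: (SEVERITY_RANK.get(f[0], 4), f[1]))
    return test_result.get("id"), dict(counts), failures


def fix_command(test_result_id, results_file="results.xml", output="fixes.yml"):
    """Build the oscap command that turns this results file into an Ansible playbook."""
    return ("oscap xccdf generate fix --fix-type ansible "
            f"--result-id {test_result_id} --output {output} {results_file}")


if __name__ == "__main__":
    result_id, counts, failures = summarise(SAMPLE_RESULTS)
    print("TestResult:", result_id)
    print("Outcomes:", counts)
    for severity, rule in failures:
        print(f"  {severity:<7} {rule}")
    print("Next step:", fix_command(result_id))
```

Pointing `summarise` at a real results.xml works unchanged; only the constructed sample is specific to this example. Rules reported as notapplicable or notchecked should stay visible in the audit summary rather than be folded into "pass", since an auditor will ask about them.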
Scanning and Hardening/Remediating Containers with OpenSCAP
● Scan a container image for unpatched software (the default atomic scan type, cve, against Red Hat's OVAL data)
● Scan a container image for configuration compliance:
$ sudo atomic scan --scan_type configuration_compliance --scanner_args profile=stig-rhel7-disa,report rhel7:latest
● Remediate the container image (the fixes are written into a new image; the scanned image itself is not modified):
$ sudo atomic scan --scan_type configuration_compliance --scanner_args profile=stig-rhel7-disa,report --remediate rhel7:latest
MAKING AUDITORS HAPPY WITH OpenSCAP REPORTS
Automated Security and Compliance at scale across a hybrid environment with Red Hat
USING RED HAT TECHNOLOGY IN A HYBRID ENVIRONMENT, HOW CAN I:
1) Create a security compliant host at provisioning time
2) Do continuous monitoring and security for both VMs and containers
a) Automate ongoing security compliance and remediations
b) Enforce governance and control in an automated fashion
c) Visibility and control for operations teams
i) Restricted visibility into the environment for security teams
d) Proactive security and automated risk management
Provisioning a security compliant host
Enforcing compliance with security policies in an automated fashion
Automated Security and Compliance with Red Hat Openshift
IMPROVING SECURITY WITH CONTAINERS AND OPENSHIFT
"In Security, consistency and repeatability is key. Adopting containers in a container platform will improve your security."
US Government Panel (US Courts, US Citizenship and Immigration Services, Oak Ridge National Laboratory, Internal Revenue Service), OpenShift Commons Briefing, December 2017
"Journey of DevSecOps", US Department of Homeland Security, June 2017
IMPROVED SECURITY WITH CONTAINERS
● Improved Patch Management
● Consistent & Secure Configurations
● Record of Changes
● Secrets Management
● Application Sprawl
● Server Sprawl
● Higher Dev Productivity
● More Security Built-In
● Faster, Easier Deployment for Ops
Security Benefits of Containerized Infrastructure
● Standard, hardened infrastructure
○ Force applications to be in line with defined security policies
● Read-only containers = Application whitelisting (with a read-only root filesystem, what shipped in the image is all that can be written to or executed from it at runtime)
● Continually (re)deploying from known good source
○ Standardized base container images
● No humans in production: SSH turned off
● Patching improvements
● Complete record of change
● Minimal OS
● Pipeline integration moves security left
● Security gates: Nothing goes to production unless all checks passed.
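The "security gates" item is the one teams usually end up writing themselves. As an added example (not code from the slides or from OpenShift), here is a minimal deployment-policy gate over a pod manifest that enforces the points on this slide: read-only root filesystem, non-root execution, no privileged containers, no SSH port, and images pinned by digest from a trusted registry so that every deploy comes from a known good source. The registry hostname, both manifests and the rule set are constructed for the example; on a real cluster the same rules are enforced by SCCs, admission control or a pipeline step rather than by this script.

```python
"""Deployment-policy gate for the container hardening points on this slide.

Added example; not code from the original slides or from OpenShift.
It evaluates a Kubernetes/OpenShift pod manifest already parsed into a dict
(for example with yaml.safe_load) and returns every violation it finds.
"""
import re

# Assumed internal registry name; in practice this comes from policy, not code.
TRUSTED_REGISTRIES = ("registry.example.internal",)

# Image references must be "<registry>/<path>@sha256:<64 hex>".  Treating the
# first path component as the registry is a simplification of Docker's rules.
DIGEST_RE = re.compile(r"^(?P<registry>[^/]+)/.+@sha256:[0-9a-f]{64}$")

# Constructed manifests: a typical unhardened pod and its hardened counterpart.
WEAK_POD = {
    "metadata": {"name": "app"},
    "spec": {"containers": [{
        "name": "app",
        "image": "docker.io/library/nginx:latest",       # mutable tag, public registry
        "ports": [{"containerPort": 22}, {"containerPort": 80}],
        "securityContext": {"privileged": True},
    }]},
}

HARDENED_POD = {
    "metadata": {"name": "app"},
    "spec": {"containers": [{
        "name": "app",
        "image": "registry.example.internal/base/app@sha256:" + "a" * 64,
        "ports": [{"containerPort": 8080}],
        "securityContext": {
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "privileged": False,
            "allowPrivilegeEscalation": False,
        },
    }]},
}


def check_container(c):
    """Return a list of human-readable violations for one container spec."""
    name = c.get("name", "?")
    sc = c.get("securityContext") or {}
    problems = []
    m = DIGEST_RE.match(c.get("image", ""))
    if not m:
        problems.append(f"{name}: image must be pinned by sha256 digest (redeploy from known good source)")
    elif m.group("registry") not in TRUSTED_REGISTRIES:
        problems.append(f"{name}: image registry {m.group('registry')} is not a trusted registry")
    if sc.get("privileged"):
        problems.append(f"{name}: privileged container")
    if not sc.get("runAsNonRoot"):
        problems.append(f"{name}: must set runAsNonRoot")
    if not sc.get("readOnlyRootFilesystem"):
        problems.append(f"{name}: root filesystem is writable (read-only root fs is the whitelisting control)")
    for p in c.get("ports", []):
        if p.get("containerPort") == 22:
            problems.append(f"{name}: SSH port exposed (no humans in production)")
    return problems


def check_pod(pod):
    """Collect violations across every container in the pod."""
    containers = pod.get("spec", {}).get("containers", [])
    return [v for c in containers for v in check_container(c)]


def gate(pod):
    """True only when every check passes: nothing goes to production otherwise."""
    return not check_pod(pod)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {'PASS' if gate(pod) else 'BLOCK'}")
        for v in check_pod(pod):
            print("  -", v)
```

Running it prints BLOCK for the weak manifest with five findings and PASS for the hardened one. The digest check is what makes "continually redeploying from known good source" verifiable: a tag such as latest can be repointed after the scan, a digest cannot.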
84% of open source projects do not fix known security defects.
* 2017 State of the Software Supply Chain by Sonatype
RED HAT SUPPLY CHAIN SECURITY
Upstream Community projects → Red Hat solutions → Red Hat customers
● Community leadership
● Package selection
● Manual inspection
● Automated inspection
● Packaging guidelines
● Trusted builds
● Quality assurance
● Certifications
● Signing
● Distribution
● Support
● Security updates/patches
AUTOMATE QUALITY
"Never pass defects to downstream work centers."
* The Phoenix Project by George Spafford, Kevin Behr, and Gene Kim
SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT
(Pipeline diagram: the OpenShift Software Factory takes code from trusted code repos through REQ → DEV → UNIT TEST → CODE QUAL → SEC SCAN → INT TEST → QA → UAT → PROD, with automated quality gates at each stage.)
● Unit test: Cucumber, Arquillian, JUnit
● Code quality: SonarQube, Fortify
● Security scan: Atomic Scan, Black Duck, Twistlock
● Monitoring: Sysdig, Dynatrace
● Developer tooling: Che, JBDS, guac
● Work tracking: Jira, Trello
● Governance: CCB (change control board), Rapid ATO (authority to operate), CM, CS
"The last thing most managers think about is how to get a new product back if something goes wrong."
* "A Strategic Approach to Managing Product Recalls" by N. Craig Smith, Robert J. Thomas, and John Quelch for HBR
If you have three days to patch out a CVE in prod, can you?
Patch
This is DevSecOps
DEV(SEC)OPS
● Everything as code
● Automate everything
● Application is always releasable
● Continuous Integration/Delivery
● Application monitoring
● Control Planes vs Data Planes
● Delivery pipeline
● Rebuild vs. Repair
(OpenShift platform stack diagram, top to bottom:)
● OpenShift Application Lifecycle Management (CI/CD): Build Automation, Deployment Automation
● Service Catalog (Language Runtimes, Middleware, Databases): Self-Service
● Infrastructure Automation & Cockpit: Networking, Storage, Registry, Logs & Metrics, Security
● Container Orchestration & Cluster Management (Kubernetes)
● Enterprise Container Host: Red Hat Enterprise Linux, Ansible / CloudForms, RHEL Container Runtime & Packaging, SELinux and SCC
BRINGING IT ALL TOGETHER
● CONTROL: Container Content, Container Registry, CI/CD Pipeline, Deployment Policies
● DEFEND: Container Host Multi-tenancy, Container Platform, Network Isolation, Storage, Audit & Logging, API Management
● EXTEND: Security Ecosystem
THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as:
● Network Security
● Identity and Access Management / Privileged Access Management
● External Certificate Authorities
● External Vaults / Key Management solutions
● Container content scanners & vulnerability management tools
● Container runtime analysis tools
● Security Information and Event Management (SIEM)
And use open source & open standards. More about OpenShift Primed Partners.
Automate ongoing security compliance and remediations
Proactive Security and Automated Risk Management with Red Hat Insights
USING RED HAT TECHNOLOGY YOU TOO CAN:
1) Create a security compliant host at provisioning time
2) Do continuous monitoring and security for both VMs and containers
a) Automate ongoing security compliance and remediations
b) Enforce governance and control in an automated fashion
c) Visibility and control for operations teams
i) Restricted visibility into the environment for security teams
d) Proactive security and automated risk management
All with FLEXIBILITY + CHOICE using a combination of OpenShift, OpenSCAP, Red Hat CloudForms, Red Hat Satellite, Red Hat Ansible Automation, and Red Hat Insights
Can I try these demos hands on?
● This lab environment is hosted online on the Red Hat Product Demo System (RHPDS)
○ Accessible by Red Hat Partners and Red Hat Employees. Red Hat customers, please work with your Red Hat account team, who can access and provision this lab environment for you.
■ Security and Compliance Automation Lab doc: https://github.com/RedHatDemos/SecurityDemos/blob/master/ProactiveSecurityCompliance/documentation/README.adoc
● Ansible playbooks used in the lab/demo environment: https://github.com/RedHatDemos/SecurityDemos/tree/master/ProactiveSecurityCompliance
● Also, Ansible remediation playbooks for SCAP profiles are available directly in RHEL 7.5
■ Red Hat Enterprise Linux Security Technologies Lab doc: https://github.com/RedHatDemos/SecurityDemos/blob/master/RHELSecurityLabSummit/documentation/README.adoc
SECURITY @ RED HAT SUMMIT 2018
Many security sessions, including this session, were recorded and are now on YouTube! Visit: https://www.youtube.com/user/redhatsummit/videos
THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews