Automating security policies (compliance) with Rudder

Designing, applying and keeping track of security-oriented rules for your IT infrastructure can be a time-consuming, costly and approximate job. Whether you're in charge of defining the policy, implementing it or checking for discrepancies, you'll be aware that all of this takes time, often out-of-hours time, that there is a lot of room for error and usually a considerable gap between ideals and reality - just how big a gap may or may not be shared with everyone involved.

This talk will show how Rudder, an open source stack for automating configuration and auditing, can be used to ease and improve on several of these issues. Topics covered will include deploying identical settings everywhere, saving time for multiple changes, near real-time auditing of actual settings, gaining global overview to help analyze vulnerability impacts, and improved reactivity. I will include real-life examples and feedback from several companies where this has been put into action, including benefits (of course) and shortcomings (because there are always some).

The aim of this session is to discuss methods and the approach of automation applied to this field, while demonstrating and giving feedback on some of the possibilities offered by Rudder. I hope to avoid being side-tracked into talking about detailed security recommendations, sticking to simple best practices for the sake of examples, thus focusing on the approach.

Automating security policies (compliance) with Rudder

  1. Automating security policies: from deployment to auditing with Rudder. Jonathan CLARKE – jcl@normation.com. Normation – CC-BY-SA – normation.com
  2. Who am I? Jonathan Clarke. Job: co-founder and CTO at Normation. Line of work: initially system administration, infrastructure management...; now a whole load of other stuff! Free software: co-creator of Rudder; developer in several LDAP projects: LSC, LTB, OpenLDAP...; contributor to CFEngine. Contact info: email jcl@normation.com, Twitter @jooooooon42 (that's 7 o's!)
  3. Context: IT infrastructure.
  4. Context: IT infrastructure, automation.
  5. Context: IT infrastructure, automation. Motivations: avoid human error; build new hosts quickly; rebuild hosts quickly; scale out quickly.
  6. Context: IT infrastructure, automation. Tools:
  7. What about compliance? IT infrastructure: compliance?
  8. What about compliance? Motivations: know about config drift; prove compliance; get a complete overview; get an objective overview.
  9. What about compliance? Compliance to what?
  10. What about compliance? Compliance to what? Rules come from everywhere: laws, industry regulations, corporate regulations, best practices.
  11. What about compliance? Compliance to what? Practical examples: enforce some parameters in a service; MOTD “warning”; password policy; Tripwire (disk contents).
  12. How is this different from “just” automation? Automation vs compliance: how different is this technically?
  13. How is this different from “just” automation? Frequency: the more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, efficient agent; run “slow” checks in the background (file copying over network...); focus on the security checks; reporting can be done later.
  14. How is this different from “just” automation? All or nothing: compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Make sure you know what systems exist: rely on an inventory DB; support all the {old, weird, buggy} {OS, software, versions}; two systems may be alike on paper, they very rarely are in reality.
  15. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + prebook flight to Cayman islands?
  16. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff you don't need to: be specific (one line in a file?). Start with no changes: just check. Dry-run? Cover full cycles (days, weeks, months...). Classic quality control (reviews...).
  17. So, what have we actually done? Applied these principles in
  18. Introducing Rudder: http://rudder.cm/. Specifically designed for automation & compliance; simplified user experience via a Web UI; based on CFEngine 3; graphical reporting; multi-platform (packaged for each OS); Open Source. Vagrant config to test: https://github.com/normation/rudder-vagrant/
  19. Introducing Rudder.
  20. Key points for security compliance. Continuous checking: every 5 minutes; high frequency, trust in compliance reporting. Separate configuration from implementation: reuse implementations, fewer bugs, shared code...; clear separation of roles. Multi-platform: Linux, Unix, Windows, Android...; cover as many systems as possible. Reporting: done after the checks, in a separate process; avoid bottlenecks; different report types.
  21. Rudder - workflow. Define security policy and changes (fixes, upgrades...): management. Technical abstraction (method vs parameters): community, expert. Configure parameters: sysadmins. Initial application and continuous verification: configuration agent. Reporting.
  22. Final thoughts. Summary: security compliance is a very demanding type of automation; possible today with open source tools; the main issue is about how you use them! Next steps? Authorizations: who can change which parameters? (law vs regulations vs policy...); correlate with monitoring data: determine root causes, cross-effects... It works, but the tools can be improved: detect changes (inotify?), since even 1 minute is not always enough; dry-run iterations automatically?
  23. Questions? Follow us on Twitter: @RudderProject. Jonathan CLARKE – jcl@normation.com
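The check-only approach the slides argue for (slide 16: "start with no changes, just check"; slide 13: reporting done after the checks; slides 20 and 21: methods separated from parameters, errors never silently skipped because compliance is all or nothing) can be shown in a few dozen lines. The block below is an added Python example, not Rudder's or CFEngine's code and not taken from the slides. It implements three generic check methods matching the practical examples on slide 11 (a MOTD warning line, a password-policy directive, a Tripwire-style file hash), a policy expressed purely as parameters, an audit pass that modifies nothing, and a summary step run only after all checks finish. The file paths, policy values and the sample host tree are constructed assumptions built in a temporary directory.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Methods: generic, reusable check implementations (the "how").
# Each returns (compliant, detail) and modifies nothing: this is a check-only audit pass.

def file_contains_line(path, line):
    """Compliant if `line` appears verbatim (whitespace-trimmed) in the file, e.g. a MOTD warning."""
    with open(path, encoding="utf-8") as f:
        present = any(l.strip() == line for l in f)
    return present, f"{path}: line {line!r} {'present' if present else 'missing'}"

def file_key_value(path, key, expected):
    """Compliant if a 'KEY value' directive (login.defs style, '#' comments ignored) matches."""
    actual = None
    with open(path, encoding="utf-8") as f:
        for raw in f:
            parts = raw.split("#", 1)[0].split(None, 1)
            if len(parts) == 2 and parts[0] == key:
                actual = parts[1].strip()  # last definition wins, as login.defs does
    return actual == expected, f"{path}: {key}={actual!r}, expected {expected!r}"

def file_sha256(path, expected_hex):
    """Tripwire-style integrity check: compliant if the file's SHA-256 equals the recorded baseline."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex, f"{path}: sha256 {h.hexdigest()[:12]}..., baseline {expected_hex[:12]}..."

METHODS = {"file_contains_line": file_contains_line,
           "file_key_value": file_key_value,
           "file_sha256": file_sha256}

# Parameters: the security policy (the "what"), kept separate from the methods.
@dataclass
class Rule:
    name: str
    method: str
    params: dict

def run_audit(rules, root=""):
    """Evaluate every rule against the files under `root` without changing anything.
    Errors (missing file, unknown method) are reported, never skipped: compliance is
    all-or-nothing, so an unchecked item must not count as compliant."""
    results = []
    for rule in rules:
        method = METHODS.get(rule.method)
        if method is None:
            results.append({"rule": rule.name, "status": "error", "detail": f"unknown method {rule.method!r}"})
            continue
        params = dict(rule.params)
        if root:  # re-root absolute paths so the audit can run against a sample tree
            params["path"] = os.path.join(root, params["path"].lstrip("/"))
        try:
            ok, detail = method(**params)
            results.append({"rule": rule.name, "status": "compliant" if ok else "non-compliant", "detail": detail})
        except OSError as exc:
            results.append({"rule": rule.name, "status": "error", "detail": str(exc)})
    return results

# Reporting: a separate step, run only after all checks have finished.
def summarize(results):
    counts = {"compliant": 0, "non-compliant": 0, "error": 0}
    for r in results:
        counts[r["status"]] += 1
    return {**counts, "compliance_pct": round(100.0 * counts["compliant"] / max(len(results), 1), 1)}

# Constructed sample host and policy (assumed values, not real system data).
SAMPLE_BINARY = b"\x7fELF constructed stand-in for a monitored binary\n"
BASELINE_SHA256 = hashlib.sha256(SAMPLE_BINARY).hexdigest()  # "recorded" when the baseline was taken

SAMPLE_RULES = [
    Rule("motd-warning", "file_contains_line",
         {"path": "/etc/motd", "line": "Authorized access only. Activity is monitored."}),
    Rule("password-max-age", "file_key_value",
         {"path": "/etc/login.defs", "key": "PASS_MAX_DAYS", "expected": "90"}),
    Rule("sshd-integrity", "file_sha256",
         {"path": "/usr/sbin/sshd", "expected_hex": BASELINE_SHA256}),
    Rule("sshd-no-root-login", "file_contains_line",
         {"path": "/etc/ssh/sshd_config", "line": "PermitRootLogin no"}),
]

def build_sample_host():
    """Create a constructed fake host tree in a temp directory; /etc/ssh/sshd_config is
    deliberately absent and PASS_MAX_DAYS has drifted from the policy value of 90."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    sample = {"etc/motd": b"Authorized access only. Activity is monitored.\n",
              "etc/login.defs": b"# constructed login.defs\nPASS_MAX_DAYS 99999\nPASS_MIN_LEN 8\n",
              "usr/sbin/sshd": SAMPLE_BINARY}
    for rel, data in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    host = build_sample_host()
    results = run_audit(SAMPLE_RULES, host)
    for r in results:
        print(f"{r['status']:<14} {r['rule']:<20} {r['detail']}")
    print(summarize(results))
```

Running it reports two compliant rules, one non-compliant (the drifted PASS_MAX_DAYS) and one error (the missing sshd_config), giving 50% compliance. The error is counted separately rather than folded into "compliant" or dropped, which is the point slide 14 makes: a system you could not check is not a system you know to be compliant. Nothing in the audit pass writes to disk, so the same engine can be run every few minutes on production without the risk the "you cannot get it wrong" slides warn about.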
