
Security, Identity, and DevOps, oh my - Print

My talk from All Day DevOps 2016 introducing IdentityOps. IdentityOps is a set of strategies that integrates security, Identity and DevOps to solve common use cases for technical operations.

Key takeaways of IdentityOps:
* Centralized policy for access management to resources
* Uniform application of policy and real-time enforcement
* Better operational efficiency
* Enable use cases: least privilege, nonrepudiation, segregation of duties, and auditability


  1. November 15, 2016. Security, Identity, and DevOps, oh my… Chris Sanchez, Founder and CTO, zibernetics. Twitter: @CSanchezAustin, chris@zibernetics.com
  2. (no text)
  3. (no text)
  4. Post questions to #security-track. Background • 20+ years in Austin technology as an Engineer, Manager, Mentor, Executive, and Entrepreneur • Tech veteran – iChat/Acuity, CALEB Technologies, Webify, PointSource, 21CT, CognitiveScale, Sun Microsystems, IBM • Passion for Identity and DevOps • Founded zibernetics in 2015 – Research and Development projects • Identity, HIPAA Security, DevOps, Cloud, Linux – Consultancy for early stage and growth startups
  5. Pop Quiz: Why is this bad? pg_hba.conf: "host all pgbot 192.168.5.0/24 trust" and "host all pgbot 172.20.0.0/16 trust". First 2 people to post the most interesting security issues to the #security-track with #IdentityOps will win a bumper sticker. #IdentityOps
  6. DevOps is hard because ____ (moving fast, lots of tooling, skills, knowledge)
  7. What makes it harder? The Business is moving faster
  8. What makes it harder? …and changing
  9. …and harder: Security is hard
  10. …and harder: Security gets little to no planning
  11. What’s needed? Security Strategy <-> DevOps Strategy
  12. There's no need to fear, IdentityOps is here. What is IdentityOps? Security – Treat it as a first-class citizen. Identity – Right resource, time, reason. DevOps – Security that scales
  13. IdentityOps Essentials
  14. Use Case: SSH Access – Use Case: Provide user-level access to Linux servers and support business and IT policy – Solution Options: SSH Public Key Authentication – Advantages: • Well understood and secure solution • Very good support by all Linux distributions – Challenges: • Only provides for authn, not authz • More operational overhead – e.g. user management
  15. Use Case: SSH Access • Solution: SSH Fabric – Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure – Keeps ssh keys centralized in an LDAP directory (not the authorized_keys file) and delivers them in real time for authn – Advanced authorization that integrates with PAM for seamless, fine-grained authz – Centralized policy for sudo access
  16. 1) Model Concepts
  17. 1) Model Concepts (diagram labels: Layers, Hosts, prod_pub, Groups, Users)
  18. 2) Centralize SSH Keys: LDAP Schema
  19. 2) Centralize SSH Keys: Configure SSH: /etc/ssh/sshd_config
  20. 2) Centralize SSH Keys: Custom Script: sshldap-pubkey.sh
  21. 3) Configure PAM: Configure LDAP: /etc/ldap.conf
  22. 3) Configure PAM: Force TLS to LDAP
  23. 3) Configure PAM: Configure Authz: /etc/pam.d/common-account
  24. 3) Configure PAM: Configure Authn: /etc/pam.d/common-auth
  25. 3) Configure PAM: Enable LDAP: /etc/nsswitch.conf
  26. 4) Configure sudo: Restrict Host Access: /etc/security/access.conf
  27. 4) Configure sudo: Create sudo rule: /etc/sudoers.d/sshldap
  28. 5) Test SSH Fabric: LDAP and Linux are Connected
  29. 5) Test SSH Fabric: Policy Allow: grp_itops, security_admins
  30. 5) Test SSH Fabric: Policy Deny: All other
  31. 5) Test SSH Fabric: Update Policy
  32. 5) Test SSH Fabric: Policy Allow: ops_prv
  33. 5) Test SSH Fabric: Policy Allow Sudo: ops-prv-sudo
  34. Use Case: Docker Access – Use Case: Provide access to the Docker runtime while supporting business and IT policy – Solution Options: Docker group or Authz plug-in – Advantages: • Users don’t require admin access • Plug-in architecture is very flexible (Authz) – Challenges: • Have to rely on local Linux groups • Docker group or admin access is required • Access is coarse – you can do anything
  35. Use Case: Docker Access • Solution: Docker Fabric – Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure (same as previous use case) – Centralized policy for user-level access to Docker (via TLS and a Flask app) – Keeps rules centralized in a repository and enforces them at runtime (same as previous use case)
  36. 2) Centralize Policy for User-level Access: Set up Docker group: /etc/default/docker
  37. 2) Centralize Policy for User-level Access: Update Docker socket access: /lib/systemd/system/docker.socket
  38. 2) Centralize Policy for User-level Access: Create Authz Plugin: /etc/default/docker_fabric_authz
  39. 2) Centralize Policy for User-level Access: Create Authz Plugin: /etc/systemd/system/docker.service.d/docker_fabric_authz.conf
  40. 2) Centralize Policy for User-level Access: Create Authz Plugin: /usr/local/bin/docker_fabric_authz.py
  41. 4) Test Docker Fabric: export theUser="Branton Davis"; alias dockera="docker -H=$(hostname):2376 --tlsverify --tlscacert=/etc/zinet/pki/server/zibernetics-int-cacert.crt --tlscert=\"/etc/zinet/pki/user/${theUser}.crt\" --tlskey=\"/etc/zinet/pki/user/${theUser}.ukey\""
  42. 4) Test Docker Fabric: Policy Deny: All others
  43. 4) Test Docker Fabric: Update Policy
  44. 4) Test Docker Fabric: Policy Allow: ops_prv
  45. IdentityOps Summary (diagram labels: Directory, Business Policies, Linux, Docker)
  46. IdentityOps Summary: Centralized, real-time policy for access management • Uniform application of policy and real-time enforcement • Better operational efficiency • Enable use cases: least privilege, nonrepudiation, segregation of duties, auditability
  47. W: http://www.zibernetics.com T: @CSanchezAustin E: chris@zibernetics.com. First person to post Wile E. Coyote’s middle name to the #security-track with #IdentityOps will win a bumper sticker. #IdentityOps
  48. Thank you! W: http://www.zibernetics.com T: @CSanchezAustin E: chris@zibernetics.com
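The pop quiz on slide 5 shows pg_hba.conf entries whose METHOD is `trust`, which in PostgreSQL means the server asks for no credential at all from any client whose address falls in the listed range. The checker below is an added example, not code from the talk: it parses pg_hba.conf lines (the quiz entries plus a constructed contrasting pair) and flags entries that grant unauthenticated or cleartext-password access beyond the loopback interface, reporting how many addresses each one exposes.

```python
import ipaddress

# Constructed pg_hba.conf: the two entries from the quiz slide plus a safer pair
# (hostssl + scram-sha-256, and local peer auth) for contrast.
PG_HBA = """\
# TYPE   DATABASE  USER      ADDRESS          METHOD
host     all       pgbot     192.168.5.0/24   trust
host     all       pgbot     172.20.0.0/16    trust
hostssl  all       pgbot     192.168.5.0/24   scram-sha-256
local    all       postgres                   peer
"""

# Methods that admit a client without proving who it is, or that send the secret in clear.
WEAK_METHODS = {"trust": "no authentication at all", "password": "cleartext password"}

def parse_hba(text):
    """Yield (line_no, type, database, user, address, method) for each active entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":                 # local entries have no ADDRESS column
            yield (line_no, fields[0], fields[1], fields[2], None, fields[3])
        elif len(fields) == 6:                   # ADDRESS written as "ip netmask"
            yield (line_no, fields[0], fields[1], fields[2], fields[3] + "/" + fields[4], fields[5])
        else:
            yield (line_no, fields[0], fields[1], fields[2], fields[3], fields[4])

def audit_hba(text):
    """Return one finding per risky entry; an empty list means nothing was flagged."""
    findings = []
    for line_no, kind, db, user, addr, method in parse_hba(text):
        if method not in WEAK_METHODS:
            continue
        scope = "the local socket"
        if addr is not None:
            net = ipaddress.ip_network(addr, strict=False)
            if net.is_loopback:                  # trust on 127.0.0.1/32 is a far smaller exposure
                continue
            scope = f"any of {net.num_addresses} addresses in {net.with_prefixlen}"
        findings.append(
            f"line {line_no}: {method} ({WEAK_METHODS[method]}) lets a client from {scope} "
            f"connect as '{user}' to database(s) '{db}' (connection type {kind})"
        )
    return findings
```

Running `audit_hba(PG_HBA)` flags only the two quiz lines; the /16 entry alone hands out 65536 source addresses that can log in as pgbot with no credential, which is the kind of finding the slide invites the audience to spot.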
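Slides 26 and 29 to 33 enforce the SSH Fabric policy through pam_access and /etc/security/access.conf: allow grp_itops and security_admins, deny everyone else, then add ops_prv. The evaluator below is an added example, not the talk's code, that applies the access.conf first-match semantics (ALL, ALL EXCEPT, parenthesised group names, LOCAL, CIDR and dotted-prefix origins) to a constructed policy file, so the allow and deny outcomes shown on the test slides can be checked before the file is pushed to hosts. Group names and the 10.20.0.0/16 network are assumed values.

```python
import ipaddress

# Constructed access.conf mirroring the slides' policy: grp_itops and security_admins from
# anywhere, ops_prv from one network, root only on a local console, all else denied. IPv4 only.
ACCESS_CONF = """\
+ : root : LOCAL
+ : (grp_itops) (security_admins) : ALL
+ : (ops_prv) : 10.20.0.0/16
- : ALL : ALL
"""

def _subject_matches(field, user, groups):
    # users field: ALL, "ALL EXCEPT ...", (group) for a forced group match, or a bare name
    tokens = field.split()
    if tokens[:2] == ["ALL", "EXCEPT"]:
        return not _subject_matches(" ".join(tokens[2:]), user, groups)
    return any(tok == "ALL"
               or (tok.startswith("(") and tok[1:-1] in groups)
               or (not tok.startswith("(") and (tok == user or tok in groups))
               for tok in tokens)

def _in_network(origin, cidr):
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:                            # origin is a tty or hostname, not an IP
        return False

def _origin_matches(field, origin):
    # origins field: ALL, LOCAL (origin has no '.'), CIDR, "192.168.5." prefix, or exact name
    return any(tok == "ALL"
               or (tok == "LOCAL" and "." not in origin)
               or ("/" in tok and _in_network(origin, tok))
               or (tok.endswith(".") and origin.startswith(tok))
               or tok == origin
               for tok in field.split())

def access_allowed(conf, user, groups, origin):
    """Evaluate like pam_access: the first matching line decides; no matching line allows."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, subjects, origins = (part.strip() for part in line.split(":", 2))
        if _subject_matches(subjects, user, groups) and _origin_matches(origins, origin):
            return perm == "+"
    return True
```

The trailing `- : ALL : ALL` line matters: without it pam_access lets through any login that no earlier line matched, which is the opposite of the "Policy Deny: All other" outcome on slide 30.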
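Slides 38 to 44 put user-level Docker policy into an authorization plugin (docker_fabric_authz.py) that dockerd consults with the client-certificate identity from the `--tlsverify` connection on slide 41. The decision logic below is an added example, not the talk's plugin: it answers the two endpoints of the Docker authorization plugin protocol, `/AuthZPlugin.AuthZReq` and `/AuthZPlugin.AuthZRes`, maps the certificate CN that dockerd passes as `User` to groups, allows only the Engine API calls a group is permitted, and refuses privileged container creation unless the caller is in a (assumed) ops_prv_sudo group. The user-to-group and group-to-rule tables are constructed stand-ins for the LDAP lookups, and the HTTP framing (the Flask app on slide 35) is left to the caller.

```python
import base64
import json
import re
# Constructed stand-ins for what the talk keeps in LDAP: TLS client-cert CN (reported by
# dockerd as "User") -> groups, and group -> (HTTP method, regex over the Engine API path).
USER_GROUPS = {"Branton Davis": ["ops_prv"], "svc-ci": ["ci_readonly"]}
GROUP_RULES = {
    "ci_readonly": [("GET", r"^/v[\d.]+/(containers|images)/json$")],
    "ops_prv": [("GET", r"^/v[\d.]+/.*"),
                ("POST", r"^/v[\d.]+/containers/.*"),
                ("DELETE", r"^/v[\d.]+/containers/[^/]+$")],
}
PRIVILEGED_GROUP = "ops_prv_sudo"     # assumed group name allowed to run --privileged

def encode_body(obj):
    """Base64-encode a JSON body the way dockerd does in RequestBody (used for testing)."""
    return base64.b64encode(json.dumps(obj).encode()).decode()

def privileged_requested(body_b64):
    """True if a create request asks for HostConfig.Privileged; tolerates missing/odd bodies."""
    if not body_b64:
        return False
    try:
        body = json.loads(base64.b64decode(body_b64))
    except (ValueError, TypeError):
        return False
    return bool(isinstance(body, dict) and (body.get("HostConfig") or {}).get("Privileged"))

def authz_req(req):
    """Decide one AuthZReq payload; anything not explicitly allowed is denied."""
    user = req.get("User", "")
    groups = USER_GROUPS.get(user, [])
    method, path = req.get("RequestMethod", ""), req.get("RequestUri", "").split("?", 1)[0]
    if not user:
        return {"Allow": False, "Msg": "unauthenticated request; a TLS client certificate is required"}
    if privileged_requested(req.get("RequestBody")) and PRIVILEGED_GROUP not in groups:
        return {"Allow": False, "Msg": f"privileged containers require group {PRIVILEGED_GROUP}"}
    for group in groups:
        for rule_method, pattern in GROUP_RULES.get(group, []):
            if rule_method == method and re.match(pattern, path):
                return {"Allow": True}
    return {"Allow": False, "Msg": f"{user} ({', '.join(groups) or 'no groups'}) may not {method} {path}"}

def handle(route, raw_body):
    """Map the two plugin endpoints to JSON replies; call this from the Flask view functions."""
    if route == "/AuthZPlugin.AuthZReq":
        return json.dumps(authz_req(json.loads(raw_body)))
    if route == "/AuthZPlugin.AuthZRes":
        return json.dumps({"Allow": True})    # nothing to filter on the response path
    return json.dumps({"Allow": False, "Msg": "unknown plugin route"})
```

The `Msg` field is what the user sees from the docker CLI on a denial, so naming the user, groups and call there gives both the operator and the audit log the non-repudiation the summary slide asks for.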
