
Scaling Security in the Cloud With Open Source

The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I’ll also cover how we’ve used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.

Scaling Security in the Cloud With Open Source

  1. Scaling Security in the Cloud With Open Source. Cloud Village @ DEF CON 27. James Strassburg, Technical Fellow / Chief Software Architect, Direct Supply
  2. Our Cloud Vision and Strategy: Immutable Servers, Infrastructure as Code, Automated Deployments, Secure by Default, Platform as a Service
  3. No automation, a few scripts, DevOps / Continuous Delivery, EVIL
  4. What happened?
  5. How can we do more with less?
  6. “Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.”
  7. Our use cases...
     ● Static Secrets: Key/Value Secrets Engine
     ● Dynamic Secrets
       ○ Database Credentials: PostgreSQL Database Secrets Engine
       ○ AWS Access Keys: AWS Secrets Engine
     ● SSH One Time Password Secrets Engine
  8. Authentication
  9. Key/Value Secrets Engine
  10. PostgreSQL Database Secrets Engine
  11. AWS Secrets Engine
  12. SSH One Time Password Secrets Engine
  13. Cloud Custodian
     ● Cloud configuration governance
     ● Automated checking and enforcement
     ● Policy as code
     ● Notifications
  14. Cloud Custodian - Example Policy
  15. Cloud Custodian - Notifications
  16. Security Scanning Automation / Dealing With Cattle
     ● Eliminate manual effort to update scan configurations
     ● Group instances logically by owner
     ● Support custom scans based on tags
  17. Scanner Based Scanning
  18. Agent Based Scanning
  19. Secure by Default
  20. What went not so well...
     ● Lots of work before Custodian deployed
     ● Teams started rolling their own sans modules
     ● Our integration with a cloud consultancy is preventing us from taking advantage of some newer features
  21. Resources
     ● https://carbon.now.sh/ ➢ code formatting
     ● https://unsplash.com/ ➢ images
     ● https://www.vaultproject.io/ ➢ HashiCorp Vault
     ● https://cloudcustodian.io/ ➢ Cloud Custodian
     Contact: james.strassburg@directsupply.com, @jstrassburg
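Slides 13 to 15 and the editor's notes describe Cloud Custodian policies as code whose filters and actions take a less heavy-handed approach where possible (notify and set a grace period before enforcing), and adding a patching security group to running EC2 instances. The following policy file is an added example written for this page, not a policy from the talk or from the Cloud Custodian project; the `c7n_status` tag name, the mailer queue URL, the contact address and the security group id are placeholders.

```yaml
policies:
  # 1. Flag running instances that have no Owner tag. Rather than stopping
  #    them outright, tag them for a future stop and notify the owner.
  - name: ec2-owner-tag-missing-warn
    resource: ec2
    filters:
      - "State.Name": running
      - "tag:Owner": absent
      - "tag:c7n_status": absent      # skip instances already flagged
    actions:
      - type: mark-for-op
        tag: c7n_status
        op: stop
        days: 3                        # grace period before enforcement
      - type: notify
        template: default
        subject: "[c7n] EC2 instance missing an Owner tag (stop in 3 days)"
        to:
          - resource-owner
          - cloud-security@example.com # placeholder team address
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/c7n-mailer  # placeholder
  # 2. Enforcement fires only once the marked date has passed and the tag
  #    is still missing, so an owner who fixes the tag is never stopped.
  - name: ec2-owner-tag-missing-stop
    resource: ec2
    filters:
      - type: marked-for-op
        tag: c7n_status
        op: stop
      - "tag:Owner": absent
    actions:
      - stop
  # 3. Make sure every running instance carries the patching security
  #    group, adding it where it is absent instead of replacing anything.
  - name: ec2-add-patching-sg
    resource: ec2
    filters:
      - "State.Name": running
      - not:
          - type: security-group
            key: GroupId
            value: sg-0123456789abcdef0  # placeholder patching SG id
    actions:
      - type: modify-security-groups
        add: sg-0123456789abcdef0        # placeholder patching SG id
```

Running `custodian run -s out policy.yml` once a day from a scheduler (or with a `periodic` mode block) gives the notify, grace period and enforce sequence; the `notify` action requires the separate c7n-mailer deployment to deliver messages from the queue.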

Editor's Notes

  • Since 1985, Direct Supply has been committed to enhancing the lives of seniors and those who care for them. We help Senior Living providers create amazing environments, improve care and outcomes, optimize building operations, streamline procurement and more.
  • -method=AWS for IAM auth
  • Note the filters and actions, taking a less heavy-handed approach where we can.
  • We’re using Custodian for lots more, including deregistering old AMIs, whitelisting AWS services, and adding a security group for patching to running EC2 instances… which leads me to...
  • All driven by tags on the scanner and the instances (pyTenable).
  • The Tenable agent is baked into our base Linux/Windows cookbooks/images. Automation is, again, driven by tags; the relevant tags are included in a tagging module.
  • When given a new technology, developers will first look for examples to copy. We tried to ensure the first things they found were correct.
  • AWS Organizations, Control Tower
