Scaling Security in the Cloud With Open Source

The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I’ll also cover how we’ve used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.

Published in: Technology

  1. Scaling Security in the Cloud With Open Source. Cloud Village @ DEF CON 27. James Strassburg, Technical Fellow / Chief Software Architect, Direct Supply
  2. Our Cloud Vision and Strategy
     ● Immutable Servers
     ● Infrastructure as Code
     ● Automated Deployments
     ● Secure by Default
     ● Platform as a Service
  3. No automation; A few scripts; DevOps / Continuous Delivery; EVIL
  4. What happened?
  5. How can we do more with less?
  6. “Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.”
  7. Our use cases...
     ● Static Secrets - Key/Value Secrets Engine
     ● Dynamic Secrets
       ○ Database Credentials - PostgreSQL Database Secrets Engine
       ○ AWS Access Keys - AWS Secrets Engine
     ● SSH One Time Password Secrets Engine
  8. Authentication
  9. Key/Value Secrets Engine
  10. PostgreSQL Database Secrets Engine
  11. AWS Secrets Engine
  12. SSH One Time Password Secrets Engine
  13. Cloud Custodian
     ● Cloud configuration governance
     ● Automated checking and enforcement
     ● Policy as code
     ● Notifications
  14. Cloud Custodian - Example Policy
  15. Cloud Custodian - Notifications
  16. Security Scanning Automation / Dealing With Cattle
     ● Eliminate manual effort to update scan configurations
     ● Group instances logically by owner
     ● Support custom scans based on tags
  17. Scanner Based Scanning
  18. Agent Based Scanning
  19. Secure by Default
  20. What went not so well...
     ● Lots of work before Custodian deployed
     ● Teams started rolling their own sans modules
     ● Our integration with a cloud consultancy is preventing us from taking advantage of some newer features
  21. Resources
     ● https://carbon.now.sh/ ➢ code formatting
     ● https://unsplash.com/ ➢ images
     ● https://www.vaultproject.io/ ➢ HashiCorp Vault
     ● https://cloudcustodian.io/ ➢ Cloud Custodian
     james.strassburg@directsupply.com, @jstrassburg