Scaling Security in the Cloud With Open Source
Cloud Village @ DEF CON 27
James Strassburg, Technical Fellow / Chief Software Architect, Direct Supply

The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I’ll also cover how we’ve used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.

1. Scaling Security in the Cloud With Open Source
   Cloud Village @ DEF CON 27
   James Strassburg, Technical Fellow / Chief Software Architect, Direct Supply
2. Our Cloud Vision and Strategy
   Immutable Servers
   Infrastructure as Code
   Automated Deployments
   Secure by Default
   Platform as a Service
3. No automation
   A few scripts
   DevOps / Continuous Delivery
   EVIL
4. What happened?
5. How can we do more with less?
6. “Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.” (HashiCorp Vault)
7. Our use cases...
   ● Static Secrets - Key/Value Secrets Engine
   ● Dynamic Secrets
     ○ Database Credentials - PostgreSQL Database Secrets Engine
     ○ AWS Access Keys - AWS Secrets Engine
   ● SSH One Time Password Secrets Engine
8. Authentication
9. Key/Value Secrets Engine
10. PostgreSQL Database Secrets Engine
11. AWS Secrets Engine
12. SSH One Time Password Secrets Engine
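Slides 10 and 11 cover the two dynamic-secrets engines: Vault creates a PostgreSQL user or an AWS access key on demand, attaches a lease with a TTL, and revokes the credential (drops the user, deletes the key) when the lease expires or is revoked. That only scales if the consuming service treats the credential as temporary. The following is an added example, not code from the deck or from HashiCorp: a standard-library Python client that fetches a credential from a creds path, renews it at two-thirds of its TTL, falls back to a fresh credential when Vault refuses or caps the renewal (max_ttl reached, lease revoked, Vault unreachable), and revokes the lease at shutdown. The role name in `database/creds/app`, the thresholds, and the `fake_vault` test double that stands in for a Vault server are assumptions or constructed for the example.

```python
"""Vault dynamic-secret leases, consumer side: issue, renew, re-issue, revoke."""
import json, time, urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# (method, api_path, json_body_or_None) -> parsed JSON; injected so the same logic runs on a test double
Transport = Callable[[str, str, Optional[dict]], dict]

def vault_http_transport(addr: str, token: str) -> Transport:   # addr e.g. http://127.0.0.1:8200
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
                                     headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")   # revoke answers 204 with an empty body
    return send

@dataclass
class Lease:
    lease_id: str
    data: dict          # {"username", "password"} for database/, access keys for aws/
    renewable: bool
    ttl: int            # seconds granted at issue; reused as the renew increment
    renew_at: float     # attempt renewal once the clock reaches this
    expires_at: float   # Vault revokes the credential at this time

class DynamicCredential:
    """Serves a live credential from a creds path such as "database/creds/app" (role name assumed)."""
    def __init__(self, transport: Transport, creds_path: str, renew_fraction: float = 0.66,
                 min_remaining: int = 60, clock: Callable[[], float] = time.time):
        self.transport, self.creds_path, self.clock = transport, creds_path, clock
        self.renew_fraction = renew_fraction  # renew after this share of the TTL has elapsed
        self.min_remaining = min_remaining    # a renewal granting less than this: re-issue instead
        self.lease: Optional[Lease] = None
        self.issued = self.renewed = 0        # counters worth exporting as metrics

    def _issue(self) -> Lease:
        resp = self.transport("GET", self.creds_path, None)
        ttl, now = int(resp["lease_duration"]), self.clock()
        self.lease = Lease(resp["lease_id"], resp["data"], bool(resp.get("renewable")), ttl,
                           now + ttl * self.renew_fraction, now + ttl)
        self.issued += 1
        return self.lease

    def _renew(self, lease: Lease) -> bool:
        try:
            resp = self.transport("PUT", "sys/leases/renew",
                                  {"lease_id": lease.lease_id, "increment": lease.ttl})
        except OSError:                       # HTTPError/URLError, connection refused, Vault sealed
            return False
        granted, now = int(resp.get("lease_duration", 0)), self.clock()
        if granted < self.min_remaining:      # near max_ttl Vault caps the grant, then refuses
            return False
        lease.renew_at, lease.expires_at = now + granted * self.renew_fraction, now + granted
        self.renewed += 1
        return True

    def get(self) -> dict:
        """Credential data, refreshed as needed. A changed username means the old DB user is gone."""
        lease, now = self.lease, self.clock()
        if lease is None or now >= lease.expires_at:
            lease = self._issue()             # nothing yet, or already revoked server-side
        elif now >= lease.renew_at and not (lease.renewable and self._renew(lease)):
            lease = self._issue()             # renewal refused: take a fresh credential
        return lease.data

    def revoke(self) -> None:                 # at shutdown, rather than letting the TTL run out
        if self.lease is not None:
            self.transport("PUT", "sys/leases/revoke", {"lease_id": self.lease.lease_id})
            self.lease = None

def fake_vault():
    """Constructed test double, not the Vault server: 1h leases, one renewal per lease, then refusal."""
    state = {"n": 0, "renewed": set(), "revoked": []}
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        if method == "GET":
            state["n"] += 1
            return {"lease_id": f"{path}/{state['n']}", "renewable": True, "lease_duration": 3600,
                    "data": {"username": f"v-app-{state['n']}", "password": f"pw{state['n']}"}}
        if path == "sys/leases/renew" and body["lease_id"] not in state["renewed"]:
            state["renewed"].add(body["lease_id"])
            return {"lease_id": body["lease_id"], "renewable": True, "lease_duration": 3600}
        if path == "sys/leases/revoke":
            state["revoked"].append(body["lease_id"])
            return {}
        raise OSError(f"400 refused: {method} {path}")   # e.g. second renewal: past max_ttl
    return send, state

def simulate() -> dict:
    """Issue -> renew -> refused renew -> re-issue -> revoke, on a fake clock."""
    t, (send, state) = [0.0], fake_vault()
    cred = DynamicCredential(send, "database/creds/app", clock=lambda: t[0])
    seen = []
    for advance in (0, 1000, 2500, 2500, 3000):  # seconds elapsed before each get()
        t[0] += advance
        seen.append(cred.get()["username"])
    cred.revoke()
    return {"usernames": seen, "issued": cred.issued, "renewed": cred.renewed, "revoked": state["revoked"]}
```

`simulate()` walks one credential through the whole life cycle on a fake clock: the first renewal succeeds, the second is refused, a fresh user is issued, and the lease is revoked at the end. In production, pass `vault_http_transport(addr, token)` built from the token the application obtained through the authentication method of slide 8; the same class serves `aws/creds/<role>` because the AWS engine returns the same lease envelope. When `get()` hands back a different username, Vault has already run the role's revocation statements against the old user, so pooled database connections opened with the old credential have to be discarded rather than reused.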
13. Cloud Custodian
    ● Cloud configuration governance
    ● Automated checking and enforcement
    ● Policy as code
    ● Notifications
14. Cloud Custodian - Example Policy
15. Cloud Custodian - Notifications
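Slides 14 and 15 showed an example policy and its notification as images, which the transcript does not carry. As an added example, not the deck's own policy, here is a Cloud Custodian policy file in the tool's YAML that exercises the four points of slide 13: a check (security groups that allow SSH from anywhere), enforcement (the matched rule is removed), policy as code (the file lives in version control and runs on a schedule), and a notification to the resource owner through the c7n-mailer queue. The second pair of policies shows the mark-then-act pattern used when remediation needs a grace period. The account ID, IAM role ARN, SQS queue URL and mailbox are placeholders.

```yaml
# Cloud Custodian policy file (added example, not the talk's policy).
# Ad hoc / CI:  custodian run --output-dir ./out policies.yml
# Dry run:      custodian run --dryrun --output-dir ./out policies.yml
# Placeholders: the account ID, role ARN, SQS queue URL and mailbox below.
policies:

  # Check and enforce: strip SSH-from-anywhere rules, then tell the owner.
  - name: sg-ssh-open-to-world
    resource: aws.security-group
    description: Remove ingress rules that allow port 22 from 0.0.0.0/0 and notify.
    mode:                                   # deployed by `custodian run` as a scheduled Lambda
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::123456789012:role/custodian-lambda
    filters:
      - type: ingress
        Ports: [22]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      - type: remove-permissions
        ingress: matched                    # only the rule(s) the filter matched, not the whole group
      - type: notify
        subject: "[custodian] Security group allowed SSH from anywhere; rule removed"
        to:
          - resource-owner                  # resolved by c7n-mailer from the tags in contact_tags
          - security-team@example.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer

  # Governance by tag: running instances with no owner get notice, then get stopped.
  - name: ec2-unowned-mark
    resource: aws.ec2
    description: Instances with no Owner tag are marked for stop in 3 days.
    filters:
      - "State.Name": running
      - "tag:Owner": absent
      - "tag:c7n_unowned": absent           # don't re-mark (and re-notify) on every run
    actions:
      - type: mark-for-op
        tag: c7n_unowned
        op: stop
        days: 3
      - type: notify
        subject: "[custodian] Instance without an Owner tag will be stopped in 3 days"
        to: [security-team@example.com]
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer

  - name: ec2-unowned-stop
    resource: aws.ec2
    filters:
      - type: marked-for-op                 # matches only once the marked date has passed
        tag: c7n_unowned
        op: stop
    actions:
      - stop
```

The `notify` action only enqueues a message; a separately deployed c7n-mailer drains the queue and sends the mail (SES, or Slack with a different transport configuration). For `resource-owner` to resolve, the mailer's own config must list the tags it should read, for example `contact_tags: [Owner]`, which is also what makes grouping resources by owner tag worthwhile. The first policy carries a `mode` block, so `custodian run` deploys it as a periodic Lambda; the two EC2 policies have none and run in pull mode from whatever scheduler invokes `custodian run`.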
16. Security Scanning Automation / Dealing With Cattle
    ● Eliminate manual effort to update scan configurations
    ● Group instances logically by owner
    ● Support custom scans based on tags
17. Scanner Based Scanning
18. Agent Based Scanning
19. Secure by Default
20. What went not so well...
    ● Lots of work before Custodian deployed
    ● Teams started rolling their own sans modules
    ● Our integration with a cloud consultancy is preventing us from taking advantage of some newer features
21. Resources
    ● https://carbon.now.sh/ ➢ code formatting
    ● https://unsplash.com/ ➢ images
    ● https://www.vaultproject.io/ ➢ HashiCorp Vault
    ● https://cloudcustodian.io/ ➢ Cloud Custodian
    james.strassburg@directsupply.com
    @jstrassburg