
Engineering Continuous Security and Compliance


Cloud Native Night December 2018, Munich: Talk by Andreas Zitzelsberger (@andreasz82, Principal Software Architect at QAware)

Join our Meetup:

Abstract: Currently, security and compliance are two separate worlds. There are numerous roles involved which do not collaborate well. The sheer complexity involved in both fields leads to costly mistakes and often, to only a one-time token effort.
At the heart of the problem, it’s about managing policies.
We show how we apply engineering virtues like automation, abstraction and creating interfaces to policy management, resulting in a methodology and tool set helping security and compliance to work in unison towards better and more secure products, while reducing headaches to those involved.


Example of policies in the infrastructure: Kubernetes admission control with post-processing and OPA (Open Policy Agent) showcase:

Example of policies in the application: Micronaut with OPA demo

Published in: Data & Analytics
Engineering Continuous Security and Compliance

  1. Andreas Zitzelsberger, QAware, @andreasz82: Engineering Continuous Security and Compliance
  2. The Problem
  3. (Image) Source: NASA
  4. (Image) Source: Monty Python's Flying Circus
  5. Developers, Managers, Auditors, Regulators, Security Officers, Architects, Customers. Source: NASA
  6. Developers, Managers, Auditors, Regulators, Security Officers, Architects, Customers
  7. Hosts of Enforcement Points: k8s Admission Controller, k8s Network Policy, k8s Pod Security Policy, Clair / OWASP results rules, Istio Traffic Mgmt Policy, Istio Auth Policy, KubeCI pipeline anatomy, SonarQube rules, ...
     A Legion of Compliance Sources: ISO 27001, GDPR, BAFIN, HIPAA, CIS, NIST, BSI, ...
  8. What Do We Need?
  9. We need Continuous Security together with Continuous Compliance: automated, making things more secure, making professionals' lives easier and not getting in the way of productive development.
  10. (Image) Source: Getty Images
  11. The Goals
  12. Centralized policy management creates confidence and auditability.
      Uniform real-time policies prevent costly mistakes.
      Bridging business and technical policies helps stakeholders work together.
  13. Centralized Policy Management
  14. GitSec: centralized policies in versioned repositories.
      Use Git as the repository.
      A methodology for how to map repositories and branches to running software.
  15. The tool set for GitSec: φυλακή (phylake), dictionary entry: 1. guard, watch; 2. a watching, keeping watch; 3. to keep watch; 4. persons keeping watch, a guard, sentinels; of the place where captives are kept, a prison; of the time (of night) during which guard was kept, a watch, i.e. a period of time during which part of the guard was on duty, and at the end of which others relieved them.
  16. Phylake High-Level Architecture: Policy Repository, Policy Manager, Policy Checker, Master Data Integration; adapters (K8s Adapter, Istio Adapter, ... Adapter, Open Policy Adapter) connecting to the enforcement targets (K8s, Istio, ..., Apps).
  17. Uniform Real-Time Policies
  18. What Is the Open Policy Agent (OPA)?
      The Open Policy Agent (OPA) is a cloud native real-time policy engine.
      CNCF project (Sandbox).
      Can be deployed as a sidecar or standalone app.
      Integrations for common infrastructure components.
      The Rego language is an accessible formal policy language.
      Tooling for developing policies in Rego.
      Unify as far as possible on Open Policies.
  19. Bridging Business and Technical Policies
  20. Business Policies -> Derived Policies -> Technical Policies.
      Example: "Be GoDB compliant" -> "Archive your software" -> Use the K8s admission controller to trigger the archiving system.
  21. Business Policies:

          godb = true
          hippa = false
          stgb203 = false
          gdpr = true
          bsiC5 = true
          coporateSecurityGuideline = true
          k8sBestPractices = true

  22. Derived Policies:

          archivingRequired = compliance.godb
          auditingRequired = any([compliance.godb, compliance.hippa, compliance.bsiC5])
          noSnapshots = any([compliance.godb, compliance.bsiC5, compliance.coporateSecurityGuideline])

  23. Technical Policies (Rego):

          # Deny when archiving is required but the Git commit annotation is not a full SHA-1 hash
          deny["Invalid Git commit hash annotation"] {
              policies.archivingRequired
              not re_match(`^[a-f0-9]{40}$`, gitCommitAnnotation(input))
          }

          # Deny containers that run a floating ":latest" image when snapshots are forbidden
          deny[msg] {
              policies.noSnapshots
              endswith(containers(input)[i].image, ":latest")
              msg = sprintf("No explicit image version for the container %s", [containers(input)[i].name])
          }

  24. Where do we stand now?
  25. We are at the very beginning:
      Very rough outline of the GitSec methodology.
      Prototype implementation of Phylake in Go.
      Prototypical policy manager and checker.
      Supports Kubernetes admission control and Istio network policies.
      Simple YAML business policy definitions.
  26. Lessons Learned
  27. Our ideas are sound and create value.
      The GitSec concepts need more love and much more detail.
      Open Policy is not widely supported yet ⇒ it makes sense to integrate component-specific policy definitions now and converge on Open Policies later.
  28. Can I Take Part?
  29. Absolutely! We want Phylake to be community-driven Open Source (it isn't, yet).
      We're still at the early stages.
      Take part, or just stay informed.
      Contact me: @andreasz82
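The three policy layers of slides 21 to 23 (business flags, derived policies, technical admission rules) can be exercised end to end in plain Go, the language the Phylake prototype is written in. The following is an added example, not code from the talk or from Phylake; it re-implements the two Rego deny rules of slide 23 as Go functions so the whole chain can be run and unit-tested offline. Assumptions: the admission input is reduced to the fields the rules read (annotations and containers), and the annotation key `example.com/git-commit` stands in for whatever the slides' `gitCommitAnnotation(input)` accessor reads, which the deck does not show. Identifier spellings (`hippa`, `coporateSecurityGuideline`) follow the slides.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// BusinessPolicies holds the boolean business-level flags of slide 21.
// Field spellings follow the slide so they map one-to-one onto its keys.
type BusinessPolicies struct {
	GoDB                      bool
	Hippa                     bool
	StGB203                   bool
	GDPR                      bool
	BSIC5                     bool
	CoporateSecurityGuideline bool
	K8sBestPractices          bool
}

// DerivedPolicies holds the intermediate policies of slide 22.
type DerivedPolicies struct {
	ArchivingRequired bool
	AuditingRequired  bool
	NoSnapshots       bool
}

// anyOf mirrors the any([...]) helper used on slide 22.
func anyOf(flags ...bool) bool {
	for _, f := range flags {
		if f {
			return true
		}
	}
	return false
}

// Derive applies the three rules of slide 22 to the business flags.
func Derive(b BusinessPolicies) DerivedPolicies {
	return DerivedPolicies{
		ArchivingRequired: b.GoDB,
		AuditingRequired:  anyOf(b.GoDB, b.Hippa, b.BSIC5),
		NoSnapshots:       anyOf(b.GoDB, b.BSIC5, b.CoporateSecurityGuideline),
	}
}

// Container and PodRequest are a minimal stand-in (assumption) for the
// admission review object an OPA admission webhook receives: only the
// fields the two technical policies read are modelled.
type Container struct {
	Name  string
	Image string
}

type PodRequest struct {
	Annotations map[string]string
	Containers  []Container
}

// GitCommitAnnotation is an assumed annotation key; the slides use an
// accessor gitCommitAnnotation(input) but do not show which key it reads.
const GitCommitAnnotation = "example.com/git-commit"

// Same pattern as the re_match call on slide 23: a full lower-case SHA-1.
var commitHashRe = regexp.MustCompile(`^[a-f0-9]{40}$`)

// Deny evaluates the technical policies of slide 23 and returns every deny
// message in rule order. An empty result means the request is admitted.
func Deny(p DerivedPolicies, req PodRequest) []string {
	var msgs []string
	// deny["Invalid Git commit hash annotation"]: archiving is required and
	// the annotation is missing or not a 40-hex-digit commit hash.
	if p.ArchivingRequired && !commitHashRe.MatchString(req.Annotations[GitCommitAnnotation]) {
		msgs = append(msgs, "Invalid Git commit hash annotation")
	}
	// deny[msg]: snapshots are forbidden and a container pins ":latest".
	if p.NoSnapshots {
		for _, c := range req.Containers {
			if strings.HasSuffix(c.Image, ":latest") {
				msgs = append(msgs, fmt.Sprintf("No explicit image version for the container %s", c.Name))
			}
		}
	}
	return msgs
}

func main() {
	// Constructed sample: the business flags of slide 21 and a pod that
	// violates both technical policies.
	biz := BusinessPolicies{GoDB: true, GDPR: true, BSIC5: true, CoporateSecurityGuideline: true, K8sBestPractices: true}
	req := PodRequest{
		Annotations: map[string]string{GitCommitAnnotation: "not-a-sha1"},
		Containers: []Container{
			{Name: "web", Image: "nginx:latest"},
			{Name: "db", Image: "postgres:11.1"},
		},
	}
	for _, m := range Deny(Derive(biz), req) {
		fmt.Println("deny:", m)
	}
}
```

Two things worth noticing when running it: a pod with no commit annotation at all is denied, because the empty string does not match the pattern, which is the fail-closed behaviour one wants from an archiving control; and the slide's `endswith(..., ":latest")` check only catches an explicit `:latest` tag, so an untagged image reference (which Kubernetes also resolves to `latest`) passes the snapshot rule as written and needs an additional check if that gap matters in your environment.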