Hardening Your Config Management - Security and Attack Vectors in Config Management


Configuration management is a great tool for helping with hardening and securing servers. But with any addition of new technology comes a new attack vector: Who watches the watchers?

Security is painful. Luckily, the invention of configuration management tools has made this process easier by allowing repeatable configuration for common hardening. However, there is a catch-22: how do we harden the configuration management itself?

When you have a tool that enables you to change systems at a fundamental level, it's a fairly tempting target for malicious agents, and one that would cause a lot of problems if compromised.

We'll be discussing some general patterns we can use to mitigate these problems:

- Whitelisting "master" APIs
- Encrypting sensitive data
- Adding a security element to code review

And we'll talk about some application-specific options for some of the most popular tools out there, such as Puppet, Chef, Ansible, CFEngine and Salt.
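One way to put "encrypting sensitive data" and "a security element in code review" into an automated check, as an added example that is not part of the talk: a scanner that flags secret-looking keys whose value is a literal instead of hiera-eyaml ciphertext, an Ansible Vault value or a Hiera lookup. The key-name list, the manifests and the data file are constructed assumptions, and only single-line values are handled.

```python
import re

# Key names that usually hold secrets (assumed list; expect some false positives).
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.I)
# "key: value" (YAML/Hiera), "key => value" and "$key = value" (Puppet).
ASSIGN = re.compile(
    r"""^\s*['"]?\$?(?P<key>[\w:.\-]+)['"]?\s*(=>|:|=)\s*(?P<val>.+?)\s*,?\s*$""")
# Values that are ciphertext or references rather than literals.
SAFE_VALUE = [re.compile(p) for p in (
    r"^ENC\[\w+,",          # hiera-eyaml ciphertext
    r"^!vault\b",           # Ansible Vault inline value
    r"^(lookup|hiera)\(",   # Puppet Hiera lookup
    r"^\{\{.*\}\}$",        # Jinja2 variable reference
)]

def find_plaintext_secrets(text, filename):
    """Return (filename, line_no, key) for secret-looking keys with literal values."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN.match(line)  # comment lines never match: a key must come first
        if not m or not SECRET_KEY.search(m.group("key")):
            continue
        value = m.group("val").strip("'\"")
        if not any(p.search(value) for p in SAFE_VALUE):
            findings.append((filename, line_no, m.group("key")))
    return findings

# Constructed samples: a manifest with the secret inline, the same manifest
# reading it from Hiera, and Hiera/Ansible data with one value left in plaintext.
BAD_MANIFEST = """\
class { 'mysql::server':
  root_password => 'hunter2-constructed',
}
"""
GOOD_MANIFEST = """\
class { 'mysql::server':
  root_password => lookup('profile::db::root_password'),
}
"""
DATA = """\
profile::db::root_password: ENC[PKCS7,CONSTRUCTED_PLACEHOLDER]
profile::db::api_token: "plaintext-token-constructed"
ansible_become_password: !vault |
smtp_password: "{{ vault_smtp_password }}"
"""

if __name__ == "__main__":
    for name, text in (("db.pp", BAD_MANIFEST), ("db.pp", GOOD_MANIFEST), ("common.yaml", DATA)):
        print(find_plaintext_secrets(text, name))
```

Run as a pre-commit hook or CI step, a non-empty result blocks the change until the value is moved into the encrypted data layer.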

Published in: Technology


  1. 1. HARDENING YOUR CONFIG MANAGEMENT: SECURITY AND ATTACK VECTORS IN CONFIG MANAGEMENT
  2. 2. WHO AM I? > Peter Souter > @petersouter > @petems - IRC/GitHub > Professional Services Engineer at Puppet Labs > Work with customers when they buy services and teach Puppet classes
  3. 3. THIS IS MY 3RD FOSDEM!
  4. 4. WHAT IS THIS ALL ABOUT? HTTPS://FLIC.KR/P/BHYT8B
  5. 5. SECURITY IS HARD AND UNDERAPPRECIATED! HTTPS://TWITTER.COM/PETECHESLOCK/STATUS/595617204273618944
  6. 6. SPECIFIC REQUIREMENTS; MULTIPLE SYSTEMS; EVERY OS HAS ITS OWN QUIRKS AND NUANCES
  7. 7. CONFIG MANAGEMENT IS HERE TO SAVE THE DAY!
  8. 8. HOWEVER...
  9. 9. QUIS CUSTODIET IPSOS CUSTODES?
  10. 10. A SYSTEM CAPABLE OF PERFORMING CHANGES FOR CONFIGURATION ACROSS THOUSANDS OF SERVERS...
  11. 11. COULD CAUSE A LOT OF DAMAGE!
  12. 12. CONFIG MANAGEMENT: A PRETTY BIG ATTACK VECTOR....
  13. 13. HOW DO WE HARDEN CONFIG MANAGEMENT ITSELF?
  14. 14. DON'T WANT TO FOCUS TOO MUCH ON THE TOOLS THEMSELVES
  15. 15. I HAVE BIASES, BOTH CONSCIOUS AND SUBCONSCIOUS
  16. 16. THERE IS NO ONE-SIZE-FITS-ALL TO HARDEN CONFIG MANAGEMENT!
  17. 17. IT’S A LOT OF CHANGES TO PROCESSES
  18. 18. PEOPLE ARE HARDER TO CHANGE THAN COMPUTERS!
  19. 19. ACCEPT THAT YOU WILL FAIL, PLAN ACCORDINGLY
  20. 20. THE BADDIES HAVE MORE TIME/MONEY/ENERGY THAN YOU DO!
  21. 21. YOU WILL FAIL AT SOME POINT. YOU NEED TO FAIL SECURELY
  22. 22. A QUICK SURVEY
  23. 23. WHO HERE USES... ANSIBLE; CFENGINE; CHEF; PUPPET; SALTSTACK
  24. 24. WHERE TO START?
  25. 25. FIRST 3 RESULTS ARE FROM A COMPANY THAT RHYMES WITH RIPTIRE...
  26. 26. 4TH RESULT: OWASP PRINCIPLES
  27. 27. 5TH RESULT...
  28. 28. 8TH RESULT: PRETTY GOOD BLOG POST
  29. 29. STILL, NOT SUPER IN-DEPTH...
  30. 30. GUESS I'LL HAVE TO ACTUALLY DO SOME RESEARCH...
  31. 31. DATA
  32. 32. IT'S EASY TO LEAK DATA...
  33. 33. ESPECIALLY SOMETHING YOU CAN LOOK FOR AUTOMATICALLY
  34. 34. BEST PRACTICE: SEPARATION OF CONCERNS
  35. 35. REMOVE DATA FROM CODE, ESPECIALLY COMPANY-SPECIFIC DATA!
  36. 36. DATA ABSTRACTION: PUPPET - HIERA; CHEF - DATA BAGS/ATTRIBUTES; ANSIBLE - ROLES; SALT - GRAINS/PILLAR
  37. 37. BAD
  38. 38. GOOD
  39. 39. ADVANTAGE: NOT ONLY MORE SECURE, CLEANER CODE THAT'S MORE REUSABLE!
  40. 40. THEORETICAL SCENARIO:
  41. 41. YOU SHOULD BE ABLE TO RELEASE MOST CODE YOU WRITE PUBLICLY WITHOUT ANY SORT OF SECURITY ISSUES
  42. 42. ANYTHING SENSITIVE SHOULD BE KEPT IN THE DATA ABSTRACTION LAYER
  43. 43. EXAMPLE: GDS
  44. 44. HTTPS://GITHUB.COM/ALPHAGOV/GOVUK-PUPPET HTTPS://GDSTECHNOLOGY.BLOG.GOV.UK/2016/01/19/OPENING-GOV-UKS-PUPPET-REPOSITORY/
  45. 45. YOUR DATA IS NOW SEPARATED. HOORAY!
  46. 46. BUT IT'S PLAINTEXT. BOO!
  47. 47. ENCRYPTION
  48. 48. ENCRYPTING DATA WITH YOUR APPLICATION SPECIFIC TOOLS:
  49. 49. PUPPET - HIERA-EYAML; CHEF - CHEF-VAULT; ANSIBLE - ANSIBLE VAULT; SALT - SALT.MODULES.GPG; CFENGINE - CF-KEYCRYPT
  50. 50. TOOL-SPECIFIC VAULTS ARE GREAT, BUT ARE OFTEN LIMITED IN FUNCTIONALITY OUTSIDE THAT TOOL.
  51. 51. YOU DON'T WANT TO STORE THE SAME PASSWORD IN 10 DIFFERENT SYSTEMS IF YOU CAN HELP IT. THAT'S 10X MORE THAT NEEDS TO BE SECURED
  52. 52. EXTERNAL SECRET SERVERS?
  53. 53. OPEN SOURCE POTENTIAL CHOICES: OPENSTACK'S BARBICAN; CLOUDFLARE'S REDOCTOBER; HASHICORP'S VAULT
  54. 54. GOING DEEPER:
  55. 55. SECURING DATA WITH SOURCE CONTROL
  56. 56. "I wanted to make a configuration management repository open for others to look at and contribute to (à la Wikimedia's Puppet repository)...
  57. 57. However, the repository contained secret material, like SSL keys and passwords...
  58. 58. git-crypt was developed so the secret material could be protected without having to remove it from the repository (which is what Wikimedia had to do)." - ANDREW AYER
  59. 59. GIT-CRYPT? HTTPS://WWW.AGWA.NAME/PROJECTS/GIT-CRYPT/
  60. 60. GIT-SUBMODULES OR SEPARATE REPOS
  61. 61. STAY IN (VERSION) CONTROL
  62. 62. GATE CONFIG MANAGEMENT CHANGES BEHIND VERSION CONTROL
  63. 63. REMEMBER TO KEEP COMMITS CLEAN AS WELL!
  64. 64. commit 88a055c4c3dcec34d5r9054011963649be89d49c Merge: 783d425 1743488 Author: Peter Souter <petems@users.noreply.github.com> Date: Mon April 1 23:47:43 2030 +0000 Turned off SSL, we don't need that right? also password is now password123
  65. 65. RBAC FOR GIT REPOS CONTAINING THE DATA
  66. 66. RBAC
  67. 67. SPLIT ACCESS TO CONFIG MANAGEMENT TOOLS BASED ON NEED
  68. 68. MOST APPLICATIONS HAVE SOME FORM OF RBAC HOOKS TO ANOTHER AUTHORIZED SYSTEM (LDAP, AD, ETC.)
  69. 69. REVIEW PROCESSES (AUTOMATED AND MANUAL)
  70. 70. AUTOMATED: SPEC TESTING; AUTOMATED TESTING SUITES; LINTING/SYNTAX CHECKING
  71. 71. MANUAL: CODE REVIEWS; GET SECURITY TEAM INVOLVED IN THE PROCESSES!
  72. 72. WORK WITH AUDITORS
  73. 73. PEOPLE LOVE TO HATE AUDITORS
  74. 74. ADVERSARIAL ENVIRONMENTS ARE NOT FUN
  75. 75. IF YOU HAVE A GOOD WORKING RELATIONSHIP WITH THEM, THEY'RE LIKE AN ADDITION TO YOUR TEAM.
  76. 76. LET'S FACE IT, YOU'LL HAVE TO DEAL WITH THEM ANYWAY, SO YOU MIGHT AS WELL MAKE IT ENJOYABLE!
  77. 77. ASK AROUND
  78. 78. SOFT SKILL/CULTURAL SOLUTION
  79. 79. COMPARE YOUR SECURITY WITH OTHERS WHEN POSSIBLE
  80. 80. A SECURITY MODEL MADE IN A VACUUM IS A SMELL
  81. 81. IF YOU'RE A CUSTOMER, ASK YOUR VENDOR. IF YOU'RE A FOSS USER, ASK ON MAILING LISTS
  82. 82. GAME DAYS AND DRILLS
  83. 83. IF SOMEONE HAD ACCESS TO THE VARIOUS PARTS OF YOUR CONFIG MANAGEMENT INFRA...
  84. 84. HOW MUCH DAMAGE COULD THEY DO? HOW FAST COULD YOU REVOKE ACCESS? HOW LONG WOULD IT TAKE YOU TO NOTICE?
  85. 85. MONITOR, DON'T JUST LOG
  86. 86. GET A BASELINE OF WHAT YOUR CONFIG MANAGEMENT DEPLOYS LOOK LIKE
  87. 87. ELK, STATSD, RIEMANN, COLLECTD, ETC.
  88. 88. GET DATA ON WHAT LOOKS SUSPICIOUS
  89. 89. ACTIVITY WHEN YOU DON'T EXPECT IT; 4XX, 5XX ERRORS FROM YOUR CONFIG MANAGEMENT INFRA; UNEXPLAINED INCREASES IN THE TEMPERATURE OF YOUR MACHINES IN THE DATA CENTRE; GENERAL ERRORS IN VARIOUS LOGS
  90. 90. COULD BE MALICIOUS, COULD BE ACCIDENTAL, COULD BE A BUG...
  91. 91. ALL OF WHICH YOU SHOULD KNOW ABOUT!
  92. 92. REDUCE SURFACE LEVEL OF ATTACK
  93. 93. NOT SECURITY THROUGH OBSCURITY!
  94. 94. A BASIC EXAMPLE AT THE APPLICATION LEVEL
  95. 95. > Chef: sensitive: true > Puppet: show_diff=false > Ansible: no_log: True > Salt: --state-verbose=false
  96. 96. SECURITY BASELINE
  97. 97. USE THE SAME SECURITY BASELINE FOR ANY SORT OF SYSTEM: NO DIRECT INTERNET ACCESS UNLESS ABSOLUTELY NECESSARY; USE BASTION HOSTS FOR DIRECT INTERNET ACCESS; MIRROR REPOS AND ARTIFACTS; KEEP PACKAGES UP TO DATE AND PATCHED; SENSIBLE FIREWALL RULES
  98. 98. HARDEN CONFIG MANAGEMENT INFRASTRUCTURE WITH CONFIG MANAGEMENT!
  99. 99. CENTER FOR INTERNET SECURITY BENCHMARKS
  100. 100. HARDENING.IO
  101. 101. SOME 3 LETTER AGENCIES HAVE EVEN RELEASED THEIR CONFIG MANAGEMENT CODE...
  102. 102. IN LIGHT OF RECENT EVENTS, THAT MIGHT NOT BE SUCH A GREAT THING. BUT HEY, IT'S CONFIG MANAGEMENT, SO YOU CAN INSPECT AND ADAPT WHERE NECESSARY!
  103. 103. SSH
  104. 104. PRIMARILY FOR ANSIBLE
  105. 105. BUT SSH CAN BE USED FOR OTHER TOOLS AS WELL...
  106. 106. PUPPET - SUPPLY DROP/CAPISTRANO; CHEF - KNIFE SOLO; SALT - SALT SSH; CUSTOM MADE SSH-LOOPS WRAPPING LOCAL MODES FOR TOOLS
  107. 107. SSH HARDENING STANDARDS > Whitelisted access > Bastion hosts > Restrict users > Increase key strength > Rotate keys > Pre-populated known_hosts
  108. 108. HARDEN YOUR SSH WITH CONFIG MANAGEMENT! :)
  109. 109. IF YOU'RE USING ~/.ssh/id_rsa FOR EVERYTHING... YOU'RE DOING IT WRONG :(
  110. 110. DEEPER SSH HARDENING...
  111. 111. SSH KEYS ON HARDWARE: YUBIKEY; SMARTCARD
  112. 112. THOUGHT EXPERIMENT: DISABLE SSH COMPLETELY?
  113. 113. CONCLUSION > Get your data out of your code > Encrypt it and control access > Most normal security conventions apply > Follow best practices from communities and organizations > Auditing and gating help > Work together! :)
  114. 114. GOING TO CONFIG MANAGEMENT CAMP?
  115. 115. QUESTIONS? IDEAS? HOW ARE YOU HARDENING YOUR CONFIG MANAGEMENT?
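
The "monitor, don't just log" slides (85 to 91) call for a baseline and for data on what looks suspicious. The following is an added example, not code from the talk: it learns a per-client baseline from a known-good day of request logs and reports clients whose activity the baseline does not explain (unknown client, unexpected hour, raised 4xx/5xx ratio). The log format, host names and the `slack` threshold are constructed assumptions.

```python
from collections import defaultdict

def parse(line):
    """Constructed format: ISO timestamp, client, method, path, HTTP status."""
    ts, client, _method, _path, status = line.split()
    return client, int(ts[11:13]), int(status)

def build_baseline(lines):
    """Per client: hours of day with activity, and the share of 4xx/5xx responses."""
    hours, total, errors = defaultdict(set), defaultdict(int), defaultdict(int)
    for client, hour, status in map(parse, lines):
        hours[client].add(hour)
        total[client] += 1
        errors[client] += status >= 400
    return {c: (hours[c], errors[c] / total[c]) for c in total}

def deviations(baseline, lines, slack=0.2):
    """Return sorted (client, reason) pairs the baseline does not explain."""
    found = []
    for client, (hours, err) in build_baseline(lines).items():
        if client not in baseline:
            found.append((client, "client not in baseline"))
            continue
        base_hours, base_err = baseline[client]
        if hours - base_hours:
            found.append((client, "activity at unexpected hour"))
        if err > base_err + slack:
            found.append((client, "4xx/5xx ratio above baseline"))
    return sorted(found)

# Constructed request logs from a config management server: a known-good day
# and the day under review.
KNOWN_GOOD = """\
2016-01-29T09:00:02Z web01.example.test GET /puppet/v3/catalog/web01.example.test 200
2016-01-29T10:00:03Z web01.example.test GET /puppet/v3/catalog/web01.example.test 200
2016-01-29T09:01:10Z db01.example.test GET /puppet/v3/catalog/db01.example.test 200
2016-01-29T10:01:12Z db01.example.test GET /puppet/v3/catalog/db01.example.test 200
""".splitlines()
TODAY = """\
2016-01-30T09:00:01Z web01.example.test GET /puppet/v3/catalog/web01.example.test 200
2016-01-30T10:15:00Z web01.example.test GET /puppet/v3/catalog/web01.example.test 403
2016-01-30T03:12:07Z db01.example.test GET /puppet/v3/catalog/db01.example.test 200
2016-01-30T09:01:09Z db01.example.test GET /puppet/v3/catalog/db01.example.test 200
2016-01-30T10:20:00Z ci01.example.test GET /puppet/v3/catalog/ci01.example.test 200
""".splitlines()

if __name__ == "__main__":
    for client, reason in deviations(build_baseline(KNOWN_GOOD), TODAY):
        print(f"{client}: {reason}")
```

Each finding may be malicious, accidental or a bug; the point of the check is that someone looks at it.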
