DevOps.com and CloudPassage
Continuous Infrastructure Compliance
W. Jenks Gibbons | November 2, 2017
Is security a roadblock for continuous delivery?
© 2017 CloudPassage2
Traditional security tools
[Figure: pipeline Plan, Code, Build, Test, Release, Deploy, Operate, with a security gate]
Re-align security to modern IT delivery
[Figure: pipeline Plan, Code, Build, Test, Release, Deploy, Operate, with security guardrails alongside it]
Continuous Security - DevSecOps
PLAN (people)
• Map out types of systems
• Design security policies
• Define policy groups
CREATE (automation)
• Insert agent via CI build scripts, Gold Master images, etc.
PRE-PROD (automation)
• Tag production artifacts with proper policy groups
CONFIGURE (automation)
• Apply runtime policies
• SVA, CSM, SAM
• Firewall, authentication
• FIM, LIDS
MONITOR (automation & people)
• Monitor production
• Security events to SIEM
• Audit data to GRC
• Metrics to reporting
• Visualize traffic and connections
• Scope new vulnerabilities
VERIFY (automation)
• Verify security of builds
• SVA, CSM, SAM
• Generate FIM baselines
Case Study
Acme Incorporated: Current State
• Development and Operations: understand the needs of the business units
• Development and Operations: work together on their area of responsibility independently of other teams
• Continuous Integration / Continuous Delivery (CICD)
• Deliver features multiple times a day
• Delivery does not require external approval
• Deployment requires Security Operations approval
Case Study
Acme Incorporated: Current Problem
• Individual teams are unable to deploy at the speed of the business units
• Security is blocking deployment
• Examples:
• Security must confirm there are no vulnerabilities in the image (5 day SLA)
• Security must confirm the image is configured to meet compliance requirements (5 day SLA)
• Security must create an image baseline for file integrity monitoring (5 day SLA)
• Firewall changes for new workloads (5 day SLA)
Case Study
Acme Incorporated: Current Problem
• Delivery: many times a day
• Delivery team: autonomous
• Deployment team: autonomous
• Deployment approval: multiple teams
• Deployment approval: more than 5x the time to deliver and deploy
DevOps delivery pipeline – before security automation
[Figure: people write code until done; an automation tool chain handles the rest; elapsed time measured in hours]
Case Study
Acme Incorporated: Solution
• Add a Security Operations team member to the Development and Operations feature teams
• Add security to the pipeline
Case Study
Acme Incorporated: Solution - Plan
• Development, Operations and Security Operations are now working together in autonomous feature teams
• OS image – the teams will work together to design and create a known “golden” image for each platform
• Workloads (e.g. VMs, hosts, servers) are grouped together:
• Jenkins Master
• Jenkins Slaves
• Git
• Web
• DB
• PCI compliant
• HIPAA compliant
Case Study
Acme Incorporated: Solution - Plan
• Groups are assigned security policies:
• Software Vulnerability Assessment (SVA)
• Configuration Security Monitoring (CSM)
• File Integrity Monitoring (FIM)
• Microsegmentation
• Log-based Intrusion Detection (LIDS)
Case Study
Acme Incorporated: Solution - Create
• Enable automated workload security by integrating it into the pipeline
• Install a small security agent on the workload, using:
• Ansible
• Chef
• PowerShell
• Puppet
• “bake” into image
• Ensure the agent works
• in any environment
• at any scale
• on demand
• and offers a broad range of controls
Case Study
Acme Incorporated: Solution - Pre-Production
• When workloads boot
• Tag the workload with the proper group
• Security policies applied automatically
• Security simply goes along for the ride
Case Study
Acme Incorporated: Solution – Verify
• Security verification is built into the CICD Pipeline
• During CI
• Code analysis
• Unit, smoke, functional … tests
• Workload security tests
• SVA scan
• CSM scan
• Success and failures are based on critical failures
• Check results into Git – audit trail
Case Study
Acme Incorporated: Solution – Verify
• Workload security tests (cont.)
• On fail
• Kill instance
• Fix issues
• Check-in to kick-off CI - shorten feedback loop
• On pass – deploy
• take FIM baseline
• move from a Pre-Production to a Production security group
Case Study
Acme Incorporated: Solution – Monitor
• Separate CI build job
• At specified intervals
• SVA scan
• CSM scan
• FIM scan
• Any critical issues to Slack, JIRA, ServiceNow …
DevOps delivery pipeline – after security automation
[Figure: people commit code and are notified when done; elapsed time measured in minutes. Automation: source control (commit) → CI/CD master (trigger) → CI/CD slave (build, test, pass? Y/N) → CloudPassage Halo (scan, baseline, monitor) → artifact registry (store) → infrastructure (update)]
Practical Example
• Git
• Jenkins
• Slack
• Chef
Check-In
Developer makes a change to code, or to infrastructure (e.g. golden image).
Jenkins
A web-hook is then configured to kick off a build in Jenkins. This could be a code change or an infrastructure change.
Slack
Jenkins sends notifications to Slack – shorten the feedback loop.
Jenkins, Chef, Test Kitchen, Security Tools
• EC2 Test Kitchen – launch golden image
• Chef – install lightweight security agent
• Python – API calls to security tools
python /home/jenkins/workload_security_analysis.py
python /home/jenkins/deploy.py
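As an added example, not CloudPassage's code and not the real Halo API, here is a stand-in for the workload_security_analysis.py step described above and on the Verify slides: it applies the gate rule that only critical SVA/CSM findings fail the build, emits the audit report the job checks into Git, and lists the follow-up actions (terminate on fail; FIM baseline and group promotion on pass). The scan JSON, field names and group names are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample scan result. The field layout is hypothetical, not the
# real output of any security tool's API.
SAMPLE_SCAN = {
    "workload_id": "i-0000-constructed",
    "group": "Web-PreProd",
    "sva": [  # software vulnerability assessment findings
        {"package": "openssl", "cve": "CVE-0000-PLACEHOLDER", "critical": True},
        {"package": "curl", "cve": "CVE-0001-PLACEHOLDER", "critical": False},
    ],
    "csm": [  # configuration security monitoring checks
        {"rule": "sshd PermitRootLogin is no", "critical": True, "passed": False},
        {"rule": "password max age <= 90 days", "critical": False, "passed": False},
    ],
}


def blocking_findings(scan):
    """Only critical findings block the build; non-critical ones are reported."""
    sva = [f for f in scan["sva"] if f["critical"]]
    csm = [f for f in scan["csm"] if f["critical"] and not f["passed"]]
    return sva, csm


def evaluate(scan, now=None):
    """Build the audit report that the CI job checks into Git."""
    sva, csm = blocking_findings(scan)
    passed = not sva and not csm
    return {
        "workload_id": scan["workload_id"],
        "scanned_at": (now or datetime.now(timezone.utc)).isoformat(),
        "result": "PASS" if passed else "FAIL",
        "blocking_sva": sva,
        "blocking_csm": csm,
        "non_critical_count": sum(not f["critical"] for f in scan["sva"] + scan["csm"]),
    }


def next_actions(report, prod_group="Web-Prod"):
    """Translate the verdict into the pipeline steps from the Verify slides."""
    if report["result"] == "PASS":
        return ["take_fim_baseline", f"move_to_group:{prod_group}", "deploy"]
    return ["terminate_instance", "notify_slack", "fix_and_recommit"]


if __name__ == "__main__":
    rep = evaluate(SAMPLE_SCAN)
    print(json.dumps(rep, indent=2))  # the report to commit to Git
    print(next_actions(rep))
```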
Git – Audit Trail
Whether the build succeeds or fails, an audit report can be created and checked into Git.
Patch – “Golden Image”
Using the results of the workload security analysis from the audit report, the golden image can be patched.
Create New Golden Image and Check in as Code
Notification, Audit Trail
W. Jenks Gibbons
jgibbons@cloudpassage.com

A Discussion of Automated Infrastructure Security with a Practical Example
