With the advent of virtualization, infrastructure has become software, introducing new possibilities for managing “infrastructure as code.” Today, techniques such as containerization and automation are hallmarks of programmable infrastructure, and a primary aspect of the DevOps revolution in IT operations. But what do these radical changes mean for security?
In this presentation, Scott Crawford of 451 Research and Dave Meltzer of Tripwire discuss:
- What these changes mean for the tools and expertise required to manage security and their impact on security readiness
- Where security can be applied to new environments such as containerized IT
- How to verify that the security measures you’ve applied are effective
DevOps Security: A New Paradigm
1. DevOps: A New Paradigm for Security Operations
February 14, 2018
Scott Crawford, Research Director, Information Security, 451 Research
David Meltzer, CTO, Tripwire
2. DevOps: A new operational paradigm
• Building on the advantages of virtualization
• “Infrastructure as code”
• The entire stack becomes programmable
• Automation becomes central
• Not just about the tech – breaking down silos of culture & practice, too!
3. Security principles: The same, only different
The same:
• Reducing attack surface
• Defining secure configuration
• Defining secure operations
• Assessment & validation
Different:
• The “stack”
• A central focus today: Containers
• The tools
• The processes
• A key security advantage: Immutability
4. Containers: A closer look
• A self-contained package of everything needed to run one software unit
• Why? Efficiency:
  • Packaging
  • Portability
  • Manageability
• Security benefits
  • Reduced attack surface
  • Reduced variability
  • Reduced vulnerability
• …but with a gotcha or two (more shortly)
[Figure: VM paradigm vs. container paradigm]
Images: http://www.dockermall.com/coexistence-or-love-to-kill-container-virtual-machine-and-docker-concept-full-analysis/
5. A new IT ecosystem
• Containers: building everything in
• “Infrastructure as code”: Versioning, repositories, registries
• API-driven
• Modularity
• Immutability
• Orchestration, at multiple levels
• Availability
• Componentry
• Complete application
• “Microservices”
• Composite applications
[Figure: containers composed into an application, grouped as pods and swarms; microservices composed into an application]
10. The temptation: Automation “without borders”
[Figure: Build / Deploy / Operate]
• Cutting to the chase: e.g. build systems with deployment platform access
• Automating this access via, e.g., web hooks
• Why this isn’t a good idea:
  • Building automation without code review in the build tool
  • Credentials to one platform embedded in another
  • Individual platforms with access to multiple others
• Applying “SoD” (separation of duties) to the toolchain
  • CI to build, push to registry
  • Orchestration to pull and deploy
11. Operations: Orchestrating the production environment
• DevOps orchestration: Automation at multiple levels
  • Containers & software: Kubernetes, Mesosphere, Rancher, etc.
  • Infrastructure: Puppet, Chef, Ansible, etc.
• Enforcement of security definitions at multiple levels
  • Network infrastructure
  • Underlying platform configuration & control
  • Access & RBAC
  • Policy segmentation of resources
  • And much, much more
Slide example: a Kubernetes pod spec fragment that pins a workload to nodes labelled for a given policy:
spec:
  nodeSelector:
    role: policyA
InSpec: a declarative language for security definitions
12. Some additional operational principles
• Immutability
  • One of DevOps’ most valuable security aspects
  • Less: repairing production instances
  • More: remediating the image
  • On-demand deployment, incremental
• CI, CD … why not continuous validation?
  • Build assessment/re-assessment
  • Production environment: Assessment & evaluation
  • Catching drift, vulnerability persistence
  • When new vulnerabilities emerge
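The separation-of-duties rule from slide 10 (CI builds and pushes to the registry; only orchestration holds deployment credentials) and the immutability and drift-catching points from slide 12, as an added Python example that is not part of the presentation. The pipeline description, secret names, image references and the functions `sod_findings`, `image_ref_findings` and `drift_findings` are constructed for illustration and do not follow any real CI schema.

```python
import re

# Constructed pipeline description (assumption: not any real CI schema). Each job
# declares the role it runs under, the secrets it can read and what it does.
PIPELINE = {
    "build": {"role": "ci", "secrets": ["REGISTRY_PUSH_TOKEN", "KUBE_CONFIG"],
              "actions": ["docker build", "docker push registry.example/app:1.4.2"]},
    "deploy": {"role": "orchestrator", "secrets": ["KUBE_CONFIG"],
               "actions": ["kubectl apply"]},
}
# Secrets that grant access to the deployment platform: only the orchestrator may hold them.
DEPLOY_SECRETS = {"KUBE_CONFIG"}
# An immutable image reference is pinned by content digest, not by a mutable tag.
DIGEST_REF = re.compile(r"^[\w.\-/:]+@sha256:[0-9a-f]{64}$")


def sod_findings(pipeline):
    """Report jobs outside the orchestration role that hold deployment credentials."""
    findings = []
    for name, job in pipeline.items():
        if job["role"] != "orchestrator":
            for secret in sorted(DEPLOY_SECRETS & set(job["secrets"])):
                findings.append(f"{name}: non-orchestration job holds deploy credential {secret}")
    return findings


def image_ref_findings(refs):
    """Report image references that are not digest-pinned (a tag can be re-pushed)."""
    return [f"mutable image reference: {ref}" for ref in refs if not DIGEST_REF.match(ref)]


def drift_findings(declared, running):
    """Compare the declared image per workload with the running one. Any mismatch is
    drift to be fixed by remediating the image and redeploying, not by patching in place."""
    findings = []
    for workload, want in declared.items():
        have = running.get(workload)
        if have is None:
            findings.append(f"{workload}: declared but not running")
        elif have != want:
            findings.append(f"{workload}: running {have}, declared {want}")
    for workload in sorted(set(running) - set(declared)):
        findings.append(f"{workload}: running but not declared")
    return findings


if __name__ == "__main__":
    good = "registry.example/app@sha256:" + "0" * 64
    for line in (sod_findings(PIPELINE)
                 + image_ref_findings(["registry.example/app:1.4.2", good])
                 + drift_findings({"web": good}, {"web": "registry.example/app:1.4.2", "cron": good})):
        print(line)
```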
13. Going forward
• More granular modularity = More orchestration = More automation
• Shifting emphasis of people: From app development to app engineering
• Critical to security:
  • Familiarity with tools, processes
  • Applying security knowledge via tools
  • Identifying key points of control
To make the road as smooth as possible…
• How’s the relationship with Dev & Ops teams?
• Does your team have the skills?
• Do they have the right tools?