3. Well, mostly.
• Ongoing maintenance of security policies
• Artificial barriers (‘inconvenience’) lead to lost productivity and
possible downtime
Wednesday, 6 June 12
SECURITY =~ INCONVENIENCE
INCONVENIENCE != SECURITY
LAZY THINKING!
All security is good, right?
Security policies have:
* an ongoing maintenance cost
* an inconvenience factor
Inconvenience leads to lost productivity (I don't know what my application is doing in
production)
and downtime (I can't bring the server back up - I'm not on the VPN).
Fortunately - you don't necessarily need to increase your exposure to decrease your
inconvenience.
4. Avoid ‘wasteful’ security: policies
that provide minimal benefit.
Obvious, right?
Wednesday, 6 June 12
Easiest target: avoid security policies that don't actually provide security benefit.
Seems obvious? It isn't.
Some of the truisms from server security in the 90's and 00's no longer apply.
5. Environments Then
Bob
Steve
Carol
Wednesday, 6 June 12
Some of the truisms from server security in the 90's and 00's no longer apply.
Servers used to be shared between actual, real users (or customers). UNIX security
theory is based around that assumption. Users, groups, permissions, sudo, logging,
all that shit.
6. Environments Now
Bob
Steve
Carol
Wednesday, 6 June 12
These days: your server instance is yours. You've got one non-root logon ('ubuntu',
'aws', 'vagrant'), you use that to sudo.
If your user account is compromised, you're going to take that server offline, fire up
another one, and do a root cause analysis before wiping it.
7. Policies Then
• Compilers don’t belong in production
• Clamp down on installed software
• Hard gates between local applications and users
Wednesday, 6 June 12
Because we're interacting with servers in a new way, some of the security measures of
the past have been downgraded to 'inconvenience':
* don't install a compiler on your production server (that's the 80's talking)
* hard-limit what software is installed/running on your instances (that's what your
ingress firewall is for)
* SELinux (you're not ASIO)
8. Inconvenience Now
• GCC is required to build your nginx configuration file.
• Open ports? This is what we have ingress firewalls for.
• A compromised server is treated as fully compromised,
regardless of access level
Wednesday, 6 June 12
Because we're interacting with servers in a new way, some of the security measures of
the past have been downgraded to 'inconvenience':
* don't install a compiler on your production server (that's the 80's talking)
* hard-limit what software is installed/running on your instances (that's what your
ingress firewall is for)
* SELinux (you're not ASIO)
9. Server-local permissions are for
accident prevention, not security.
‘sudo’ means ‘think first’
Wednesday, 6 June 12
Remember: instance-level permission elevation is about preventing accidents. 'sudo'
means 'think first'. It's also there so you can give developers read-only access to the
resources they need to do their own problem solving: logs, configuration, all that.
That's accident prevention, too: a sufficiently skilled developer, with ill intent, will find
a way to make your life difficult regardless of whether you gave him a production
account or not.
10. Think outcomes, not policies.
‘What am I achieving by limiting this?’
Wednesday, 6 June 12
Now! Let's talk coverage.
I see this all the time: operations staff patching what they understand, ignoring what
they don't. Or, even worse, they'll deliberatly go overboard securing the system
because they know the application is terrible. This isn't useful: if the application gets
hacked, you're offline anyway. Assuming a targetted attack your database credentials
are in an easily accessed, readable location - and the attacker has jumped another
fence you've put up.
11. These Common Policies
• Hard locking application library dependencies
• Insisting on using CentOS because it’s “security focused”
• Disallowing developer access to production logs
Wednesday, 6 June 12
Here's some common patterns and why they don't make sense:
* you're hard-locking what the application's library dependencies .. so the developers are just writing their own insecure, unreliable variants
* you're insisting on using CentOS because it's more "secure" than Ubuntu ... but you're using 'community' packages because CentOS doesn't really
include anything useful or modern
* you're disallowing your developers access to your production logs .. but without an idea of scale, the next deployment will confuse n2 and log(n)
12. Actually Lead To
• Developers creating insecure, unreliable library ‘copies’
• Use of uncertified ‘community’ packages to make up for CentOS
shortfalls
• Developers without production access have no concept of scale,
implement for themselves, not your actual load
Wednesday, 6 June 12
Here's some common patterns and why they don't make sense:
* you're hard-locking what the application's library dependencies .. so the
developers are just writing their own insecure, unreliable variants
* you're insisting on using CentOS because it's more "secure" than Ubuntu ... but
you're using 'community' packages because CentOS doesn't really include anything
useful or modern
* you're disallowing your developers access to your production logs .. but without an
idea of scale, the next deployment will confuse n2 and log(n)
13. Finally,
Credit: SMBC
Wednesday, 6 June 12
Thanks for listening.