SlideShare a Scribd company logo

PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet

Puppet
Puppet

Here are the slides from Beth Cornils & Verne Lindner's PuppetConf 2016 presentation called How We Are Helping You When Everything is Burning. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa

Technology
1 of 43
Download to read offline
Security Roadmap: How we are helping you when everything is burning Verne Lindner and Beth Cornils, PuppetConf 2016
Who are we? ● @vernelindner @bethpdx ● Sr. UX Architect at Puppet ● Sr. Product Manager at Puppet 2
3
Why are we here? (This room specifically, listening to this talk…)
We want you to have fewer of these 5
Why is Puppet good for security? Infrastructure as code RBAC Auditing Enforcement 6
How is PE helping DevOps and Security teams? Is it a tire fire or a campfire?
Multi-pronged approach to Security 8
Audience participation Let’s take the temperature of security here 9
Why do things burn: key terms ● White Hat - Security and compliance vendors ● Black Hat - Nation states, mafia, ransomware, DDoS 10
Existing terminology ● Vulnerability - Common Vulnerabilities and Exposures (CVEs) ● Unmanaged - Nodes that have an agent but the resource does not have a manifest ● Events - The Events tab, aka Event Inspector, in the PE console
New terms ● Intentional Change - Change driven by an update to Puppet code ● Corrective Change - Change made by Puppet to return a system to the desired state, as defined by Puppet code
White Hat stuff ● Secret management (Conjur) ● Visibility into intentional vs. corrective change ● Whole infrastructure view (long-term) ● Security company integration (CloudPassage)
Let's start with secrets... 14
How do we avoid exposing secrets in Puppet? Easiest to hardest ● Avoid exposing secrets in Logs PDB Console 15 https://flic.kr/p/aCJZrf
Conjur and Puppet 16 $planet = conjur_variable('planet') file { '/etc/hello.txt': content => "Hello ${planet}!n" } conjurize_file { '/etc/hello.txt': variable_map => { planet => ‘!var puppetdemo/planet’ } }
Conjur, Vault, Keywhiz, Amazon KMS, Confidant 17
Visibility into Intentional vs. Corrective Change How to narrow down what might be burning 18
When your infrastructure is burning, how can PE help? ● Intentional change reporting ● Corrective change reporting 19
Corrective change: v1 20
Corrective change workflow 1: by node 21
23 Select report
24 view details
Corrective change workflow 2: across time 25
Event Inspector, Node Graph, resource reporting, and reporting on nodes not under active Puppet management Corrective change: Future 27
Full view of your infrastructure Reducing the clutter in your head via a single view 28
Managed & unmanaged change
Tying in vulnerability scanning How many fucks do I need to give about a given corrective change? 30
Security vendor integration
What vendor integration gets you ● Security company integration (CloudPassage) ● Vulnerability comparison to your PE infrastructure. ● Easier compliance tracking
Summary 33 What have we learned?
Random cat slide 34
Q&A
Other Security talks ● Bill Weiss from Puppet http://sched.co/6fkD ● Peter Souter from Puppet http://sched.co/6fjZ ● Seth Vargo from Hashicorp http://sched.co/6fjv ● Ben Hughes from Etsy http://sched.co/6fkM
Where to find out more More on Conjur https://www.conjur.net/puppet-secret-server Module on Forge https://forge.puppet.com/conjur/conjur
Agile Security and Compliance with CloudPassage and Puppet Application Lifecycle Management with Security using Halo and Puppet
Continuous Security Assessment and Compliance Role based server group for your environments Current security and compliance posture of your environments Critical, Non-Critical Security Incident
Automated Security & Compliance Assessment Monitor and protect workloads using, ● Firewall Automation ● Workload Vulnerability Assessment ● File Integrity Monitoring ● Log-based IDS ● Multi-factor Authentication ● Install & manage Halo agent on workloads ● Change workload configuration and provide remediation based on security & compliance report provided by Halo
Workload Security Assessment Report Workload Security Assessment Report ● Easy to deploy Halo using Puppet ● Agent is in “Read-only” mode and does not change state of workload ● Collect security & compliance issues ● Provide full report in few minutes ● The report provides visibility on: ○ Servers with Critical / Non-critical issues ○ User accounts ○ SW Vulnerability with CVE information ○ Compliance against CIS Benchmark ○ Running processes ● Easily integrate these findings with Puppet to start the remediation process.
App. Lifecycle Mgmt with Security using Halo and Puppet
PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet

Recommended

Git session 1
Git session 1Git session 1
Git session 1Hassan Khan
 
How to Decentralise Controls (Hint: BDD on Policies)
How to Decentralise Controls (Hint: BDD on Policies)How to Decentralise Controls (Hint: BDD on Policies)
How to Decentralise Controls (Hint: BDD on Policies)Ebru Cucen Çüçen
 
Continuous Security for GitOps
Continuous Security for GitOpsContinuous Security for GitOps
Continuous Security for GitOpsWeaveworks
 
2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security Update2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security UpdateShawn Wells
 
Using Puppet With A Secrets Server
Using Puppet With A Secrets ServerUsing Puppet With A Secrets Server
Using Puppet With A Secrets Serverconjur_inc
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsSchneider Electric
 
Startup Roadmap Workshop
Startup Roadmap WorkshopStartup Roadmap Workshop
Startup Roadmap WorkshopMichael Skok
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 

Recommended

Git session 1
Git session 1Git session 1
Git session 1Hassan Khan
 
How to Decentralise Controls (Hint: BDD on Policies)
How to Decentralise Controls (Hint: BDD on Policies)How to Decentralise Controls (Hint: BDD on Policies)
How to Decentralise Controls (Hint: BDD on Policies)Ebru Cucen Çüçen
 
Continuous Security for GitOps
Continuous Security for GitOpsContinuous Security for GitOps
Continuous Security for GitOpsWeaveworks
 
2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security Update2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security UpdateShawn Wells
 
Using Puppet With A Secrets Server
Using Puppet With A Secrets ServerUsing Puppet With A Secrets Server
Using Puppet With A Secrets Serverconjur_inc
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsSchneider Electric
 
Startup Roadmap Workshop
Startup Roadmap WorkshopStartup Roadmap Workshop
Startup Roadmap WorkshopMichael Skok
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Accelerate your Journey to Pervasive Automation 05.03.2018
Accelerate your Journey to Pervasive Automation 05.03.2018Accelerate your Journey to Pervasive Automation 05.03.2018
Accelerate your Journey to Pervasive Automation 05.03.2018Puppet
 
PuppetConf track overview: Security
PuppetConf track overview: SecurityPuppetConf track overview: Security
PuppetConf track overview: SecurityPuppet
 
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...Marcin Grzejszczak
 
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, Puppet
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, PuppetPuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, Puppet
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, PuppetPuppet
 
Controlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSControlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSPuppet
 
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...Jen Wong
 
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...SonjaChevre
 
openSUSE Conference 2022: An overview over SUSE Product Security
openSUSE Conference 2022: An overview over SUSE Product SecurityopenSUSE Conference 2022: An overview over SUSE Product Security
openSUSE Conference 2022: An overview over SUSE Product SecurityMarcus Meissner
 
Integrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperationsIntegrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperationsLuca Mazzaferro
 
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...Erez PEDRO
 
Observability für alle
Observability für alleObservability für alle
Observability für alleQAware GmbH
 
Microservices 101: From DevOps to Docker and beyond
Microservices 101: From DevOps to Docker and beyondMicroservices 101: From DevOps to Docker and beyond
Microservices 101: From DevOps to Docker and beyondDonnie Berkholz
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteWeaveworks
 
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, Puppet
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, PuppetPuppetConf 2017: Zero to Kubernetes -Scott Coulton, Puppet
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, PuppetPuppet
 
Intro to Puppet Enterprise 06.28.2017
Intro to Puppet Enterprise 06.28.2017Intro to Puppet Enterprise 06.28.2017
Intro to Puppet Enterprise 06.28.2017Puppet
 
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...Claire Priester Papas
 
DevOps, containers & microservices: Separating the hype from the reality
DevOps, containers & microservices: Separating the hype from the realityDevOps, containers & microservices: Separating the hype from the reality
DevOps, containers & microservices: Separating the hype from the realityDonnie Berkholz
 
OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17Shane Coughlan
 
Controlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSControlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSPuppet
 
Introduction to Puppet Enterprise
Introduction to Puppet Enterprise Introduction to Puppet Enterprise
Introduction to Puppet Enterprise Puppet
 
Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyamlPuppet
 

More Related Content

Similar to PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet

Accelerate your Journey to Pervasive Automation 05.03.2018
Accelerate your Journey to Pervasive Automation 05.03.2018Accelerate your Journey to Pervasive Automation 05.03.2018
Accelerate your Journey to Pervasive Automation 05.03.2018Puppet
 
PuppetConf track overview: Security
PuppetConf track overview: SecurityPuppetConf track overview: Security
PuppetConf track overview: SecurityPuppet
 
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...Marcin Grzejszczak
 
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, Puppet
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, PuppetPuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, Puppet
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, PuppetPuppet
 
Controlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSControlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSPuppet
 
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...Jen Wong
 
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...SonjaChevre
 
openSUSE Conference 2022: An overview over SUSE Product Security
openSUSE Conference 2022: An overview over SUSE Product SecurityopenSUSE Conference 2022: An overview over SUSE Product Security
openSUSE Conference 2022: An overview over SUSE Product SecurityMarcus Meissner
 
Integrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperationsIntegrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperationsLuca Mazzaferro
 
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...Erez PEDRO
 
Observability für alle
Observability für alleObservability für alle
Observability für alleQAware GmbH
 
Microservices 101: From DevOps to Docker and beyond
Microservices 101: From DevOps to Docker and beyondMicroservices 101: From DevOps to Docker and beyond
Microservices 101: From DevOps to Docker and beyondDonnie Berkholz
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteWeaveworks
 
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, Puppet
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, PuppetPuppetConf 2017: Zero to Kubernetes -Scott Coulton, Puppet
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, PuppetPuppet
 
Intro to Puppet Enterprise 06.28.2017
Intro to Puppet Enterprise 06.28.2017Intro to Puppet Enterprise 06.28.2017
Intro to Puppet Enterprise 06.28.2017Puppet
 
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...Claire Priester Papas
 
DevOps, containers & microservices: Separating the hype from the reality
DevOps, containers & microservices: Separating the hype from the realityDevOps, containers & microservices: Separating the hype from the reality
DevOps, containers & microservices: Separating the hype from the realityDonnie Berkholz
 
OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17Shane Coughlan
 
Controlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSControlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSPuppet
 
Introduction to Puppet Enterprise
Introduction to Puppet Enterprise Introduction to Puppet Enterprise
Introduction to Puppet Enterprise Puppet
 

Similar to PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet (20)

Accelerate your Journey to Pervasive Automation 05.03.2018
Accelerate your Journey to Pervasive Automation 05.03.2018Accelerate your Journey to Pervasive Automation 05.03.2018
Accelerate your Journey to Pervasive Automation 05.03.2018
 
PuppetConf track overview: Security
PuppetConf track overview: SecurityPuppetConf track overview: Security
PuppetConf track overview: Security
 
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...
Continuous Deployment To The Cloud With Spring Cloud Pipelines @WarsawCloudNa...
 
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, Puppet
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, PuppetPuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, Puppet
PuppetConf 2017: Puppet Enterprise Roadmap 2017- Ryan Coleman, Puppet
 
Controlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSControlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWS
 
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...
Continuous Integration using Hudson and Fitnesse at Ingenuity Systems (Silico...
 
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...
Migrating from OpenTracing to OpenTelemetry - Kubernetes Community Days Munic...
 
openSUSE Conference 2022: An overview over SUSE Product Security
openSUSE Conference 2022: An overview over SUSE Product SecurityopenSUSE Conference 2022: An overview over SUSE Product Security
openSUSE Conference 2022: An overview over SUSE Product Security
 
Integrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperationsIntegrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperations
 
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...
CodeValue Architecture Next 2018 - Executive track dilemmas and solutions in...
 
Observability für alle
Observability für alleObservability für alle
Observability für alle
 
Microservices 101: From DevOps to Docker and beyond
Microservices 101: From DevOps to Docker and beyondMicroservices 101: From DevOps to Docker and beyond
Microservices 101: From DevOps to Docker and beyond
 
Continuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event KeynoteContinuous Lifecycle London 2018 Event Keynote
Continuous Lifecycle London 2018 Event Keynote
 
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, Puppet
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, PuppetPuppetConf 2017: Zero to Kubernetes -Scott Coulton, Puppet
PuppetConf 2017: Zero to Kubernetes -Scott Coulton, Puppet
 
Intro to Puppet Enterprise 06.28.2017
Intro to Puppet Enterprise 06.28.2017Intro to Puppet Enterprise 06.28.2017
Intro to Puppet Enterprise 06.28.2017
 
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...
Delivering Infrastructure and Security Policy as Code with Puppet and CyberAr...
 
DevOps, containers & microservices: Separating the hype from the reality
DevOps, containers & microservices: Separating the hype from the realityDevOps, containers & microservices: Separating the hype from the reality
DevOps, containers & microservices: Separating the hype from the reality
 
OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17OpenChain-Monthly-Meeting-2023-01-17
OpenChain-Monthly-Meeting-2023-01-17
 
Controlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWSControlled Evolution with Puppet and AWS
Controlled Evolution with Puppet and AWS
 
Introduction to Puppet Enterprise
Introduction to Puppet Enterprise Introduction to Puppet Enterprise
Introduction to Puppet Enterprise
 

More from Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyamlPuppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)Puppet
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscodePuppet
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twentiesPuppet
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codePuppet
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approachPuppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliancePuppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowPuppet
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Puppet
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppetPuppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkPuppet
 
Take control of your dev ops dumping ground
Take control of your dev ops dumping groundTake control of your dev ops dumping ground
Take control of your dev ops dumping groundPuppet
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy SoftwarePuppet
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User GroupPuppet
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsPuppet
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyPuppet
 

More from Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your dev ops dumping groundTake control of your dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet

  • 1. Security Roadmap: How we are helping you when everything is burning Verne Lindner and Beth Cornils, PuppetConf 2016
  • 2. Who are we? ● @vernelindner @bethpdx ● Sr. UX Architect at Puppet ● Sr. Product Manager at Puppet 2
  • 3. 3
  • 4. Why are we here? (This room specifically, listening to this talk…)
  • 5. We want you to have fewer of these 5
  • 6. Why is Puppet good for security? Infrastructure as code RBAC Auditing Enforcement 6
  • 7. How is PE helping DevOps and Security teams? Is it a tire fire or a campfire?
  • 9. Audience participation Let’s take the temperature of security here 9
  • 10. Why do things burn: key terms ● White Hat - Security and compliance vendors ● Black Hat - Nation states, mafia, ransomware, DDoS 10
  • 11. Existing terminology ● Vulnerability - Common Vulnerabilities and Exposures (CVEs) ● Unmanaged - Nodes that have an agent but the resource does not have a manifest ● Events - The Events tab, aka Event Inspector, in the PE console
  • 12. New terms ● Intentional Change - Change driven by an update to Puppet code ● Corrective Change - Change made by Puppet to return a system to the desired state, as defined by Puppet code
  • 13. White Hat stuff ● Secret management (Conjur) ● Visibility into intentional vs. corrective change ● Whole infrastructure view (long-term) ● Security company integration (CloudPassage)
  • 14. Let's start with secrets... 14
  • 15. How do we avoid exposing secrets in Puppet? Easiest to hardest ● Avoid exposing secrets in Logs PDB Console 15 https://flic.kr/p/aCJZrf
  • 16. Conjur and Puppet 16 $planet = conjur_variable('planet') file { '/etc/hello.txt': content => "Hello ${planet}!n" } conjurize_file { '/etc/hello.txt': variable_map => { planet => ‘!var puppetdemo/planet’ } }
  • 17. Conjur, Vault, Keywhiz, Amazon KMS, Confidant 17
  • 18. Visibility into Intentional vs. Corrective Change How to narrow down what might be burning 18
  • 19. When your infrastructure is burning, how can PE help? ● Intentional change reporting ● Corrective change reporting 19
  • 21. Corrective change workflow 1: by node 21
  • 22.
  • 25. Corrective change workflow 2: across time 25
  • 26.
  • 27. Event Inspector, Node Graph, resource reporting, and reporting on nodes not under active Puppet management Corrective change: Future 27
  • 28. Full view of your infrastructure Reducing the clutter in your head via a single view 28
  • 30. Tying in vulnerability scanning How many fucks do I need to give about a given corrective change? 30
  • 32. What vendor integration gets you ● Security company integration (CloudPassage) ● Vulnerability comparison to your PE infrastructure. ● Easier compliance tracking
  • 35. Q&A
  • 36. Other Security talks ● Bill Weiss from Puppet http://sched.co/6fkD ● Peter Souter from Puppet http://sched.co/6fjZ ● Seth Vargo from Hashicorp http://sched.co/6fjv ● Ben Hughes from Etsy http://sched.co/6fkM
  • 37. Where to find out more More on Conjur https://www.conjur.net/puppet-secret-server Module on Forge https://forge.puppet.com/conjur/conjur
  • 38. Agile Security and Compliance with CloudPassage and Puppet Application Lifecycle Management with Security using Halo and Puppet
  • 39. Continuous Security Assessment and Compliance Role based server group for your environments Current security and compliance posture of your environments Critical, Non-Critical Security Incident
  • 40. Automated Security & Compliance Assessment Monitor and protect workloads using, ● Firewall Automation ● Workload Vulnerability Assessment ● File Integrity Monitoring ● Log-based IDS ● Multi-factor Authentication ● Install & manage Halo agent on workloads ● Change workload configuration and provide remediation based on security & compliance report provided by Halo
  • 41. Workload Security Assessment Report Workload Security Assessment Report ● Easy to deploy Halo using Puppet ● Agent is in “Read-only” mode and does not change state of workload ● Collect security & compliance issues ● Provide full report in few minutes ● The report provides visibility on: ○ Servers with Critical / Non-critical issues ○ User accounts ○ SW Vulnerability with CVE information ○ Compliance against CIS Benchmark ○ Running processes ● Easily integrate these findings with Puppet to start the remediation process.
  • 42. App. Lifecycle Mgmt with Security using Halo and Puppet