Here are the slides from Beth Cornils & Verne Lindner's PuppetConf 2016 presentation called How We Are Helping You When Everything is Burning. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa
10. Why do things burn: key terms
● White Hat - Security and compliance vendors
● Black Hat - Nation states, mafia, ransomware, DDoS
11. Existing terminology
● Vulnerability - Common Vulnerabilities and Exposures (CVEs)
● Unmanaged - Nodes that have a Puppet agent, but whose resources are not declared in any manifest
● Events - The Events tab, aka Event Inspector, in the PE console
12. New terms
● Intentional Change - Change driven by an update to Puppet code
● Corrective Change - Change made by Puppet to return a system to the desired state, as defined by Puppet code
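Here is an added example (not from the talk and not Puppet's own code) of how the intentional/corrective distinction above can be put to work on an agent's report: it reads a Puppet-style JSON report, splits the successful change events by their corrective_change flag, and raises an alert for corrective changes on security-sensitive resource types, since those mean something outside Puppet altered a control and Puppet quietly put it back. The report sample is constructed, and the exact field layout (resource_statuses, events, corrective_change) is an assumption modelled on Puppet's report format rather than something the slides specify.

```python
"""Classify Puppet report events as intentional vs corrective change.

Added example (not from the PuppetConf slides). The JSON shape below is an
assumption modelled on Puppet's report format; the sample report is
constructed so the script runs offline.
"""
import json

# Constructed sample: three resource statuses from one Puppet run.
# - sshd_config mode changed because the manifest now says 0600
#   (intentional: driven by a code update)
# - /etc/sudoers mode reset by Puppet after something outside Puppet
#   widened it (corrective: Puppet returning the system to desired state)
# - the ntp package was already in sync (no change)
SAMPLE_REPORT = json.dumps({
    "host": "web01.example.com",
    "time": "2016-10-20T10:15:00Z",
    "status": "changed",
    "resource_statuses": {
        "File[/etc/ssh/sshd_config]": {
            "resource_type": "File",
            "title": "/etc/ssh/sshd_config",
            "changed": True,
            "corrective_change": False,
            "events": [{
                "property": "mode",
                "previous_value": "0644",
                "desired_value": "0600",
                "status": "success",
                "corrective_change": False,
            }],
        },
        "File[/etc/sudoers]": {
            "resource_type": "File",
            "title": "/etc/sudoers",
            "changed": True,
            "corrective_change": True,
            "events": [{
                "property": "mode",
                "previous_value": "0666",
                "desired_value": "0440",
                "status": "success",
                "corrective_change": True,
            }],
        },
        "Package[ntp]": {
            "resource_type": "Package",
            "title": "ntp",
            "changed": False,
            "corrective_change": False,
            "events": [],
        },
    },
})

# Resource types where a corrective change means a security control was
# altered behind Puppet's back; these deserve an alert, not just a log line.
SENSITIVE_TYPES = {"File", "User", "Group", "Service", "Firewall"}


def classify_events(report_json):
    """Return (intentional, corrective) lists of (resource, property, from, to)."""
    report = json.loads(report_json)
    intentional, corrective = [], []
    for ref, status in report["resource_statuses"].items():
        for ev in status.get("events", []):
            if ev.get("status") != "success":
                continue  # failed or noop events changed nothing on the node
            rec = (ref, ev["property"], ev["previous_value"], ev["desired_value"])
            # Event-level flag wins; fall back to the resource-level flag.
            if ev.get("corrective_change", status.get("corrective_change", False)):
                corrective.append(rec)
            else:
                intentional.append(rec)
    return intentional, corrective


def security_alerts(report_json):
    """Corrective changes on security-sensitive resource types (drift outside Puppet)."""
    _, corrective = classify_events(report_json)
    return [rec for rec in corrective
            if rec[0].split("[", 1)[0] in SENSITIVE_TYPES]


if __name__ == "__main__":
    intentional, corrective = classify_events(SAMPLE_REPORT)
    print("intentional:", intentional)
    print("corrective :", corrective)
    for ref, prop, before, after in security_alerts(SAMPLE_REPORT):
        print(f"ALERT drift outside Puppet: {ref} {prop} {before} -> {after}")
```

The useful signal is the second list: an intentional change is expected because someone merged code, while a corrective change on a file mode, user or service tells you the node was modified by something other than Puppet between runs, which is exactly the kind of event the Event Inspector should let you chase.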
13. White Hat stuff
● Secret management (Conjur)
● Visibility into intentional vs. corrective change
● Whole infrastructure view (long-term)
● Security company integration (CloudPassage)
32. What vendor integration gets you
● Security company integration (CloudPassage)
● Vulnerability comparison to your PE infrastructure.
● Easier compliance tracking
36. Other Security talks
● Bill Weiss from Puppet http://sched.co/6fkD
● Peter Souter from Puppet http://sched.co/6fjZ
● Seth Vargo from Hashicorp http://sched.co/6fjv
● Ben Hughes from Etsy http://sched.co/6fkM
37. Where to find out more
More on Conjur https://www.conjur.net/puppet-secret-server
Module on Forge https://forge.puppet.com/conjur/conjur
38. Agile Security and Compliance with CloudPassage and Puppet
Application Lifecycle Management with Security using Halo and Puppet
39. Continuous Security Assessment and Compliance
Diagram labels: role-based server group for your environments; current security and compliance posture of your environments; Critical / Non-Critical; Security Incident
40. Automated Security & Compliance Assessment
Monitor and protect workloads using:
● Firewall Automation
● Workload Vulnerability Assessment
● File Integrity Monitoring
● Log-based IDS
● Multi-factor Authentication
● Install & manage Halo agent on workloads
● Change workload configuration and provide remediation based on security & compliance report provided by Halo
41. Workload Security Assessment Report
● Easy to deploy Halo using Puppet
● Agent is in “Read-only” mode and does not change state of workload
● Collect security & compliance issues
● Provide full report in a few minutes
● The report provides visibility on:
○ Servers with Critical / Non-critical issues
○ User accounts
○ SW Vulnerability with CVE information
○ Compliance against CIS Benchmark
○ Running processes
● Easily integrate these findings with Puppet to start the remediation process.
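The last bullet above, and the "change workload configuration and provide remediation" item on slide 40, describe glue that the deck does not show. The following is an added example (not CloudPassage's or Puppet's code) of what that glue can look like: it takes a findings report with the categories named on the slide (critical vs non-critical, software vulnerabilities with CVE information, CIS benchmark checks, running processes) and emits a Puppet node definition for the findings that have a safe, concrete Puppet expression, sending everything else to a human review list. The findings schema and the sample report are constructed and assumed; they are not the real Halo API format. The package versions are upstream OpenSSL numbers, not distro build strings.

```python
"""Turn a workload security-assessment report into Puppet remediation code.

Added example, not from the slides. The report schema (type, critical, package,
fixed, cves, rule, path, expected_mode) is an assumption modelled on the report
categories the slide lists, not the real Halo API.
"""
import json

# Constructed sample report for one server.
SAMPLE_FINDINGS = json.dumps({
    "server": "web01.example.com",
    "findings": [
        # software vulnerability with CVE information, rated critical
        {"type": "sva", "critical": True, "package": "openssl",
         "installed": "1.0.1e", "fixed": "1.0.1t", "cves": ["CVE-2016-2107"]},
        # CIS benchmark check with a concrete file-permission fix
        {"type": "csm", "critical": True,
         "rule": "CIS: permissions on /etc/crontab are configured",
         "path": "/etc/crontab", "expected_mode": "0600", "actual_mode": "0644"},
        # CIS check with no single-resource fix; needs a human decision
        {"type": "csm", "critical": False,
         "rule": "CIS: SSH Idle Timeout Interval is configured"},
        # running-process finding; never auto-remediated here
        {"type": "process", "critical": False, "process": "telnetd", "pid": 2231},
    ],
})


def generate_remediation(findings_json, critical_only=True):
    """Return (puppet_node_definition, needs_review) for a findings report.

    Only findings with a concrete, safe Puppet expression become code:
    package upgrades with a known fixed version, and file-permission rules.
    Non-critical findings (when critical_only) and everything else go to
    the review list so a person decides before Puppet changes the workload.
    """
    data = json.loads(findings_json)
    resources, review = [], []
    seen_packages = set()  # one package resource per package, or Puppet errors
    for f in data["findings"]:
        if critical_only and not f.get("critical"):
            review.append(f)
            continue
        if f["type"] == "sva" and f.get("fixed") and f["package"] not in seen_packages:
            seen_packages.add(f["package"])
            resources.append(
                "  # %s\n  package { '%s':\n    ensure => '%s',\n  }"
                % (", ".join(f["cves"]), f["package"], f["fixed"]))
        elif f["type"] == "csm" and f.get("path") and f.get("expected_mode"):
            resources.append(
                "  # %s\n  file { '%s':\n    ensure => file,\n    mode   => '%s',\n  }"
                % (f["rule"], f["path"], f["expected_mode"]))
        else:
            review.append(f)
    node = "node '%s' {\n%s\n}\n" % (data["server"], "\n".join(resources))
    return node, review


if __name__ == "__main__":
    manifest, review = generate_remediation(SAMPLE_FINDINGS)
    print(manifest)
    for f in review:
        print("REVIEW:", f.get("rule") or f.get("process") or f.get("package"))
```

Pinning `ensure` to the fixed version rather than `latest` keeps the remediation an intentional, reviewable change in code; once the manifest is merged and applied, any later drift back to the vulnerable package shows up in the Puppet report as a corrective change rather than disappearing silently.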