November 15, 2016
Security, Identity, and DevOps, oh my…
Chris Sanchez, Founder and CTO, zibernetics
Twitter - @CSanchezAustin
chris@zibernetics.com
Post questions to #security-track

Background
• 20+ years in Austin technology as an Engineer, Manager, Mentor, Executive, and Entrepreneur
• Tech veteran – iChat/Acuity, CALEB Technologies, Webify, PointSource, 21CT, CognitiveScale, Sun Microsystems, IBM
• Passion for Identity and DevOps
• Founded zibernetics in 2015
  – Research and Development projects
    • Identity, HIPAA Security, DevOps, Cloud, Linux
  – Consultancy for early stage and growth startups

Pop Quiz: Why is this bad?
pg_hba.conf
host all pgbot 192.168.5.0/24 trust
host all pgbot 172.20.0.0/16 trust
First 2 people to post the most interesting security issues to the #security-track with #IdentityOps will win a bumper sticker.
#IdentityOps

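As an added example (not from the talk), here is a small Python audit of pg_hba.conf that makes the quiz answer concrete: a trust rule accepts any client on the listed network as that role with no credential at all, and here both rules cover every database. The sample file is constructed.

```python
import ipaddress

# Constructed pg_hba.conf modelled on the slide; rules 2 and 3 are the quiz lines.
PG_HBA_SAMPLE = """\
local   all   postgres                       peer
host    all   pgbot      192.168.5.0/24      trust
host    all   pgbot      172.20.0.0/16       trust
host    app   appsvc     10.0.3.12/32        scram-sha-256
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf rules; host addresses are assumed to be in CIDR form."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":                        # local  DATABASE USER METHOD
            rules.append(dict(type="local", db=f[1], user=f[2], addr=None, method=f[3]))
        else:                                      # host*  DATABASE USER ADDRESS METHOD
            rules.append(dict(type=f[0], db=f[1], user=f[2], addr=f[3], method=f[4]))
    return rules

def audit_pg_hba(text):
    """Return (rule_number, severity, reason) tuples for risky entries, in file order."""
    findings = []
    for n, r in enumerate(parse_pg_hba(text), 1):
        if r["method"] == "trust":
            # 'trust' skips authentication entirely: anyone who can reach the port
            # from a matching address is accepted as that role with no credential.
            try:
                hosts = ipaddress.ip_network(r["addr"], strict=False).num_addresses if r["addr"] else 1
            except ValueError:                     # samenet/samehost/hostname forms
                hosts = "an unknown number of"
            what = "every database" if r["db"] == "all" else f"database {r['db']}"
            findings.append((n, "CRITICAL",
                             f"trust: {hosts} address(es) can connect as {r['user']} to {what} with no credential"))
        elif r["type"].startswith("host") and r["method"] in ("password", "md5"):
            findings.append((n, "WARN", f"{r['method']} over the network; prefer scram-sha-256"))
        if r["type"] == "host" and r["method"] != "reject":
            findings.append((n, "INFO", "'host' also matches non-TLS connections; consider hostssl"))
    return findings

if __name__ == "__main__":
    for n, sev, why in audit_pg_hba(PG_HBA_SAMPLE):
        print(f"rule {n}: {sev}: {why}")
```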
DevOps is hard because ____
moving fast, lots of tooling, skills, knowledge

What makes it harder?
The Business is moving faster

What makes it harder?
and changing…

and harder
Security is hard

…and harder
Security gets little to no planning

What's needed?
Security Strategy ⇔ DevOps Strategy

There's no need to fear, IdentityOps is here.
What is IdentityOps?
Security – Treat as a first class citizen
Identity – Right resource, time, reason
DevOps – Security that scales

IdentityOps Essentials

Use Case: SSH Access
– Use Case: Provide user-level access to Linux servers and support business and IT policy
– Solution Options: SSH Public Key Authentication
– Advantages:
  • Well understood and secure solution
  • Very good support by all Linux distributions
– Challenges:
  • Only provides for authn, not authz
  • More operational overhead – e.g. user management

Use Case: SSH Access
• Solution: SSH Fabric
  – Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure
  – Keeps ssh keys centralized in an LDAP Directory (not the authorized_keys file) and delivers them in real time for authn
  – Advanced authorization that integrates with PAM for seamless, fine-grained authz
  – Centralized policy for sudo access

1) Model Concepts
(diagram: Layers, Hosts, Groups, Users; example layer prod_pub)

2) Centralize SSH Keys
LDAP Schema
Configure SSH: /etc/ssh/sshd_config
Custom Script: sshldap-pubkey.sh

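An added example of step 2, not the talk's sshldap-pubkey.sh: a Python AuthorizedKeysCommand that fetches a user's keys from the directory so that no authorized_keys file is needed on the host. The sshd_config directives, the ldapPublicKey/sshPublicKey schema, the LDAP URI and base DN are assumptions, and the LDIF at the bottom is constructed.

```python
import base64, subprocess, sys

# Assumed sshd_config settings for this approach (the talk's own file is not reproduced):
#   AuthorizedKeysCommand /usr/local/bin/sshldap-pubkey.py %u
#   AuthorizedKeysCommandUser nobody
# Assumed schema: openssh-lpk objectClass ldapPublicKey, attribute sshPublicKey.
LDAP_URI = "ldaps://ldap.example.com"        # placeholder; TLS so keys cannot be swapped in transit
BASE_DN = "ou=users,dc=example,dc=com"      # placeholder
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def keys_from_ldif(ldif_text, attr="sshPublicKey"):
    """Extract public keys from ldapsearch LDIF output.
    Handles folded lines (continuations start with a space) and base64 values ('attr:: ')."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                # unfold continuation line
        else:
            lines.append(raw)
    keys = []
    for line in lines:
        if line.startswith(attr + ":: "):
            keys.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8", "replace"))
        elif line.startswith(attr + ": "):
            keys.append(line[len(attr) + 2:])
    # Only hand sshd well-formed key lines; anything else stored in the attribute is ignored.
    return [k for k in keys if k.split() and k.split()[0].startswith(KEY_TYPES)]

def lookup_user_keys(username):
    """Query the directory for one user's keys; the uid is whitelisted to avoid filter injection."""
    if not username or not all(c.isascii() and (c.isalnum() or c in "._-") for c in username):
        return []
    cmd = ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", BASE_DN,
           f"(&(objectClass=ldapPublicKey)(uid={username}))", "sshPublicKey"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
    return keys_from_ldif(out.stdout) if out.returncode == 0 else []

# Constructed LDIF, as ldapsearch -LLL would print it (key material is fake).
LDIF_SAMPLE = (
    "dn: uid=bdavis,ou=users,dc=example,dc=com\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED\n"
    " KEYDATA0000 bdavis@laptop\n"
    "sshPublicKey:: " + base64.b64encode(b"ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED legacy").decode() + "\n"
    "sshPublicKey: not a key at all\n"
)

if __name__ == "__main__":                      # sshd passes the login name as %u
    print("\n".join(lookup_user_keys(sys.argv[1]) if len(sys.argv) > 1 else keys_from_ldif(LDIF_SAMPLE)))
```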
3) Configure PAM
Configure LDAP: /etc/ldap.conf
Force TLS to LDAP
Configure Authz: /etc/pam.d/common-account
Configure Authn: /etc/pam.d/common-auth
Enable LDAP: /etc/nsswitch.conf
Restrict Host Access: /etc/security/access.conf

4) Configure sudo
Create sudo rule: /etc/sudoers.d/sshldap

LDAP and Linux are Connected

5) Test SSH Fabric
Policy Allow: grp_itops, security_admins
Policy Deny: All other
Update Policy
Policy Allow: ops_prv
Policy Allow Sudo: ops-prv-sudo

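An added example for steps 3 and 5, not part of the talk: a Python model of how pam_access evaluates /etc/security/access.conf, run against the two policies the test slides describe (allow grp_itops and security_admins, deny all others; then also allow ops_prv). The pam line, the group memberships and the 10.20.0.0/16 ops network are assumptions.

```python
import ipaddress

# Assumed PAM wiring (the talk's common-account is not reproduced):
#   /etc/pam.d/common-account:  account required pam_access.so
# Constructed /etc/security/access.conf for the first test: allow the two groups
# from anywhere, deny everyone else.
ACCESS_CONF_V1 = """\
+ : (grp_itops) (security_admins) : ALL
- : ALL : ALL
"""
# After "Update Policy": ops_prv is also allowed, here limited to an assumed ops network.
ACCESS_CONF_V2 = """\
+ : (grp_itops) (security_admins) : ALL
+ : (ops_prv) : 10.20.0.0/16
- : ALL : ALL
"""
# Constructed group membership (in the talk this comes from LDAP through nsswitch).
GROUPS = {"alice": {"grp_itops"}, "bob": {"ops_prv"}, "mallory": {"grp_dev"}}

def _user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):      # (group) syntax
        return token[1:-1] in groups
    return token == user

def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                                   # pam_access: no '.' means local
        return "." not in origin
    try:                                                   # network/prefix or single address
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return token == origin                             # plain hostname or tty

def check_access(conf, user, origin, groups):
    """pam_access semantics: the first matching line decides; no match means permit.
    'EXCEPT' lists are not implemented in this example."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        if any(_user_matches(t, user, groups) for t in users.split()) and \
           any(_origin_matches(t, origin) for t in origins.split()):
            return perm == "+"
    return True
```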
Use Case: Docker Access
– Use Case: Provide access to Docker runtime while supporting business and IT policy
– Solution Options: Docker group or Authz plug-in
– Advantages:
  • Users don't require admin access
  • Plug-in architecture is very flexible (Authz)
– Challenges:
  • Have to rely on local Linux groups
  • Docker group or Admin access is required
  • Access is coarse – you can do anything

Use Case: Docker Access
• Solution: Docker Fabric
  – Model the concept of Users, Layers, Groups, and Hosts as virtual objects that are overlaid on top of an existing Linux infrastructure (same as previous use case)
  – Centralized policy for user-level access to Docker (via TLS and Flask app)
  – Keeps rules centralized in a repository and enforces them at runtime (same as previous use case)

2) Centralize Policy for User-level Access
Setup Docker Group: /etc/default/docker
Update Docker socket access: /lib/systemd/system/docker.socket
Create Authz Plugin: /etc/default/docker_fabric_authz
Create Authz Plugin: /etc/systemd/system/docker.service.d/docker_fabric_authz.conf
Create Authz Plugin: /usr/local/bin/docker_fabric_authz.py

# Client alias: the per-user TLS certificate identifies the user to the daemon and its authz plugin
export theUser="Branton Davis"
alias dockera="docker -H=$(hostname):2376 \
  --tlsverify \
  --tlscacert=/etc/zinet/pki/server/zibernetics-int-cacert.crt \
  --tlscert=\"/etc/zinet/pki/user/${theUser}.crt\" \
  --tlskey=\"/etc/zinet/pki/user/${theUser}.ukey\""

4) Test Docker Fabric
Policy Deny: All others
Update Policy
Policy Allow: ops_prv

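An added example of the authorization-plugin decision, written with the standard library rather than the talk's Flask app: the daemon POSTs each API call to the plugin with the client-certificate CN as User, and the plugin answers Allow or deny, which is what turns the coarse docker-group access into per-user, per-group policy. The group policy, memberships and port are constructed.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy modelled on the talk's test ("Policy Allow: ops_prv", deny all others):
# group -> list of (HTTP method or "*", regex over the Engine API path) it may call.
POLICY = {
    "ops_prv": [("*", r"^(/v[\d.]+)?/.*")],                          # full API
    "grp_dev": [("GET", r"^(/v[\d.]+)?/(containers|images)/")],      # read-only views
}
# Constructed membership; the TLS client-cert CN is the User value Docker passes to the plugin.
GROUPS = {"Branton Davis": {"ops_prv"}, "dev1": {"grp_dev"}, "guest": set()}

def authz_req(body, groups=GROUPS, policy=POLICY):
    """Decide one AuthZPlugin.AuthZReq call and return the response object Docker expects."""
    req = json.loads(body)
    user = req.get("User", "")
    method, uri = req.get("RequestMethod", ""), req.get("RequestUri", "")
    if req.get("UserAuthNMethod") != "TLS" or not user:   # unauthenticated callers get nothing
        return {"Allow": False, "Msg": "client certificate required", "Err": ""}
    for grp in groups.get(user, ()):
        for m, pattern in policy.get(grp, ()):
            if m in ("*", method) and re.match(pattern, uri):
                return {"Allow": True, "Msg": f"{user} permitted via {grp}", "Err": ""}
    return {"Allow": False, "Msg": f"{user} is not permitted {method} {uri}", "Err": ""}

class Handler(BaseHTTPRequestHandler):
    """Minimal plugin endpoint; the response phase (AuthZRes) is passed through unfiltered."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/Plugin.Activate":                 # handshake: advertise the authz subsystem
            resp = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            resp = authz_req(body)
        else:                                               # /AuthZPlugin.AuthZRes
            resp = {"Allow": True, "Msg": "", "Err": ""}
        out = json.dumps(resp).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":
    # Docker finds the plugin through a spec file such as /etc/docker/plugins/docker_fabric_authz.spec
    # (assumed name) containing "tcp://127.0.0.1:8765", and enables it with --authorization-plugin.
    HTTPServer(("127.0.0.1", 8765), Handler).serve_forever()
```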
IdentityOps Summary
(diagram: Directory, Business Policies, Linux, Docker)
Centralized, real-time policy for access management
Uniform application of policy and real-time enforcement
Better operational efficiency
Enable use cases: least privilege, nonrepudiation, segregation of duties, auditability

W: http://www.zibernetics.com T: @CSanchezAustin E: chris@zibernetics.com
First person to post Wile E. Coyote's middle name to the #security-track with #IdentityOps will win a bumper sticker.
#IdentityOps

Thank you!