Automating Security and Compliance for Hybrid Environments

Transcription

1 Automating Security and Compliance for Hybrid Environments Lucy Kerner Security Global Technical Evangelist and Strategist, Red

2 COMMON SECURITY CHALLENGES Inconsistent Patching Change Whodunits Ops Secrets Management Application Sprawl Inconsistent Configurations Dev Security Server Sprawl Security is frequently the last to know! 2

3 SECURITY, COMPLIANCE, AND GOVERNANCE CHALLENGES IN A HYBRID ENVIRONMENT VIRTUALIZATION OS PUBLIC CLOUD CLOUD PRIVATE CLOUD CONTAINERS GROWING COMPLEXITY INTRODUCES RISK MANUALLY MONITORING SYSTEMS FOR SECURITY + COMPLIANCE BECOMES DIFFICULT VISIBILITY AND CONTROL (YOU CAN T CONTROL WHAT YOU CAN T SEE) MANAGING SECURITY POLICIES CONSISTENTLY USER SELF-SERVICE BUT WITH TIGHT CONTROL OVER ENTIRE ENVIRONMENT

4 WHY AUTOMATE SECURITY AND COMPLIANCE?

5 5 81% of hacking-related breaches leveraged either stolen and/or weak passwords Verizon Data Breach Investigations Report [

6 6 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident Focus on the Biggest Security Threats, Not the Most Publicized Gartner, November 2017

7 7 LET S MANUALLY ENSURE SECURITY + COMPLIANCE... Very time consuming, tedious, boring Highly prone to human error Bad actions go undetected(no papertrail) Not easy to do audits Constant back and forth between Operations + Security teams Not repeatable, sharable, or verifiable

8 INSTEAD, WHAT YOU WANT IS... 8 Centralized management and visibility of your entire heterogeneous infrastructure Windows, Linux, Virtualization, Public/Private Cloud, Containers, Ticketing System, etc You can t control what you can t see Infrastructure and Security as code Repeatable, sharable, verifiable, easier to do compliance audits Make it easier to pass security audits Controlled visibility into the state of compliance of systems for the security team / security auditor Less back and forth between operations and security teams Proactive scanning and compliance to security baselines Security hardened and compliant host at provisioning time Consistency: Eliminate snowflake systems from the start Immutable Operating System: OS can t be changed by untrusted parties Automated proactive continuous monitoring and fixing of all systems in hybrid environment that are out of compliance for entire lifecycle Build security into your application pipeline. Automate as much as possible!

9 WHY AUTOMATION? 9 Save time and money Reduce risk and avoid expensive human errors Protection from security breaches Allows you to build security into your application pipeline from the beginning vs having security as an afterthought Ensure and enforce ongoing compliance from a consistent centralized place using a common, easy to learn automation language Create a compliant host or service at provisioning time Repeatable, sharable, verifiable, and easier to do compliance audits Continuous security, monitoring, and fixing of all systems in hybrid environment that are out of compliance for entire lifecycle Automation plays an essential role in system configuration management and DevSecOps

10 HOW CAN RED HAT HELP?

11 SECURITY MUST BE CONTINUOUS And integrated throughout the IT lifecycle Identify security requirements & governance models DESIGN BUILD Built-in from the start; not bolted-on Revise, update, remediate as the landscape changes ADAPT Security policy, process & procedures RUN Deploy to trusted platforms with enhanced security capabilities MANAGE Automate systems for security & compliance

12 SECURITY THROUGHOUT THE LIFECYCLE DESIGN BUILD RUN MANAGE ADAPT RED HAT SECURITY AD(ISORIES TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFT)ARE

13 13 SECURITY THROUGHOUT THE STACK

14 BUILT-IN SECURITY AUTOMATION WITH OpenSCAP NIST validated and certified Security Content Automation Protocol (SCAP) scanner by Red Hat Scans systems and containers for: known vulnerabilities = unpatched software compliance with security policies (PCI-DSS, US Gov baselines, etc) Ansible remediation playbooks provided (new with RHEL 7.5) Included in Red Hat Enterprise Linux base channel Red Hat natively ships NIST validated National Checklist content SCAP Workbench GUI front end tool for OpenSCAP that serves as an SCAP scanner Provides tailoring functionality for SCAP content Local scanning of a single machine

15 15 Security Remediations with OpenSCAP and Ansible Ansible remediation playbooks provided (new with RHEL 7.5) Apply pre-generated Ansible playbook (provided by scap-security-guide) Generate a new playbook from a specific security profile (input) $ oscap xccdf generate fix --fix-type ansible --profile stig-rhel7-disa --output stig-rhel7-disa-profile.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Generate a playbook of fixes only (from completed scan report) $ oscap xccdf generate fix --fix-type ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output standard-playbook-result.yml results.xml

16 16 Scanning and Hardening/Remediating Containers with OpenSCAP Scan container for Unpatched software Scan container for Configuration compliance $ sudo atomic scan --scan_type configuration_compliance --scanner_args profile=stig-rhel7-disa,report rhel7:latest Remediate the container $ sudo atomic scan --scan_type configuration_compliance --scanner_args profile=stig-rhel7-disa,report --remediate rhel7:latest

17 MAKING AUDITORS HAPPY WITH OpenSCAP REPORTS

18 Automated Security and Compliance at scale across a hybrid environment with Red Hat

19 USING RED HAT TECHNOLOGY IN A HYBRID ENVIRONMENT, HOW CAN I: 1) Create a security compliant host at provisioning time 2) Do Continuous Monitoring and Security For both VMs and Containers a) Automate ongoing security compliance and remediations b) Enforce governance and control in an automated fashion c) Visibility and Control for operations teams i) Restricted visibility into environment for security teams d) Proactive Security and Automated Risk Management

20 Provisioning a security compliant host

21 21

22 22

23 23

24 24

25 25

26 26

27 27

28 Enforcing compliance with security policies in an automated fashion

29 29

30 30

31 31

32 32

33 33

34 34

35 35

36 36

37 37

38 38

39 39

40 40

41 41

42 42

43 43

44 44

45 45

46 46

47 47

48 48

49 Automated Security and Compliance with Red Hat Openshift

50 IMPROVING SECURITY WITH CONTAINERS AND OPENSHIFT In Security, consistency and repeatability is key. Adopting containers in a container platform will improve your security. US Courts US Citizen and Immigration Services Oak Ridge National Laboratory Internal Revenue Service US Government Panel, Openshift Commons Briefing December 2017 Journey of DevSecOps - US Department Homeland Security June 2017

51 IMPRO(ED SECURITY )ITH CONTAINERS Improved Patch Management Consistent & Secure Configurations Record of Changes Higher Dev Productivity More Security Built-In Faster, Easier Deployment for Ops Secrets Management Server Sprawl Application Sprawl 51

52 Security Benefits of Containerized Infrastructure Standard, hardened infrastructure Force applications to be in line with defined security policies Read-only containers = Application whitelisting Continually (re)deploying from known good source Standardized base container images No humans in production - SSH turned off Patching improvements Complete record of change Minimal OS Pipeline Integration moves security left Security gates: Nothing go to production unless all checks passed.

53 84% of open source projects do not fix known security defects. * 2017 State of the Software Supply Chain by Sonatype

54 54

55 RED HAT SUPPLY CHAIN SECURITY Community leadership Package selection Manual inspection Automated inspection Packaging guidelines Trusted builds Quality assurance Certifications Signing Distribution Support Security updates/patches Upstream Community projects Red Hat solutions Red Hat customers

56 Never {pass} defects to downstream work centers. * The Phoenix Project by George Spafford, Kevin Behr, and Gene Kim

57 AUTOMATE QUALITY

58 SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT Trusted code repos CCB RAPID ATO REQ DEV UNIT TEST CODE QUAL SEC SCAN INT TEST QA UAT PROD -Jira -Trello -Che -JBDSguac -Cucumber -Arquillian -Junit -Sonarqube -Fortify -AtomicScan -Blackduck -Twistlock AUTOMATED QUALITY -Sysdig -Dynatrace CM CS OPENSHIFT SOFTWARE FACTORY

59 59

60 60

61 61

62 62

63 63

64 64

65 65

66 66

67 67

68 The last thing most managers think about is how to get a new product back if something goes wrong. * A Strategic Approach to Managing Product Recalls by N. Craig Smith, Robert J. Thomas, and John Quelch for HBR

69 SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT Trusted code repos CCB RAPID ATO REQ DEV UNIT TEST CODE QUAL SEC SCAN INT TEST QA UAT PROD -Jira -Trello -Che -JBDSguac -Cucumber -Arquillian -Junit -Sonarqube -Fortify -AtomicScan -Blackduck -Twistlock AUTOMATED QUALITY -Sysdig -Dynatrace CM CS OPENSHIFT SOFTWARE FACTORY

70 If you have three days to patch out a CVE in prod, can you?

71 Patch SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT Trusted code repos CCB RAPID ATO REQ DEV UNIT TEST CODE QUAL SEC SCAN INT TEST QA UAT PROD -Jira -Trello -Che -JBDSguac -Cucumber -Arquillian -Junit -Sonarqube -Fortify -AtomicScan -Blackduck -Twistlock AUTOMATED QUALITY -Sysdig -Dynatrace CM CS OPENSHIFT SOFTWARE FACTORY

72 Patch SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT Trusted code repos CCB RAPID ATO REQ DEV UNIT TEST CODE QUAL SEC SCAN INT TEST QA UAT PROD -Jira -Trello -Che -JBDSguac -Cucumber -Arquillian -Junit -Sonarqube -Fortify -AtomicScan -Blackduck -Twistlock AUTOMATED QUALITY -Sysdig -Dynatrace CM CS OPENSHIFT SOFTWARE FACTORY

73 Patch SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT Trusted code repos CCB RAPID ATO REQ DEV UNIT TEST CODE QUAL SEC SCAN INT TEST QA UAT PROD -Jira -Trello -Che -JBDSguac -Cucumber -Arquillian -Junit -Sonarqube -Fortify -AtomicScan -Blackduck -Twistlock AUTOMATED QUALITY -Sysdig -Dynatrace CM CS OPENSHIFT SOFTWARE FACTORY

74 This is DevSecOps

75 DEV(SEC)OPS Everything as code Application monitoring Automate everything Control Planes vs Data Planes Continuous Integration/Delivery Rebuild vs. Repair Application is always releasable Delivery pipeline GENERAL DISTRIBUTION

76 76 GENERAL DISTRIBUTION

77 77 GENERAL DISTRIBUTION

78 BRINGING IT ALL TOGETHER Self-Service Service Catalog (Language Runtimes, Middleware, Databases) Build Automation Deployment Automation OpenShift Application Lifecycle Management (CI/CD) Container Orchestration & Cluster Management (Kubernetes) Networking Storage Registry Logs & Metrics Infrastructure Automation & Cockpit Enterprise Container Host RHEL Container Runtime & Packaging SELinux and SCC Security CONTROL DEFEND EXTEND Ansible / CloudForms Red Hat Enterprise Linux

79 CONTROL Container Content Container Registry CI/CD Pipeline Deployment Policies DEFEND Container Platform Network Isolation Container Host Multi-tenancy Storage Audit & Logging API Management EXTEND Security Ecosystem 79

80 THE SECURITY ECOSYSTEM For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as Network Security Identity and Access management / Privileged Access Management External Certificate Authorities External (aults / Key Management solutions Container content scanners & vulnerability management tools Container runtime analysis tools Security Information and Event Monitoring SIEM And use open source & open standards More about OpenShift Primed Partners 80

81 Automate ongoing security compliance and remediations

82 82

83 83

84 84

85 85

86 86

87 87

88 88

89 89

90 90

91 91

92 92

93 Proactive Security and Automated Risk Management with Red Hat Insights

94 94

95 95

96 96

97 97

98 98

99 99

100 100

101 101

102 102

103 103

104 104

105 USING RED HAT TECHNOLOGY YOU TOO CAN: 1) Create a security compliant host at provisioning time 2) Do Continuous Monitoring and Security For both VMs and Containers a) Automate ongoing security compliance and remediations b) Enforce governance and control in an automated fashion c) Visibility and Control for operations teams i) Restricted visibility into environment for security teams d) Proactive Security and Automated Risk Management All with FLEXIBILITY + CHOICE using a combination of OpenShift, OpenSCAP, Red Hat CloudForms, Red Hat Satellite, Red Hat Ansible Automation, and Red Hat Insights

106

107 Can I try these demos hands on? This lab environment is hosted online on the Red Hat Product Demo System (RHPDS) Accessible by Red Hat Partners and Red Hat Employees. Red Hat customers, please work with your Red Hat account team who can access and provision this lab environment for you. Security and Compliance Automation Lab doc: /documentation/readme.adoc Ansible playbooks used in lab/demo environment: iance Also, Ansible remediation playbooks for SCAP profiles available directly in RHEL 7.5 Red Hat Enterprise Linux Security Technologies Lab doc: cumentation/readme.adoc

108 RED HAT SUMMIT 2018 Many security sessions, including this session, were recorded and are now on YouTube! (isit: 108

109 THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhat(ideos