DevOps, Security, and Compliance WORKING IN UNISON

Transcription

1 DevOps, Security, and Compliance WORKING IN UNISON

2 I like. About me Elizabeth Lawler Co-Founder & CEO Machine identity and access management at scale Mapping compliance requirements to next generation IT systems Building a business My kids, dog, cat, chickens, and my husband

3 DevOps transformations: Domains of change Organization Multidisciplinary Teams Engineering Operations Security Product Owner Tight Feedback Loops Strong Business Decision Alignment Metricing Methodology Continuous Review and Improvement (Postmortems) Automate process steps Version Everything Automate Testing Technology Version control systems Configuration Management Systems from moving from build-deploy-test-release Elastic Computing Enviroments

4 Why Change? Reduce Costs Close data centers and move to cloud Replace people with automated processes Reduce Time to Market Automate production deployments Smaller more frequent changes provide real time customer feedback (Split A/B) Reduce Risk Move security left - add more security checks into automation workflow Rapid deployment of patches

5 It Takes a Team Effort Collaboration between business, compliance, and engineering to: 1. Understand and communicate risks 2. Respond accordingly 3. Improve continuously while: 1. Remaining agile

6 Every modern industry with the potential to impact public safety, human life, or national security has matured to the rigor that looks like a supply chain...except for software Do we have good building codes for building software? -Josh Corman, Co-Founder, Rugged Ops Source: Josh Corman, Continuous Integrations with a software supply chain, DevOps Days 2015, Washington D.C.

7 Common Technical Advantages of DevOps Continuous monitoring and logging Engagement of security stakeholders earlier in the application development process Increasing number of tools available for code analysis and supply chain control

8 Common Security Issues in DevOps New to market tooling Open-source tooling which lacks security controls Lack of organizational understanding of DevOps practices Inability to enforce good security practices in opaque or internally unmonitored systems Strong reliance on external tooling or infrastructure (security exposure beyond internal IT systems) Lack of checkpoints or segregation of duties

9 Why is compliance in DevOps business Devops adoption is of strategic value to the business The processes, tools and techniques are in the spotlight from a security and compliance perspective

10 Let s Get Started

11 Knowledge Transfer: Security, Compliance and Engineering need to speak a common language

12 Planning for Continuous Security and Compliance GET BUY-IN PLAN IMPROVE Get management buy-in to include security and compliance work in the normal planning and delivery processes Plan and work with Stories: Story #1: Meet the compliance team [Spike]

13 Most of the time it is Alphabet Soup HIPAA NIST-CSF SOX PCI PIPEDA ID.AM-2: Software platforms within the organization are inventoried ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established CCS CSC 2 COBIT 5 BAI09.01, BAI09.02, BAI09.05 ISA : ISA :2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A NIST SP Rev. 4 CM-8 COBIT 5 APO01.02, DSS06.03 ISA : ISO/IEC 27001:2013 A NIST SP Rev. 4 CP-2, PS- 7, PM-11

14 Language barriers between security and engineering Controls framework Identify Protect Detect Respond Recover Analogous Control Activities & Services for Operators Asset Management (CMDB) Network Security, Authentication, Key Management Log Aggregation and Reporting Alerting, Incident Communication and Escalation Plan Post-mortems, metrics tracking (e.g., MTTD, MTTR)

15 Example Security and Compliance Goal Certify the security of the CI/CD pipeline Developer Dev team Deploy Check INFRASTRUCTURE Dev team, tools, & tools admins Dev team, tools, tools admins, & operators

16 DEVOPS, SECURITY & COMPLIANCE: WORKING IN UNISON The Challenge - Moving from People Process to Automation LEGACY IT ERA Automation Complexity Known # of identifiable components 100s-1000s system components Provisioned by People +/- approvals, traceable Code -? approvals,? traceable Provisioned with days-weeks seconds-minutes Threat concerns Insiders Tampered code or build systems Mainframe Client/ Server Web Containerized Cloud

17 Comprehensive Inventory is a Common Control Gap Inventory of Authorized and Unauthorized Devices is known or can be evaluated in an traditional IT environment 1) Ephemeral IT infrastructure (Cloud and Containers) have time as a important factor in understanding inventory 2) Launching or scaling infrastructure is initiated by automated processes 3) Multiple versions could be in deployment simultaneously and need to be tracked in parallel Load Balancer App App New New T o o l s

18 Gap analysis for a CI/CD pipeline Developer Dev team Deploy Check INFRASTRUCTURE Dev team, tools, & tools admins Dev team, tools, tools admins, & operators

19 Control Example: Domain Access Control (PR.AC) Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. Subcontrol - PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties Applies to CCS CSC 12, 15 ISA : ISA :2013 SR 2.1 ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A NIST SP Rev. 4 AC-2, AC-3, AC- 5, AC-6, AC-16

20 Potential Remediation Approaches for a CI/CD pipeline Securing Your Pipeline Create identities for testing systems Manage developer access to testing systems (e.g., Jenkins) Remove secrets from source code Manage secrets in configuration files Restrict access to identifying hashes for build products and artifacts Log build activities with relevant identities and hashes to establish an audit trail

21 Gap Analysis Current state: Any Developer Universal access to Jenkins by developers Embedded shared system credentials Reporting? Audit? Example: Jenkins Logs Are they archived? Are they modifiable? Can they be rotated out of existence? Is this good enough? Can you prove least privilege or separation of duties in this part of the pipeline?

22 Where do you fall on the spectrum? Example NIST-CSF - 4 TIERS OF CYBER SECURITY AWARENESS TIER 1 - Partial TIER 2 - Risk Informed TIER 3 - Repeatable TIER 4 - Adaptive Automated

23 Remediation - Separation of Duties and Least Privilege CI Role Before After Commit Developers Developers Manage build job Developers Project team admins Initiate build Developers Project team developers Tag release Developers Release-bot (nonhuman actor) Promote to Prod Developers Project team admins Access to Prod Developers No standing access

24 Automation Benefits: continuous delivery of security EXAMPLE COMPLIANCE CONTROL PR.AC-1: Identities and credentials are managed for authorized devices and users STATIC OR ACTIVE ANALYSIS Processes and procedures for managing identities and credentials are documented EVENT Hire a new person Provision a new device Elevate auth for a system admin STATIC ANALYSIS Compliance procedures like checklists with signoff and auth forms ACTIVE ANALYSIS Tooling provides wizards to gate processes, audit logs of activities, and dashboards for reporting views that act as a real time audit

25 Test and Verify: Example using cucumber (also InSpec) Teams that focus on testing, early detection, and measuring progress have 30% fewer defects in production Write code that leads to pass state Source: The Journey to DevSecOps, Shannon Lietz, 2016 FAIL NIST CONTROL PR.AC-4 Describe compliance in plain english What do you have in place/plan to have in place? Describe passing scenarios Write tests in Ruby and run it Source: Audit Compliance with BDD tools, Kevin O Brien, Conjur blog

26 Communication Pitfall:: JSON is not a report Repeatable Reliable Fast Auditable Reportable

27 Focus on what is high-value to the business Most commonly, infrastructure security risks (whether from insider threats, misadventures of well-meaning IT professionals, or breaches and APTs) are: 1. Access control 2. Management of virtual assets and inventories 3. Credentials and shared accounts which are common attack vectors If you can automate and abstract these 3 things, you can mitigate lots of the risk in your organization- that is VALUE to the business

28 Don t get dinged on an Audit User identities not provided by enterprise master user directory (ex. AD) Infrastructure credentials not actually rotated Cloud credentials Backdoor SSH keys Impermanent audit log retention Reliance on authentication rather than authorization Using tools not fit for purpose (eg. using private source control repos to store secrets and credentials) User SSH keys SSL certificates Least privilege access not implemented in practice; excessive trust in personnel

29 Build it in incrementally

30 Thank You It takes a village... Thank you Kevin Gilpin Stacy McAuliffe Christopher Farnham Steve Coplan Josh Bregman Andy Ellicott Dustin Collins and the rest of the team at Conjur Elizabeth conjur.net