$30 off During Our Annual Pro Sale. View Details »

Compliance as Code

Ladislav Prskavec
January 23, 2020
Technology
0
260

Compliance as Code

Compliance is an important part of IT systems. It is often performed only as a regular annual audit. The auditors pick up samples of data to check. They can’t check all the data.

I went through classical audits, where you fill tens of excel sheets and then consult with internal audit what and how to improve etc. As SRE (Site Reliability Engineer) deals with monitoring and automation, there is also depriving people of manual work. I have seen how the problem is solved on a large scale (cloud providers). I have experience with Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS). I’ll show you how to move from Excel to an automatic, near real-time compliance check solution using Chef Inspec Framework.

Ladislav Prskavec

January 23, 2020
Tweet

More Decks by Ladislav Prskavec

See All by Ladislav Prskavec
How to make own observability solution?
abtris
0
37
OpenTelemetry as best way how to instrument your CICD pipeline
abtris
0
65
Prague Go Meetup #12 Introductions
abtris
0
16
How we run stateful services for customers in Kubernetes
abtris
0
120
Go Release 1.20
abtris
0
72
CI pipelines should be code! Dagger Go SDK
abtris
1
180
Getting started with fuzzing
abtris
0
170
Jamstack in 2021
abtris
0
39
How we build services in Oracle Cloud Infrastructure
abtris
1
68

Other Decks in Technology

See All in Technology
Azure OpenAI Serviceの採用と挑戦 - Azure AI Hub meetup #1
cimadai
1
290
Go Getでのchecksum不一致に遭遇した話とその対応
replu
0
190
2023년의 딥러닝과 LLM 생태계
inureyes
PRO
0
580
ROSCon 2023参加報告:Real-Time Workshop & Zenoh's Current Status and Forecast
takasehideki
1
220
2023-12-01 吉祥寺.pm ベストプラクティスと組織とIaC
masasuzu
1
370
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
650
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
1.3k
継続的なコツコツ技術広報とブランディング磨き込みの過程と課題/engineering-brand
nishiuma
0
110
ニフティの過去・現在・未来 - NIFTY Tech Day 2023
niftycorp
0
160
RealSense T265とD415とUFACTORY Lite 6で模倣学習の実験
hygradme
0
350
実装がすべてではない、開発者の周りから考える Web プロダクトセキュリティ
oldbigbuddha
1
230
ココナラでエンジニアマネージャーをやってみた!
coconala_engineer
1
130

Featured

See All Featured
How to Ace a Technical Interview
jacobian
272
22k
Code Review Best Practice
trishagee
53
14k
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k
Ruby is Unlike a Banana
tanoku
93
10k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.9k
How STYLIGHT went responsive
nonsquared
89
4.5k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
140k
Happy Clients
brianwarren
91
6.1k
Product Roadmaps are Hard
iamctodd
43
9.1k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M

Transcript

  1. Compliance as Code
    Ladislav Prskavec
    Ladislav Prskavec - itSMF, 23. 1. 2020 1

    View Slide

  2. Who Am I
    4 Senior Manager in Oracle Cloud Infrastructure
    4 Twitter: @abtris
    4 Blog and talks: https://blog.prskavec.net/
    Ladislav Prskavec - itSMF, 23. 1. 2020 2

    View Slide

  3. Compliance
    Ladislav Prskavec - itSMF, 23. 1. 2020 3

    View Slide

  4. Ladislav Prskavec - itSMF, 23. 1. 2020 4

    View Slide

  5. Automating Away the
    Regulatory Compliance
    Myth
    Ladislav Prskavec - itSMF, 23. 1. 2020 5

    View Slide

  6. Regulatory Compliance
    Ladislav Prskavec - itSMF, 23. 1. 2020 6

    View Slide

  7. Ladislav Prskavec - itSMF, 23. 1. 2020 7

    View Slide

  8. Ladislav Prskavec - itSMF, 23. 1. 2020 8

    View Slide

  9. Ladislav Prskavec - itSMF, 23. 1. 2020 9

    View Slide

  10. Language is key
    Ladislav Prskavec - itSMF, 23. 1. 2020 10

    View Slide

  11. 6.2.1 Set SSH Protocol to 2 (Scored)
    Profile Applicability:
    - Level 1
    Description:
    SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the
    original protocol and was subject to security issues. SSH2 is more advanced and secure.
    Rationale:
    SSH v1 suffers from insecurities that do not affect SSH v2.
    Audit:
    To verify the correct SSH setting, run the following command and verify that the output is
    as shown:
    # grep "^Protocol" /etc/ssh/sshd_config
    Protocol 2
    Remediation:
    Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    Protocol 2
    Ladislav Prskavec - itSMF, 23. 1. 2020 11

    View Slide

  12. control 'ssh-04' do
    impact 1.0
    title 'Client: Specify protocol version 2'
    desc "Only SSH protocol version 2 connections should be permitted..."
    describe ssh_config do
    its('Protocol') { should eq('2') }
    end
    end
    4 ssh_spec.rb
    Ladislav Prskavec - itSMF, 23. 1. 2020 12

    View Slide

  13. Compliance as Code
    4 Defining Policies Upfront
    4 Automated Gates and Checks
    4 Managing Changes in Continuous Delivery
    4 Separation of Duties in the DevOps Audit Toolkit
    4 Using the Audit Defense Toolkit
    4 Code Instead of Paperwork
    Ladislav Prskavec - itSMF, 23. 1. 2020 13

    View Slide

  14. Chef Inspec framework
    www.inspec.io - 1.0 Sep 2016
    Ladislav Prskavec - itSMF, 23. 1. 2020 14

    View Slide

  15. Ladislav Prskavec - itSMF, 23. 1. 2020 15

    View Slide

  16. Define policies
    Ladislav Prskavec - itSMF, 23. 1. 2020 16

    View Slide

  17. How to start
    Ladislav Prskavec - itSMF, 23. 1. 2020 17

    View Slide

  18. DevSec Hardening Framework Baselines
    Ladislav Prskavec - itSMF, 23. 1. 2020 18

    View Slide

  19. Ladislav Prskavec - itSMF, 23. 1. 2020 19

    View Slide

  20. Ladislav Prskavec - itSMF, 23. 1. 2020 20

    View Slide

  21. Ladislav Prskavec - itSMF, 23. 1. 2020 21

    View Slide

  22. Ladislav Prskavec - itSMF, 23. 1. 2020 22

    View Slide

  23. Ladislav Prskavec - itSMF, 23. 1. 2020 23

    View Slide

  24. Ladislav Prskavec - itSMF, 23. 1. 2020 24

    View Slide

  25. Ladislav Prskavec - itSMF, 23. 1. 2020 25

    View Slide

  26. Automate audit
    Ladislav Prskavec - itSMF, 23. 1. 2020 26

    View Slide

  27. Metrics
    # HELP inspec_checks_total Number of inspec checks
    # TYPE inspec_checks_total gauge
    inspec_checks_total{profile="ssl-baseline",status="passed"} 6
    inspec_checks_total{profile="ssl-baseline",status="failed"} 0
    inspec_checks_total{profile="ssl-baseline",status="skipped"} 0
    4 prometheus_inspec_exporter by Dave Cadwallader
    Ladislav Prskavec - itSMF, 23. 1. 2020 27

    View Slide

  28. Ladislav Prskavec - itSMF, 23. 1. 2020 28

    View Slide

  29. Summary
    4 Why Compliance?
    4 Why Compliance as code?
    4 Why Automated audit?
    Ladislav Prskavec - itSMF, 23. 1. 2020 29

    View Slide

  30. Q & A
    Or ask on twitter: @abtris
    Ladislav Prskavec - itSMF, 23. 1. 2020 30

    View Slide