
Aptible Update Webinar Series - April 2017

Aptible
April 18, 2017

The Aptible Update Webinar Series is a quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products.

We hosted our third Update Webinar on April 18, 2017. In it, we covered:

- Security and compliance improvements to Enclave, such as Endpoint IP Address Filtering and U2F Security Key Authentication
- More control over Enclave database containers, including self-service reload and (soon) resizing operations
- Improvements to existing Enclave features, such as easier logging setup, automated cleanup of orphaned SSH sessions, and faster/configurable health check timeouts
- An update on the Gridiron AWS private beta

Recap: https://www.aptible.com/blog/recap-aptible-april-2017-quarterly-product-update/

Recording & Transcript: https://www.aptible.com/resources/update-webinar-april-2017/


Transcript

  1. Aptible Update Webinar
     April 2017

  2. Agenda
     • Enclave features and updates
     • Gridiron updates and availability
     • Open Q&A

  3. Logistics
     • Use Zoom Q&A for questions
     • Recording will be posted at www.aptible.com/resources

  4. What's new on Enclave?
     April 18, 2017

  5. Before we start...
     The Enclave team is looking for feedback! We'd like to schedule 30-minute customer interviews to talk through how you're using Enclave, and discuss how we can make it better.
     If you're interested, please send a direct message to Frank.

  6. Overview
     Our vision is unchanged: we want Enclave to be the best place to deploy regulated and sensitive projects.
     To that end, this quarter we invested in:
     • Security and Compliance
     • Database Self-Service
     • Usability Improvements

  7. > Security and Compliance <
     Database Self-Service
     Usability Improvements

  8. Security and Compliance
     3 main directions here:
     • We're making it easier for you to secure your apps.
     • We're helping you meet your compliance goals.
     • We're improving the security of Enclave itself.

  9. App Security
     3 new features make it easier to secure your apps on Enclave:
     • IP Filtering
     • Managed HTTPS for Internal Endpoints
     • Docker Image Security Scanning (Private Beta)

  10. App Security
      IP Filtering

  11. IP Filtering
      IP Filtering lets you firewall app Endpoints; i.e. restrict traffic to a set of allowed IP sources.
      Typical use cases include:
      • Internal apps (e.g. Kibana, admin dashboards).
      • Private External APIs (e.g. restricted to a set of high-value customers).
      • Pre-release apps.

  12. [image slide]
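The allow-list behaviour slide 11 describes, worked through as an added example that is not Enclave's implementation: operator-supplied CIDRs and addresses are parsed strictly, the decision is default-deny, and the address tested is the connection's peer address rather than a client-supplied header. The networks and connection records below are constructed from the documentation address ranges.

```python
"""Source-IP allow-list for an app Endpoint (added example; not Enclave's
implementation). All networks and connection records are constructed, using
the RFC 5737 / RFC 3849 documentation ranges."""
import ipaddress
from typing import Iterable, List, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Turn operator-supplied strings into networks. A bare address becomes a
    /32 or /128. strict=True rejects entries with host bits set, such as
    10.0.0.5/24, instead of quietly widening them to 10.0.0.0/24."""
    networks: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def is_valid_allow_list(entries: Iterable[str]) -> bool:
    """True when every entry parses under the strict rules above."""
    try:
        parse_allow_list(entries)
        return True
    except ValueError:
        return False


def is_allowed(client_ip: str, allow_list: Sequence[Network]) -> bool:
    """Default-deny check. client_ip must be the peer address of the TCP
    connection as the Endpoint sees it, never a value copied from a header
    such as X-Forwarded-For, which the client itself can set."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable input is denied, not accidentally allowed
    # Comparing an IPv4 address against an IPv6 network (or vice versa) is False.
    return any(addr in net for net in allow_list)


# Constructed allow-list: an office range, one partner host, and a v6 range.
ALLOW_LIST = parse_allow_list(["203.0.113.0/24", "198.51.100.7", "2001:db8::/32"])

# Constructed connection records (peer address, request path) as an Endpoint would log them.
SAMPLE_CONNECTIONS: List[Tuple[str, str]] = [
    ("203.0.113.45", "/kibana"),
    ("198.51.100.7", "/api/v1/report"),
    ("198.51.100.8", "/api/v1/report"),
    ("2001:db8:1::beef", "/admin"),
    ("2001:db9::1", "/admin"),
    ("not-an-ip", "/admin"),
]


def filter_connections(connections: Sequence[Tuple[str, str]], allow_list: Sequence[Network]):
    """Split connections into (allowed, denied). The denied list is what you
    would review for misconfigured allow-lists or unexpected callers."""
    allowed: List[Tuple[str, str]] = []
    denied: List[Tuple[str, str]] = []
    for peer, path in connections:
        (allowed if is_allowed(peer, allow_list) else denied).append((peer, path))
    return allowed, denied


if __name__ == "__main__":
    ok, blocked = filter_connections(SAMPLE_CONNECTIONS, ALLOW_LIST)
    for peer, path in blocked:
        print(f"denied {peer} -> {path}")
```

Run it directly to see the three denied records; the partner entry shows why a bare address should be treated as a single host, not silently expanded.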
  13. App Security
      Managed HTTPS for Internal Endpoints

  14. Internal Endpoints
      Internal Endpoints are great for isolating apps that should only be accessed from within your dedicated Aptible VPC.
      Typical use cases include:
      • Microservices consumed by other apps deployed on Aptible.
      • Internal apps / dashboards (e.g. Kibana), if you have a VPN connection set up to tunnel into your Aptible VPC.

  15. Managed HTTPS
      Managed HTTPS makes it easier to create Endpoints on Aptible by provisioning and renewing SSL / TLS certificates on your behalf.
      Using Managed HTTPS, all you need to deploy your app with HTTPS support on Aptible is a domain name.
      Under the hood, Managed HTTPS relies on Let's Encrypt.

  16. Managed HTTPS
      To provision a certificate with Let's Encrypt, Enclave needs to verify control of said domain first.
      Let's Encrypt offers multiple options to do so:
      • HTTP: Let's Encrypt needs to make an HTTP request to the Endpoint.
      • DNS: Let's Encrypt needs to read a TXT record via DNS.
      • TLS-SNI: Let's Encrypt needs to complete a TLS handshake with the Endpoint.

  17. Managed HTTPS for Internal Endpoints
      Enclave historically used HTTP verification, but that method does not work for Internal Endpoints: Let's Encrypt can't connect to them! So, Enclave now uses DNS verification as well.

      Verification Method   External Endpoints   Internal Endpoints
      HTTP                  Supported            Not Supported
      DNS (new!)            Supported            Supported!
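The two verification methods in slides 16 and 17, worked through as an added example that is not Enclave's or Let's Encrypt's code, following RFC 8555 (ACME) and RFC 7638 (JWK thumbprint). Both challenges derive from the same key authorization, but HTTP-01 requires the CA to fetch it from the Endpoint over port 80, while DNS-01 publishes a hash of it in a TXT record that the CA reads from DNS; that is why DNS-01 works for an Internal Endpoint the CA cannot reach. The account key and token are constructed placeholders.

```python
"""ACME challenge material for HTTP-01 and DNS-01 (RFC 8555) using the JWK
thumbprint of RFC 7638. Added example; not Enclave's or Let's Encrypt's code.
The account key and token below are constructed placeholders, not real values."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed account key. Only the public members matter for the thumbprint;
# this modulus is a placeholder string, not a usable RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKEN = "constructed-token-Ab12_cd34"  # in practice the CA issues this per challenge


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over a JSON object holding only the key type's required
    public members, in lexicographic order, with no whitespace. Extra members
    such as 'alg' or 'kid' are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    try:
        members = required[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported or missing key type") from None
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """token || '.' || thumbprint: binds the challenge to this account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """HTTP-01: the CA fetches this path over plain HTTP and expects the key
    authorization as the body, so the Endpoint must be reachable from the CA."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """DNS-01: the TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(key authorization)). The CA only talks to DNS."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison; non-ASCII input can never match an ACME value."""
    try:
        return hmac.compare_digest(a, b)
    except TypeError:
        return False


def verify_http01(body: str, token: str, jwk: Dict[str, str]) -> bool:
    """What the CA checks after fetching the challenge URL."""
    return _equal(body, key_authorization(token, jwk))


def verify_dns01(observed_txt: str, token: str, jwk: Dict[str, str]) -> bool:
    """What the CA checks after resolving the _acme-challenge TXT record."""
    return _equal(observed_txt, dns01_txt_value(token, jwk))


if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("HTTP-01 serve at", path, "body", body)
    print("DNS-01 TXT value", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Note that the TXT value is a hash, so publishing it in DNS does not reveal the key authorization itself, and a record set up for one account key will not validate a challenge for another.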
  18. App Security
      IP Filtering vs. Internal Endpoints

  19. IP Filtering vs. Internal Endpoints

                        IP Filtering (new!)                     Internal Endpoints
      Accessible from   A set of IPs you allow                  All clients in your Aptible VPC
      Managed HTTPS     Supported                               Supported (new!)
      Recommended for   Private External APIs, Internal tools   Microservices, Internal tools (if VPN)

  20. App Security
      Docker Image Security Scanning

  21. Docker Image Security Scanning
      We're running a private beta of Docker Image Security Scanning.
      This is an integration of Appcanary (appcanary.com) with Aptible. It can help you meet compliance requirements for security scanning.

  22. Docker Image Security Scanning
      Here's how this works:
      • You sign up for Appcanary
      • You provide your Appcanary API key, and apps to monitor
      • We notify Appcanary whenever you deploy
      • Appcanary notifies you of security vulnerabilities

  23. Docker Image Security Scanning
      This security scanning is for system packages installed in your Docker image. It supports images based on:
      • Ubuntu
      • Debian
      • CentOS
      To request access to the private beta, contact Aptible support, or send a message to Frank if you're watching this live.

  24. Compliance

  25. Compliance
      We introduced 2 changes to make it easier for you to meet compliance requirements:
      • ALB Endpoints now let you customize their HTTPS protocol list
      • Databases now use AES-256 encryption by default

  26. Compliance
      Customizable HTTPS Protocols on ALB Endpoints

  27. Customizable HTTPS Protocols on ALB Endpoints
      ALB Endpoints default to accepting traffic on TLSv1.0, TLSv1.1, and TLSv1.2.
      Unlike SSLv3 (TLSv1.0's predecessor), these protocols are all secure, but your auditors may restrict you to a subset of them: often TLSv1.1 or greater [1].
      You can now easily meet their requirements using the SSL_PROTOCOLS_OVERRIDE variable (note: this variable was already supported on legacy ELB Endpoints).

      [1] A number of implementations of TLSv1.0 are vulnerable to e.g. POODLE (unlike SSLv3, where the protocol itself is vulnerable), so while the protocol itself isn't vulnerable, it's a good idea to disable it if you don't need it.

  28. Using SSL_PROTOCOLS_OVERRIDE

      $ curl --tlsv1.0 https://high-compliance.example.com
      Hello from high-compliance!
      $ aptible config:set "SSL_PROTOCOLS_OVERRIDE=TLSv1.1 TLSv1.2"
      INFO -- : App configure successful.
      $ curl --tlsv1.0 https://high-compliance.example.com
      curl: (35) Server aborted the SSL handshake
      $ curl --tlsv1.1 https://high-compliance.example.com
      Hello from high-compliance!
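An added example, not Aptible's or the ALB's code, of what a protocol allow-list in the SSL_PROTOCOLS_OVERRIDE format amounts to on a TLS server: the space-separated list is mapped to a minimum/maximum version pair on an ssl.SSLContext, unknown names (including SSLv3) and non-contiguous selections are rejected, and a small predicate mirrors the curl checks on slide 28. The certificate and key paths passed to build_server_context are assumptions.

```python
"""Translate a TLS protocol allow-list written the way the slide spells
SSL_PROTOCOLS_OVERRIDE ("TLSv1.1 TLSv1.2") into server-side version bounds.
Added example; not Aptible's or the load balancer's implementation."""
import ssl
from typing import Tuple

# Names as the slide's variable spells them, in version order.
PROTOCOLS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
_ORDER = list(PROTOCOLS)  # insertion order doubles as version order


def protocol_bounds(protocol_list: str) -> Tuple[ssl.TLSVersion, ssl.TLSVersion]:
    """Parse e.g. "TLSv1.1 TLSv1.2" into (minimum, maximum).

    Rejects an empty list, unknown names (SSLv3 is deliberately not in the
    table, so it can never be re-enabled by this path) and selections with a
    hole in them, because a min/max pair cannot express "1.0 and 1.2 but not 1.1".
    """
    names = protocol_list.split()
    if not names:
        raise ValueError("empty protocol list would leave nothing to negotiate")
    unknown = sorted(set(names) - set(PROTOCOLS))
    if unknown:
        raise ValueError(f"unsupported protocol name(s): {unknown}")
    positions = sorted({_ORDER.index(n) for n in names})
    if positions != list(range(positions[0], positions[-1] + 1)):
        raise ValueError("protocol list must be contiguous")
    return PROTOCOLS[_ORDER[positions[0]]], PROTOCOLS[_ORDER[positions[-1]]]


def is_valid_protocol_list(protocol_list: str) -> bool:
    """True when the list would be accepted by protocol_bounds()."""
    try:
        protocol_bounds(protocol_list)
        return True
    except ValueError:
        return False


def accepts(protocol_list: str, offered: str) -> bool:
    """Predict whether a client that only offers `offered` completes the
    handshake, which is what the curl runs on the slide test end to end."""
    lo, hi = protocol_bounds(protocol_list)
    return lo <= PROTOCOLS[offered] <= hi


def build_server_context(protocol_list: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server context enforcing the list. certfile/keyfile are assumed paths."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version, ctx.maximum_version = protocol_bounds(protocol_list)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    for version in ("TLSv1.0", "TLSv1.1", "TLSv1.2"):
        outcome = "accepted" if accepts("TLSv1.1 TLSv1.2", version) else "handshake refused"
        print(f"{version}: {outcome}")
```

The contiguity check is the practitioner caveat: a list that skips a version looks valid as a string but cannot be honoured by a server that configures a minimum and maximum, so it is better to reject it at configuration time than to discover the gap in an audit.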
  29. Compliance
      AES-256 Database Disk Encryption

  30. AES-256 disk encryption for databases
      New Databases on Aptible now use AES-256 for disk encryption (it used to be AES-192).
      There is no security concern surrounding AES-192, but if you have a compliance requirement to use AES-256, Enclave has your back!

  31. Existing databases
      Older databases are not upgraded: that would require re-encrypting all data and cause significant downtime. You can dump and restore to upgrade.
      You can find out which encryption algorithm is used by a database through the Dashboard.

  32. [image slide]

  33. Enclave Security

  34. Enclave Security
      2 directions to improve the security of Enclave itself:
      • U2F Authentication
      • Internal Architectural Changes

  35. Enclave Security
      U2F Authentication

  36. U2F Authentication
      You can now use FIDO U2F Security Keys as a second factor to log in to your Aptible account!
      U2F Security Keys take the form of a USB key; they...
      • ...are more convenient than token-based 2FA
      • ...protect you against phishing
      We're using them to protect the accounts of Aptible team members, but they're also available to you!

  37. U2F Authentication
      To get started with U2F authentication, you'll need to:
      • Procure a U2F Security Key from a trusted vendor [2]
      • Use a browser that supports U2F Security Keys (Chrome)
      • Navigate to your account settings in the Dashboard
      • Follow the instructions

      [2] The Aptible team uses Yubikeys, but any key conforming to the FIDO U2F specification is usable with Aptible.

  38. Enclave Security
      Internal Architectural Changes

  39. Internal Architectural Changes
      We're continuously working to improve the security of Enclave. This quarter, we focused on locking down access to AWS APIs:
      • We're now using short-term, per-operation AWS credentials [3] for ~85% of AWS API calls made by Enclave.
      • Long-term credentials used by remaining API calls have very narrow permissions.

      [3] These credentials are valid for 3 hours, and provide a strong audit trail: AWS API calls made by Enclave can be traced back to the specific operation that required them.

  40. Credential Comparison (examples)

      Long-Term Credentials
      • Write-only S3 access for telemetry and logs
      • Configure specific internal DNS records

      Short-Term Credentials
      • Full S3 access to a per-customer bucket for Docker images
      • Provision, attach, detach, backup, modify, delete database volumes
      • Provision, configure, and delete load balancers
      • Configure customer app and database DNS records
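Slides 39 and 40 describe two patterns: long-term credentials with narrow permissions, and short-lived per-operation credentials that leave an audit trail. This added example is constructed to mirror that description and is not Aptible's code: a write-only S3 policy for the telemetry case beside an over-broad one, a checker that flags the difference, a session policy for the per-customer bucket case, and the parameters one would pass to STS AssumeRole for a 3-hour session named after the operation. Role ARNs, account id, bucket names and the operation-id format are placeholders.

```python
"""Least-privilege patterns from the slide: a narrow policy for a long-term
credential, and short-lived per-operation credentials via STS AssumeRole.
Added example, constructed to mirror the slide; not Aptible's code. ARNs and
bucket names are placeholders."""
import json
import re
from typing import Any, Dict, List

SESSION_DURATION_SECONDS = 3 * 60 * 60  # the slide says these credentials live 3 hours

# Long-term credential: write-only telemetry/log shipping. No Get/List, so a
# leaked key cannot read back anything already stored.
WRITE_ONLY_TELEMETRY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::telemetry-bucket-placeholder/*",
    }],
}

# Over-broad counterpart, constructed for contrast.
BROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value: Any) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements broader than 'very narrow permissions' warrants."""
    findings: List[str] = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(st.get("Resource")):
            findings.append(f"statement {i}: wildcard resource")
    return findings


def per_customer_bucket_policy(bucket: str) -> Dict[str, Any]:
    """Session policy for the 'full S3 access to a per-customer bucket' case:
    full object access, but only inside that one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


def assume_role_request(role_arn: str, operation_id: str, session_policy: Dict[str, Any]) -> Dict[str, Any]:
    """Keyword arguments for boto3's sts.assume_role().

    RoleSessionName carries the operation id, so CloudTrail's userIdentity.arn
    (assumed-role/<role>/<session>) points back at the operation that used the
    credentials. The inline session Policy can only narrow the role's own
    permissions, never widen them. A DurationSeconds above one hour requires
    the role's MaxSessionDuration to be raised to at least that value.
    """
    # Session names allow only [\w+=,.@-] and at most 64 characters.
    session_name = re.sub(r"[^\w+=,.@-]", "-", f"enclave-op-{operation_id}")[:64]
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "Policy": json.dumps(session_policy, separators=(",", ":")),
        "DurationSeconds": SESSION_DURATION_SECONDS,
    }


if __name__ == "__main__":
    print("write-only policy findings:", policy_findings(WRITE_ONLY_TELEMETRY_POLICY))
    print("broad policy findings:", policy_findings(BROAD_POLICY))
    req = assume_role_request("arn:aws:iam::123456789012:role/example-role", "op 42",
                              per_customer_bucket_policy("customer-bucket-placeholder"))
    print(json.dumps(req, indent=2))
```

The returned dictionary is what you would unpack into sts.assume_role(**req); the example stops short of the network call so it runs offline, and the checker is the kind of test you would run over every long-lived policy in a repository rather than over a single hand-picked one.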
  41. Security and Compliance
      Q&A

  42. Security and Compliance
      > Database Self-Service
      Usability Improvements

  43. Database Self-Service
      Feature-wise, we focused our efforts this quarter towards enabling self-service modifications for databases.
      We're getting very close:
      • The Aptible CLI now supports aptible db:reload.
      • Disk resizes are now predictably fast.
      • Self-service database scaling is coming very soon.

  44. Database Self-Service
      aptible db:reload

  45. aptible db:reload
      You can now reload your database on-demand. This restarts your database container in-place.
      Use cases:
      • Apply changes that require a restart (e.g. after using ALTER SYSTEM SET with Postgres).
      • Restart a database that appears to be misbehaving.
      This operation is fast: expect ~10 seconds of downtime.

  46. Database Self-Service
      Faster disk resizes

  47. Faster disk resizes
      Until recently, resizing your database's disk meant snapshotting the underlying EBS volume, then recreating it. This implied:
      • Occasionally long and often unpredictable downtime: it could take hours to resize a very large disk, during which the database must be offline.
      • A negative performance impact: after a snapshot restore, EBS volumes are temporarily slower.

  48. Faster disk resizes
      Fortunately, AWS now lets us resize EBS volumes without recreating them, and we updated Enclave accordingly.
      • Resizing consistently takes a few seconds.
      • Resizing no longer impacts the performance of the volume.

  49. [image slide]

  50. [image slide]

  51. Database Self-Service
      Coming soon

  52. Coming soon: self-service database scaling
      Probably one of the longest standing feature requests for Enclave (currently, these requests must go through support).
      It's almost here. You'll soon be able to:
      • Resize your database disks (and as mentioned: this will be fast)
      • Resize your database containers (i.e. memory footprint)

  53. Database Self-Service
      Q&A

  54. Security and Compliance
      Database Self-Service
      > Usability Improvements <

  55. Usability Improvements
      A diverse set of small improvements to make your life using Enclave better:
      • SSH sessions now terminate quickly if you get disconnected.
      • Memory Management no longer requires cooperative apps.
      • Log Drains now offer first-class support for Sumo Logic and Logentries.

  56. SSH Sessions terminate quickly
      If your SSH client gets disconnected (e.g. you changed networks, or lost internet connectivity), your Aptible SSH sessions now terminate within 2 minutes [4].
      This ensures you're never left with runaway SSH sessions you don't have access to!

      [4] This hasn't shipped just yet as of this webinar; it will be live this week.

  57. Memory Management no longer requires cooperative apps
      When we introduced Memory Management [5] (6 months ago!), it restarted Docker containers in-place.
      Some apps were incompatible with it: they would fail to restart because they e.g. left a stale PID file behind!
      Memory Management now restarts your app in a pristine container, so all apps are now compatible.

      [5] Memory Management automatically restarts your apps when they exceed their memory limits; this ensures your apps don't go down due to e.g. a memory leak.

  58. First-class support for Sumo Logic and Logentries
      Enclave Log Drains now support Sumo Logic and Logentries with minimal set up required: just copy paste a few values!
      Both these providers sign BAAs. If your logs contain PHI, they are a good alternative to a self-hosted ELK stack on Aptible.

  59. Usability Improvements
      Q&A

  60. Gridiron Update
      April 2017

  61. What is Gridiron?
      Gridiron is a suite of tools to help software engineers build and maintain industrial-strength security management programs.

  62. Why Use Gridiron?
      • Makes the administrative side of protecting data easy
      • Helps prep for regulatory audits
      • Helps prep for customer security reviews
      Quickbooks helps with accounting, Gridiron helps with security management

  63. [image slide]

  64. [image slide]

  65. Gridiron Implementation
      • Aptible-guided setup process with hands-on support and training
      • Decide on baseline set of controls
      • Generate all reporting and documentation

  66. [image slide]

  67. [image slide]

  68. [image slide]

  69. [image slide]

  70. [image slide]

  71. [image slide]

  72. [image slide]

  73. How is This Better?
      • Focused on software developers
      • It's fast. We ask smart questions to get results fast. Onboarding complete in < 10 hours.
      • It's easy. Gridiron speaks your language. No obscure questionnaires.

  74. New This Quarter
      • Infrastructure & SaaS Services
      • HIPAA Security Rule Report
      • Security Reviews Tool
      • Incident Response Training

  75. Pricing
      Gridiron Baseline - First Protocol
      • $2,499/month paid annually
      • Additional protocols starting at $499/protocol/mo
      • Additional training starting at $49/certification/year

  76. AWS Private Beta Program
      • Customers deployed directly on AWS
      • Pricing: early access + 50% permanent discount
      Interested in a demo or learning more? Contact Shah Kader: shah@aptible.com

  77. Gridiron
      Q&A

  78. Wrap up
      • Recording will be posted at www.aptible.com/resources
      • Next webinar: July 25, 11am PDT/2pm EDT