
Puppet as security tooling - presented at PuppetConf 2016

Bill Weiss
October 21, 2016


If you're already running Puppet, why not get the most out of it? This outlines some easy security and compliance wins for your environment.


Transcript

  1. Puppet as Security Tooling. Agenda: Housekeeping; Definitions; Building security in; Controlling access; Show that you did the thing; Patch management; Compromises happen.
  2. Almost all of you know some of this, but I bet most won’t be doing all of it.
  3. Get security + compliance involved early. Call your security friends and have them tell you what they need. Invite compliance to the party as well. Input early >> input at the end.
  4. Build a baseline. I’m not saying you have to use this module, but they’ve put a bunch of thought into it.
  5. NSA STIG with SIMP. I know, that’s a lot of acronym. NSA: National Security Agency. STIG: Security Technical Implementation Guide. SIMP: System Integrity Management Platform. (White paper: Continuous STIG Enforcement with Puppet Enterprise & the NSA Modules)
  6. NSA STIG with SIMP. Covers NIST 800-53 and DISA STIG. Optionally enforces FIPS 140-2 mode.
  7. “Here are the machines in PCI scope.” And here’s how you know that’s the total list.
  8. Get fast at triaging and rolling out. ID machines that are behind, get them up to date.
  9. The closer prod and test are, the faster you can move. You still want to test those patches, I assure you.
  10. Assessing impact. If only you had a way to detect changes across machines…
  11. Burn it all down and start over. I take your persistence measure and raise it scorched earth.
  12. Recap. 1. Build more robust systems from the beginning. 2. Maintain tighter access controls. 3. Keep compliance happy by being able to show your work. 4. Keep on top of your patches. 5. Gain visibility into your running system. 6. Be able to rebuild quickly without breaking things.
  13. I can’t drop the mic, but I’ll close my Hello Kitty phone. Thank you.
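The “total list” point in slide 7 is a reconciliation: what Puppet (through PuppetDB) reports as PCI-scoped versus what the compliance team has on file, with stale nodes called out separately because old data cannot vouch for anything. This is an added example, not code from the deck or from Puppet; it assumes a boolean external fact named `pci_scope` on each node, a PuppetDB v4 `inventory` query result, and the constructed sample data embedded below.

```python
"""Reconcile Puppet's view of PCI-scope hosts against the compliance team's list.

Added example, not from the deck. Assumes each node sets a boolean external
fact `pci_scope` (for example a Puppet-managed /etc/facter/facts.d/pci.yaml) and
that the inventory came from PuppetDB's v4 query endpoint. Data is constructed.
"""
from datetime import datetime, timedelta, timezone

# PQL for /pdb/query/v4: fetch every node's facts and filter locally, so a node
# that never set the fact is still visible to the reconciliation (assumed query).
PQL_INVENTORY = "inventory {}"

# Constructed sample of what PuppetDB returns for the query above.
SAMPLE_INVENTORY = [
    {"certname": "pos-db01.example.test", "timestamp": "2016-10-21T10:00:00.000Z",
     "facts": {"pci_scope": True, "role": "database"}},
    {"certname": "pos-web01.example.test", "timestamp": "2016-10-21T10:05:00.000Z",
     "facts": {"pci_scope": True, "role": "web"}},
    {"certname": "wiki01.example.test", "timestamp": "2016-10-21T09:55:00.000Z",
     "facts": {"pci_scope": False, "role": "wiki"}},
    {"certname": "pos-web02.example.test", "timestamp": "2016-09-01T08:00:00.000Z",
     "facts": {"pci_scope": True, "role": "web"}},  # has not checked in for weeks
]

# Constructed: the hosts the compliance team believes are in scope.
DECLARED_PCI = {"pos-db01.example.test", "pos-web01.example.test", "pos-web03.example.test"}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def reconcile(inventory, declared, now_iso, max_age=timedelta(hours=2)):
    """Bucket certnames so each discrepancy has an owner and a next action."""
    now = _parse_ts(now_iso)
    flagged = {n["certname"] for n in inventory if n["facts"].get("pci_scope") is True}
    stale = {n["certname"] for n in inventory if now - _parse_ts(n["timestamp"]) > max_age}
    return {
        "confirmed": sorted((flagged & declared) - stale),  # both agree, data is fresh
        "undeclared": sorted(flagged - declared),           # Puppet says PCI, list does not
        "missing": sorted(declared - flagged),              # on the list, never seen flagged
        "stale": sorted(flagged & stale),                   # flagged, but too old to vouch for
    }


if __name__ == "__main__":
    for bucket, hosts in reconcile(SAMPLE_INVENTORY, DECLARED_PCI, "2016-10-21T11:00:00.000Z").items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

A node controls its own external facts, so a certificate extension (trusted fact) is the stronger scope signal for slide 12’s “tighter access controls”; the reconciliation is the same either way.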