Compliance-Driven Infrastructure

Christoph Hartmann

November 15, 2016

Transcript

  1. COMPLIANCE-DRIVEN INFRASTRUCTURE
    the quest to make testing and security part of devops
    Christoph Hartmann
    @chri_hartmann | [email protected]

  2. @chri_hartmann
    $> whoami
    Christoph Hartmann
    • 8 years in industry
    • Deutsche Telekom and SAP
    • Co-Founded startup VulcanoSec
    • need for missing compliance solutions
    • close collaboration with auditors
    • Acquired by Chef Software
    • heading engineering for compliance
    • InSpec Creator

  3. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

  4. Source: http://content.time.com/time/covers/europe/0,16641,20020708,00.html

  7. Regulatory Compliance
    PCI-DSS, Gramm-Leach-Bliley Act, HIPAA, Dodd-Frank, ISO, Sarbanes-Oxley, HITECH, Grundschutz, European Central Bank Regulations

  8. COMPLIANCE AND SECURITY
    Compliance
    Security

  9. State of Security in 2014
    • In 60% of cases, attackers can compromise organizations within minutes.
    • 99.9% of the exploited vulnerabilities were compromised more than a year after the vulnerability was published.
    • Ten vulnerabilities account for 97% of the exploits observed.
    Source: Verizon Data Breach Report

  10. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

  11. Deployment
    Compliance
    DevOps

  12. Compliance is perceived as a blocker

  15. Language
    Compliance DevOps
    Security

  16. Scale

  17. Scale

  18. Scale

  19. QUALITY
    VELOCITY
    Innovation
    Quality/
    Security/
    Compliance
    The tradeoff myth

  20. Book: The High-Velocity Edge - Steven J. Spear
    Competitive advantage

  21. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

  22. Security meets operations
    Compliance DevOps
    Security

  23. Common Language
    Language
    Compliance DevOps
    Security

  24. InSpec turns infrastructure testing, compliance and security requirements into code

  25. Documentation
    SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

  26. Scripting tools

  27. The better way
    TESTING A REQUIREMENT

  28. Compliance Language

  29. Standalone Usage
    $ inspec exec test.rb
    $ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    $ inspec exec test.rb -t winrm://[email protected] --password super
    $ inspec exec test.rb -t docker://3cc8837bb6a8

    test.rb:
    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end
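As an added example (not InSpec's own resource code and not part of the deck), the requirement from slide 25 and the `its('Protocol') { should cmp 2 }` test above, written out in plain Ruby: a minimal sshd_config parser and a pass/fail check run over constructed configs. Stopping at the first `Match` line and treating an absent `Protocol` directive as a failure are assumptions of this example.

```ruby
# Added example: a plain-Ruby stand-in for what the InSpec sshd_config
# check on the slide evaluates. Not InSpec's resource implementation.

# Parse the global section of an sshd_config text into a Hash.
# OpenSSH keywords are case-insensitive, so keys are downcased.
# sshd_config only has whole-line comments, so a leading '#' is the
# only comment form handled. Directives after the first "Match" line
# are conditional and ignored (assumption: the audit covers the
# global scope only).
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    break if key.casecmp?('match')
    settings[key.downcase] = value
  end
  settings
end

# The requirement "use SSHv2 instead" as a yes/no check.
# OpenSSH accepts "2", "1", "2,1" or "1,2" here; only an explicit "2"
# passes, because "2,1" still offers SSHv1 to clients. An absent
# directive fails as well (assumption: do not trust the build default).
def ssh_protocol_v2_only?(config_text)
  parse_sshd_config(config_text)['protocol'] == '2'
end

# Constructed sample configs, not taken from any real host.
COMPLIANT_CONF = "# hardened host\nPort 22\nProtocol 2\nPermitRootLogin no\n"
LEGACY_CONF    = "Port 22\nprotocol 2,1\nPermitRootLogin yes\n"
UNSET_CONF     = "Port 22\nMatch User backup\n  PasswordAuthentication no\n"

if __FILE__ == $PROGRAM_NAME
  { compliant: COMPLIANT_CONF, legacy: LEGACY_CONF, unset: UNSET_CONF }.each do |name, conf|
    puts "#{name}: #{ssh_protocol_v2_only?(conf) ? 'pass' : 'fail'}"
  end
end
```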

  30. Supported Operating Systems

  31. Built-in resources
    apache, apache_conf, apt, audit_policy, auditd_conf, auditd_rules, bash, bond, bridge,
    bsd_service, command, csv, directory, etc_group, file, gem, group, groups, grub_conf, host,
    iis_site, inetd_conf, ini, interface, iptables, json, kernel_module, kernel_parameter,
    launchd_service, limits_conf, login_defs, mount, mssql_session, mysql, mysql_conf,
    mysql_session, npm, ntp_conf, oneget, os, os_env, package, parse_config, parse_config_file,
    passwd, pip, port, postgres, postgres_conf, postgres_session, powershell, ppa, processes,
    registry_key, runit_service, script, security_policy, service, shadow, ssh_config,
    sshd_config, ssl, sys_info, systemd_service, sysv_service, upstart_service, user, users, vbscript,
    windows_feature, wmi, xinetd_conf, yaml, yum

  32. Works with all DevOps tools e.g.

  33. Silo Breaking
    • Build foundation for communication
    • Share knowledge and code
    • Codify agreements after audits

  34. Mapping of Compliance Document to InSpec

  35. Make Adjustments
    My CIS L1 (inspec overlay)
    CIS Lvl1 (xml base profile)

  36. Optimize for specific environments
    Dev / Production / Test
    My CIS L1 (inspec overlay)
    CIS Lvl1 (xml base profile)

  37. InSpec Profiles
    • Windows Patch Profile
    • OS Hardening Profile
    • SSH Hardening Profile
    • Linux Patch Profile
    github.com/dev-sec
    github.com/chris-rock/acme-inspec-profile

  39. InSpec Profiles

  40. Continuous Compliance
    Compliance
    DevOps

  41. Continuous Compliance

  42. Continuous Compliance
    • Scan for Compliance
    • Build & Test Locally
    • Build & Test CI/CD
    • Remediate
    • Verify

  43. Continuous Compliance
    DevOps Compliance Security

  44. The changing role of the compliance officer

  45. Continuous Compliance

  46. Why do we need compliance?
    Is compliance preventing innovation?
    Compliance-Driven Infrastructure

  47. Further Resources
    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples
    learn.chef.io
    • More tutorials about Compliance and InSpec

  48. Further Resources
    Save Your Crash Dummies!
    A Test-driven Infrastructure Solution
    http://bit.ly/crash_dummies
    dev-sec.io
    github.com/dev-sec/tests-os-hardening
    github.com/dev-sec/tests-ssh-hardening
    github.com/dev-sec/windows-patch-benchmark
    github.com/dev-sec/linux-patch-benchmark

  49. @chri_hartmann
    Christoph Hartmann
    Join
    [email protected]

  50. Chef vs InSpec
