DevOpsDays SV - Security the Heart of Automated Infrastructure

jamfish
November 07, 2015

Transcript

  1. Me: Jamesha Fisher
    ✴ twitter: @jamfish728
    ✴ DevOps Security Pirate (or Viking, in this case)
    ✴ Work at CloudPassage
    ✴ Security + Tech + Collaboration = Beautiful Product
    ✴ Here to Discuss
    ✴ Why DevOps is Security
    ✴ Showing that through Securing Chef/Puppet
  2. Security is in the Public Eye More than Ever
    - Brand Name Vulnerabilities
    - Breaches of Various Industries
    - Digital Fraud and Crimes
  3. Confidentiality, Availability, Integrity
    - “For any information system to serve its purpose, the information must be available when it is needed.”
    - “Confidentiality is the requirement that private or confidential information not be disclosed to unauthorized individuals.”
    - “That a system and its data are not manipulated for unauthorized functionality or alteration.”
    - Fast
    - Ensure Uptime
    - Controlled, but not Silo’ed
    - Collaborative
    - Repeatable & Standardized
    - Auditable/Processed
  4. - How many nodes do you have (or plan to have)?
    - Are you cloud or bare metal?
    - What do you plan to do with the services?
    - How quickly do we need to recover?
  5. - How do we configure servers?
    - How do we ensure standards/security?
  6. - How do we want to structure our services?
    - How are we going to deploy?
    - How are users going to access?
  7. Prep and Practice Firefighting: Availability
    ๏ Build Host and Set Up Server(s)
    ๏ Ensure minimum authorized users can log in
    ๏ Test Basic Operations/Worst Cases
  8. Prep and Practice Firefighting: Integrity
    ๏ Check SVA and CSM for Consistency
    ๏ Verify that Firewall Rules work
    ๏ Make sure SSL is Valid and Set Up
  9. Prep and Practice Firefighting: Confidentiality
    ๏ Create Organizational/Non-Org Setup
    ๏ Create Users and Role-Based Access
    ๏ Test Authentication and Basic Operations
  10. Things to Keep in Mind (Chef Folks….)
    • Chef Cookbooks are your friends
    • chef-client and omnibus_updater
    • New Installs
    • It’s going to take some time and adjustment
    • Migration
    • Download and move from old Chef Server
    • Move Everything First, then Separate if Env->Org Migration
  11. Confidentiality, Availability, Integrity
    - Plan for Recovery
    - Test Setup and Basic Operations (at Least)
    - Plan for the repeatable and enforceable
    - Check for Security….always!
    - Plan out User Organization
    - Including Users, Roles
    - Test for Operability
  12. Sources
    - Images
    - “Fleet Street Newspaper Wallpaper”, 2012, Muriva.
    - CIA Triad, 2012, The EMail Admin, http://www.theemailadmin.com/wp-content/uploads/2012/11/CIA.png
    - Others are Stock Images purchased from 123f.com
    - Paper Sources
    - NIST Special Publication 800-33, csrc.nist.gov
    - Information security. (2015, March 19). In Wikipedia, The Free Encyclopedia. Retrieved 21:52, March 27, 2015, from http://en.wikipedia.org/w/index.php?title=Information_security&oldid=652104012
    - All about Enterprise Chef, http://docs.chef.io/enterprise/
    - CloudPassage. http://www.cloudpassage.com