
Automate to Approach Zero Trust Security

Presented at Cloud Computing San Antonio, August 12, 2021.

We've heard the buzzword of "zero trust" - trust nothing, verify everything - but how close can we really get? I'll dive into how you can automate your infrastructure and applications to approach zero trust security. I'll survey some of the important tools and ecosystems to consider and demonstrate how to consolidate some of the automation with infrastructure as code, service mesh, secrets management, and secure access management tools. By the end of this session, you'll be able to identify ways to approach zero trust in your infrastructure and applications. Note: This session uses technologies like Kubernetes, AWS, Terraform, Consul, Vault, and Boundary but they are not required as prerequisites!


Rosemary Wang

August 12, 2021


Transcript

  1. Copyright © 2020 HashiCorp. August 12, 2021. Automate to Approach Zero Trust Security. Cloud Computing San Antonio | Rosemary Wang
  2. "DevOps" Wishlist: things we want when we do "DevOps"
     1. Use cloud
     2. Use software as a service (SaaS)
     3. Use new software architectures (e.g., microservices)
     4. Reduce time to value
     5. Reduce mean time to recovery
  3. ALLOW ALL INBOUND TCP
     ALLOW OUTBOUND TCP TO 10.0.0.0/16
     Security?

  4. Rosemary Wang, Developer Advocate, HashiCorp (she/her). @joatmon08 | joatmon08.github.io | mng.bz/J6D0 (Code: mtpclcosatx21)
  5. Zero Trust Security Never trust, always verify.

  6. 3 Goals For Zero Trust Security: Authentication (Who are you?), Authorization (Can you do this?), Audit (Who did what?)
  7. Identity: no unified model, hard to attest, across persons, services, and machines.

  8. Zero trust is asymptotic. It can approach zero but never reach it.
  9. Automate identity for ephemerality to achieve (almost) zero trust.

  10. (Framework diagram) Infrastructure as Code, Policy as Code, Secrets Management, Identity Management, placed along two axes: static vs. dynamic identity, and configuration vs. management.
  11. 01 Infrastructure as Code: Static Identity / Trust Nothing

  12. Person: user access model changes across clouds.

      data "azurerm_subscription" "primary" {}

      data "azuread_service_principal" "user" {
        display_name = var.user.azure
      }

      resource "azurerm_role_assignment" "editor" {
        scope                = data.azurerm_subscription.primary.id
        role_definition_name = "Contributor"
        principal_id         = data.azuread_service_principal.user.object_id
      }

      data "aws_iam_policy" "editor" {
        name = "SystemAdministrator"
      }

      resource "aws_iam_user_policy_attachment" "attach" {
        user       = var.user.aws
        policy_arn = data.aws_iam_policy.editor.arn
      }

      resource "google_project_iam_member" "project" {
        project = var.project.gcp
        role    = "roles/editor"
        member  = var.user.gcp
      }
  13. Person: ...and across platforms.

      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: editor
        namespace: dev
      rules:
        - apiGroups:
            - ""
          resources: ["*"]
          verbs:
            - get
            - list
            - watch
            - create
            - update
            - patch
            - delete
  14. Prototype pattern! Add a layer to map identity to platform.

  15. An identity abstraction layer in Terraform: one logical role maps to the matching built-in role on each cloud.

      variable "access_mappings" {
        type = object({
          owner  = object({ gcp = string, aws = string, azure = string })
          editor = object({ gcp = string, aws = string, azure = string })
          reader = object({ gcp = string, aws = string, azure = string })
        })
        default = {
          owner  = { gcp = "owner",  aws = "AdministratorAccess", azure = "Owner" }
          editor = { gcp = "editor", aws = "SystemAdministrator", azure = "Contributor" }
          reader = { gcp = "reader", aws = "ReadOnlyAccess",      azure = "Reader" }
        }
      }

      users = {
        owner  = ["operations"]
        editor = ["appdev"]
        # The slide repeats the "editor" key here, which HCL rejects as a
        # duplicate attribute; "reader" is assumed for the third group.
        reader = ["manager"]
      }
  16. Immutability for security: change or isolate the old environment, recreate a new one.
  17. Example: Secure Access Management with Infrastructure as Code

  18. What to include? Trust nothing, verify everything. Authentication: infrastructure, applications, and users. Authorization: networking, identity and access management. Audit: logging and monitoring.
  19. 02 Policy as Code: Static Identity / Verify Everything

  20. (Pipeline diagram) Infrastructure as Code, identity & access management → Static analysis (unit testing or code scanning) → Deploy → Live infrastructure → Dynamic analysis (live infrastructure scanning). Labels: shift-left security testing, vulnerability management.
  21. Tools, static analysis:
      ▪ Programming languages (testing frameworks)
      ▪ Terraform (HashiCorp Sentinel, terrascan, tfsec)
      ▪ InSpec
      ▪ Platform extensible: Open Policy Agent, KICS, Fugue
  22. Tools, dynamic analysis:
      ▪ Cloud provider identity analysis
      ▪ GCP Forseti
      ▪ AWS Inspector
      ▪ Azure Security Center (sort of)
      ▪ CloudCheckr
  23. Benchmarks Security Standards by Target ▪ https://ncp.nist.gov/repository

  24. Example: Checking policies in secure access management

  25. What to include? Trust nothing, verify everything. Authentication: password/MFA policies, machine access to services. Authorization: networking, identity and access management, libraries. Audit: hard mandatory, soft mandatory, and advisory policy types (the Sentinel enforcement levels).
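The three policy types on slide 25 are Sentinel's enforcement levels. The added example below, which is not code from the talk, from Sentinel, or from any tool on slide 21, shows them applied as a static check over a Terraform plan in the `terraform show -json` layout: a hard-mandatory rule always blocks the apply, a soft-mandatory rule blocks unless an override is recorded, and an advisory rule only warns. The plan fragment (a security group carrying the "allow all inbound TCP" rule from slide 3, an AdministratorAccess attachment, and a correctly scoped group), the policy names, and the helper functions are constructed for this example.

```python
"""Policy as code over a Terraform plan, with the three Sentinel-style
enforcement levels: hard-mandatory, soft-mandatory, advisory.

Added example, not code from the talk, from HashiCorp Sentinel or from any
tool listed on slide 21. It reads the `terraform show -json` plan layout, but
the plan here is constructed inline so the check runs offline; the policy
names and helper functions are the example's own.
"""
import json
from dataclasses import dataclass

HARD_MANDATORY = "hard-mandatory"  # always blocks apply
SOFT_MANDATORY = "soft-mandatory"  # blocks apply unless explicitly overridden
ADVISORY = "advisory"              # warns only

# Constructed plan fragment: a security group carrying the "ALLOW ALL INBOUND
# TCP" rule from slide 3, an AdministratorAccess attachment, and a clean group.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 0, "to_port": 65535, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}],
                "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                            "cidr_blocks": ["10.0.0.0/16"]}],
                "tags": None}},
    {"address": "aws_iam_user_policy_attachment.attach",
     "type": "aws_iam_user_policy_attachment",
     "values": {"user": "appdev",
                "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"address": "aws_security_group.db", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                             "cidr_blocks": ["10.0.1.0/24"]}],
                "egress": [], "tags": {"owner": "appdev"}}},
]}}})


@dataclass(frozen=True)
class Violation:
    policy: str
    level: str
    address: str
    message: str


def planned_resources(plan_json):
    """Yield every planned resource, walking the root and child modules."""
    stack = [json.loads(plan_json)["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def wildcard_cidr_ingress(res):
    """Hard-mandatory: no ingress rule may be open to the whole internet."""
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress") or []:
        if any(c in ("0.0.0.0/0", "::/0") for c in rule.get("cidr_blocks") or []):
            return Violation("wildcard_cidr_ingress", HARD_MANDATORY, res["address"],
                             "ingress %s-%s/%s open to 0.0.0.0/0"
                             % (rule["from_port"], rule["to_port"], rule["protocol"]))
    return None


ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
ATTACHMENT_TYPES = {"aws_iam_user_policy_attachment", "aws_iam_role_policy_attachment",
                    "aws_iam_group_policy_attachment"}


def admin_policy_attachment(res):
    """Soft-mandatory: AdministratorAccess needs an explicit override to ship."""
    if res["type"] in ATTACHMENT_TYPES and res["values"].get("policy_arn") in ADMIN_POLICY_ARNS:
        return Violation("admin_policy_attachment", SOFT_MANDATORY, res["address"],
                         "attaches AdministratorAccess instead of a least-privilege policy")
    return None


def untagged_resource(res):
    """Advisory: taggable resources without tags cannot be attributed in an audit."""
    if "tags" in res["values"] and not res["values"]["tags"]:
        return Violation("untagged_resource", ADVISORY, res["address"], "no tags set")
    return None


POLICIES = (wildcard_cidr_ingress, admin_policy_attachment, untagged_resource)


def evaluate(plan_json, overrides=frozenset()):
    """Return (violations, allow_apply). Hard-mandatory failures always block;
    soft-mandatory failures block unless the policy name is in `overrides`."""
    violations = []
    for res in planned_resources(plan_json):
        for policy in POLICIES:
            found = policy(res)
            if found:
                violations.append(found)
    blocking = [v for v in violations if v.level == HARD_MANDATORY
                or (v.level == SOFT_MANDATORY and v.policy not in overrides)]
    return violations, not blocking


if __name__ == "__main__":
    found, ok = evaluate(PLAN_JSON)
    for v in found:
        print("[%s] %s: %s (%s)" % (v.level, v.policy, v.message, v.address))
    print("apply allowed:", ok)
```

The override set is the soft-mandatory escape hatch: it has to be passed in explicitly (in practice, recorded by whoever approved the exception), and it never silences a hard-mandatory failure such as the internet-open ingress rule.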
  26. (Framework diagram from slide 10, repeated; Secrets Management highlighted.)
  27. 03 Secrets Management: Dynamic Identity / Trust Nothing

  28. Secrets: they're everywhere!
      ▪ Machine: SSH key or password
      ▪ API / UI endpoints: password or token
      ▪ Services: token
      ▪ Machine to API endpoints: token
      ▪ Data in transit: TLS (SSL) certificate
      ▪ Data at rest: encryption key
  29. Updating Secrets Introduces Friction

  30. Plan R for secrets: 1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace

  31. Plan R for changing secrets: 1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace (annotated: Secrets Management)
  32. Secrets Management Securely introduce and update for machines and services.

  33. Example: Managing database secrets for machines

  34. What to include? Trust nothing, verify everything. Authentication: secure introduction to the secrets manager. Authorization: least-privilege and temporal access to specific secrets. Audit: identify when a secret has been used.
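Slides 30 through 34 describe database secrets for machines as a lifecycle rather than a static credential: a workload references a role, receives a short-lived credential, renews or lets it expire, and an operator can revoke or rotate it, with every use audited. The added example below is not code from the talk and not Vault's implementation; it is an in-memory model of that lifecycle so the steps can be walked through offline. The `LeaseBroker` class, the `database/creds/<role>/...` lease-id layout (modelled on Vault's path style but not read from Vault), the role names, and the timeline in `run_timeline()` are all constructed for this example.

```python
"""Database secrets for machines as leases: issue, use, renew, expire,
revoke, rotate, and audit every touch.

Added example, not code from the talk and not Vault's implementation. It is an
in-memory model of what a secrets manager's database engine does; the
LeaseBroker class, the lease-id layout, the role names and the timeline in
run_timeline() are constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    role: str        # the role is the identity; no static username is shared
    username: str
    password: str
    issued_at: float
    ttl: int
    revoked: bool = False

    def expires_at(self):
        return self.issued_at + self.ttl


class LeaseBroker:
    """Per-caller, short-lived credentials bound to least-privilege role grants."""

    def __init__(self, roles, clock):
        self.roles = roles    # role -> grants a credential for that role carries
        self.clock = clock    # injectable time source, so expiry is testable
        self.leases = {}
        self.audit = []       # (time, actor, action, lease_id, ok)

    def _log(self, actor, action, lease_id, ok):
        self.audit.append((self.clock(), actor, action, lease_id, ok))

    def issue(self, actor, role, ttl=300):
        """Reference: the caller asks for a role, never for a fixed credential."""
        if role not in self.roles:
            self._log(actor, "issue", "-", False)
            raise PermissionError("unknown role %s" % role)
        lease = Lease("database/creds/%s/%s" % (role, secrets.token_hex(8)), role,
                      "v-%s-%s" % (role, secrets.token_hex(4)),
                      secrets.token_urlsafe(24), self.clock(), ttl)
        self.leases[lease.lease_id] = lease
        self._log(actor, "issue", lease.lease_id, True)
        return lease

    def valid(self, lease_id):
        lease = self.leases.get(lease_id)
        return lease is not None and not lease.revoked and self.clock() < lease.expires_at()

    def authenticate(self, actor, username, password):
        """Database-side check: a credential is only as good as its live lease.
        Returns the role's grants, or None; the audit log records each use."""
        for lease in self.leases.values():
            if lease.username == username and hmac.compare_digest(lease.password, password):
                ok = self.valid(lease.lease_id)
                self._log(actor, "use", lease.lease_id, ok)
                return self.roles[lease.role] if ok else None
        self._log(actor, "use", "-", False)
        return None

    def renew(self, actor, lease_id, increment=300):
        ok = self.valid(lease_id)
        if ok:  # an expired or revoked lease cannot be renewed, only reissued
            self.leases[lease_id].issued_at = self.clock()
            self.leases[lease_id].ttl = increment
        self._log(actor, "renew", lease_id, ok)
        return ok

    def revoke(self, actor, lease_id):
        """Revoke: the credential dies now, whatever its remaining TTL."""
        lease = self.leases.get(lease_id)
        ok = lease is not None and not lease.revoked
        if ok:
            lease.revoked = True
        self._log(actor, "revoke", lease_id, ok)
        return ok

    def rotate(self, actor, lease_id):
        """Rotate/replace: revoke the old lease, issue a fresh one for the same role."""
        old = self.leases[lease_id]
        self.revoke(actor, lease_id)
        return self.issue(actor, old.role, old.ttl)


def run_timeline():
    """Constructed timeline: a product-api pod gets a 60 s credential, renews it
    once, lets it expire; an operator then rotates a second pod's credential."""
    now = [1000.0]
    broker = LeaseBroker({"product-api": ["SELECT ON products"]}, clock=lambda: now[0])
    lease = broker.issue("product-api-pod-1", "product-api", ttl=60)
    grants = broker.authenticate("postgres", lease.username, lease.password)
    now[0] += 30
    renewed = broker.renew("product-api-pod-1", lease.lease_id, increment=60)  # now expires at 1090
    now[0] += 50
    still_valid = broker.valid(lease.lease_id)                                  # 1080 < 1090
    now[0] += 20
    expired_use = broker.authenticate("postgres", lease.username, lease.password)  # 1100 > 1090
    second = broker.issue("product-api-pod-2", "product-api", ttl=60)
    fresh = broker.rotate("operator", second.lease_id)       # regret: replace the credential
    failed_uses = [e for e in broker.audit if e[2] == "use" and not e[4]]
    return {"grants": grants, "renewed": renewed, "still_valid": still_valid,
            "expired_use": expired_use, "old_valid": broker.valid(second.lease_id),
            "new_valid": broker.valid(fresh.lease_id), "failed_uses": len(failed_uses),
            "same_role": fresh.role == second.role and fresh.username != second.username}
```

Two design points carry over to a real secrets manager: the clock is injected so expiry is deterministic under test, and the audit log is written on failed uses as well as successful ones, because a rejected credential after revocation is exactly the event an incident responder wants to see.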
  35. 04 Identity Management: Dynamic Identity / Configuration

  36. (Diagram) Kubernetes cluster: one node running PUBLIC-API and FRONTEND, another running PRODUCT-API (two replicas) and PRODUCT-DB, with single sign-on in front. Human identity vs. service identity.
  37. Human identity: many vendor tools
      ▪ Okta, Auth0, Active Directory, etc.
      ▪ Add an infrastructure layer: workforce identity, customer identity, secure access management
  38. Example: Secure access to a database

  39. A service's IP address is not its identity. (Neither is DNS.)
  40. Service identity maps to many types of entities:
      ▪ Containers
      ▪ Services
      ▪ Virtual machines
      ▪ Managed services
      ▪ Datacenter / other clouds
  41. Service Mesh Infrastructure layer for service identity

  42. Example: Network policy across workloads

  43. (Diagram) Automation from service to infrastructure, by layer: Layer 7, Layer 4, ..., Layer 3, Layer 2. Controls shown: service mesh (Envoy filters), container network interface (CNI) implementations (Calico (BGP), eBPF, Open vSwitch), firewall rules / security groups.
  44. What to include? Trust nothing, verify everything. Authentication: one platform for human and service identities. Authorization: multiple layers for policy control. Audit: track human logins and service-to-service communication.
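Slides 39 through 44 make two points that are easy to state and easy to get wrong in practice: a service's IP address is not its identity, and authorization should be enforced at several layers. The added example below, not code from the talk and not Consul's or Envoy's implementation, models one service-to-service call passing through those layers in order: an L3/L4 network policy keyed on CIDR, then the service identity taken from the peer certificate's URI SAN after mTLS, then an L7 intention on method and path. The SPIFFE-style SAN format, the `NETWORK_POLICY` and `INTENTIONS` tables, and the sample requests are constructed for this example.

```python
"""Layered authorization for a service-to-service call: L3/L4 network policy,
then service identity from the peer certificate, then an L7 intention.

Added example, not code from the talk and not Consul's or Envoy's
implementation. The SAN format, the policy tables and the sample requests
are constructed so the decision path can be run offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TRUST_DOMAIN = "cluster.local"

# Layer 3/4: which source CIDRs may reach which destination port
# (security group / CNI network policy). Necessary, never sufficient.
NETWORK_POLICY = {
    "product-api": {"port": 9090, "allowed_cidrs": ["10.0.1.0/24", "10.0.2.0/24"]},
    "product-db":  {"port": 5432, "allowed_cidrs": ["10.0.2.0/24"]},
}

# Mesh intentions: source *service identity* -> destination, first match wins,
# with an explicit default deny at the end. IPs do not appear here at all.
INTENTIONS = [
    {"source": "frontend", "destination": "product-api", "action": "allow",
     "http": [{"methods": ["GET"], "path_prefix": "/products"}]},
    {"source": "product-api", "destination": "product-db", "action": "allow"},
    {"source": "*", "destination": "*", "action": "deny"},
]


@dataclass(frozen=True)
class Request:
    src_ip: str
    peer_san: Optional[str]  # URI SAN from the client cert after mTLS; None = no cert
    dst: str
    method: str = ""
    path: str = ""


def service_from_san(san):
    """spiffe://<trust-domain>/ns/<ns>/sa/<service> -> service name, else None.
    A certificate from another trust domain yields no identity at all."""
    if not san or not san.startswith("spiffe://"):
        return None
    domain, _, rest = san[len("spiffe://"):].partition("/")
    parts = rest.split("/")
    if domain != TRUST_DOMAIN or len(parts) != 4 or parts[0] != "ns" or parts[2] != "sa":
        return None
    return parts[3]


def l4_allows(req):
    policy = NETWORK_POLICY.get(req.dst)
    if policy is None:
        return False
    src = ipaddress.ip_address(req.src_ip)
    return any(src in ipaddress.ip_network(cidr) for cidr in policy["allowed_cidrs"])


def matching_intention(src_service, dst):
    for intention in INTENTIONS:
        if intention["source"] in (src_service, "*") and intention["destination"] in (dst, "*"):
            return intention
    return None


def l7_allows(intention, req):
    rules = intention.get("http")
    if not rules:  # L4-only intention: a verified identity is enough
        return True
    return any(req.method in r["methods"] and req.path.startswith(r["path_prefix"]) for r in rules)


def authorize(req):
    """Return (allowed, layer, reason); the first denying layer wins."""
    if not l4_allows(req):
        return False, "L3/L4", "%s not in allowed CIDRs for %s" % (req.src_ip, req.dst)
    src = service_from_san(req.peer_san)
    if src is None:
        return False, "identity", "no valid service identity in peer certificate (IP is not identity)"
    intention = matching_intention(src, req.dst)
    if intention is None or intention["action"] != "allow":
        return False, "intention", "%s -> %s denied" % (src, req.dst)
    if not l7_allows(intention, req):
        return False, "L7", "%s may not %s %s on %s" % (src, req.method, req.path, req.dst)
    return True, "allow", ("%s -> %s %s %s" % (src, req.dst, req.method, req.path)).strip()


FRONTEND = "spiffe://cluster.local/ns/dev/sa/frontend"
PRODUCT_API = "spiffe://cluster.local/ns/dev/sa/product-api"

# Constructed sample calls, one per layer outcome.
SAMPLES = {
    "ok": Request("10.0.1.15", FRONTEND, "product-api", "GET", "/products/42"),
    "no_cert": Request("10.0.1.15", None, "product-api", "GET", "/products/42"),
    "wrong_subnet": Request("10.0.9.7", FRONTEND, "product-api", "GET", "/products"),
    "wrong_method": Request("10.0.1.15", FRONTEND, "product-api", "DELETE", "/products/42"),
    "frontend_to_db": Request("10.0.2.5", FRONTEND, "product-db"),
    "api_to_db": Request("10.0.2.5", PRODUCT_API, "product-db"),
    "foreign_domain": Request("10.0.1.15", "spiffe://evil.example/ns/dev/sa/frontend",
                              "product-api", "GET", "/products"),
}


def decide_all():
    return {name: authorize(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, layer, reason) in decide_all().items():
        print("%-15s %-5s %-9s %s" % (name, allowed, layer, reason))
```

The `no_cert` case is the slide-39 point in code: the request arrives from an address the network policy allows, and is still refused because nothing in the connection proves which service sent it. The `wrong_subnet` case is the converse, a valid identity that the lower layer stops first, which is what "multiple layers for policy control" buys you when one layer is misconfigured.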
  45. (Framework diagram from slide 10, repeated; Identity Management highlighted.)
  46. Summary
      ▪ Zero trust security is asymptotic.
      ▪ It's limited by the operational challenge of identity.
      ▪ Automate identity for ephemerality: add an identity abstraction layer, then automate the abstraction.
  47. References: joatmon08.github.io
      ▪ cloud.google.com/blog/topics/developers-practitioners/what-zero-trust-identity-security
      ▪ github.com/joatmon08/hashicorp-stack-demoapp
      ▪ github.com/joatmon08/policy-as-code/tree/main/05_zero_trust
      ▪ techfieldday.com/appearance/hashicorp-presents-at-security-field-day-5/