Automate to Approach Zero Trust Security

Transcript

1. Copyright © 2020 HashiCorp August 12, 2021 Automate to Approach

   Zero Trust Security Cloud Computing San Antonio | Rosemary Wang

2. “DevOps” Wishlist Things we want when we do “DevOps” 1.

   Use cloud 2. Use software as a service (SaaS) 3. Use new software architectures (i.e., microservices) 4. Reduce time to value 5. Reduce mean time to recovery

3. ALLOW ALL INBOUND TCP ALLOW OUTBOUND TCP TO 10.0.0.0/16 Security?

4. Developer Advocate, HashiCorp 
 she/her 
 @joatmon08 
 joatmon08.github.io mng.bz/J6D0

   (Code: mtpclcosatx21) Rosemary 
 Wang

5. Zero Trust Security Never trust, always verify.

6. 3 Goals For Zero Trust Security Authentication Who are you?

   Authorization Can you do this? Audit Who did what?

7. Identity No unified model, Hard to attest Person Service Machine

8. Zero trust is asymptotic. It can approach zero but never

   reach it.

9. Automate identity for ephemerality to achieve (almost) zero trust.

10. Infrastructure as Code Policy as Code Static Identity Configuration Dynamic

    Identity Management Secrets Management Identity Management

11. 01 Infrastructure as Code Static Identity / Trust Nothing

12. Person User access model changes across clouds data "azurerm_subscription" "primary"

    { } data "azuread_service_principal" "user" { display_name = var.user.azur e } resource "azurerm_role_assignment" "editor" { scope = data.azurerm_subscription.primary.i d role_definition_name = "Contributor " principal_id = data.azuread_service_principal.user.object_i d } data "aws_iam_policy" "editor" { name = "SystemAdministrator " } resource "aws_iam_user_policy_attachment" "attach" { user = var.user.aw s policy_arn = data.aws_iam_policy.editor.ar n } resource "google_project_iam_member" "project" { project = var.project.gc p role = "roles/editor " member = var.user.gc p }

13. Person …and across platforms. apiVersion: rbac.authorization.k8s.io/v 1 kind: Rol e

    metadata : name: edito r namespace: de v rules : - apiGroups : - " " resources: ["*" ] verbs : - ge t - lis t - watc h - creat e - updat e - patc h - delete

14. Prototype pattern! Add a layer to map identity to platform.

15. variable "access_mappings" { type = object( { owner = object(

    { gcp = strin g aws = strin g azure = strin g } ) editor = object( { gcp = strin g aws = strin g azure = strin g } ) reader = object( { gcp = strin g aws = strin g azure = strin g } ) }) default = { owner = { gcp = "owner " aws = "AdministratorAccess " azure = "Owner " } editor = { gcp = "editor " aws = "SystemAdministrator " azure = "Contributor " } reader = { gcp = "reader " aws = "ReadOnlyAccess " azure = "Reader " } } } users = { owner = ["operations" ] editor = ["appdev" ] editor = ["manager" ] }

16. Immutability for security Change or isolate the old environment, recreate

    a new one.

17. Example: Secure Access Management with Infrastructure as Code

18. What to include? Trust nothing, verify everything. Authentication Infrastructure, applications,

    and users Authorization Networking, identity and access management Audit Logging and monitoring

19. 02 Policy as Code Static Identity / Verify Everything

20. Infrastructure as Code Identity & access management Static Analysis unit

    testing or code scanning Deploy Live infrastructure Dynamic Analysis Live infrastructure scanning Shift-left security testing Vulnerability management

21. Tools Static Analysis ▪ Programming Languages (testing frameworks) ▪ Terraform

    (HashiCorp Sentinel, terrascan, tfsec) ▪ Inspec ▪ Platform extensible – Open Policy Agent – kics – Fugue

22. Tools Dynamic Analysis ▪ Cloud provider identity analysis ▪ GCP

    Forseti ▪ AWS Inspector ▪ Azure Security Center (sort of) ▪ CloudCheckr

23. Benchmarks Security Standards by Target ▪ https://ncp.nist.gov/repository

24. Example: Checking policies in secure access management

25. What to include? Trust nothing, verify everything. Authentication Password/MFA policies,

    machine access to services Authorization Networking, identity and access management, libraries Audit Hard mandatory, soft mandatory, and advisory policy types

26. Infrastructure as Code Policy as Code Static Identity Configuration Dynamic

    Identity Management Dynamic Identity Management Secrets Management Identity Management

27. 03 Secrets management Dynamic Identity / Trust Nothing

28. Secrets They’re everywhere! ▪ Machine: SSH or password ▪ API

    / UI Endpoints: password or token ▪ Services: token ▪ Machine to API endpoints: token ▪ Data in-transit: SSL certificate ▪ Data at-rest: encryption key

29. Updating Secrets Introduces Friction

30. Plan R For Secrets 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace

31. Plan R For changing secrets 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace

    Secrets Management

32. Secrets Management Securely introduce and update for machines and services.

33. Example: Managing database secrets for machines

34. What to include? Trust nothing, verify everything. Authentication Secure introduction

    to secrets manager Authorization Provide least-privilege and temporal access to specific secrets Audit Identify when a secrets has been used

35. 04 Identity Management Dynamic Identity / Configuration

36. Kubernetes Node PUBLIC-API FRONTEND Node PRODUCT-API PRODUCT-API PRODUCT-DB SINGLE SIGN-ON

    HUMAN IDENTITY SERVICE IDENTITY

37. Human Identity Many vendor tools ▪ Okta, Auth0, Active Directory,

    etc. ▪ Add an infrastructure layer – Workforce identity – Customer identity – Secure access management

38. Example: Secure access to a database

39. A service’s IP address 
 is not its identity. (Neither

    is DNS.)

40. Service Identity Maps to many types of entities ▪ Containers

    ▪ Services ▪ Virtual machines ▪ Managed services ▪ Datacenter / other clouds

41. Service Mesh Infrastructure layer for service identity

42. Example: Network policy across workloads

43. LAYER 7 LAYER 4 … LAYER 3 LAYER 2 SERVICE

    MESH (ENVOY FILTERS) CONTAINER NETWORK 
 INTERFACE (CNI) FIREWALL RULES / SECURITY GROUPS CALICO (BGP) (EBPF) (OPEN VSWITCH) AUTOMATION FROM SERVICE TO INFRASTRUCTURE

44. What to include? Trust nothing, verify everything. Authentication One platform

    for human and service identities Authorization Multiple layers for policy control Audit Track human logins and service-to-service communication

45. Infrastructure as Code Policy as Code Static Identity Configuration Dynamic

    Identity Management Dynamic Identity Management Secrets Management Identity Management

46. Summary ▪ Zero trust security is asymptotic. ▪ It’s limited

    by the operational challenge of identity. ▪ Automate identity for ephemerality. – Add identity abstraction layer. – Automate abstraction.

47. References joatmon08.github.io ▪ cloud.google.com/blog/topics/developers- practitioners/what-zero-trust-identity-security ▪ github.com/joatmon08/hashicorp-stack-demoapp ▪ github.com/joatmon08/policy-as-code/tree/main/ 05_zero_trust

    ▪ techfieldday.com/appearance/hashicorp-presents- at-security-field-day-5/