Copyright © 2020 HashiCorp August 12, 2021 Automate to Approach Zero Trust Security Cloud Computing San Antonio | Rosemary Wang

“DevOps” Wishlist Things we want when we do “DevOps” 1. Use cloud 2. Use software as a service (SaaS) 3. Use new software architectures (i.e., microservices) 4. Reduce time to value 5. Reduce mean time to recovery

ALLOW ALL INBOUND TCP ALLOW OUTBOUND TCP TO 10.0.0.0/16 Security?

Developer Advocate, HashiCorp 
 she/her 
 @joatmon08 
 joatmon08.github.io mng.bz/J6D0 (Code: mtpclcosatx21) Rosemary 
 Wang

Zero Trust Security Never trust, always verify.

3 Goals For Zero Trust Security Authentication Who are you? Authorization Can you do this? Audit Who did what?

Identity No unified model, Hard to attest Person Service Machine

Zero trust is asymptotic. It can approach zero but never reach it.

Automate identity for ephemerality to achieve (almost) zero trust.

Infrastructure as Code Policy as Code Static Identity Configuration Dynamic Identity Management Secrets Management Identity Management

01 Infrastructure as Code Static Identity / Trust Nothing

Person User access model changes across clouds data "azurerm_subscription" "primary" { } data "azuread_service_principal" "user" { display_name = var.user.azur e } resource "azurerm_role_assignment" "editor" { scope = data.azurerm_subscription.primary.i d role_definition_name = "Contributor " principal_id = data.azuread_service_principal.user.object_i d } data "aws_iam_policy" "editor" { name = "SystemAdministrator " } resource "aws_iam_user_policy_attachment" "attach" { user = var.user.aw s policy_arn = data.aws_iam_policy.editor.ar n } resource "google_project_iam_member" "project" { project = var.project.gc p role = "roles/editor " member = var.user.gc p }

Person …and across platforms. apiVersion: rbac.authorization.k8s.io/v 1 kind: Rol e metadata : name: edito r namespace: de v rules : - apiGroups : - " " resources: ["*" ] verbs : - ge t - lis t - watc h - creat e - updat e - patc h - delete

Prototype pattern! Add a layer to map identity to platform.

variable "access_mappings" { type = object( { owner = object( { gcp = strin g aws = strin g azure = strin g } ) editor = object( { gcp = strin g aws = strin g azure = strin g } ) reader = object( { gcp = strin g aws = strin g azure = strin g } ) }) default = { owner = { gcp = "owner " aws = "AdministratorAccess " azure = "Owner " } editor = { gcp = "editor " aws = "SystemAdministrator " azure = "Contributor " } reader = { gcp = "reader " aws = "ReadOnlyAccess " azure = "Reader " } } } users = { owner = ["operations" ] editor = ["appdev" ] editor = ["manager" ] }

Immutability for security Change or isolate the old environment, recreate a new one.

Example: Secure Access Management with Infrastructure as Code

What to include? Trust nothing, verify everything. Authentication Infrastructure, applications, and users Authorization Networking, identity and access management Audit Logging and monitoring

02 Policy as Code Static Identity / Verify Everything

Infrastructure as Code Identity & access management Static Analysis unit testing or code scanning Deploy Live infrastructure Dynamic Analysis Live infrastructure scanning Shift-left security testing Vulnerability management

Tools Static Analysis ▪ Programming Languages (testing frameworks) ▪ Terraform (HashiCorp Sentinel, terrascan, tfsec) ▪ Inspec ▪ Platform extensible – Open Policy Agent – kics – Fugue

Tools Dynamic Analysis ▪ Cloud provider identity analysis ▪ GCP Forseti ▪ AWS Inspector ▪ Azure Security Center (sort of) ▪ CloudCheckr

Benchmarks Security Standards by Target ▪ https://ncp.nist.gov/repository

Example: Checking policies in secure access management

What to include? Trust nothing, verify everything. Authentication Password/MFA policies, machine access to services Authorization Networking, identity and access management, libraries Audit Hard mandatory, soft mandatory, and advisory policy types

Infrastructure as Code Policy as Code Static Identity Configuration Dynamic Identity Management Dynamic Identity Management Secrets Management Identity Management

03 Secrets management Dynamic Identity / Trust Nothing

Secrets They’re everywhere! ▪ Machine: SSH or password ▪ API / UI Endpoints: password or token ▪ Services: token ▪ Machine to API endpoints: token ▪ Data in-transit: SSL certificate ▪ Data at-rest: encryption key

Updating Secrets Introduces Friction

Plan R For Secrets 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace

Plan R For changing secrets 1.Regret 2.Revoke 3.Rotate 4.Reference 5.Replace Secrets Management

Secrets Management Securely introduce and update for machines and services.

Example: Managing database secrets for machines

What to include? Trust nothing, verify everything. Authentication Secure introduction to secrets manager Authorization Provide least-privilege and temporal access to specific secrets Audit Identify when a secrets has been used

04 Identity Management Dynamic Identity / Configuration

Kubernetes Node PUBLIC-API FRONTEND Node PRODUCT-API PRODUCT-API PRODUCT-DB SINGLE SIGN-ON HUMAN IDENTITY SERVICE IDENTITY

Human Identity Many vendor tools ▪ Okta, Auth0, Active Directory, etc. ▪ Add an infrastructure layer – Workforce identity – Customer identity – Secure access management

Example: Secure access to a database

A service’s IP address 
 is not its identity. (Neither is DNS.)

Service Identity Maps to many types of entities ▪ Containers ▪ Services ▪ Virtual machines ▪ Managed services ▪ Datacenter / other clouds

Service Mesh Infrastructure layer for service identity

Example: Network policy across workloads

LAYER 7 LAYER 4 … LAYER 3 LAYER 2 SERVICE MESH (ENVOY FILTERS) CONTAINER NETWORK 
 INTERFACE (CNI) FIREWALL RULES / SECURITY GROUPS CALICO (BGP) (EBPF) (OPEN VSWITCH) AUTOMATION FROM SERVICE TO INFRASTRUCTURE

What to include? Trust nothing, verify everything. Authentication One platform for human and service identities Authorization Multiple layers for policy control Audit Track human logins and service-to-service communication

Infrastructure as Code Policy as Code Static Identity Configuration Dynamic Identity Management Dynamic Identity Management Secrets Management Identity Management

Summary ▪ Zero trust security is asymptotic. ▪ It’s limited by the operational challenge of identity. ▪ Automate identity for ephemerality. – Add identity abstraction layer. – Automate abstraction.

References joatmon08.github.io ▪ cloud.google.com/blog/topics/developers- practitioners/what-zero-trust-identity-security ▪ github.com/joatmon08/hashicorp-stack-demoapp ▪ github.com/joatmon08/policy-as-code/tree/main/ 05_zero_trust ▪ techfieldday.com/appearance/hashicorp-presents- at-security-field-day-5/