Slide 1

Slide 1 text

Automate to Approach Zero Trust Security
Cloud Computing San Antonio | August 12, 2021
Rosemary Wang
Copyright © 2020 HashiCorp

Slide 2

Slide 2 text

“DevOps” Wishlist: things we want when we do “DevOps”
1. Use cloud
2. Use software as a service (SaaS)
3. Use new software architectures (i.e., microservices)
4. Reduce time to value
5. Reduce mean time to recovery

Slide 3

Slide 3 text

ALLOW ALL INBOUND TCP
ALLOW OUTBOUND TCP TO 10.0.0.0/16
Security?

Slide 4

Slide 4 text

Rosemary Wang
Developer Advocate, HashiCorp
she/her
@joatmon08
joatmon08.github.io
mng.bz/J6D0 (Code: mtpclcosatx21)

Slide 5

Slide 5 text

Zero Trust Security Never trust, always verify.

Slide 6

Slide 6 text

3 Goals For Zero Trust Security
Authentication: Who are you?
Authorization: Can you do this?
Audit: Who did what?

Slide 7

Slide 7 text

Identity: no unified model, hard to attest
Person / Service / Machine

Slide 8

Slide 8 text

Zero trust is asymptotic. It can approach zero but never reach it.

Slide 9

Slide 9 text

Automate identity for ephemerality to achieve (almost) zero trust.

Slide 10

Slide 10 text

Infrastructure as Code | Policy as Code
Secrets Management | Identity Management
Axes: Static Identity vs. Dynamic Identity; Configuration vs. Management

Slide 11

Slide 11 text

01 Infrastructure as Code Static Identity / Trust Nothing

Slide 12

Slide 12 text

Person: the user access model changes across clouds

data "azurerm_subscription" "primary" {}

data "azuread_service_principal" "user" {
  display_name = var.user.azure
}

resource "azurerm_role_assignment" "editor" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Contributor"
  principal_id         = data.azuread_service_principal.user.object_id
}

data "aws_iam_policy" "editor" {
  name = "SystemAdministrator"
}

resource "aws_iam_user_policy_attachment" "attach" {
  user       = var.user.aws
  policy_arn = data.aws_iam_policy.editor.arn
}

resource "google_project_iam_member" "project" {
  project = var.project.gcp
  role    = "roles/editor"
  member  = var.user.gcp
}

Slide 13

Slide 13 text

Person: …and across platforms.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: editor
  namespace: dev
rules:
  - apiGroups:
      - ""
    resources: ["*"]
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

Slide 14

Slide 14 text

Prototype pattern! Add a layer to map identity to platform.

Slide 15

Slide 15 text

variable "access_mappings" {
  type = object({
    owner  = object({ gcp = string, aws = string, azure = string })
    editor = object({ gcp = string, aws = string, azure = string })
    reader = object({ gcp = string, aws = string, azure = string })
  })
  default = {
    owner  = { gcp = "owner",  aws = "AdministratorAccess", azure = "Owner" }
    editor = { gcp = "editor", aws = "SystemAdministrator", azure = "Contributor" }
    reader = { gcp = "reader", aws = "ReadOnlyAccess",      azure = "Reader" }
  }
}

users = {
  owner  = ["operations"]
  editor = ["appdev"]
  reader = ["manager"] # the slide repeats "editor" for this key; HCL rejects a duplicate attribute, so "reader" is assumed
}
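The mapping layer above can also live outside Terraform, where it is easier to validate before any cloud resource is created. The following Python is an added example, not code from the deck or from HashiCorp: it copies the slide's role-to-platform map, expands each logical role into the per-cloud native role that the Terraform resources would assign, and checks the users map for the kind of mistake the slide's own snippet contains (a principal listed under two roles, or a role that has no mapping). The users map and the role ranking are constructed for the example.

```python
"""Identity abstraction layer: one logical role expanded to each cloud's native role.

Added example, not code from the deck. The role names copy the slide's
access_mappings default; the users map and the validation are constructed here.
"""
from typing import Dict, List, Tuple

# Logical role -> native role name per platform (mirrors the slide's default map).
ACCESS_MAPPINGS: Dict[str, Dict[str, str]] = {
    "owner":  {"gcp": "owner",  "aws": "AdministratorAccess", "azure": "Owner"},
    "editor": {"gcp": "editor", "aws": "SystemAdministrator", "azure": "Contributor"},
    "reader": {"gcp": "reader", "aws": "ReadOnlyAccess",      "azure": "Reader"},
}

# Least-privilege ordering, lowest first (constructed), used to word conflicts.
ROLE_RANK = {"reader": 0, "editor": 1, "owner": 2}

# Constructed sample: which teams hold which logical role.
USERS: Dict[str, List[str]] = {
    "owner": ["operations"],
    "editor": ["appdev"],
    "reader": ["manager"],
}


def validate_assignments(users, mappings=ACCESS_MAPPINGS):
    """Return human-readable problems: unknown roles, and a principal listed under
    more than one role (on every platform the higher role would silently win)."""
    problems = []
    held = {}  # principal -> first role seen
    for role, principals in users.items():
        if role not in mappings:
            problems.append(f"unknown role {role!r}")
            continue
        for principal in principals:
            if principal in held and held[principal] != role:
                lower, higher = sorted((held[principal], role), key=ROLE_RANK.get)
                problems.append(f"{principal!r} holds {lower!r} and {higher!r}; keep only {lower!r}")
            held.setdefault(principal, role)
    return problems


def render_assignments(users, mappings=ACCESS_MAPPINGS, platforms=("gcp", "aws", "azure")):
    """Expand logical roles into (principal, platform, native role) triples, one per
    platform: the list of role_assignment / policy_attachment / iam_member
    resources that the Terraform on the slide would create, computed in one place."""
    triples: List[Tuple[str, str, str]] = []
    for role, principals in users.items():
        native = mappings[role]
        for principal in principals:
            for platform in platforms:
                triples.append((principal, platform, native[platform]))
    return triples


if __name__ == "__main__":
    for problem in validate_assignments(USERS):
        print("PROBLEM:", problem)
    for principal, platform, role in render_assignments(USERS):
        print(f"{principal:12} {platform:6} {role}")
```

Run validate_assignments before render_assignments: a map that fails validation should never reach the cloud providers, because each provider would accept the duplicate and the principal would end up with the union of both roles.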

Slide 16

Slide 16 text

Immutability for security Change or isolate the old environment, recreate a new one.

Slide 17

Slide 17 text

Example: Secure Access Management with Infrastructure as Code

Slide 18

Slide 18 text

What to include? Trust nothing, verify everything.
Authentication: infrastructure, applications, and users
Authorization: networking, identity and access management
Audit: logging and monitoring

Slide 19

Slide 19 text

02 Policy as Code Static Identity / Verify Everything

Slide 20

Slide 20 text

Shift-left security testing and vulnerability management:
Infrastructure as Code (identity & access management) -> Static Analysis (unit testing or code scanning) -> Deploy (live infrastructure) -> Dynamic Analysis (live infrastructure scanning)

Slide 21

Slide 21 text

Tools: Static Analysis
▪ Programming languages (testing frameworks)
▪ Terraform (HashiCorp Sentinel, terrascan, tfsec)
▪ Inspec
▪ Platform extensible
  – Open Policy Agent
  – kics
  – Fugue

Slide 22

Slide 22 text

Tools: Dynamic Analysis
▪ Cloud provider identity analysis
▪ GCP Forseti
▪ AWS Inspector
▪ Azure Security Center (sort of)
▪ CloudCheckr

Slide 23

Slide 23 text

Benchmarks: security standards by target
▪ https://ncp.nist.gov/repository

Slide 24

Slide 24 text

Example: Checking policies in secure access management

Slide 25

Slide 25 text

What to include? Trust nothing, verify everything.
Authentication: password/MFA policies, machine access to services
Authorization: networking, identity and access management, libraries
Audit: hard mandatory, soft mandatory, and advisory policy types
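What a static policy check on the slide 20 pipeline looks like in practice, with the three enforcement levels from the Audit line above. This Python is an added example; it is not the deck's code and not HashiCorp Sentinel, OPA, terrascan or tfsec. It reads a resource list in the shape `terraform show -json` emits (planned_values.root_module.resources), runs three policies over it, and decides whether the deploy may proceed: a hard-mandatory failure always blocks, a soft-mandatory failure blocks unless a reviewed override names the policy, and an advisory finding only warns. The plan, the policies and the override mechanism are constructed for the example; the open security group it contains is the "ALLOW ALL INBOUND TCP" rule from slide 3.

```python
"""Policy as code over a Terraform plan: static checks before deploy.

Added example; not the deck's code and not HashiCorp Sentinel, OPA or tfsec.
Reads the resource list in the shape `terraform show -json` emits and labels
each finding with one of the three Sentinel enforcement levels named on the
slide: hard-mandatory, soft-mandatory, advisory. The plan is constructed.
"""
import json

HARD, SOFT, ADVISORY = "hard-mandatory", "soft-mandatory", "advisory"

# Constructed plan: the open security group from slide 3, a direct admin
# attachment, and a tagged database.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {
        "name": "web",
        "ingress": [{"from_port": 0, "to_port": 65535, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}],
        "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                    "cidr_blocks": ["10.0.0.0/16"]}],
        "tags": None}},
    {"address": "aws_iam_user_policy_attachment.attach",
     "type": "aws_iam_user_policy_attachment", "values": {
        "user": "appdev",
        "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"address": "aws_db_instance.product", "type": "aws_db_instance", "values": {
        "identifier": "product-db", "tags": {"owner": "appdev"}}},
]}}})


def no_open_ingress(res):
    """Hard-mandatory: no security group may admit 0.0.0.0/0 (slide 3's ALLOW ALL INBOUND)."""
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress") or []:
        if "0.0.0.0/0" in (rule.get("cidr_blocks") or []):
            return (f"{res['address']}: ingress {rule['from_port']}-{rule['to_port']}"
                    f"/{rule['protocol']} open to 0.0.0.0/0")
    return None


def no_admin_attachment(res):
    """Soft-mandatory: AdministratorAccess must not be attached straight to a user."""
    if (res["type"] == "aws_iam_user_policy_attachment"
            and res["values"]["policy_arn"].endswith("/AdministratorAccess")):
        return f"{res['address']}: attaches AdministratorAccess to user {res['values']['user']}"
    return None


def owner_tag_present(res):
    """Advisory: taggable resources should carry an owner tag so audit can say who owns what."""
    if "tags" in res["values"] and not (res["values"]["tags"] or {}).get("owner"):
        return f"{res['address']}: missing owner tag"
    return None


POLICIES = [(no_open_ingress, HARD), (no_admin_attachment, SOFT), (owner_tag_present, ADVISORY)]


def evaluate(plan_json, overrides=()):
    """Run every policy over every planned resource.

    Returns (allowed, findings); each finding is (level, policy name, message).
    Hard-mandatory failures always block; soft-mandatory failures block unless the
    policy name is in `overrides` (a reviewed exception); advisory findings only warn.
    """
    plan = json.loads(plan_json)
    findings, allowed = [], True
    for res in plan["planned_values"]["root_module"]["resources"]:
        for check, level in POLICIES:
            message = check(res)
            if message is None:
                continue
            findings.append((level, check.__name__, message))
            if level == HARD or (level == SOFT and check.__name__ not in overrides):
                allowed = False
    return allowed, findings


def drop_resource(plan_json, address):
    """Return the plan without one resource (shows a remediated plan passing)."""
    plan = json.loads(plan_json)
    module = plan["planned_values"]["root_module"]
    module["resources"] = [r for r in module["resources"] if r["address"] != address]
    return json.dumps(plan)


if __name__ == "__main__":
    allowed, findings = evaluate(PLAN_JSON)
    for level, name, message in findings:
        print(f"[{level}] {name}: {message}")
    print("deploy allowed:", allowed)
```

The evaluator only walks root-module resources; a production check would also descend into child_modules and handle unknown (computed) values, which this constructed plan does not contain.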

Slide 26

Slide 26 text

Infrastructure as Code | Policy as Code
Secrets Management | Identity Management
Axes: Static Identity vs. Dynamic Identity; Configuration vs. Management

Slide 27

Slide 27 text

03 Secrets management Dynamic Identity / Trust Nothing

Slide 28

Slide 28 text

Secrets: they’re everywhere!
▪ Machine: SSH key or password
▪ API / UI endpoints: password or token
▪ Services: token
▪ Machine to API endpoints: token
▪ Data in transit: SSL certificate
▪ Data at rest: encryption key

Slide 29

Slide 29 text

Updating Secrets Introduces Friction

Slide 30

Slide 30 text

Plan R For Secrets
1. Regret
2. Revoke
3. Rotate
4. Reference
5. Replace

Slide 31

Slide 31 text

Plan R For changing secrets
1. Regret
2. Revoke
3. Rotate
4. Reference
5. Replace
Secrets Management

Slide 32

Slide 32 text

Secrets Management Securely introduce and update for machines and services.

Slide 33

Slide 33 text

Example: Managing database secrets for machines

Slide 34

Slide 34 text

What to include? Trust nothing, verify everything.
Authentication: secure introduction to the secrets manager
Authorization: provide least-privilege and temporal access to specific secrets
Audit: identify when a secret has been used
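The three lines above, for the database example, come down to a credential that is issued per workload, bound to a role, bounded by a TTL, and audited on every use. The following Python is an added example; it is not Vault's code and not the deck's. It models a small secrets manager that issues per-workload database credentials with a lease, accepts only live credentials at login, revokes on demand or when the TTL lapses (Plan R: revoke, rotate, replace), and keeps an audit trail that answers "when was this secret used?". The workload identity handed to issue() is assumed to have been verified already (the secure-introduction step, e.g. a cloud IAM or Kubernetes service account token); the database itself is stood in for by an in-memory user set.

```python
"""Dynamic database credentials with leases: issue, use, rotate, revoke, audit.

Added example; not Vault's code or the deck's. A toy secrets manager issues a
per-workload database credential bound to a role and a TTL, records every
issue, use and revocation for audit, and revokes on demand or on expiry. The
workload identity passed to issue() is assumed to be verified beforehand.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    role: str         # database role the credential is bound to (least privilege)
    issued_at: float
    ttl: int          # seconds (temporal access)
    revoked: bool = False

    def expired(self, now):
        return self.revoked or now >= self.issued_at + self.ttl


class SecretsManager:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be exercised deterministically
        self.leases = {}          # lease_id -> Lease
        self.db_users = set()     # stands in for CREATE USER / DROP USER in the database
        self.audit = []           # (timestamp, event, lease_id, detail)

    def issue(self, workload_identity, role, ttl=300):
        """Create a fresh credential for one workload; nothing is shared between workloads."""
        lease = Lease(
            lease_id=secrets.token_hex(8),
            username=f"v-{role}-{secrets.token_hex(4)}",
            password=secrets.token_urlsafe(24),
            role=role, issued_at=self.clock(), ttl=ttl,
        )
        self.leases[lease.lease_id] = lease
        self.db_users.add(lease.username)
        self._log("issue", lease.lease_id, f"{workload_identity} role={role} ttl={ttl}s")
        return lease

    def authenticate(self, username, password):
        """What the database does at login: accept only a live lease's credential.
        Returns the role on success, None on denial; both outcomes are audited."""
        now = self.clock()
        for lease in self.leases.values():
            if (lease.username == username
                    and secrets.compare_digest(lease.password, password)
                    and not lease.expired(now)):
                self._log("use", lease.lease_id, username)
                return lease.role
        self._log("deny", None, username)
        return None

    def revoke(self, lease_id):
        lease = self.leases[lease_id]
        lease.revoked = True
        self.db_users.discard(lease.username)
        self._log("revoke", lease_id, lease.username)

    def rotate(self, lease_id, workload_identity):
        """Replace before revoke: the workload holds the new credential before the old one dies."""
        old = self.leases[lease_id]
        new = self.issue(workload_identity, old.role, old.ttl)
        self.revoke(lease_id)
        return new

    def expire(self):
        """Background sweep: revoke every lease that has outlived its TTL."""
        now = self.clock()
        for lease in list(self.leases.values()):
            if not lease.revoked and lease.expired(now):
                self.revoke(lease.lease_id)

    def uses_of(self, lease_id):
        """The audit question from the slide: when was this secret used?"""
        return [ts for ts, event, lid, _ in self.audit if event == "use" and lid == lease_id]

    def _log(self, event, lease_id, detail):
        self.audit.append((self.clock(), event, lease_id, detail))
```

Because every credential is unique to one lease, the audit trail ties each database login to the workload that requested the lease, which a shared static password can never do.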

Slide 35

Slide 35 text

04 Identity Management Dynamic Identity / Configuration

Slide 36

Slide 36 text

[Diagram] Kubernetes cluster. Node: PUBLIC-API, FRONTEND. Node: PRODUCT-API, PRODUCT-API, PRODUCT-DB. Humans enter through SINGLE SIGN-ON (human identity); workloads carry service identity.

Slide 37

Slide 37 text

Human Identity: many vendor tools
▪ Okta, Auth0, Active Directory, etc.
▪ Add an infrastructure layer
  – Workforce identity
  – Customer identity
  – Secure access management

Slide 38

Slide 38 text

Example: Secure access to a database

Slide 39

Slide 39 text

A service’s IP address is not its identity. (Neither is DNS.)

Slide 40

Slide 40 text

Service Identity: maps to many types of entities
▪ Containers
▪ Services
▪ Virtual machines
▪ Managed services
▪ Datacenter / other clouds

Slide 41

Slide 41 text

Service Mesh Infrastructure layer for service identity

Slide 42

Slide 42 text

Example: Network policy across workloads

Slide 43

Slide 43 text

[Diagram: automation from service to infrastructure, by network layer] Layer 7, Layer 4 … Layer 3, Layer 2, top to bottom. Mechanisms shown: service mesh (Envoy filters); Container Network Interface (CNI): Calico (BGP), eBPF, Open vSwitch; firewall rules / security groups.

Slide 44

Slide 44 text

What to include? Trust nothing, verify everything.
Authentication: one platform for human and service identities
Authorization: multiple layers for policy control
Audit: track human logins and service-to-service communication
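Slide 39's point ("a service's IP address is not its identity") and the Authorization and Audit lines above, worked as code. This Python is an added example; it is not Consul's, Envoy's or the deck's code. The caller's identity is taken from the SPIFFE-style URI SAN of its mTLS certificate; the spiffe://<trust-domain>/ns/<namespace>/svc/<service> layout, the trust domain and the service names (frontend, public-api, product-api, product-db, from the slide 36 diagram) are constructed here. Intentions are evaluated as layer-4 rules (source service to destination service), optionally narrowed by layer-7 method and path rules, and every decision is logged. The source IP is recorded for audit only and never influences the decision.

```python
"""Service-to-service authorization keyed on workload identity, not IP.

Added example; not Consul's, Envoy's or the deck's code. The caller's identity
comes from the SPIFFE-style URI SAN of its mTLS certificate (layout, trust
domain and service names constructed here). Intentions are layer-4 rules
optionally narrowed by layer-7 method/path rules; every decision is audited.
"""
from dataclasses import dataclass
from typing import List, Tuple

TRUST_DOMAIN = "example.internal"   # assumed trust domain for this mesh


@dataclass(frozen=True)
class Identity:
    trust_domain: str
    namespace: str
    service: str


def parse_spiffe(uri: str) -> Identity:
    """Parse spiffe://<trust-domain>/ns/<namespace>/svc/<service>; raise on any other shape."""
    if not uri.startswith("spiffe://"):
        raise ValueError("not a SPIFFE URI")
    host, _, path = uri[len("spiffe://"):].partition("/")
    parts = path.split("/")
    if (not host or len(parts) != 4 or parts[0] != "ns" or parts[2] != "svc"
            or not parts[1] or not parts[3]):
        raise ValueError("unexpected SPIFFE path")
    return Identity(host, parts[1], parts[3])


@dataclass(frozen=True)
class Intention:
    source: str                     # service name, or "*" for any source
    destination: str
    action: str                     # "allow" or "deny"
    methods: Tuple[str, ...] = ()   # empty => layer-4 rule; otherwise layer-7 permission
    path_prefix: str = ""


# Constructed intentions for the slide's frontend / public-api / product-api / product-db.
# Specific rules come first; the wildcard at the end makes the database default-deny.
INTENTIONS: List[Intention] = [
    Intention("frontend", "public-api", "allow"),
    Intention("public-api", "product-api", "allow", methods=("GET",), path_prefix="/products"),
    Intention("product-api", "product-db", "allow"),
    Intention("*", "product-db", "deny"),
]

AUDIT: List[dict] = []   # one record per decision (service-to-service audit trail)


def authorize(peer_uri, destination, method=None, path=None, src_ip=None, intentions=INTENTIONS):
    """Return "allow" or "deny" for one request. The first matching intention wins;
    a layer-7 rule allows only requests that fit its permission; no match means deny."""
    decision, reason = "deny", "no matching intention"
    try:
        peer = parse_spiffe(peer_uri)
    except ValueError as exc:
        peer, reason = None, f"bad identity: {exc}"
    else:
        if peer.trust_domain != TRUST_DOMAIN:
            reason = f"foreign trust domain {peer.trust_domain}"
        else:
            for rule in intentions:
                if rule.source not in ("*", peer.service) or rule.destination != destination:
                    continue
                if rule.methods:
                    fits = method in rule.methods and (path or "").startswith(rule.path_prefix)
                    decision = rule.action if fits else "deny"
                    reason = f"L7 {rule.source}->{rule.destination} {'matched' if fits else 'not permitted'}"
                else:
                    decision, reason = rule.action, f"L4 {rule.source}->{rule.destination}"
                break
    # src_ip is kept for forensics only; it plays no part in the decision above.
    AUDIT.append({"source": peer.service if peer else peer_uri, "destination": destination,
                  "method": method, "path": path, "src_ip": src_ip,
                  "decision": decision, "reason": reason})
    return decision
```

A peer that presents a certificate from another trust domain, or no SPIFFE identity at all, is denied before any intention is consulted, regardless of which address it connects from.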

Slide 45

Slide 45 text

Infrastructure as Code | Policy as Code
Secrets Management | Identity Management
Axes: Static Identity vs. Dynamic Identity; Configuration vs. Management

Slide 46

Slide 46 text

Summary
▪ Zero trust security is asymptotic.
▪ It’s limited by the operational challenge of identity.
▪ Automate identity for ephemerality.
  – Add an identity abstraction layer.
  – Automate the abstraction.

Slide 47

Slide 47 text

References (joatmon08.github.io)
▪ cloud.google.com/blog/topics/developers-practitioners/what-zero-trust-identity-security
▪ github.com/joatmon08/hashicorp-stack-demoapp
▪ github.com/joatmon08/policy-as-code/tree/main/05_zero_trust
▪ techfieldday.com/appearance/hashicorp-presents-at-security-field-day-5/