Slide 1

Auditing Access in Automation …with More Automation
DASH | October 2022

Slide 2

Automation Cycle
• Recognize and remediate.
• Implement automation.
• Identify functional issue.

Slide 3

We deploy and operate quickly, securely, and reliably…

Slide 4

until we find some anomalous activity.

Slide 5

⚠ What? ⚠ Who? ⚠ Where?

Slide 6

Observability of Automation
datadoghq.com/case-studies/hashicorp/

Slide 7

Rosemary Wang (she/her)
Developer Advocate, HashiCorp
@joatmon08 | joatmon08.github.io

Slide 8

Automation Cycle (with Security)
• Recognize and remediate.
• Fix automation.
• Identify security issue.

Slide 9

How do you speed up the automation cycle with security?

Slide 10

Time to Resolution
Reduce time for these stages.
• Fix automation.
• Identify security issue.
• Recognize and remediate.

Slide 11

What should you observe in automation for security?

Slide 12

Automation requires access.

Slide 13

Automation needs lots of access.
Example - Deployment Pipelines
• Check out code
• Build infrastructure
• Deploy application
• Test application
• Check code quality
Need access to…
• Version control
• Infrastructure provider
• Platform/release repository
• Data/other services
• Quality assurance tool

Slide 14

Why audit access?
• Observe service interactions
• Maintain least privilege
• Identify and mitigate blast radius
• Standardize event information

Slide 15

Application Deployment
• Local Testing
• Integration Testing
• Production

Slide 16

Local Testing
Auditing Engineering Access

Slide 17

Engineers need access to build.
Engineers…
• Test
• Debug
• Deploy
Need access to…
• Production Applications
• Databases
• Managed Services
• Infrastructure APIs
• Platform APIs

Slide 18

Track human interactions
• Audit logs from cloud providers
• Audit logs from managed services
• Audit logs from secure access management tools

Slide 19

Database Automation. Audit local connection to database.

Slide 21

Is this fine? Identify unauthorized access to target.

Slide 23

Integration Testing
Auditing Service Access

Slide 24

Services need access to other services.
Services…
• Test
• Debug
• Deploy
Need access to…
• Production Applications
• Databases
• Managed Services
• Infrastructure APIs
• Platform APIs

Slide 25

Track service interactions
• Access logs
• Traces
• Authentication requests
• Network flow logs

Slide 26

Service Automation. Tracing requests between services using APM.

Slide 28

Is this fine? Anomalous access between services.

Slide 30

Secrets provide access.

Slide 31

Database Access. Tracking authentication requests.

Slide 33

Production
Auditing Even More Automation

Slide 34

Production access involves…
• Local: Temporary operational user access
• Integration: Dynamic service access

Slide 35

Track production interactions
• Audit logs from secrets manager
• Audit logs from providers
• Audit logs from secure access management tools

Slide 36

Event-Driven Access Control
• DATADOG: Declare incident. status: active
• WEBHOOK
• BOUNDARY: Authorizes engineers to open sessions. Create temporary role with access to production.

Slide 39

Event-Driven Access Control
• DATADOG: Resolve incident. status: resolved
• WEBHOOK
• BOUNDARY: Revokes access and terminates sessions. Delete temporary role with access to production.

Slide 40

Secrets provide access.

Slide 41

Audit usage of secrets.

Slide 42

Infrastructure Automation. Audit static secret use for automation.

Slide 44

Service Automation. Issuing certificates.

Slide 47

Is this fine? Identify root access to a static secret.
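
One way to run the root-access check named on this slide over a secrets manager's audit trail, as an added example that is not from the talk or its demo repository. It assumes the secrets manager is HashiCorp Vault with a JSON audit device and static secrets mounted under `secret/`; the log lines and the function name `find_root_secret_access` are constructed for illustration.

```python
import json

# Constructed sample lines, modelled on Vault's JSON audit device output.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"time":"2022-10-18T14:02:11Z","type":"response","auth":{"display_name":"approle","policies":["default","terraform"]},"request":{"operation":"read","path":"secret/data/terraform/aws","remote_address":"10.0.1.15"}}',
    '{"time":"2022-10-18T14:05:40Z","type":"request","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"secret/data/terraform/aws","remote_address":"10.0.9.77"}}',
    '{"time":"2022-10-18T14:05:40Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"secret/data/terraform/aws","remote_address":"10.0.9.77"}}',
    '{"time":"2022-10-18T14:06:02Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"sys/mounts","remote_address":"10.0.9.77"}}',
    'truncated-line {"time":',
    '{"time":"2022-10-18T14:09:13Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"update","path":"secret/data/payments/db","remote_address":"10.0.9.77"}}',
])


def find_root_secret_access(log_text, mount_prefix="secret/"):
    """Return (findings, skipped): root-policy access under mount_prefix."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count unparseable lines so gaps in the trail are visible
            continue
        # Each call is logged as a request and a response; use responses only
        # so one access yields one finding.
        if not isinstance(entry, dict) or entry.get("type") != "response":
            continue
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        path = request.get("path", "")
        if path.startswith(mount_prefix) and "root" in (auth.get("policies") or []):
            findings.append({
                "time": entry.get("time"),
                "path": path,
                "operation": request.get("operation"),
                "source": request.get("remote_address"),
            })
    return findings, skipped


if __name__ == "__main__":
    hits, bad = find_root_secret_access(SAMPLE_AUDIT_LOG)
    for hit in hits:
        print("root access to static secret:", hit)
    print("unparseable lines:", bad)
```

The automation's own AppRole read passes unflagged, while the two root-token operations on static secrets are reported with their source address for follow-up.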

Slide 49

Automation requires access.

Slide 50

Other Use Cases
• Infrastructure as Code
• Controllers
• GitOps
• Managed Services

Slide 51

Why audit access?
• Observe service interactions
• Maintain least privilege
• Identify and mitigate blast radius
• Standardize event information

Slide 52

Datadog Cloud SIEM
Define Custom Rules
datadoghq.com/blog/hashicorp-vault-security-datadog

Slide 53

Time to Resolution
Reduce time for these stages.
• Fix automation.
• Identify security issue.
• Recognize and remediate.

Slide 54

Learn more
• Datadog & HashiCorp: datadoghq.com/blog/tag/hashicorp/
• Example at joatmon08/hashicorp-stack-demoapp

Slide 55

Thank you!
Rosemary Wang
@joatmon08 | joatmon08.github.io