Slide 1

Compliance as Code
Nathen Harvey, VP, Community Development, @nathenharvey

Slide 2

INTRODUCTIONS
Nathen Harvey, VP, Community Development, Chef Software, Inc., @nathenharvey

Slide 3

This is a true story...
Auditor: "Communication from your network devices to your authentication server must be encrypted."

Slide 4

This is a true story...
Auditor: "Communication from your network devices to your authentication server must be encrypted."
Me: "We use BlahBlah TACACS+ server. You can't disable encryption."

Slide 5

This is a true story...
Auditor: "Okay. Please show me that encryption is enabled in your configuration."

Slide 6

This is a true story...
Auditor: "Okay. Please show me that encryption is enabled in your configuration."
Me: "Um… I can't. I can't disable it, so I can't show you where it's enabled. But I can show you that I'm using BlahBlah TACACS+ server."

Slide 7

This is a true story...
Auditor: "Can you show me how you can't disable it?"

Slide 8

This is a true story...
Auditor: "Can you show me how you can't disable it?"
Me:

Slide 9

This is a true story...
Me: "How about I show you where I configured the encryption key? Is that good enough?"

Slide 10

This is a true story...
Me: "How about I show you where I configured the encryption key? Is that good enough?"
Auditor: "Ummmm… sure."

Slide 11

Why did I tell you this?
● How to prove "compliance" might not be obvious
● What the auditor was looking for can be automated
● This happened multiple times a year
● We really need to automate

Slide 12

OMG so much compliance
● PCI-DSS
● Dodd-Frank
● HITECH
● ISO
● HIPAA
● Grundschutz
● Sarbanes-Oxley
● General Data Protection Regulation (GDPR)
● Gramm-Leach-Bliley Act

Slide 13

No content

Slide 14

ABA: Always Be Automating

Slide 15

Compliance: the everlasting roadblock...

Slide 16

Product Ideas and Features

Slide 17

Compliance: the everlasting roadblock...

Slide 18

Compliance: the everlasting roadblock...

Slide 19

The OODA Loop: Observe, Orient, Decide, Act

Slide 20

OODA: Observe
● How do you know when it's time for a new compliance control?
● Who is responsible?

Slide 21

No content

Slide 22

No content

Slide 23

No content

Slide 24

An Example from Documentation
404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Slide 25

OODA: Orient

Slide 26

I can totally script that...
$ grep "key" /etc/tac_plus.conf | sed 's/key = //'
s00persecretkey
$

Slide 27

...but there's no context.

Slide 28

Install TACACS+

Slide 29

No content

Slide 30

A tale of three personas...

Slide 31

… and a single language.

Slide 32

From lemons...
$ grep "key" /etc/tac_plus.conf | sed 's/key = //'
s00persecretkey
$

Slide 33

… create lemonade!
describe ini('/etc/tac_plus/tac_plus.conf') do
  its('key') { should_not be_nil }
end

Slide 34

… create lemonade!
control 'sox-404.3.5' do
  title 'Network Device to Central Auth Encryption'
  impact 1.0
  desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
  describe ini('/etc/tac_plus/tac_plus.conf') do
    its('key') { should_not be_nil }
  end
end
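An added example, not from the talk and not InSpec's own code: a small plain-Ruby stand-in for the control/describe/ini pattern on Slides 33 and 34, so the step from the context-free grep on Slide 26 to a control with an id, title, impact and rationale can be run without the inspec gem. The parse_ini helper, the Control struct, run_control and the two sample config strings are all constructed here; the key value is a placeholder.

```ruby
# Added example (not the talk's or InSpec's code): a plain-Ruby stand-in for
#   describe ini('/etc/tac_plus/tac_plus.conf') do
#     its('key') { should_not be_nil }
#   end
# wrapped in a control that carries the auditor-facing context.

# Minimal INI-style parser, standing in for InSpec's ini resource:
# "key = value" lines become a Hash; blank and comment lines are skipped.
def parse_ini(text)
  text.each_line.with_object({}) do |line, h|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    k, v = line.split('=', 2)
    h[k.strip] = v.strip unless v.nil?
  end
end

# A control is the "lemonade": an id mapped to the policy section, a title,
# an impact, a plain-language rationale, and the check itself.
Control = Struct.new(:id, :title, :impact, :desc, :check)

# Run one control against a config file's text and return a report hash.
# Unlike the grep on Slide 26, the report never echoes the key's value.
def run_control(ctrl, config_text)
  cfg = parse_ini(config_text)
  { id: ctrl.id, title: ctrl.title, impact: ctrl.impact,
    status: ctrl.check.call(cfg) ? 'passed' : 'failed' }
end

SOX_404_3_5 = Control.new(
  'sox-404.3.5',
  'Network Device to Central Auth Encryption',
  1.0,
  'All communication between network devices and central auth must be ' \
  'encrypted. Our TACACS+ servers encrypt all the time and the presence ' \
  'of a pre-shared key proves it.',
  # Same test as its('key') { should_not be_nil }: the key must be present.
  ->(cfg) { !cfg['key'].nil? }
)

# Constructed sample configs; the key value is a placeholder, not a secret.
GOOD_CONF = "# tac_plus.conf\nkey = EXAMPLE_PSK_PLACEHOLDER\naccounting file = /var/log/tac_plus.acct\n"
BAD_CONF  = "# tac_plus.conf\naccounting file = /var/log/tac_plus.acct\n"

if __FILE__ == $PROGRAM_NAME
  [GOOD_CONF, BAD_CONF].each { |conf| p run_control(SOX_404_3_5, conf) }
end
```

The report hash is what an auditor can read without the key ever leaving the host; the desc text is the rationale the bare grep could not give.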

Slide 35

Map Documentation to Controls
control 'sox-404.3.5' do
  title 'Network Device to Central Auth Encryption'
  impact 1.0
  desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
  describe ini('/etc/tac_plus/tac_plus.conf') do
    its('key') { should_not be_nil }
  end
end
404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Slide 36

Share Context
control 'sox-404.3.5' do
  title 'Network Device to Central Auth Encryption'
  impact 1.0
  desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
  describe ini('/etc/tac_plus/tac_plus.conf') do
    its('key') { should_not be_nil }
  end
end
404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Slide 37

Automate Test Execution
control 'sox-404.3.5' do
  title 'Network Device to Central Auth Encryption'
  impact 1.0
  desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
  describe ini('/etc/tac_plus/tac_plus.conf') do
    its('key') { should_not be_nil }
  end
end
404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Slide 38

One Language
● Linux
● Windows
● BSD
● Solaris
● AIX
● … and more

Slide 39

Yup, I said Windows...
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled'
  desc 'http://support.microsoft.com/en-us/kb/823659'
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should cmp 4 }
  end
end

Slide 40

One Language
● Bare Metal
● VMs
● Containers

Slide 41

Test Locally
$ inspec exec /path/to/profile

Slide 42

Test Remotely
$ inspec exec /path/to/profile -i ssh.key -t ssh://me@myhost

Slide 43

Test Remotely
$ inspec exec /path/to/profile -t winrm://me@myhost --password secret

Slide 44

Test Remotely
$ inspec exec /path/to/profile -t docker://3cc8837bb6a8

Slide 45

Test via Chef Client Runs
Chef Client, Chef Server, Chef Automate
InSpec via "audit" cookbook

Slide 46

Test via Test Kitchen
verifier:
  name: inspec
  inspec_tests:
    - name: company-base
      compliance: company/base-profile
    - name: app1
      compliance: company/app1-profile

Slide 47

Compliance at every step

Slide 48

OODA: Decide
● How urgent is this?
● Where does this fall in our backlog?
● How do we become compliant?

Slide 49

Assessing Impact and Priority
control 'sox-404.3.5' do
  title 'Network Device to Central Auth Encryption'
  impact 1.0
  desc "All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it."
  describe ini('/etc/tac_plus/tac_plus.conf') do
    its('key') { should_not be_nil }
  end
end
404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Slide 50

Assessing Impact and Priority
control 'no-telnet' do
  title 'telnet not installed'
  impact 0.5
  tag 'pci'
  ref 'pci stage 1', url: 'https://wiki.mycompany.biz/…'
  desc "PCI-DSS requires all admin traffic to be encrypted. Telnet is not encrypted and is therefore not permitted."
  describe package('telnetd') do
    it { should_not be_installed }
  end
end

Slide 51

OODA: Act
● What does remediation look like?
● Can I test my remediation steps?

Slide 52

Compliance at every step

Slide 53

The OODA Loop: Observe, Orient, Decide, Act

Slide 54

The OODA Loop: Observe, Orient, Decide, Act

Slide 55

Why InSpec?
• Break down silos between organizations
• Codify your compliance agreements and requirements
• Share context about your compliance requirements
• Achieve safety at velocity with compliance at every step

Slide 56

The OODA Loop: Observe, Orient, Decide, Act

Slide 57

Step one: Detect
Gain visibility into current status to satisfy audits and drive decision-making.
55% of organizations do compliance assessments inconsistently or not at all.
Apply policies and gain a complete view across the fleet:
▪ Accurately assess risk
▪ Prioritize remediation actions
▪ Maintain audit readiness
▪ Create and adjust policies
"Continuous visibility means that you enter into audits knowing the outcome." (Jon Williams, NIU)

Slide 58

Step two: Correct
Remediate issues to improve performance and security.
58% of organizations need days or longer to remediate issues.
Develop, test, and deploy remediation to address issues across the fleet:
▪ Prioritize actions based on impact
▪ Improve application performance
▪ Close security holes
▪ Prove policy compliance
Web & Media Giant: can patch 250,000 nodes within 6 hours of a patch being made available.

Slide 59

Continuous Workflow: Detect, Correct

Slide 60

Compliance Profiles
https://supermarket.chef.io/tools?type=compliance_profile
http://dev-sec.io/
https://github.com/chef-cookbooks/audit#configure-node

Slide 61

InSpec, meet my IaaS Provider
https://github.com/chef/inspec-aws
https://github.com/chef/inspec-azure
https://github.com/chef/inspec-vmware

Slide 62

Thank You!
Nathen Harvey, VP, Community Development, Chef Software, Inc., @nathenharvey