
Openshift Compliance & Security Operators


How Red Hat is automating security and regulatory compliance


Red Hat OpenShift

October 12, 2020

Transcript

  1. OpenShift Security & Compliance Operators: How Red Hat is automating security and regulatory compliance

    Kirsten Newcomer, Director, Cloud and DevSecOps Strategy, OpenShift Product Management. October 2020
  2. What makes an effective hybrid cloud platform?

    Diagram: Developer experience & on-demand; Standards, portability & interoperability; Broad ecosystem; Automated operations; Broadest application support; Security & compliance. Deployment targets: Edge, Datacenter, Multi-Cloud, Public Cloud.
  3. OpenShift 4 Security: Dramatically simplified for the Hybrid Cloud

    ▸ Machines: machines are complex for ops. Make machines easy (like containers).
    ▸ Configuration: config change is risky. Make config management and config change easy and safe.
    ▸ Lifecycle: the software lifecycle is hard. Automate the software lifecycle on Kube.
  4. Red Hat OpenShift Container Platform (architecture diagram)

    Developer Services: Kubernetes Developer CLI, VS Code extensions, IDE plugins, CodeReady Workspaces, CodeReady Containers. Application Services: Service Mesh, Serverless, Builds, CI/CD Pipelines, Full Stack Logging, Chargeback, Databases, Languages, Runtimes, Integration, Business Automation, 100+ ISV services. Platform Services / Cluster Services: Automated Ops, Over-The-Air Updates, Monitoring, Registry, Networking, Router, OpenShift Virtualization, OLM, Helm. Multi-cluster Management via Advanced Cluster Management: Discovery, Policy, Compliance, Configuration, Workloads. All of this sits on OpenShift Kubernetes Engine and Red Hat Enterprise Linux & RHEL CoreOS, and runs on physical, virtual, private cloud, public cloud, managed cloud (Azure, AWS, GCP, IBM, Red Hat) and edge cloud.
  5. OpenShift Machine Config Operator: Monitor for Configuration Drift

    Install, upgrade, reconcile, config: describe intent with declarative config. Maintain: monitor, scale, troubleshoot, backup. Observe.
    1. A user requests a new cluster
    2. Red Hat curates MachineConfigs to meet security best practices
    3. The Machine Config Operator delivers the secure machine config you need
    4. Metrics are sent to Red Hat Insights for analysis via secured HTTPS.

    ContainerRuntimeConfig shown on the slide:

        apiVersion: machineconfiguration.openshift.io/v1
        kind: ContainerRuntimeConfig
        metadata:
          name: set-log-and-pid
        spec:
          machineConfigPoolSelector:
            matchLabels:
              debug-crio: config-log-and-pid
          containerRuntimeConfig:
            pidsLimit: 2048
            logLevel: debug
  6. Container Security Operator: Proactive Vulnerability Monitoring

    Install, upgrade, reconcile, config: describe intent with declarative config. Summarize: monitor, scale, troubleshoot, backup. Observe.
    1. A user adds the Container Security Operator to watch containers for vulnerabilities
    2. Red Hat Consolidated Vulnerability Feed
    3. Continuous Quay and Clair scans
  7. MANAGING COMPLIANCE COMPLEXITY

  8. A Complex Set of Compliance Regulations and Recommendations

    A lot of rules to create for a risk-based policy and cost-effective security strategy:
    ▸ PCI-DSS
    ▸ ISO 27001
    ▸ HIPAA
    ▸ FISMA / FedRAMP
    ▸ NIST 800-53
    ▸ NIST 800-190
    ▸ CIS benchmarks
    ▸ ANSSI
    ▸ Essential 8
    ▸ Need specific expertise to understand the jargon and translate the requirements to implementation
  9. A Complex Process

    Determining compliance is a multi-step, custom process for everyone. Steps on the slide: CATEGORIZE SYSTEM, SELECT CONTROLS, IMPLEMENT CONTROLS, ASSESS CONTROLS, AUTHORIZE SYSTEM, MONITOR CONTROLS. Notes from the slide:
    ▸ Security control assessors carrying 400+ page three-ring binders. Manual control assessment.
    ▸ Disagreement over which controls apply to which system components. How many ways are there to configure password policies? Which one is best? Differing interpretations between DoD, Intel, Civ, SLED. Given the variance of prior processes, there is no deterministic way to make a risk assessment.
    ▸ IT is shifting towards DevOps; security needs to be monitored continuously.
  10. OPENSHIFT IS SECURITY AUTOMATION: Red Hat Compliance Content Automation

    Red Hat builds the pieces needed to drive the process, executed by the Compliance Operator, across the same steps: CATEGORIZE SYSTEM, SELECT CONTROLS, IMPLEMENT CONTROLS, ASSESS CONTROLS, AUTHORIZE SYSTEM (US Gov), MONITOR CONTROLS.
  11. Compliance operator: Declarative Security Compliance

    ▸ The operator itself: the compliance operator runs in the OpenShift cluster to scan the cluster nodes and the OpenShift platform itself. It builds on existing and proven technologies that are accepted by the industry and used in the RHEL world. The operator lets the administrator describe the desired compliance state of a cluster and provides them with an overview of gaps and ways to remediate the gaps.
    ▸ OpenSCAP: a NIST-certified tool to scan and enforce the security policies provided by the content.
    ▸ Compliance Profile Content: the compliance checks themselves are delivered through SCAP content, with a lifecycle independent from the operator or the OpenSCAP scanner.
  12. OpenShift Compliance Operator: Declarative Security Compliance

    Install, upgrade, reconcile, config: describe intent with declarative config. Summarize: monitor, scale, troubleshoot, backup. Observe. Objects involved: ComplianceSuite, Scan (results), ComplianceCheckResult, ComplianceRemediations.
    1. A compliance profile is selected
    2. The operator runs the scan for the profile against nodes, collects results, and (optionally) performs remediations
    3. Accreditors or auditors can examine the scan results for compliance status. After review, if desired, remediations can be manually applied by the cluster-admin.
    OCP 4.6: with 4.6, a limited set of RHCOS checks will be implemented. Additional compliance checks will be delivered roughly every 2 months.
  13. Compliance operator: the high level workflow is Scan, Remediate, Rescan

  14. IMPLEMENTING COMPLIANCE CONTROLS: Implementing controls with OCP

    Red Hat is building best practices into SCAP content, with technical implementations for assessment and remediation where possible.
    ▸ Within Red Hat, our goal is to look across relevant security frameworks and codify compliance for the common controls.
    ▸ Provide as much technical and system level compliance as possible -- minimize manual effort
    Example check from the slide (file mode of the kube-apiserver static pod manifest, read through each kube-apiserver pod):

        # Collect the kube-apiserver pods and the revision they run at
        PODS_JSON=$(oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o json)
        REVISION=$(echo "$PODS_JSON" | jq -r '.items[0].metadata.labels.revision')
        # Print the octal permission bits of the static pod manifest from every pod
        for i in $(echo "$PODS_JSON" | jq -r '.items[].metadata.name'); do
          oc exec -n openshift-kube-apiserver -c "kube-apiserver-$REVISION" "$i" -- \
            stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
        done
  15. Under the hood: How the Compliance Operator does its work

    Diagram: a ComplianceSuite holds one ComplianceScan per MachinePool; each ComplianceScan runs Scans on the nodes and produces Scan Results, which are summarized into ComplianceCheckResult objects and the corresponding ComplianceRemediations.
  16. How OpenSCAP Works

    Diagram: Compliance scanning takes NIST 800-53, the Compliance as Code project and DISA SRG XML as inputs to SCAP Datastream Content (profile dependent) and produces a Compliance Report. Vulnerability scanning takes the Mitre CVE Program, the National Vulnerability Database and the Red Hat Security Team as inputs to the Red Hat CVE Feed and produces a Vulnerability Report. Roadmap: OCP 4.6.
  17. OpenSCAP walkthrough

        ## CHOOSE THE PROFILE TO SCAN
        $ sudo oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
        Document type: Source Data Stream
        Imported: 2020-02-06T09:36:38
        ...
        Checklists:
          ...
          Generated: 2020-02-06
          Resolved: true
          Profiles:
            Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
              Id: xccdf_org.ssgproject.content_profile_stig
            ...
        Dictionaries:
          Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml

        ## PERFORM AN INITIAL SCAN AND SAVE THE REPORT AS scan.html
        $ oscap xccdf eval --report scan.html \
            --profile xccdf_org.ssgproject.content_profile_stig \
            /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
        ...
        Title   Uninstall nfs-utils Package
        Rule    xccdf_org.ssgproject.content_rule_package_nfs-utils_removed
        Ident   CCE-82932-5
        Result  fail

        Title   Enable the Hardware RNG Entropy Gatherer Service
        Rule    xccdf_org.ssgproject.content_rule_service_rngd_enabled
        Ident   CCE-82831-9
        Result  pass

        ## SCAN WITH THE REMEDIATE OPTION AND SAVE A REPORT AS remediated.html
        $ oscap xccdf eval --report remediated.html --remediate \
            --profile xccdf_org.ssgproject.content_profile_stig \
            /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
        ...
        Title   Uninstall nfs-utils Package
        Rule    xccdf_org.ssgproject.content_rule_package_nfs-utils_removed
        Ident   CCE-82932-5
        Result  fixed
  18. OpenShift File Integrity Operator

    Enable FileIntegrity checking. Monitor: scan nodes. Summarize: AIDE configuration, deploy AIDE pods. Observe / Notify (fileIntegrityNodeStatus).
    1. The operator scans the selected nodes to populate the AIDE database
    2. Repeat scans collect results and check them against the AIDE database.
    3. Admins can examine the scan results for status
    OCP 4.6
  19. Roadmap

  20. RH ACM and Compliance (Roadmap)

    Install, upgrade, reconcile, config: describe intent with declarative config. Maintain: monitor, scale, troubleshoot, backup. Observe.
    1. A user requests a new cluster
    2. Red Hat curates cluster configs, including RHCOS configs, to meet security profiles like CIS or NIST-800-53
    3. OpenShift operators apply updates; the Machine Config Operator applies the selected secure machine config for RHCOS updates
    4. Metrics are sent to Red Hat Insights for analysis via secured HTTPS.

    ContainerRuntimeConfig shown on the slide (the same example as on slide 5):

        apiVersion: machineconfiguration.openshift.io/v1
        kind: ContainerRuntimeConfig
        metadata:
          name: set-log-and-pid
        spec:
          machineConfigPoolSelector:
            matchLabels:
              debug-crio: config-log-and-pid
          containerRuntimeConfig:
            pidsLimit: 2048
            logLevel: debug
  21. What's next in OpenShift Security and Compliance (Q3CY2020). Product Manager: Kirsten Newcomer

    Compliance Profiles Roadmap (rows on the slide: Automation, Policies, Portfolio)

    Near Term (4.6+)
    • Integration: TBD
    • Operators: Compliance Operator (4.6); File Integrity Operator (4.6)
    • Policy Content: RH CoreOS controls (STIG); CIS OpenShift benchmark; FISMA Moderate (partial)

    Mid Term (1H 2021)
    • Integration: RH ACM deploys Compliance operator; RH ACM policies consumed by Compliance operator
    • Policy Content: Customize policy sets; PCI-DSS; ISO 27001; HIPAA; FISMA Moderate (more); Australian Essential 8
    • Operators: Compliance operator improvements

    Long Term (2H 2021)
    • Integration: TBD
    • Policy Content: TBD
    • Operators: SELinux policy operator and helper operator
  22. Thank you

    Red Hat is the world's leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. linkedin.com/company/red-hat, youtube.com/user/RedHatVideos, facebook.com/redhatinc, twitter.com/RedHat
  23. compliance-operator Custom Resources

    The compliance-operator uses several custom resources to allow you to configure what you need to comply with, and how, in a declarative manner: Profiles, TailoredProfiles, ProfileBundle, ScanSettings, ScanSetting Binding, Compliance Suite, Compliance Scan(s), Compliance Remediation(s), Compliance Check Result(s), Raw results.
  24. compliance-operator Custom Resources

    The compliance-operator uses several custom resources to allow you to configure what you need to comply with, and how, in a declarative manner: Profiles, TailoredProfiles, ScanSettings, ScanSetting Binding, Compliance Suite, Compliance Remediation(s), Compliance Check Result(s), Raw results.
  25. compliance-operator: Figure out your policies

    What do you need to comply with? Select a policy or create a tailored one that fits your needs. What's the organization's policy on scanning and monitoring systems? Resources involved: Profiles, TailoredProfiles, ScanSettings, ScanSetting Binding, Compliance Suite, Compliance Remediation(s), Compliance Check Result(s), Raw results.
  26. Pressures and costs

    Diagram: Pressures (Preserve Capital, Support Federal Programs, Cloud Infrastructure, Accelerate Digital Delivery) and Costs (Development, Security and Compliance), annotated with Increase, Decrease, Maintain Lending Ability and Maintain Regulatory Requirements.
  27. 43% of cybercrime attacks target the financial industry [1]

    • Overall cybercrime cost: $600 Billion annually, 0.8% of global GDP [2]
    • Cost to the global financial industry: $270B [3]
    Sources: 1. Celent, Neil Katkov, PhD - Mitigating Cyber Threats on Banking with Next Generation Platforms. 2. Celent, Joan McGowan - Combating Financial Crime at Scale, October 2018. 3. International Banker, Cost of Compliance, Nov 7 2018 - https://internationalbanker.com/technology/the-cost-of-compliance/
  28. Annual compliance cost impact to the financial industry: $270 Billion [1]

    • Compliance cost is 10% of operating budget [1]
    • Legal fees, data processing and staff [2]
    • 26% increase of full time compliance and audit employees since Dodd-Frank was introduced in 2010 [2]
    Sources: 1. International Banker, Cost of Compliance, Nov 7 2018 - https://internationalbanker.com/technology/the-cost-of-compliance/ 2. Cost of Compliance with the Dodd-Frank Act, Rice University Baker Institute for Public Policy Issue Brief 09-06-1029 - https://www.bakerinstitute.org/media/files/files/0febf883/bi-brief-090619-cpf-doddfrank.pdf
  29. The OpenShift Security Guide is Available

    • The OpenShift Security Guide is released on Amazon (Kindle format)
    • Also available to our customers via the customer portal
    • We are working on a page not requiring Red Hat login for download
    • Amazon Print On Demand option coming soon
    Product Manager: Kirsten Newcomer
  30. More details

  31. Workflow from the admin's point of view

    In order to check the cluster, an administrator creates a Kubernetes object of type ComplianceSuite. The operator then schedules scans and creates a ComplianceRemediation per found issue.
    • The ComplianceSuite is a collection of scans, typically one scan per machine config pool
    • Each scan defines what machines to check, with what content and what profile
    • ComplianceRemediations are created per issue; the admin then has the chance to review and apply them

    ComplianceSuite shown on the slide:

        apiVersion: complianceoperator.compliance.openshift.io/v1alpha1
        kind: ComplianceSuite
        metadata:
          name: example-compliancesuite
        spec:
          scans:
            - name: workers-scan
              profile: xccdf_org.ssgproject.content_profile_coreos-ncp
              content: ssg-ocp4-ds.xml
              contentImage: quay.io/jhrozek/ocp4-openscap-content:remediation_demo
              nodeSelector:
                node-role.kubernetes.io/worker: ""
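    A triage step for the review-and-apply workflow on this slide (and the scan, remediate, rescan flow on slide 12), as an added example that is not Red Hat's or the operator's own code: it reads ComplianceCheckResult objects in the shape `oc get compliancecheckresults -o json` returns (a constructed sample is embedded), lists the failures by severity, and emits the `oc patch` that sets `spec.apply: true` on the matching ComplianceRemediation so the cluster-admin can apply it after review. The rule names, the sample data and the `openshift-compliance` namespace default are assumptions.

```python
from collections import Counter

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample in the shape of `oc get compliancecheckresults -o json`
# (labels and other fields omitted). The rule names are invented; the
# top-level status and severity fields are the ones the operator sets.
SAMPLE_RESULTS = {"kind": "List", "items": [
    {"metadata": {"name": "workers-scan-example-audit-rule"},
     "status": "FAIL", "severity": "medium"},
    {"metadata": {"name": "workers-scan-example-sshd-rule"},
     "status": "FAIL", "severity": "high"},
    {"metadata": {"name": "workers-scan-example-pass-rule"},
     "status": "PASS", "severity": "low"},
]}
# Constructed: names of the ComplianceRemediation objects the operator created.
# A remediation is named after the check it fixes; not every failing check has one.
SAMPLE_REMEDIATIONS = ["workers-scan-example-sshd-rule"]


def failing_checks(results):
    """Return (name, severity) for every FAIL result, highest severity first."""
    fails = [(i["metadata"]["name"], i.get("severity", "unknown"))
             for i in results["items"] if i.get("status") == "FAIL"]
    return sorted(fails, key=lambda f: (SEVERITY_ORDER.get(f[1], 99), f[0]))


def status_summary(results):
    """Count results per status, e.g. Counter({'FAIL': 2, 'PASS': 1})."""
    return Counter(i.get("status", "UNKNOWN") for i in results["items"])


def plan_remediations(results, remediation_names, namespace="openshift-compliance"):
    """Split failures into checks that have an operator remediation (returned as
    the `oc patch` that sets spec.apply=true once the admin has reviewed it) and
    checks that need manual work. The namespace default is an assumption."""
    have = set(remediation_names)
    commands, manual = [], []
    for name, _severity in failing_checks(results):
        if name in have:
            commands.append(f"oc patch complianceremediations/{name} -n {namespace} "
                            "--type=merge --patch '{\"spec\":{\"apply\":true}}'")
        else:
            manual.append(name)
    return commands, manual


if __name__ == "__main__":
    print(dict(status_summary(SAMPLE_RESULTS)))
    cmds, manual = plan_remediations(SAMPLE_RESULTS, SAMPLE_REMEDIATIONS)
    print("\n".join(cmds))
    print("needs manual remediation:", manual)
```

    Nothing is applied by the script itself; the printed commands are what the cluster-admin runs after reviewing each remediation, followed by the rescan from slide 13.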
  32. Compliance operator: Current state

    Compliance-operator is a fairly new project. While many features already work, some are still under development. Here's what currently works:
    • The operator can be installed with the usual OLM workflow
    • Scans can be defined; they can scan the CoreOS nodes, gather remediations, and the remediations can be applied
    • Results are available either in XCCDF results format or as an ARF report
    • A lot of work has been done on actually triaging and assessing the compliance controls in order to create the actual content
  33. Compliance operator: Future work

    We still need to add some features before the operator is feature complete:
    • Scanning and checking the k8s cluster as opposed to the cluster nodes (requires OpenSCAP enhancements)
    • Better content coverage
    • Continuous scans to alert the administrator if the cluster diverges from the compliant state
    • UI/UX enhancements
  34. Compliance operator: Demo recording

  35. Operators

  36. WHY OPERATORS: Why Operator Framework? Automate Operations, of course

    Diagram: a developer deploys a stateful app; a while later, app services and operations teams must update, patch, backup, rebalance and scale it. With an app operator, the developer deploys the stateful app and the operator takes over update, patch, backup, rebalance and scale.
    Without operators:
    ▸ Difficult and error prone to manage at scale
    ▸ Inconsistent security controls across environments
    ▸ Overwhelming to verify components, configurations, policies, and compliance
    With operators:
    ▸ Easy to manage
    ▸ Consistent everywhere
    ▸ Automated compliance
  37. WHY OPERATORS: Why? Let's Compare Approaches

        Capability                                   Helm Chart   Operator
        Packaging                                    ✓            ✓
        App Installation                             ✓            ✓
        App Update (kubernetes manifests)            ✓            ✓
        App Upgrade (data migration, adaption, etc)  -            ✓
        Backup & Recovery                            -            ✓
        Workload & Log Analysis                      -            ✓
        Intelligent Scaling                          -            ✓
        Auto tuning                                  -            ✓
  38. ALL ABOUT OPERATORS: Kubernetes Operator Framework

    A way to manage application instances on Kubernetes in an effective, automated and scalable way. Automated lifecycle management: Installation, Upgrade, Backup, Failure recovery, Metrics & insights, Tuning.
  39. ALL ABOUT OPERATORS: What is an Operator

    Install, upgrade, reconcile, config. Maintain: monitor, scale, troubleshoot, backup. Observe.
    A method of packaging, deploying and managing a Kubernetes application. A Kubernetes application is an application that is both deployed on Kubernetes and managed using the Kubernetes APIs and kubectl tooling. To be able to make the most of Kubernetes, you need a set of cohesive APIs to extend in order to service and manage your applications that run on Kubernetes. A runtime that manages a specific type of application on Kubernetes.
  40. OpenShift Operators: A Fully Managed Lifecycle (operators operating operators)

    Diagram of the Operator Lifecycle Manager: an operator bundle (YourOperator v1.1.2) carries the Operator Deployment, Custom Resource Definitions, RBAC, API dependencies, update path and metadata. A Subscription for YourOperator resolves against the Operator Catalog, OLM installs the Deployment, Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount and CustomResourceDefinition, and follows the update path over time (v1.1.2 to v1.1.3 to v1.2.0). Dependencies are resolved the same way, e.g. a requirement on the Jaeger Operator (jaeger.jaegertracing.io/v1) or the CockroachDB Operator (cockroachdb.charts.helm.k8s.io/v1alpha1).
  41. NAPS

  42. A Complex Compliance Regime to achieve ATO

    A lot of rules to create for a risk-based policy and cost-effective security strategy:
    ▸ Applicable laws authored in 2002
    ▸ Multi-year development/production cycles were common & acceptable
    ▸ Pre GovCloud, C2S, MilCloud
    ▸ Waterfall dominant
    ▸ Infrastructure focus
    ▸ Need specific expertise to understand the jargon, processes, and tools
  43. SELECTING YOUR COMPLIANCE PROFILE

    DoD STIG. Criminal Justice. HIPAA. ....
    ▸ AC-2: Account Management
    ▸ AT-2: Security Awareness Training
    ▸ AU-8: Time Stamps
    ▸ AU-9: Protection of Audit Information
    ▸ CA-7: Plan of Action & Milestones
    ▸ CM-10: Software Usage Restrictions
    ▸ CP-2: Contingency Plan
    ▸ IA-5: Authenticator Management
    ▸ IA-2(12): Acceptance of PIV Credentials
    ▸ IR-8: Incident Response Plan
    ▸ MA-4: Nonlocal Maintenance