Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A journey from Configuration Management to Security of IT systems

Rudder
February 07, 2023
Technology
0
18

A journey from Configuration Management to Security of IT systems

🎥 https://youtu.be/t0oRQ0EFo9E
🧑 Nicolas Charles
📅 Configuration Management Camp 2023

Configuration Management is nearly ubiquituous and a solved problem. It allows system administrator and developpers to excel at their job and many uses cases which would hardly be feasible without it.
Most notably, the main features of configuration management, continuous configuration and compliance are enabler for hardening of systems by security team, and to reach and maintain an improved Security Posture.

This talk will present how and why Rudder is evolving to incorporate operational security into its core features while strenghtening the fundamentals of configuration management. We'll show the impacts on the product, mainly on the compliance aspect with integration of compliance information from other sources and making the compliance queryable using GraphQL, and what it changes on the software principle.

Rudder

February 07, 2023
Tweet

More Decks by Rudder

See All by Rudder
Securing the software supply chain for infra management software
rudder
0
67
Rudder: what is it and what makes it different?
rudder
0
49
How do we make Rudder secure?
rudder
0
34
Rudder users and uses: Tales from a survey
rudder
0
2
Configuration compliance in 2022
rudder
0
64
DevSecOps: Sécurisez en continu vos infrastructures hybrides
rudder
0
44
Zabbix Meetup - Rudder integration for devops teams
rudder
0
30
CVE : accélérez la remédiation des vulnérabilités pour sécuriser vos systèmes
rudder
0
68
Feedback on scalability and load testing of a configuration management software
rudder
0
77

Other Decks in Technology

See All in Technology
モノリスからの脱却に向けた 物流システムリプレイスの概要紹介 / Towards Decentralized Logistics System Replacement from Monolithic Structure
yumayabe
0
340
Modern Testing Tools for Java Developers
eliasnogueira
1
140
CloudWatchでバレる 「君、仕事中にyo〇tube観てたよね?」
kadogen_0527
1
300
金融系子会社でレガシーシステムしか作ったことないけど、モダン開発に挑戦してみた
marikashiotsuki
1
110
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
26k
Web API development in Visual Studio 2022
tsubakimoto_s
0
140
バクラクのAI-OCR機能の体験を支える良質なデータセット作成の仕組み / data-centric-ai-bakuraku-dataset
yuya4
1
500
Large Language Models: From Prototype to Production
inesmontani
PRO
9
2.9k
組織の立ち上げと体制変更の1年
tarappo
2
880
推薦によるプロダクト改善とマイクロサービスが噛み合った話
hazumirr
1
140
アクセシビリティへの取り組みにおいての内発的動機付け
junkifurukawa
0
110
Riverpodに機能追加したときの話
k9i
4
270

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
118
7.8k
Designing for Performance
lara
601
65k
Building Your Own Lightsaber
phodgson
96
5k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
What's new in Ruby 2.0
geeforr
336
30k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Documentation Writing (for coders)
carmenintech
53
3.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
Side Projects
sachag
450
39k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
4 Signs Your Business is Dying
shpigford
171
21k

Transcript

  1. A journey from Configuration Management to
    Security of IT systems

    View Slide

  2. All rights reserved
    Outline
    This talk is a feedback from what we did at Rudder.
    It presents the journey from an Automation and Configuration Management software
    to Security
    ● The history of Rudder
    ● The turning point(s)
    ● The challenges
    ● The next steps

    View Slide

  3. All rights reserved
    Outline
    This talk is a feedback from what we did at Rudder.
    It presents the journey from an Automation and Configuration Management software
    to Security
    ● The history of Rudder
    ● The turning point(s)
    ● The challenges
    ● The next steps
    There’s no monster here, except maybe a strong French accent

    View Slide

  4. All rights reserved
    Some history
    Rudder is an open source configuration management software created in 2011
    Its main focuses were:
    ● Management Web UI: Improve ease of use, and make configuration management
    inclusive

    View Slide

  5. All rights reserved
    Some history
    Rudder is an open source configuration management software created in 2011
    Its main focuses were:
    ● Management Web UI: Improve ease of use, and make configuration management
    inclusive
    ● Compliance: measure the difference between actual state and desired state

    View Slide

  6. All rights reserved
    Some history
    Rudder is an open source configuration management software created in 2011
    Its main focuses were:
    ● Management Web UI: Improve ease of use, and make configuration management
    inclusive
    ● Compliance: measure the difference between actual state and desired state
    ● Tight feedback loop: Get the results of policy and see what was changed easily

    View Slide

  7. All rights reserved
    Some history

    View Slide

  8. All rights reserved
    What users did with Rudder
    Rudder was chosen for:
    ● Compliance,
    ● Ease of use

    View Slide

  9. All rights reserved
    What users did with Rudder
    Rudder was chosen for:
    ● Compliance,
    ● Ease of use
    And used for
    ● Configuring systems,
    ● Inventories,
    ● System audits,
    ● Hardening,
    ● Making visible what was not visible.

    View Slide

  10. All rights reserved
    What users asked with Rudder
    Users asked for specific features within Rudder:
    ● Audit mode
    ● Built-in hardening rules (like CIS)
    ● OpenSCAP integration
    ● CVE detection
    ● Patch management

    View Slide

  11. Meanwhile in the configuration management
    landscape ….

    View Slide

  12. All rights reserved
    Consolidation in Configuration Management

    View Slide

  13. All rights reserved
    Difficult market fit for Rudder
    How should we present Rudder?
    ● Infra as Code
    ○ But there’s little code written from user
    ● No-code
    ○ But there’s still things to implement

    View Slide

  14. All rights reserved
    Difficult market fit for Rudder
    Users typically didn’t benefit from Rudder signature features
    ● System administrators usually didn’t have to prove what they did
    ○ Especially not with PDF
    ● System administrators usually don’t like to click their way through configuration
    ○ Except Windows admins

    View Slide

  15. All rights reserved
    Context changed
    Security became more and more important
    ● International norms (CIS, ANSSI, …)
    ● Malwares and ransomwares
    ○ It’s not a question of “if” but “when”
    ● A lot of pedagogy around security in France by ANSSI

    View Slide

  16. All rights reserved
    Time for a change
    What is the future and purpose of Rudder?
    ● New CEO with a cybersecurity mindset
    ● Rudder had some very strong points for security
    ○ Visibility
    ○ Continuous approach
    ○ Compliance

    View Slide

  17. All rights reserved
    Time for a change
    What is the future and purpose of Rudder?
    ● New CEO with a cybersecurity mindset
    ● Rudder had some very strong points for security
    ○ Visibility
    ○ Continuous approach
    ○ Compliance
    “Rudder users can prove their compliance and improve their security posture”

    View Slide

  18. All rights reserved
    Time for a change
    How to change a product?
    ● Without messing with existing users UX
    ● Without destroying the product
    ● Without making it like with put a sticker on it

    View Slide

  19. All rights reserved
    Product led growth
    Steady change in the product
    ● No big bang
    ● New entries in menu
    ○ Discoverable by users

    View Slide

  20. All rights reserved
    Change in product presentation
    System administrators, cloud users and also security teams in charge of hardening will
    excel thanks to Rudder.
    Continuous hardening, control and audit of the Security Posture, application of
    security standard recommendations, patch management application can be fulfilled by
    Rudder.

    View Slide

  21. All rights reserved
    Change in product presentation

    View Slide

  22. All rights reserved
    Change in product presentation
    https://www.puppet.com/blog/security-automation-tools

    View Slide

  23. All rights reserved
    How did the users react?
    Most existing users warmly welcomed the change:
    ● Aligned with their needs
    ● Allow them to reduce the number of softwares in their stack, or
    ● Tightly integrate softwares of their stack

    View Slide

  24. All rights reserved
    How did the users react?
    Some new users are confused:
    ● We are not a pure security software, or pure patch management software
    ● Expectations are not always met
    ● Configuration management is sometimes badly understood by people from
    security

    View Slide

  25. What do we do now?

    View Slide

  26. All rights reserved
    What’s now?
    Use Rudder as a Single Source of Compliance
    Compliance
    Resource
    Compliance
    Resource
    Legacy
    agent
    Compatible
    Linux agent
    Compatible
    Win. agent
    API

    View Slide

  27. All rights reserved
    What’s now?
    Improve the value of configuration management through data

    View Slide

  28. All rights reserved
    What’s now?
    Improve the value of configuration management through data
    Put data into perspective and add context to it
    Gather data from external sources
    Change our “configuration-first” approach for compliance

    View Slide

  29. All rights reserved
    What’s now?
    Improve the value of configuration management through data
    “Which nodes are impacted by this specific vulnerability?”
    “Find nodes with specific SLAs that have poor compliance?”
    “Be notified when nodes in this datacenter with these properties have compliance
    issues”

    View Slide

  30. All rights reserved
    What’s now?
    Improve the value of configuration management through data
    We have full nodes inventories
    We have logical grouping of nodes
    We have policies applied
    We have compliance
    We have external datas

    View Slide

  31. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    Nodes
    Groups
    Parameters
    Techniques
    Directives
    Rules
    Compliance
    System updates
    Patch management campaign
    Vulnerabilities
    External resources

    View Slide

  32. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    ● Pluggable and extensible

    View Slide

  33. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    ● Pluggable and extensible
    ● Fast enough

    View Slide

  34. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    ● Pluggable and extensible
    ● Fast enough
    ● Easy to maintain

    View Slide

  35. All rights reserved
    Solution
    GraphQL is a query language based on graphs with:
    ● Strict description of resources available
    ● Queries/Mutations/Subscriptions
    ● Aggregation over different backends

    View Slide

  36. All rights reserved
    Solution
    Compliance
    data
    Compliance
    browser
    GraphQL base

    View Slide

  37. Side topics

    View Slide

  38. All rights reserved
    Security as part of the product development process
    There are two great talks about it
    Securing the software supply chain for Infra management tools
    2023-02-07, 14:00–14:50, B.3.037 (50 minutes ago)
    How do we make Rudder secure?
    2023-02-06, 15:55–16:20, B.2.009 (yesterday)
    https://commons.wikimedia.org/wiki/File:Backward_Clock_-_geograph.org.uk_-_1077661.jpg

    View Slide

  39. All rights reserved
    Security as part of the product development process
    Rudder has a significant impact on the infrastructure:
    ● Runs with admin rights on every systems
    ● Talks on the network
    ● Expose data on multiple interfaces and users

    View Slide

  40. All rights reserved
    Security as part of the product development process
    Rudder is a complex software:
    ● Many components in different languages
    ● Several level of abstractions and interfaces

    View Slide

  41. All rights reserved
    Security as part of the product development process
    Security is now a first class citizen in the product roadmap:
    ● Frontend side
    ○ Proper session expiration
    ○ XSS hardening (CSP, etc.)
    ○ CSRF hardening (SameSite)
    ○ HSTS (built-in setting)
    ○ Package manager for JS/CSS dependencies (npm)

    View Slide

  42. All rights reserved
    Security as part of the product development process
    Security is a first class citizen in the product roadmap:
    ● Frontend side
    ● Building pipeline
    ○ Compilation hardening options
    ○ Vulnerability detection in libraries (automated when possible)
    ○ Code signature

    View Slide

  43. All rights reserved
    Security as part of the product development process
    Security is a first class citizen in the product roadmap:
    ● Frontend side
    ● Building pipeline
    ● Backend side
    ○ Sandboxing policies
    ○ TODO: Stop using root for services listening on the network
    ○ TODO: Built-in 2FA
    ○ TODO: TLS 1.3

    View Slide

  44. All rights reserved
    Security as part of the product development process
    Regular training for development team on best practices
    Systematic security assessment of new features/changes

    View Slide

  45. All rights reserved
    Pentests
    Our customers pentest Rudder, and share the result with us

    View Slide

  46. All rights reserved
    Evolution from configuration management to security

    View Slide

  47. All rights reserved
    Evolution from configuration management to security
    This is the logical evolution of Rudder - continuous compliance and configuration are
    the building blocks for adding values to the teams using Rudder

    View Slide

  48. Questions?

    View Slide