Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A journey from Configuration Management to Security of IT systems

Rudder
February 07, 2023

A journey from Configuration Management to Security of IT systems

🎥 https://youtu.be/t0oRQ0EFo9E
🧑 Nicolas Charles
📅 Configuration Management Camp 2023

Configuration Management is nearly ubiquituous and a solved problem. It allows system administrator and developpers to excel at their job and many uses cases which would hardly be feasible without it.
Most notably, the main features of configuration management, continuous configuration and compliance are enabler for hardening of systems by security team, and to reach and maintain an improved Security Posture.

This talk will present how and why Rudder is evolving to incorporate operational security into its core features while strenghtening the fundamentals of configuration management. We'll show the impacts on the product, mainly on the compliance aspect with integration of compliance information from other sources and making the compliance queryable using GraphQL, and what it changes on the software principle.

Rudder

February 07, 2023
Tweet

More Decks by Rudder

Other Decks in Technology

Transcript

  1. A journey from Configuration Management to
    Security of IT systems

    View full-size slide

  2. All rights reserved
    Outline
    This talk is a feedback from what we did at Rudder.
    It presents the journey from an Automation and Configuration Management software
    to Security
    ● The history of Rudder
    ● The turning point(s)
    ● The challenges
    ● The next steps

    View full-size slide

  3. All rights reserved
    Outline
    This talk is a feedback from what we did at Rudder.
    It presents the journey from an Automation and Configuration Management software
    to Security
    ● The history of Rudder
    ● The turning point(s)
    ● The challenges
    ● The next steps
    There’s no monster here, except maybe a strong French accent

    View full-size slide

  4. All rights reserved
    Some history
    Rudder is an open source configuration management software created in 2011
    Its main focuses were:
    ● Management Web UI: Improve ease of use, and make configuration management
    inclusive

    View full-size slide

  5. All rights reserved
    Some history
    Rudder is an open source configuration management software created in 2011
    Its main focuses were:
    ● Management Web UI: Improve ease of use, and make configuration management
    inclusive
    ● Compliance: measure the difference between actual state and desired state

    View full-size slide

  6. All rights reserved
    Some history
    Rudder is an open source configuration management software created in 2011
    Its main focuses were:
    ● Management Web UI: Improve ease of use, and make configuration management
    inclusive
    ● Compliance: measure the difference between actual state and desired state
    ● Tight feedback loop: Get the results of policy and see what was changed easily

    View full-size slide

  7. All rights reserved
    Some history

    View full-size slide

  8. All rights reserved
    What users did with Rudder
    Rudder was chosen for:
    ● Compliance,
    ● Ease of use

    View full-size slide

  9. All rights reserved
    What users did with Rudder
    Rudder was chosen for:
    ● Compliance,
    ● Ease of use
    And used for
    ● Configuring systems,
    ● Inventories,
    ● System audits,
    ● Hardening,
    ● Making visible what was not visible.

    View full-size slide

  10. All rights reserved
    What users asked with Rudder
    Users asked for specific features within Rudder:
    ● Audit mode
    ● Built-in hardening rules (like CIS)
    ● OpenSCAP integration
    ● CVE detection
    ● Patch management

    View full-size slide

  11. Meanwhile in the configuration management
    landscape ….

    View full-size slide

  12. All rights reserved
    Consolidation in Configuration Management

    View full-size slide

  13. All rights reserved
    Difficult market fit for Rudder
    How should we present Rudder?
    ● Infra as Code
    ○ But there’s little code written from user
    ● No-code
    ○ But there’s still things to implement

    View full-size slide

  14. All rights reserved
    Difficult market fit for Rudder
    Users typically didn’t benefit from Rudder signature features
    ● System administrators usually didn’t have to prove what they did
    ○ Especially not with PDF
    ● System administrators usually don’t like to click their way through configuration
    ○ Except Windows admins

    View full-size slide

  15. All rights reserved
    Context changed
    Security became more and more important
    ● International norms (CIS, ANSSI, …)
    ● Malwares and ransomwares
    ○ It’s not a question of “if” but “when”
    ● A lot of pedagogy around security in France by ANSSI

    View full-size slide

  16. All rights reserved
    Time for a change
    What is the future and purpose of Rudder?
    ● New CEO with a cybersecurity mindset
    ● Rudder had some very strong points for security
    ○ Visibility
    ○ Continuous approach
    ○ Compliance

    View full-size slide

  17. All rights reserved
    Time for a change
    What is the future and purpose of Rudder?
    ● New CEO with a cybersecurity mindset
    ● Rudder had some very strong points for security
    ○ Visibility
    ○ Continuous approach
    ○ Compliance
    “Rudder users can prove their compliance and improve their security posture”

    View full-size slide

  18. All rights reserved
    Time for a change
    How to change a product?
    ● Without messing with existing users UX
    ● Without destroying the product
    ● Without making it like with put a sticker on it

    View full-size slide

  19. All rights reserved
    Product led growth
    Steady change in the product
    ● No big bang
    ● New entries in menu
    ○ Discoverable by users

    View full-size slide

  20. All rights reserved
    Change in product presentation
    System administrators, cloud users and also security teams in charge of hardening will
    excel thanks to Rudder.
    Continuous hardening, control and audit of the Security Posture, application of
    security standard recommendations, patch management application can be fulfilled by
    Rudder.

    View full-size slide

  21. All rights reserved
    Change in product presentation

    View full-size slide

  22. All rights reserved
    Change in product presentation
    https://www.puppet.com/blog/security-automation-tools

    View full-size slide

  23. All rights reserved
    How did the users react?
    Most existing users warmly welcomed the change:
    ● Aligned with their needs
    ● Allow them to reduce the number of softwares in their stack, or
    ● Tightly integrate softwares of their stack

    View full-size slide

  24. All rights reserved
    How did the users react?
    Some new users are confused:
    ● We are not a pure security software, or pure patch management software
    ● Expectations are not always met
    ● Configuration management is sometimes badly understood by people from
    security

    View full-size slide

  25. What do we do now?

    View full-size slide

  26. All rights reserved
    What’s now?
    Use Rudder as a Single Source of Compliance
    Compliance
    Resource
    Compliance
    Resource
    Legacy
    agent
    Compatible
    Linux agent
    Compatible
    Win. agent
    API

    View full-size slide

  27. All rights reserved
    What’s now?
    Improve the value of configuration management through data

    View full-size slide

  28. All rights reserved
    What’s now?
    Improve the value of configuration management through data
    Put data into perspective and add context to it
    Gather data from external sources
    Change our “configuration-first” approach for compliance

    View full-size slide

  29. All rights reserved
    What’s now?
    Improve the value of configuration management through data
    “Which nodes are impacted by this specific vulnerability?”
    “Find nodes with specific SLAs that have poor compliance?”
    “Be notified when nodes in this datacenter with these properties have compliance
    issues”

    View full-size slide

  30. All rights reserved
    What’s now?
    Improve the value of configuration management through data
    We have full nodes inventories
    We have logical grouping of nodes
    We have policies applied
    We have compliance
    We have external datas

    View full-size slide

  31. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    Nodes
    Groups
    Parameters
    Techniques
    Directives
    Rules
    Compliance
    System updates
    Patch management campaign
    Vulnerabilities
    External resources

    View full-size slide

  32. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    ● Pluggable and extensible

    View full-size slide

  33. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    ● Pluggable and extensible
    ● Fast enough

    View full-size slide

  34. All rights reserved
    Solution
    Make compliance explorable
    ● Unified structured API to query in a similar way all aspects of Rudder
    ● Pluggable and extensible
    ● Fast enough
    ● Easy to maintain

    View full-size slide

  35. All rights reserved
    Solution
    GraphQL is a query language based on graphs with:
    ● Strict description of resources available
    ● Queries/Mutations/Subscriptions
    ● Aggregation over different backends

    View full-size slide

  36. All rights reserved
    Solution
    Compliance
    data
    Compliance
    browser
    GraphQL base

    View full-size slide

  37. All rights reserved
    Security as part of the product development process
    There are two great talks about it
    Securing the software supply chain for Infra management tools
    2023-02-07, 14:00–14:50, B.3.037 (50 minutes ago)
    How do we make Rudder secure?
    2023-02-06, 15:55–16:20, B.2.009 (yesterday)
    https://commons.wikimedia.org/wiki/File:Backward_Clock_-_geograph.org.uk_-_1077661.jpg

    View full-size slide

  38. All rights reserved
    Security as part of the product development process
    Rudder has a significant impact on the infrastructure:
    ● Runs with admin rights on every systems
    ● Talks on the network
    ● Expose data on multiple interfaces and users

    View full-size slide

  39. All rights reserved
    Security as part of the product development process
    Rudder is a complex software:
    ● Many components in different languages
    ● Several level of abstractions and interfaces

    View full-size slide

  40. All rights reserved
    Security as part of the product development process
    Security is now a first class citizen in the product roadmap:
    ● Frontend side
    ○ Proper session expiration
    ○ XSS hardening (CSP, etc.)
    ○ CSRF hardening (SameSite)
    ○ HSTS (built-in setting)
    ○ Package manager for JS/CSS dependencies (npm)

    View full-size slide

  41. All rights reserved
    Security as part of the product development process
    Security is a first class citizen in the product roadmap:
    ● Frontend side
    ● Building pipeline
    ○ Compilation hardening options
    ○ Vulnerability detection in libraries (automated when possible)
    ○ Code signature

    View full-size slide

  42. All rights reserved
    Security as part of the product development process
    Security is a first class citizen in the product roadmap:
    ● Frontend side
    ● Building pipeline
    ● Backend side
    ○ Sandboxing policies
    ○ TODO: Stop using root for services listening on the network
    ○ TODO: Built-in 2FA
    ○ TODO: TLS 1.3

    View full-size slide

  43. All rights reserved
    Security as part of the product development process
    Regular training for development team on best practices
    Systematic security assessment of new features/changes

    View full-size slide

  44. All rights reserved
    Pentests
    Our customers pentest Rudder, and share the result with us

    View full-size slide

  45. All rights reserved
    Evolution from configuration management to security

    View full-size slide

  46. All rights reserved
    Evolution from configuration management to security
    This is the logical evolution of Rudder - continuous compliance and configuration are
    the building blocks for adding values to the teams using Rudder

    View full-size slide