A journey from Configuration Management to Security of IT systems

Transcript

1. A journey from Configuration Management to Security of IT systems

2. All rights reserved Outline This talk is a feedback from

   what we did at Rudder. It presents the journey from an Automation and Configuration Management software to Security • The history of Rudder • The turning point(s) • The challenges • The next steps

3. All rights reserved Outline This talk is a feedback from

   what we did at Rudder. It presents the journey from an Automation and Configuration Management software to Security • The history of Rudder • The turning point(s) • The challenges • The next steps There’s no monster here, except maybe a strong French accent

4. All rights reserved Some history Rudder is an open source

   configuration management software created in 2011 Its main focuses were: • Management Web UI: Improve ease of use, and make configuration management inclusive

5. All rights reserved Some history Rudder is an open source

   configuration management software created in 2011 Its main focuses were: • Management Web UI: Improve ease of use, and make configuration management inclusive • Compliance: measure the difference between actual state and desired state

6. All rights reserved Some history Rudder is an open source

   configuration management software created in 2011 Its main focuses were: • Management Web UI: Improve ease of use, and make configuration management inclusive • Compliance: measure the difference between actual state and desired state • Tight feedback loop: Get the results of policy and see what was changed easily

7. All rights reserved Some history

8. All rights reserved What users did with Rudder Rudder was

   chosen for: • Compliance, • Ease of use

9. All rights reserved What users did with Rudder Rudder was

   chosen for: • Compliance, • Ease of use And used for • Configuring systems, • Inventories, • System audits, • Hardening, • Making visible what was not visible.

10. All rights reserved What users asked with Rudder Users asked

    for specific features within Rudder: • Audit mode • Built-in hardening rules (like CIS) • OpenSCAP integration • CVE detection • Patch management

11. Meanwhile in the configuration management landscape ….

12. All rights reserved Consolidation in Configuration Management

13. All rights reserved Difficult market fit for Rudder How should

    we present Rudder? • Infra as Code ◦ But there’s little code written from user • No-code ◦ But there’s still things to implement

14. All rights reserved Difficult market fit for Rudder Users typically

    didn’t benefit from Rudder signature features • System administrators usually didn’t have to prove what they did ◦ Especially not with PDF • System administrators usually don’t like to click their way through configuration ◦ Except Windows admins

15. All rights reserved Context changed Security became more and more

    important • International norms (CIS, ANSSI, …) • Malwares and ransomwares ◦ It’s not a question of “if” but “when” • A lot of pedagogy around security in France by ANSSI

16. All rights reserved Time for a change What is the

    future and purpose of Rudder? • New CEO with a cybersecurity mindset • Rudder had some very strong points for security ◦ Visibility ◦ Continuous approach ◦ Compliance

17. All rights reserved Time for a change What is the

    future and purpose of Rudder? • New CEO with a cybersecurity mindset • Rudder had some very strong points for security ◦ Visibility ◦ Continuous approach ◦ Compliance “Rudder users can prove their compliance and improve their security posture”

18. All rights reserved Time for a change How to change

    a product? • Without messing with existing users UX • Without destroying the product • Without making it like with put a sticker on it

19. All rights reserved Product led growth Steady change in the

    product • No big bang • New entries in menu ◦ Discoverable by users

20. All rights reserved Change in product presentation System administrators, cloud

    users and also security teams in charge of hardening will excel thanks to Rudder. Continuous hardening, control and audit of the Security Posture, application of security standard recommendations, patch management application can be fulfilled by Rudder.

21. All rights reserved Change in product presentation

22. All rights reserved Change in product presentation https://www.puppet.com/blog/security-automation-tools

23. All rights reserved How did the users react? Most existing

    users warmly welcomed the change: • Aligned with their needs • Allow them to reduce the number of softwares in their stack, or • Tightly integrate softwares of their stack

24. All rights reserved How did the users react? Some new

    users are confused: • We are not a pure security software, or pure patch management software • Expectations are not always met • Configuration management is sometimes badly understood by people from security

25. What do we do now?

26. All rights reserved What’s now? Use Rudder as a Single

    Source of Compliance Compliance Resource Compliance Resource Legacy agent Compatible Linux agent Compatible Win. agent API

27. All rights reserved What’s now? Improve the value of configuration

    management through data

28. All rights reserved What’s now? Improve the value of configuration

    management through data Put data into perspective and add context to it Gather data from external sources Change our “configuration-first” approach for compliance

29. All rights reserved What’s now? Improve the value of configuration

    management through data “Which nodes are impacted by this specific vulnerability?” “Find nodes with specific SLAs that have poor compliance?” “Be notified when nodes in this datacenter with these properties have compliance issues”

30. All rights reserved What’s now? Improve the value of configuration

    management through data We have full nodes inventories We have logical grouping of nodes We have policies applied We have compliance We have external datas

31. All rights reserved Solution Make compliance explorable • Unified structured

    API to query in a similar way all aspects of Rudder Nodes Groups Parameters Techniques Directives Rules Compliance System updates Patch management campaign Vulnerabilities External resources …

32. All rights reserved Solution Make compliance explorable • Unified structured

    API to query in a similar way all aspects of Rudder • Pluggable and extensible

33. All rights reserved Solution Make compliance explorable • Unified structured

    API to query in a similar way all aspects of Rudder • Pluggable and extensible • Fast enough

34. All rights reserved Solution Make compliance explorable • Unified structured

    API to query in a similar way all aspects of Rudder • Pluggable and extensible • Fast enough • Easy to maintain

35. All rights reserved Solution GraphQL is a query language based

    on graphs with: • Strict description of resources available • Queries/Mutations/Subscriptions • Aggregation over different backends

36. All rights reserved Solution Compliance data Compliance browser GraphQL base

37. Side topics

38. All rights reserved Security as part of the product development

    process There are two great talks about it Securing the software supply chain for Infra management tools 2023-02-07, 14:00–14:50, B.3.037 (50 minutes ago) How do we make Rudder secure? 2023-02-06, 15:55–16:20, B.2.009 (yesterday) https://commons.wikimedia.org/wiki/File:Backward_Clock_-_geograph.org.uk_-_1077661.jpg

39. All rights reserved Security as part of the product development

    process Rudder has a significant impact on the infrastructure: • Runs with admin rights on every systems • Talks on the network • Expose data on multiple interfaces and users

40. All rights reserved Security as part of the product development

    process Rudder is a complex software: • Many components in different languages • Several level of abstractions and interfaces

41. All rights reserved Security as part of the product development

    process Security is now a first class citizen in the product roadmap: • Frontend side ◦ Proper session expiration ◦ XSS hardening (CSP, etc.) ◦ CSRF hardening (SameSite) ◦ HSTS (built-in setting) ◦ Package manager for JS/CSS dependencies (npm)

42. All rights reserved Security as part of the product development

    process Security is a first class citizen in the product roadmap: • Frontend side • Building pipeline ◦ Compilation hardening options ◦ Vulnerability detection in libraries (automated when possible) ◦ Code signature

43. All rights reserved Security as part of the product development

    process Security is a first class citizen in the product roadmap: • Frontend side • Building pipeline • Backend side ◦ Sandboxing policies ◦ TODO: Stop using root for services listening on the network ◦ TODO: Built-in 2FA ◦ TODO: TLS 1.3

44. All rights reserved Security as part of the product development

    process Regular training for development team on best practices Systematic security assessment of new features/changes

45. All rights reserved Pentests Our customers pentest Rudder, and share

    the result with us

46. All rights reserved Evolution from configuration management to security

47. All rights reserved Evolution from configuration management to security This

    is the logical evolution of Rudder - continuous compliance and configuration are the building blocks for adding values to the teams using Rudder

48. Questions?