A journey from Configuration Management to Security of IT systems

Rudder
February 07, 2023

🎥 https://youtu.be/t0oRQ0EFo9E
🧑 Nicolas Charles
📅 Configuration Management Camp 2023

Configuration Management is nearly ubiquitous and a solved problem. It allows system administrators and developers to excel at their job and enables many use cases which would hardly be feasible without it.
Most notably, the main features of configuration management, continuous configuration and compliance, enable security teams to harden systems and to reach and maintain an improved Security Posture.

This talk will present how and why Rudder is evolving to incorporate operational security into its core features while strengthening the fundamentals of configuration management. We'll show the impacts on the product, mainly on the compliance aspect, with the integration of compliance information from other sources and making compliance queryable using GraphQL, and what this changes in the software's principles.

Transcript

  1. All rights reserved. Outline: This talk is feedback on what we did at Rudder. It presents the journey from an Automation and Configuration Management software to Security • The history of Rudder • The turning point(s) • The challenges • The next steps
  2. Outline: This talk is feedback on what we did at Rudder. It presents the journey from an Automation and Configuration Management software to Security • The history of Rudder • The turning point(s) • The challenges • The next steps. There’s no monster here, except maybe a strong French accent
  3. Some history: Rudder is an open source configuration management software created in 2011. Its main focuses were: • Management Web UI: Improve ease of use, and make configuration management inclusive
  4. Some history: Rudder is an open source configuration management software created in 2011. Its main focuses were: • Management Web UI: Improve ease of use, and make configuration management inclusive • Compliance: measure the difference between actual state and desired state
  5. Some history: Rudder is an open source configuration management software created in 2011. Its main focuses were: • Management Web UI: Improve ease of use, and make configuration management inclusive • Compliance: measure the difference between actual state and desired state • Tight feedback loop: Get the results of policy and see what was changed easily
  6. What users did with Rudder: Rudder was chosen for: • Compliance • Ease of use
  7. What users did with Rudder: Rudder was chosen for: • Compliance • Ease of use. And used for: • Configuring systems • Inventories • System audits • Hardening • Making visible what was not visible
  8. What users asked with Rudder: Users asked for specific features within Rudder: • Audit mode • Built-in hardening rules (like CIS) • OpenSCAP integration • CVE detection • Patch management
  9. Difficult market fit for Rudder: How should we present Rudder? • Infra as Code ◦ But there’s little code written by the user • No-code ◦ But there are still things to implement
  10. Difficult market fit for Rudder: Users typically didn’t benefit from Rudder’s signature features • System administrators usually didn’t have to prove what they did ◦ Especially not with PDF • System administrators usually don’t like to click their way through configuration ◦ Except Windows admins
  11. Context changed: Security became more and more important • International norms (CIS, ANSSI, …) • Malware and ransomware ◦ It’s not a question of “if” but “when” • A lot of pedagogy around security in France by ANSSI
  12. Time for a change: What is the future and purpose of Rudder? • New CEO with a cybersecurity mindset • Rudder had some very strong points for security ◦ Visibility ◦ Continuous approach ◦ Compliance
  13. Time for a change: What is the future and purpose of Rudder? • New CEO with a cybersecurity mindset • Rudder had some very strong points for security ◦ Visibility ◦ Continuous approach ◦ Compliance. “Rudder users can prove their compliance and improve their security posture”
  14. Time for a change: How to change a product? • Without messing with existing users’ UX • Without destroying the product • Without making it look like we put a sticker on it
  15. Product led growth: Steady change in the product • No big bang • New entries in menu ◦ Discoverable by users
  16. Change in product presentation: System administrators, cloud users and also security teams in charge of hardening will excel thanks to Rudder. Continuous hardening, control and audit of the Security Posture, application of security standard recommendations, and patch management can all be fulfilled by Rudder.
  17. How did the users react? Most existing users warmly welcomed the change: • Aligned with their needs • Allows them to reduce the number of software products in their stack, or • Tightly integrate the software in their stack
  18. How did the users react? Some new users are confused: • We are not a pure security software, or pure patch management software • Expectations are not always met • Configuration management is sometimes badly understood by people from security
  19. What’s now? Use Rudder as a Single Source of Compliance. [Diagram labels: Compliance Resource; Compliance Resource; Legacy agent; Compatible Linux agent; Compatible Win. agent; API]
  20. What’s now? Improve the value of configuration management through data • Put data into perspective and add context to it • Gather data from external sources • Change our “configuration-first” approach for compliance
  21. What’s now? Improve the value of configuration management through data • “Which nodes are impacted by this specific vulnerability?” • “Find nodes with specific SLAs that have poor compliance?” • “Be notified when nodes in this datacenter with these properties have compliance issues”
  22. What’s now? Improve the value of configuration management through data • We have full node inventories • We have logical grouping of nodes • We have policies applied • We have compliance • We have external data
  23. Solution: Make compliance explorable • Unified structured API to query in a similar way all aspects of Rudder: Nodes, Groups, Parameters, Techniques, Directives, Rules, Compliance, System updates, Patch management campaign, Vulnerabilities, External resources, …
  24. Solution: Make compliance explorable • Unified structured API to query in a similar way all aspects of Rudder • Pluggable and extensible
  25. Solution: Make compliance explorable • Unified structured API to query in a similar way all aspects of Rudder • Pluggable and extensible • Fast enough
  26. Solution: Make compliance explorable • Unified structured API to query in a similar way all aspects of Rudder • Pluggable and extensible • Fast enough • Easy to maintain
  27. Solution: GraphQL is a query language based on graphs with: • Strict description of resources available • Queries/Mutations/Subscriptions • Aggregation over different backends
  28. Security as part of the product development process: There are two great talks about it • Securing the software supply chain for Infra management tools, 2023-02-07, 14:00–14:50, B.3.037 (50 minutes ago) • How do we make Rudder secure?, 2023-02-06, 15:55–16:20, B.2.009 (yesterday). Image: https://commons.wikimedia.org/wiki/File:Backward_Clock_-_geograph.org.uk_-_1077661.jpg
  29. Security as part of the product development process: Rudder has a significant impact on the infrastructure: • Runs with admin rights on every system • Talks on the network • Exposes data on multiple interfaces and users
  30. Security as part of the product development process: Rudder is a complex software: • Many components in different languages • Several levels of abstraction and interfaces
  31. Security as part of the product development process: Security is now a first class citizen in the product roadmap: • Frontend side ◦ Proper session expiration ◦ XSS hardening (CSP, etc.) ◦ CSRF hardening (SameSite) ◦ HSTS (built-in setting) ◦ Package manager for JS/CSS dependencies (npm)
  32. Security as part of the product development process: Security is a first class citizen in the product roadmap: • Frontend side • Building pipeline ◦ Compilation hardening options ◦ Vulnerability detection in libraries (automated when possible) ◦ Code signature
  33. Security as part of the product development process: Security is a first class citizen in the product roadmap: • Frontend side • Building pipeline • Backend side ◦ Sandboxing policies ◦ TODO: Stop using root for services listening on the network ◦ TODO: Built-in 2FA ◦ TODO: TLS 1.3
  34. Security as part of the product development process: • Regular training for development team on best practices • Systematic security assessment of new features/changes
  35. Evolution from configuration management to security: This is the logical evolution of Rudder - continuous compliance and configuration are the building blocks for adding value to the teams using Rudder