Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Servers compliance: audit, remediation, proof

Rudder
December 11, 2019
Technology
0
20

Servers compliance: audit, remediation, proof

Security is everyone's business, an exploited breach is enough. Teams are aware of this and yet it is still as difficult as ever to be able to ensure, be confident, and reassure others (prove) that at least one party is under control.

And when it comes to server infrastructure, especially at the OS / middleware level, everything gets complicated. Even with an operational security team, it is difficult to ensure that the Information System Security Policy and security recommendations are properly implemented on all servers.

How can we be sure that our security policies are properly applied on all our servers other than through a massive and costly audit? Even if they were when they were created, how do you know if they remain perfectly compliant after a few days / weeks / months?

Let's discover together RUDDER, an open-source solution for continuous compliance based on configuration management to automatically audit and/or correct our systems.

Alexandre Brianceau
Open Source Summit Paris 2019

Rudder

December 11, 2019
Tweet

More Decks by Rudder

See All by Rudder
Adoptez une stratégie de patch management efficace adaptée à votre système d’information
rudder
0
15
Comment sécuriser son SI pour ne plus subir les attaques ?
rudder
0
16
Hardening systems: from a benchmark guide to meaningful compliance
rudder
0
11
Implementing configuration management primitives in 2024
rudder
0
8
Supply Chain Security in the Rust Ecosystem
rudder
0
6
Securing the software supply chain for infra management software
rudder
0
140
A journey from Configuration Management to Security of IT systems
rudder
0
49
Rudder: what is it and what makes it different?
rudder
0
110
How do we make Rudder secure?
rudder
0
77

Other Decks in Technology

See All in Technology
NgRx Signal Store
rainerhahnekamp
0
110
株式会社EventHub・エンジニア採用資料
eventhub
0
1.9k
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
5
2.6k
Janus
bkuhlmann
0
490
Databricks におけるデータエンジニアリング
databricksjapan
0
370
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
小さな開発会社がWebサービスを作る理由
polidog
PRO
0
150
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
220
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
1
2.9k
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
1
290
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
190

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.3k
Clear Off the Table
cherdarchuk
82
310k
Side Projects
sachag
451
41k
Facilitating Awesome Meetings
lara
40
5.6k
Product Roadmaps are Hard
iamctodd
43
9.7k
RailsConf 2023
tenderlove
1
530
Automating Front-end Workflow
addyosmani
1354
200k
Web development in the modern age
philhawksworth
201
10k
Optimizing for Happiness
mojombo
369
69k
Designing for Performance
lara
601
67k
Stop Working from a Prison Cell
hatefulcrawdad
265
19k
Robots, Beer and Maslow
schacon
PRO
154
7.9k

Transcript

  1. 10 & 11 DÉCEMBRE 2019 Servers compliance: audit, remediation, proof

    Alexandre BRIANCEAU

  2. Abstract > > >

  3. • Everyone has authority over their activities and carries responsibilities:

    security is a cross-cutting concern • A team dedicated to security is not enough, the attacker will know how to find weak points: it is a question of security hygiene, as for healthcare. Cybersecurity and business

  4. Cybersecurity and IT infrastructure DEV QA PRODUCTION RECOVERY DEV SEC

    OPS MGMT EXTERN Multiple teams, diluted expertise, harder reporting Heterogeneous systems, reduced visibility, ease of use and understanding

  5. • Cyber posture Security status (network, information, IT…) with mananing

    capabilities to react on any change. • Cyber Risk Management Actions and process to maintain an cyber posture • Cyber exposure Holistic and dynamic risk visibility to obtain meaningful data • Cyber Bullshit Vendors telling you that their magical software solve everything Cyber <put here what you want> Cyber Bullsh*t

  6. • Main issues: ◦ Systems complexity and heterogeneous infrastructures ◦

    Lack visibility and have blind spots ◦ Difficulties in having enough qualified people ◦ Collaboration between security and IT operational teams is difficult: ▪ non-aligned objectives ▪ different processes and technologies ▪ significant delays increasing reaction time SecOps is a collaborative effort to align needs, objectives, values and technologies to effectively support Cyber Risk Management. SecOps: team collaboration for cybersecurity

  7. 52% of organizations admit to cutting back on security measures

    to meet a business deadline or objective SecOps: easy to say, hard to do Half companies find that coordination between security and IT operations teams is challenging. Half of organizations cited that the absence of effective orchestration and automation is barrier

  8. Automation makes it possible to make SecOps goals real by

    allowing: ◦ To act quickly across all infrastructures by speeding up workflows ◦ To be 100% predictable and therefore reliable ◦ To centralize information, allow effective communication and ensure knowledge transfer ◦ To trace and log all events, report meaningful data and context to the teams with holistic and detailed informations ◦ To free up teams so that human intervention is valuable: analysis, decision-making, design, sharing Automation & SecOps

  9. • Perimeter is huge: from servers to network or IOT…

    • Two main actions: ◦ Proactive: risk identification and mitigation (incident prevention) ◦ Reactive: incident response (that limit the loss) Risk management is proactive, but mapping and identifying risks is useless if they cannot be easily addressed! IT systems & SecOps >

  10. Open-source and French continuous configuration management solution for IT compliance

    ➔ Are my systems in compliance with our security policy? ➔ Which DMZ servers are vulnerable to this CVE? ➔ How do I prove my compliance to the auditor?

  11. RUDDER & IT Ops landscape Business needs Operating System Versioned

    source code Applicative binaries Middleware App App App Server Agile methodology Continuous integration Continuous deployment Provisioning RUN DEV Installation & Configuration Updating & Patch Management Security & Risk Management Running & Incident resolution SECURITY

  12. Ensure that the rules are applied

  13. Ensure that the risks are managed

  14. Give context to your team

  15. Rudder: running principle 2. Configuration download 1. Target state definition

    3. Continuous local verification (+ Automatic fixing) 4. Continuous reporting Server App version XX.XX

  16. Collaboration to define compliance state

  17. Ensure that all your IT is compliant

  18. Fit to your workflows Sec Production Interns Ops Dev Externals

    audit - sudoers / logs validation workflow DMZ Compliance reporting

  19. IT automation & compliance for SecOps RUDDER in a nutshell

    • Automate and ensure that your IT systems are under control • Beyond auditing: act and remediate! • Give your teams quick feedbacks and contexts • Allow Sec & Ops team to collaborate in autonomy • Integrate with your workflows and your ecosystem:

  20. Manage OS, middleware and software level Team oriented (WebUI, CLI,

    API) Audit only or automatic drift remediation Continuous reporting and dashboarding IT automation & compliance for SecOps RUDDER in a nutshell

  21. Project website: Documentation: Online Chat: To contact me: More details

    on RUDDER with... www.rudder.io docs.rudder.io chat.rudder.io [email protected]

  22. 10 & 11 DÉCEMBRE 2019 Servers compliance: audit, remediation, proof

    Alexandre BRIANCEAU