Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Servers compliance: audit, remediation, proof

7d9785e3bdceb2d9e86dabcfb77b1686?s=47 Rudder
December 11, 2019

Servers compliance: audit, remediation, proof

Security is everyone's business, an exploited breach is enough. Teams are aware of this and yet it is still as difficult as ever to be able to ensure, be confident, and reassure others (prove) that at least one party is under control.

And when it comes to server infrastructure, especially at the OS / middleware level, everything gets complicated. Even with an operational security team, it is difficult to ensure that the Information System Security Policy and security recommendations are properly implemented on all servers.

How can we be sure that our security policies are properly applied on all our servers other than through a massive and costly audit? Even if they were when they were created, how do you know if they remain perfectly compliant after a few days / weeks / months?

Let's discover together RUDDER, an open-source solution for continuous compliance based on configuration management to automatically audit and/or correct our systems.

Alexandre Brianceau
Open Source Summit Paris 2019



December 11, 2019


  1. 10 & 11 DÉCEMBRE 2019 Servers compliance: audit, remediation, proof

    Alexandre BRIANCEAU
  2. Abstract > > >

  3. • Everyone has authority over their activities and carries responsibilities:

    security is a cross-cutting concern • A team dedicated to security is not enough, the attacker will know how to find weak points: it is a question of security hygiene, as for healthcare. Cybersecurity and business
  4. Cybersecurity and IT infrastructure DEV QA PRODUCTION RECOVERY DEV SEC

    OPS MGMT EXTERN Multiple teams, diluted expertise, harder reporting Heterogeneous systems, reduced visibility, ease of use and understanding
  5. • Cyber posture Security status (network, information, IT…) with mananing

    capabilities to react on any change. • Cyber Risk Management Actions and process to maintain an cyber posture • Cyber exposure Holistic and dynamic risk visibility to obtain meaningful data • Cyber Bullshit Vendors telling you that their magical software solve everything Cyber <put here what you want> Cyber Bullsh*t
  6. • Main issues: ◦ Systems complexity and heterogeneous infrastructures ◦

    Lack visibility and have blind spots ◦ Difficulties in having enough qualified people ◦ Collaboration between security and IT operational teams is difficult: ▪ non-aligned objectives ▪ different processes and technologies ▪ significant delays increasing reaction time SecOps is a collaborative effort to align needs, objectives, values and technologies to effectively support Cyber Risk Management. SecOps: team collaboration for cybersecurity
  7. 52% of organizations admit to cutting back on security measures

    to meet a business deadline or objective SecOps: easy to say, hard to do Half companies find that coordination between security and IT operations teams is challenging. Half of organizations cited that the absence of effective orchestration and automation is barrier
  8. Automation makes it possible to make SecOps goals real by

    allowing: ◦ To act quickly across all infrastructures by speeding up workflows ◦ To be 100% predictable and therefore reliable ◦ To centralize information, allow effective communication and ensure knowledge transfer ◦ To trace and log all events, report meaningful data and context to the teams with holistic and detailed informations ◦ To free up teams so that human intervention is valuable: analysis, decision-making, design, sharing Automation & SecOps
  9. • Perimeter is huge: from servers to network or IOT…

    • Two main actions: ◦ Proactive: risk identification and mitigation (incident prevention) ◦ Reactive: incident response (that limit the loss) Risk management is proactive, but mapping and identifying risks is useless if they cannot be easily addressed! IT systems & SecOps >
  10. Open-source and French continuous configuration management solution for IT compliance

    ➔ Are my systems in compliance with our security policy? ➔ Which DMZ servers are vulnerable to this CVE? ➔ How do I prove my compliance to the auditor?
  11. RUDDER & IT Ops landscape Business needs Operating System Versioned

    source code Applicative binaries Middleware App App App Server Agile methodology Continuous integration Continuous deployment Provisioning RUN DEV Installation & Configuration Updating & Patch Management Security & Risk Management Running & Incident resolution SECURITY
  12. Ensure that the rules are applied

  13. Ensure that the risks are managed

  14. Give context to your team

  15. Rudder: running principle 2. Configuration download 1. Target state definition

    3. Continuous local verification (+ Automatic fixing) 4. Continuous reporting Server App version XX.XX
  16. Collaboration to define compliance state

  17. Ensure that all your IT is compliant

  18. Fit to your workflows Sec Production Interns Ops Dev Externals

    audit - sudoers / logs validation workflow DMZ Compliance reporting
  19. IT automation & compliance for SecOps RUDDER in a nutshell

    • Automate and ensure that your IT systems are under control • Beyond auditing: act and remediate! • Give your teams quick feedbacks and contexts • Allow Sec & Ops team to collaborate in autonomy • Integrate with your workflows and your ecosystem:
  20. Manage OS, middleware and software level Team oriented (WebUI, CLI,

    API) Audit only or automatic drift remediation Continuous reporting and dashboarding IT automation & compliance for SecOps RUDDER in a nutshell
  21. Project website: Documentation: Online Chat: To contact me: More details

    on RUDDER with... www.rudder.io docs.rudder.io chat.rudder.io alexandre@rudder.io
  22. 10 & 11 DÉCEMBRE 2019 Servers compliance: audit, remediation, proof

    Alexandre BRIANCEAU