
Policy Engines

ttffdd
August 23, 2023


Transcript

  1. Whoami • Denis "ttffdd" Rybin • 9 years of security experience • A fan of security conferences • Currently working as a tech lead at InDrive (3 million deals per day)
  2. Agenda • What do we want to achieve as a security team? • What is the concept of a policy engine? • What has already been done in this direction?
  3. The main objective of security. A lot of people would say Confidentiality, Integrity and Availability, the CIA triad.
  4. The main objective of security. Confidentiality, Integrity and Availability, the CIA triad. Maybe? Generally yes, but let's discuss something more tangible.
  5. The main objective of security. Let's keep it simple and choose an easier thesis: allow what is necessary, forbid what is not.
  6. The main objective of security. Yes, it's the principle of least privilege. If we could comply with it, we wouldn't have to do anything else.
  7. The main objective of security. Just look at the AppSec trends: • Bug bounty programs • Defence in depth • SOC
  8. The main objective of security. Just look at the AppSec trends: • Bug bounty programs • Defence in depth • SOC. All three exist because we don't believe our policies work.
  9. The main objective of security. Why? Clap if you think the IT department is to blame: their systems are too unstructured, too volatile, too dependent on people, etc.
  11. The main objective of security. But those systems are constantly evolving: • Infrastructure as code • Modern CI/CD (GitOps, DevOps, etc.) • Automated QA testing • Scrum and Kanban. And now we have a lot more opportunities.
  12. What is the concept of a policy engine? • Policy decoupling • Policy as code • Not just a single-purpose tool, but a new big trend
  13. Policy decoupling. What are we used to? • iptables rules • Windows ACLs • Jira/GitLab roles and permissions
  14. Policy decoupling. What does policy decoupling offer us? • A universal rule language • A single point of decision-making: the policy engine, instead of rules scattered across every tool's own permission model
  15. Policy as code. Everything we love about code: • Version control • High flexibility • Programmer friendly • Declarative • Easy to test • Etc.
  16. OPA != Kubernetes security. Let's end this quickly! OPA is not about Kubernetes; OPA Gatekeeper is. You could (and maybe even should) use a policy engine like OPA Gatekeeper, Kyverno or Kubewarden in Kubernetes. But OPA is much more than that.
  17. BTW the reference architecture can be seen in the OPA Gatekeeper architecture: PEP (policy enforcement point), PDP (policy decision point), policies + PAP (policy administration point), and part of the PIP (policy information point).
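As an added illustration of slides 14, 15 and 17 (this is not code from the talk), here is what policy decoupling and policy as code look like in OPA's Rego language. The PEP (an API gateway or service middleware, assumed here) forwards the request attributes as `input`, the PDP (OPA) answers `allow`, and the unit tests live in the same file as the policy. The package name, the input shape and the paths are assumptions; the `future.keywords` imports need an OPA build that understands them (any 2023 release does).

```rego
# Added example: an API authorization policy evaluated by OPA as the PDP.
# Assumed input shape (sent by a PEP such as an API gateway):
#   {"user": "alice", "roles": ["dev"], "method": "GET", "path": ["users", "alice"]}
package httpapi.authz

import future.keywords.if
import future.keywords.in

# Least privilege: nothing is allowed unless a rule below says so.
default allow := false

# A user may read their own profile.
allow if {
    input.method == "GET"
    input.path == ["users", input.user]
}

# Members of the "admin" role may do anything under /admin.
allow if {
    "admin" in input.roles
    input.path[0] == "admin"
}

# Everyone may read the public docs.
allow if {
    input.method == "GET"
    input.path[0] == "docs"
}

# Unit tests next to the policy; run with `opa test -v .`
test_user_reads_own_profile if {
    allow with input as {"user": "alice", "roles": [], "method": "GET", "path": ["users", "alice"]}
}

test_user_cannot_read_other_profile if {
    not allow with input as {"user": "bob", "roles": [], "method": "GET", "path": ["users", "alice"]}
}

test_dev_cannot_touch_admin if {
    not allow with input as {"user": "bob", "roles": ["dev"], "method": "POST", "path": ["admin", "users"]}
}

test_admin_can_touch_admin if {
    allow with input as {"user": "eve", "roles": ["admin"], "method": "POST", "path": ["admin", "users"]}
}
```

Locally the decision is `opa eval -d policy.rego -i input.json 'data.httpapi.authz.allow'`; at runtime the PEP asks the OPA REST API with `POST /v1/data/httpapi/authz/allow` and a body of `{"input": {...}}`, and gets back `{"result": true}` or `{"result": false}`. The point of the decoupling is that the PEP contains no rules at all: changing who may do what is a reviewed commit to this file and a bundle push, not a redeploy of the service.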
  18. Some examples of interesting uses of OPA: Conftest. Write tests against structured configuration data using the Open Policy Agent Rego query language.
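As an added example (not from the talk or the Conftest project), here is a Conftest policy for Kubernetes Deployment manifests. Conftest loads rules from `package main`, feeds each YAML document in as `input`, and reports every message produced by `deny`. Which checks a team requires is an assumption; the sample manifest described in the comments is constructed for illustration.

```rego
# Added example: Conftest policy for Kubernetes Deployment manifests.
# Run with: conftest test deployment.yaml -p policy/
# A constructed Deployment whose only container is `image: nginx` with no
# securityContext and no resources produces four deny messages.
package main

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Only Deployments are examined; other kinds pass through untouched.
is_deployment if input.kind == "Deployment"

# All containers of the pod template, including init containers.
containers contains c if {
    is_deployment
    some c in input.spec.template.spec.containers
}

containers contains c if {
    is_deployment
    some c in input.spec.template.spec.initContainers
}

# Mutable tags make a deploy non-reproducible and defeat image pinning.
deny contains msg if {
    some c in containers
    endswith(c.image, ":latest")
    msg := sprintf("container %q uses the mutable :latest tag", [c.name])
}

# No tag at all also means :latest. (A registry with a port number also
# contains ':'; tighten with a regex if your images use one.)
deny contains msg if {
    some c in containers
    indexof(c.image, ":") == -1
    msg := sprintf("container %q has no image tag (defaults to :latest)", [c.name])
}

# Refuse containers that may run as root.
deny contains msg if {
    some c in containers
    not c.securityContext.runAsNonRoot == true
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

# Refuse privilege escalation (setuid binaries, file capabilities).
deny contains msg if {
    some c in containers
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# A missing memory limit lets one pod starve the node.
deny contains msg if {
    some c in containers
    not c.resources.limits.memory
    msg := sprintf("container %q has no memory limit", [c.name])
}
```

Because the policy is just a file in the repository, it runs in CI against every manifest before anything reaches a cluster, and the same rules can be unit-tested with `opa test` like any other Rego.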
  19. Some examples of interesting uses of OPA: OPToggles. It enables you to create user-targeted feature flags/toggles based on authorization rules managed by Open Policy Agent.
  20. Some examples of interesting uses of OPA: opa-iptables. The opa-iptables extension provides management of iptables rules with Rego policy. Here OPA is used as a centralized location for storing the rules, and you write a context-aware policy that inserts or deletes rules on a Linux host.