integrating security into devops
TRANSCRIPT
© 2013 CloudPassage Inc.
Integrating Security Into DevOps
Rand Wacker, VP Products
@randwacker
Tatiana Slater, Community Manager
@Turbo_Tats
Agenda for Today
• DevOps & Security – BFFs?
• Critical components of application security
• CloudPassage Halo Overview
• Halo Security API Toolbox
• FREE Developer Access
Integrating Security Into DevOps: Automation Is Your Only Hope
Why DevOps Loves Cloud
Why DevOps Hates Security
[Diagram: a traditional tiered network. DMZ and core segments (load balancer, auth server, app servers, databases) are separated by firewalls.]
Waiting for Server Provisioning…
Delays in Firewall Updates…
Typically 6 weeks to tip up a new server
Poll: Security Concerns
• What is your primary concern about securing cloud applications and infrastructure?
– Will slow down our pace of development/innovation
– Will cost too much
– We don’t have the expertise to do it
– No concerns, we are actively working to secure them
Cloud Complicates Security
Where Do Existing Solutions Fail?
[Diagram: web servers spread across a private datacenter (www-1 to www-3), Cloud Provider A (www-4 to www-6) and Cloud Provider B (www-7 to www-10).]
No Network or Hypervisor Access
Multiple Cloud Environments
Metered Utility Usage
Temporary & Elastic Deployments
Organizational Ostracism
QA & Site Reliability
Software Engineering
IT Operations
DevOps
Security Operations
Critical Components of Application and Stack Security
Shared Responsibility Model
“…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
AWS Shared Responsibility Model
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer Responsibility: Virtual Machine (Operating System, App Framework, App Code, Data)
Securing Cloud Applications
Whether in a private datacenter or a public cloud, server security is your responsibility, so know your
security business drivers:
Compliance :: Continuity :: Brand
Architect your service to solve these problems in public, private, and hybrid deployments,
specifically:
Perimeter & Access Control
Server Integrity & Intrusion Detection
Secure the VM, Secure the App
Virtual Machine, with a host firewall (FW) on every VM:
Provision host-based firewalls (inbound and outbound)
Automate, Automate, Automate
Data: Track sensitive data and prevent egress
App Code: Continuously verify application code is current and un-tampered
App Framework: Ensure application stacks are up-to-date and locked down
Operating System: Secure the OS services and configurations
Cloud Complicates Security
• Cloud app architecture differs in more ways than just being highly virtualized
– Short image lifecycle, auto-scaling, “pets vs cattle”
• Traditional security approaches ill-suited to self-service, automated deployments
• Security orgs traditionally separate from Dev/Ops teams
Security must move at speed of cloud: automated, self-service, metered
Poll: Org Responsibility
• Who in your organization is responsible for securing cloud infrastructure?
– Cloud provider
– DevOps/application team
– IT / central security team
– We’re not securing our cloud infrastructure today
New Approach: Security-as-a-Service
How To Secure Cloud Apps
Systems in IaaS/PaaS clouds must be self-defending with highly automated controls like…
Dynamic network access control
Configuration and package security
Account visibility & control
Compromise & intrusion alerting
Forensics and security analytics
Integration & automation capabilities
Separate Security Controls
[Diagram: the VM stack (Data, App Code, App Framework, OS) protected by host firewalls, with DevOps and SecOps each owning their own controls.]
The days of perimeter-only defenses are over!
Integrate & Automate
[Diagram: the CloudPassage Halo compute grid with Halo daemons on www-1 through www-4; DevOps automation feeds in on one side and security monitoring on the other.]
CloudPassage Halo Overview
CloudPassage Halo Security Platform
Server Account Management
Security Event Alerting
File Integrity Monitoring
REST API Integrations
Cloud Firewall Automation
System & Application Config Security
Multi-Factor Authentication
Vulnerability & Patch Scanning
HALO PLATFORM
Purpose-built for clouds, metered SaaS delivery, transparent operation anywhere
Basic Halo Architecture
Halo Daemon
• Ultra light-weight agent
• Installed on server images
• Automatically provisioned
Halo Grid
• Elastic compute grid
• Hosted by CloudPassage
• Diverts 95% or more of analytics cycles from VM daemons
[Diagram: Halo daemons on www-1, mysql-1 and bigdata-1 (cloud or data center) connect over https to the CloudPassage Halo Compute Grid; a User Portal and a RESTful API Gateway carry policies, commands and reports.]
Web UI + REST API
Light-weight agent
Grid performs analytics
SaaS delivery
Designed for Portability
[Diagram: consistent security controls span a public cloud and a private cloud, whether a virtualized or bare-metal data center.]
Single pane of glass across cloud deployments
• Scales and bursts with dynamic cloud environments
• Not dependent on chokepoints, static networks or fixed IPs
• Agnostic to location, hypervisor or hardware
Quick Halo Demo
We all love integration, right?
Introducing: Halo Security API Toolbox
Open Source Security Tools
Security auditing / reporting
Firewall management
Forensic analysis
Management / Orchestration (Chef, Puppet, RightScale)
SIEM Integration (Splunk, SumoLogic, etc)
Security dev+test
Find us now on GitHub:
cloudpassage.com/toolbox
Imports Halo events into Splunk, Sumo Logic, or other logging / SIEM tools
[Diagram: Halo daemons on www-1 through www-4 report to the CloudPassage Halo compute grid, from which events are exported.]
Adds or removes IP addresses via API to an IP zone that is used in a Halo firewall policy
[Diagram: in a public cloud, a load balancer, two app servers and a DB master each run a Halo daemon and a host firewall (FW).]
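What the zone-update tool is doing, shown as an added example rather than the toolbox's own code: a host-firewall policy refers to a named IP zone instead of hard-coded addresses, so keeping servers secured under auto-scaling comes down to adding a launched server to the zone and removing a terminated one. The zone and rule structures, the scale-event shape, the function names and every address below are constructed for this illustration; the actual Halo API call is not shown (the point where a real tool would push the changed zone is marked in a comment).

```python
"""Added example (not CloudPassage toolbox code): a local model of an IP zone
referenced by a host-firewall rule, with idempotent add/remove operations
driven by autoscaling events. All addresses and names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class IpZone:
    """A named set of networks; a single IP is stored as a /32 (or /128) network."""
    name: str
    networks: set = field(default_factory=set)

    def add(self, address: str) -> bool:
        """Add an IP or CIDR. Invalid input raises ValueError before anything is
        sent anywhere; returns False if already present, so re-runs are safe."""
        net = ipaddress.ip_network(address, strict=False)
        if net in self.networks:
            return False
        self.networks.add(net)
        return True

    def remove(self, address: str) -> bool:
        """Remove an IP or CIDR; returns False if it was not in the zone."""
        net = ipaddress.ip_network(address, strict=False)
        if net not in self.networks:
            return False
        self.networks.remove(net)
        return True

    def contains(self, address: str) -> bool:
        """True if the address falls inside any network of the zone."""
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.networks)


@dataclass
class Rule:
    """One line of a host-firewall policy: traffic from `zone` to `port` gets `action`."""
    zone: str
    port: int
    action: str  # "allow" or "deny"


def evaluate(rules: List[Rule], zones: Dict[str, IpZone], src_ip: str, dst_port: int) -> str:
    """First matching rule wins; unmatched traffic is denied (default-deny inbound)."""
    for rule in rules:
        zone = zones.get(rule.zone)
        if zone is not None and rule.port == dst_port and zone.contains(src_ip):
            return rule.action
    return "deny"


def apply_scale_event(zones: Dict[str, IpZone], zone_name: str, event: str, ip: str) -> bool:
    """Keep the zone in step with autoscaling: 'launch' adds the server, 'terminate'
    removes it. Returns True when the zone actually changed, which is the moment a
    real tool would push the updated zone through the API (hypothetical step, not shown)."""
    zone = zones.setdefault(zone_name, IpZone(zone_name))
    if event == "launch":
        return zone.add(ip)
    if event == "terminate":
        return zone.remove(ip)
    raise ValueError(f"unknown event: {event}")


if __name__ == "__main__":
    # Constructed scenario: the DB master only accepts MySQL from the app-server zone.
    zones: Dict[str, IpZone] = {}
    policy = [Rule("app-servers", 3306, "allow")]
    apply_scale_event(zones, "app-servers", "launch", "10.0.1.14")
    print(evaluate(policy, zones, "10.0.1.14", 3306))  # allow
    apply_scale_event(zones, "app-servers", "terminate", "10.0.1.14")
    print(evaluate(policy, zones, "10.0.1.14", 3306))  # deny
```

Two properties matter for a tool like this: the operations are idempotent, so a replayed launch or terminate event cannot corrupt the zone, and addresses are validated locally before they would ever reach the firewall policy.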
Easily sends the cryptographic checksum of a suspected compromised file to VirusTotal for comparison with other reported cases of known malware.
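The two halves of this workflow, the "continuously verify application code is current and un-tampered" item from the Secure the VM slide and the checksum lookup described just above, are shown together here as an added example that is not CloudPassage's code: take a baseline of file digests, detect added, removed and modified files, and classify each suspicious digest against lists of known hashes. The hash lists are constructed for the demo and are not real indicators; the lookup is a local stand-in for submitting the digest to VirusTotal, whose API call is not shown.

```python
"""Added example (not CloudPassage toolbox code): file integrity baseline and
diff, plus classification of a digest against constructed known-hash lists."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a relative path) to its SHA-256."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two baselines."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def classify(digest: str, known_bad: Set[str], known_good: Set[str]) -> str:
    """Local stand-in for a reputation lookup of the digest (e.g. VirusTotal)."""
    if digest in known_bad:
        return "known-malware"
    if digest in known_good:
        return "known-good"
    return "unknown"


def demo() -> dict:
    """Constructed scenario: one file is altered and one unknown file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.py").write_bytes(b"print('hello')\n")
        (root / "config.yml").write_bytes(b"debug: false\n")
        before = baseline(root)

        # Simulated tampering and a dropped file (constructed, not real malware).
        (root / "app.py").write_bytes(b"print('hello')  # altered after baseline\n")
        (root / "dropped.bin").write_bytes(b"constructed-sample-not-real-malware")
        after = baseline(root)

        diff = compare(before, after)
        # Constructed "known" lists: the dropped sample is pretended to be reported.
        known_bad = {hashlib.sha256(b"constructed-sample-not-real-malware").hexdigest()}
        known_good = set(before.values())
        verdicts = {name: classify(after[name], known_bad, known_good)
                    for name in diff["added"] + diff["modified"]}
        return {"diff": diff, "verdicts": verdicts}


if __name__ == "__main__":
    print(demo())
```

A modified file whose new digest is unknown everywhere is the case that needs a human or a sandbox, not the known-malware hit: a reputation lookup only answers for hashes someone has already reported, so the baseline diff is what surfaces the change in the first place.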
Want to contribute?
github.com/cloudpassage
Six-month free developer account
Free Developer Access
Halo Professional Developer Account
Server integrity & Intrusion detection
Firewall management & two-factor access
Full API access
6 months free service for developer accounts
Available now: cloudpassage.com/OSCON
Wrapping Up
Summary
• Real application security is more than just firewalls, patches, and SSH
• In the new DevOps and cloud world, security responsibility is shared
• Security automation to maintain agility and self-service
These days, everyone is a target and security is everyone’s responsibility
Thank You!
Open Source Security Tools:
cloudpassage.com/Toolbox
6 Months Free Halo Service:
cloudpassage.com/OSCON
Discuss more: @cloudpassage #CloudSec