Integrating Security into DevOps

© 2013 CloudPassage Inc. Presented by Rand Wacker, VP Products (@randwacker) and Tatiana Slater, Community Manager (@Turbo_Tats)

Transcript of Integrating Security into DevOps

Page 1: Integrating Security into DevOps

© 2013 CloudPassage Inc.

Integrating Security Into DevOps

Rand Wacker, VP Products

@randwacker

Tatiana Slater, Community Manager

@Turbo_Tats

Page 2: Integrating Security into DevOps

Agenda for Today

• DevOps & Security – BFFs?

• Critical components of application security

• CloudPassage Halo Overview

• Halo Security API Toolbox

• FREE Developer Access

Page 3: Integrating Security into DevOps

Integrating Security Into DevOps: Automation Is Your Only Hope

Page 4: Integrating Security into DevOps


Why DevOps Loves Cloud

Page 5: Integrating Security into DevOps

Why DevOps Hates Security

[Diagram: a classic tiered deployment (load balancer, app server, auth server, DB) split into DMZ and core segments behind two firewalls, with the pain points called out: "Waiting for Server Provisioning…", "Delays in Firewall Updates…", "Typically 6 weeks to spin up a new server".]

Page 6: Integrating Security into DevOps

Poll: Security Concerns

• What is your primary concern about securing cloud applications and infrastructure?

– Will slow down our pace of development/innovation

– Will cost too much

– We don’t have the expertise to do it

– No concerns, we are actively working to secure them

Page 7: Integrating Security into DevOps


Cloud Complicates Security

Page 8: Integrating Security into DevOps

Where Do Existing Solutions Fail?

[Diagram: one application's web servers spread across a Private Datacenter (www-1, www-2, www-3), Cloud Provider A (www-4, www-5, www-6) and Cloud Provider B (www-7 through www-10), with the reasons traditional tooling breaks down called out: No Network or Hypervisor Access; Multiple Cloud Environments; Metered Utility Usage; Temporary & Elastic Deployments.]

Page 9: Integrating Security into DevOps

Organizational Ostracism

[Diagram: Software Engineering, QA & Site Reliability, IT Operations and DevOps drawn as overlapping groups, with Security Operations set apart from all of them.]

Page 10: Integrating Security into DevOps


Critical Components of Application and Stack Security

Page 11: Integrating Security into DevOps


Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”

“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

AWS Shared Responsibility Model

[Diagram: a layered stack split by responsibility. Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer Responsibility: the Virtual Machine and everything inside it, namely Operating System, App Framework, App Code and Data.]

Page 12: Integrating Security into DevOps

Securing Cloud Applications

Whether in a private datacenter or a public cloud, server security is your responsibility, so know your security business drivers:

Compliance :: Continuity :: Brand

Architect your service to solve these problems in public, private, and hybrid deployments, specifically:

Perimeter & Access Control

Server Integrity & Intrusion Detection

Page 13: Integrating Security into DevOps

Secure the VM, Secure the App

[Diagram: the Virtual Machine stack (Operating System, App Framework, App Code, Data) bracketed by inbound and outbound host firewalls, with one control per layer:]

Firewall: Provision host-based firewalls (inbound and outbound)

Operating System: Secure the OS services and configurations

App Framework: Ensure application stacks are up-to-date and locked down

App Code: Continuously verify application code is current and untampered

Data: Track sensitive data and prevent egress

Automate, Automate, Automate

Page 14: Integrating Security into DevOps

Cloud Complicates Security

• Cloud app architecture differs by more than just being highly virtualized

– Short image lifecycle, auto-scaling, “pets vs cattle”

• Traditional security approaches are ill-suited to self-service, automated deployments

• Security orgs are traditionally separate from Dev/Ops teams

Security must move at the speed of cloud: automated, self-service, metered

Page 15: Integrating Security into DevOps

Poll: Org Responsibility

• Who in your organization is responsible for securing cloud infrastructure?

– Cloud provider

– DevOps/application team

– IT / central security team

– We’re not securing our cloud infrastructure today

Page 16: Integrating Security into DevOps


New Approach: Security-as-a-Service

Page 17: Integrating Security into DevOps

How To Secure Cloud Apps

Systems in IaaS/PaaS clouds must be self-defending with highly automated controls like…

Dynamic network access control

Configuration and package security

Account visibility & control

Compromise & intrusion alerting

Forensics and security analytics

Integration & automation capabilities

Page 18: Integrating Security into DevOps

Separate Security Controls

[Diagram: the Virtual Machine stack (OS, App Framework, App Code, Data) with host firewalls (FW) on both sides; DevOps owns the stack while SecOps owns the security controls layered onto it.]

The days of perimeter-only defenses are over!

Page 19: Integrating Security into DevOps

Integrate & Automate

[Diagram: the CloudPassage Halo Compute Grid in the centre; servers www-1 through www-4 each run a Halo agent; DevOps Automation feeds in on one side and Security Monitoring reads out on the other.]

Page 20: Integrating Security into DevOps


CloudPassage Halo Overview

Page 21: Integrating Security into DevOps

CloudPassage Halo Security Platform

Server Account Management

Security Event Alerting

File Integrity Monitoring

REST API Integrations

Cloud Firewall Automation

System & Application Config Security

Multi-Factor Authentication

Vulnerability & Patch Scanning

HALO PLATFORM: Purpose-built for clouds, metered SaaS delivery, transparent operation anywhere

Page 22: Integrating Security into DevOps

Basic Halo Architecture

Halo Daemon

• Ultra light-weight agent

• Installed on server images

• Automatically provisioned

Halo Grid

• Elastic compute grid

• Hosted by CloudPassage

• Diverts 95% or more of analytics cycles from VM daemons

[Diagram: the Halo Daemon on www-1 reporting to the Halo Grid.]

Page 23: Integrating Security into DevOps

[Diagram: Halo component view. Servers www-1, mysql-1 and bigdata-1 (cloud or data center) each run a light-weight Halo agent and talk over https to the CloudPassage Halo Compute Grid, which performs the analytics. Users reach the grid through the User Portal (Web UI + REST API) and a RESTful API Gateway, exchanging policies, commands and reports. SaaS delivery.]

Page 24: Integrating Security into DevOps

Designed for Portability

Single pane of glass across cloud deployments

• Scales and bursts with dynamic cloud environments

• Not dependent on chokepoints, static networks or fixed IPs

• Agnostic to location, hypervisor or hardware

[Diagram: the same Consistent Security Controls applied to a public cloud and to a private cloud, whether virtualized or bare metal.]

Page 25: Integrating Security into DevOps


Quick Halo Demo

Page 26: Integrating Security into DevOps


We all love integration, right?

Introducing: Halo Security API Toolbox

Page 27: Integrating Security into DevOps

Open Source Security Tools

Security auditing / reporting

Firewall management

Forensic analysis

Management / Orchestration (Chef, Puppet, RightScale)

SIEM Integration (Splunk, SumoLogic, etc)

Security dev+test

Find us now on GitHub: cloudpassage.com/toolbox

Page 28: Integrating Security into DevOps

Imports Halo events into Splunk, Sumo Logic, or other logging / SIEM tools

[Diagram: servers www-1 through www-4, each running Halo, report into the CloudPassage Halo Compute Grid, from which events are pulled into the SIEM.]

Page 29: Integrating Security into DevOps

Imports Halo events into Splunk, Sumo Logic, or other logging / SIEM tools
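The event-import tool is described only by its purpose, so here is what the core of such a forwarder looks like, added as an example and not the CloudPassage Splunk/Sumo Logic script: events are rendered as CEF lines (a format most SIEMs ingest), and a checkpoint of timestamp plus ids-at-that-timestamp prevents both duplicates and gaps when the same events are polled again. The SAMPLE_EVENTS records are constructed and their field names, like the vendor/product/version labels in the CEF header, are assumptions rather than the Halo API schema.

```python
"""Forward Halo-style security events to a SIEM as CEF lines.

Added example, not the CloudPassage Splunk/Sumo Logic script. SAMPLE_EVENTS is
constructed and its field names are an assumption, not the Halo API schema.
"""
from datetime import datetime, timezone

# Constructed sample: three events as a poller might receive them, oldest first.
SAMPLE_EVENTS = [
    {"id": "ev-1001", "created_at": "2013-07-24T18:02:11Z", "critical": True,
     "type": "fim_target_integrity_changed", "server_name": "www-2",
     "message": "File /usr/bin/ssh changed: checksum mismatch"},
    {"id": "ev-1002", "created_at": "2013-07-24T18:02:40Z", "critical": False,
     "type": "server_firewall_modified", "server_name": "www-2",
     "message": "Policy lb-only | version 3 applied"},
    {"id": "ev-1003", "created_at": "2013-07-24T18:05:03Z", "critical": False,
     "type": "sca_failed_check", "server_name": "mysql-1",
     "message": "sshd PermitRootLogin=yes"},
]


def epoch_ms(created_at: str) -> int:
    """CEF 'rt' takes epoch milliseconds; timestamps here are fixed-format UTC."""
    ts = datetime.strptime(created_at, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp() * 1000)


def _esc_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    """CEF extension values: backslash and '=' must be escaped; a newline would split the record."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", " ").replace("\n", " "))


def to_cef(event: dict) -> str:
    """Render one event as a single CEF line (vendor/product/version are assumed labels)."""
    severity = 8 if event["critical"] else 3          # CEF severity scale is 0..10
    header = "|".join(["CEF:0", "CloudPassage", "Halo", "1.0",
                       _esc_header(event["type"]),
                       _esc_header(event["type"].replace("_", " ")),
                       str(severity)])
    extension = " ".join([
        f"rt={epoch_ms(event['created_at'])}",
        f"dvchost={_esc_ext(event['server_name'])}",
        f"externalId={_esc_ext(event['id'])}",
        f"msg={_esc_ext(event['message'])}",
    ])
    return f"{header}|{extension}"


def forward(events, cursor=None, seen=frozenset()):
    """Convert events not yet forwarded into CEF lines.

    Returns (lines, cursor, seen): cursor is the newest created_at forwarded so
    far, seen the ids carrying exactly that timestamp. Both are needed because
    two events can share a timestamp; a timestamp-only checkpoint would either
    repeat or drop one of them on the next poll.
    """
    lines, seen = [], set(seen)
    for event in sorted(events, key=lambda e: e["created_at"]):
        if cursor is not None and event["created_at"] < cursor:
            continue                      # already forwarded on an earlier poll
        if event["id"] in seen:
            continue                      # same instant as the cursor, already sent
        if event["created_at"] != cursor:
            cursor, seen = event["created_at"], set()
        seen.add(event["id"])
        lines.append(to_cef(event))
    return lines, cursor, seen


if __name__ == "__main__":
    first, cur, ids = forward(SAMPLE_EVENTS)
    print("\n".join(first))
    again, _, _ = forward(SAMPLE_EVENTS, cur, ids)   # nothing new: empty list
    print(f"re-poll forwarded {len(again)} events")
```

Persist the returned cursor and id set between polls; restarting the forwarder from that checkpoint replays nothing and skips nothing.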

Page 30: Integrating Security into DevOps

Adds or removes IP addresses via API to an IP zone that is used in a Halo firewall policy

Page 31: Integrating Security into DevOps

Adds or removes IP addresses via API to an IP zone that is used in a Halo firewall policy

[Diagram: in a public cloud, a Load Balancer, two App Servers and a DB Master each run Halo with a host firewall (FW) whose policy references the IP zone.]
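A local reconciliation step for the zone update just described, added here as an example and not the toolbox script itself: it normalises host addresses and CIDR blocks to one canonical form, computes the minimal add/remove set so that re-running it is a no-op, and refuses prefixes broad enough to open the firewall rule to the world unless the caller asks for that explicitly. The zone contents are constructed; the real API calls are assumed to consume the resulting add and remove lists.

```python
"""Reconcile an IP zone referenced by a host-firewall policy.

Added example, not the CloudPassage toolbox script. Zone contents are
constructed; the computed plan would be handed to the real API client.
"""
import ipaddress

# Widest prefix the automation may add on its own. Anything broader (e.g.
# 0.0.0.0/0) turns a "load balancers only" rule into "everyone", so it is
# refused unless the caller opts in with allow_broad=True.
MIN_PREFIX_V4 = 8
MIN_PREFIX_V6 = 32


def normalize(entries, allow_broad=False):
    """Parse host addresses and CIDR blocks into a set of canonical network strings.

    "10.0.0.5" becomes "10.0.0.5/32"; "10.0.1.7/24" becomes "10.0.1.0/24".
    Raises ValueError on unparsable input or on a prefix broader than the floor.
    """
    nets = set()
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        floor = MIN_PREFIX_V4 if net.version == 4 else MIN_PREFIX_V6
        if net.prefixlen < floor and not allow_broad:
            raise ValueError(f"{entry!r} is broader than /{floor}; refusing to widen zone")
        nets.add(str(net))
    return nets


def plan_update(current, desired, allow_broad=False):
    """Return (to_add, to_remove) so that current becomes desired.

    Both lists are sorted; applying the same plan twice changes nothing.
    """
    have = normalize(current, allow_broad)
    want = normalize(desired, allow_broad)
    return sorted(want - have), sorted(have - want)


def apply_plan(zone, plan):
    """Apply a plan to an in-memory zone (list of strings); returns the new contents."""
    to_add, to_remove = plan
    updated = normalize(zone, allow_broad=True)   # existing entries are taken as-is
    updated.difference_update(to_remove)
    updated.update(to_add)
    return sorted(updated)


def demo():
    """Constructed scenario: a load-balancer zone gains a subnet and loses a host."""
    current = ["10.0.0.5", "10.0.0.6/32", "10.0.0.7"]
    desired = ["10.0.0.6", "10.0.0.7", "10.0.1.0/24"]
    plan = plan_update(current, desired)
    return {"add": plan[0], "remove": plan[1], "zone": apply_plan(current, plan)}


if __name__ == "__main__":
    print(demo())
    try:
        plan_update([], ["0.0.0.0/0"])
    except ValueError as exc:
        print("rejected:", exc)
```

Note that `strict=False` silently clears host bits, which is convenient for operator input but means a typo like "10.0.1.7/24" admits the whole /24; log the normalised form so the difference is visible in review.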

Page 32: Integrating Security into DevOps


Page 33: Integrating Security into DevOps


Easily sends the cryptographic checksum of a suspected compromised file to Virus Total for comparison with other reported cases of known malware.

Page 34: Integrating Security into DevOps


Want to contribute?

github.com/cloudpassage

Six-month free developer account

Page 35: Integrating Security into DevOps


Free Developer Access

Halo Professional Developer Account

Server integrity & Intrusion detection

Firewall management & two-factor access

Full API access

6 months free service for developer accounts

Available now: cloudpassage.com/OSCON

Page 36: Integrating Security into DevOps


Wrapping Up

Page 37: Integrating Security into DevOps

Summary

• Real application security is more than just firewalls, patches, and SSH

• In the new DevOps and cloud world, security responsibility is shared

• Security automation to maintain agility and self-service

These days, everyone is a target and security is everyone’s responsibility

Page 38: Integrating Security into DevOps

Thank You!

Open Source Security Tools:

cloudpassage.com/Toolbox

6 Months Free Halo Service:

cloudpassage.com/OSCON

Discuss more: @cloudpassage #CloudSec