Security Roadmap: How we are helping you when everything is burningVerne Lindner and Beth Cornils, PuppetConf 2016

Who are we?● @vernelindner @bethpdx● Sr. UX Architect at Puppet● Sr. Product Manager at Puppet

2

3

Why are we here?(This room specifically, listening to this talk…)

We want you to have fewer of these

5

Why is Puppet good for security?

Infrastructure as code

RBAC Auditing Enforcement

6

How is PE helping DevOps and Security teams?

Is it a tire fire or a campfire?

Multi-pronged approach to Security

8

Audience participationLet’s take the temperature of security here

9

Why do things burn: key terms● White Hat - Security and compliance vendors● Black Hat - Nation states, mafia, ransomware, DDoS

10

Existing terminology● Vulnerability - Common Vulnerabilities and Exposures (CVEs)● Unmanaged - Nodes that have an agent but the resource does not have a manifest● Events - The Events tab, aka Event Inspector, in the PE console

New terms● Intentional Change - Change driven by an update to Puppet code● Corrective Change - Change made by Puppet to return a system to the desired

state, as defined by Puppet code

White Hat stuff● Secret management (Conjur)● Visibility into intentional vs. corrective change● Whole infrastructure view (long-term)● Security company integration (CloudPassage)

Let's start with secrets...

14

How do we avoid exposing secrets in Puppet?

Easiest to hardest

● Avoid exposing secrets in

Logs

PDB

Console

15

https://flic.kr/p/aCJZrf

Conjur and Puppet

16

$planet = conjur_variable('planet')

file { '/etc/hello.txt':

content => "Hello ${planet}!\n"

}

conjurize_file { '/etc/hello.txt':

variable_map => {

planet => ‘!var puppetdemo/planet’

}

}

Conjur, Vault, Keywhiz, Amazon KMS, Confidant

17

Visibility into Intentional vs. Corrective ChangeHow to narrow down what might be burning

18

When your infrastructure is burning, how can PE help?

● Intentional change reporting● Corrective change reporting

19

Corrective change: v1

20

Corrective change workflow 1: by node

21

23

Select report

24

view details

Corrective change workflow 2: across time

25

Event Inspector, Node Graph, resource reporting, andreporting on nodes not under active Puppet management

Corrective change: Future

27

Full view of your infrastructureReducing the clutter in your head via a single view

28

Managed & unmanaged change

Tying in vulnerability scanning How many fucks do I need to give about a given corrective change?

30

Security vendor integration

What vendor integration gets you● Security company integration (CloudPassage)● Vulnerability comparison to your PE infrastructure.● Easier compliance tracking

Summary

33

What have we learned?

Random cat slide

34

Q&A

Other Security talks● Bill Weiss from Puppet http://sched.co/6fkD● Peter Souter from Puppet http://sched.co/6fjZ● Seth Vargo from Hashicorp http://sched.co/6fjv● Ben Hughes from Etsy http://sched.co/6fkM

Where to find out moreMore on Conjur https://www.conjur.net/puppet-secret-server

Module on Forge https://forge.puppet.com/conjur/conjur

Agile Security and Compliance with CloudPassage and Puppet

Application Lifecycle Management with Security using Halo and Puppet

Continuous Security Assessment and Compliance

Role based server group for your environments

Current security and compliance posture of your environments

Critical, Non-Critical Security Incident

Automated Security & Compliance Assessment

Monitor and protect workloads using,● Firewall Automation● Workload Vulnerability

Assessment● File Integrity Monitoring● Log-based IDS● Multi-factor Authentication

● Install & manage Halo agent on workloads

● Change workload configuration and provide remediation based on security & compliance report provided by Halo

Workload Security Assessment Report

Workload Security Assessment Report

● Easy to deploy Halo using Puppet● Agent is in “Read-only” mode and does

not change state of workload● Collect security & compliance issues● Provide full report in few minutes● The report provides visibility on:

○ Servers with Critical / Non-critical issues

○ User accounts○ SW Vulnerability with CVE

information○ Compliance against CIS Benchmark ○ Running processes

● Easily integrate these findings with Puppet to start the remediation process.

App. Lifecycle Mgmt with Security using Halo and Puppet