PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet

Transcript of the slides
![Page 1: PuppetConf 2016: Security Roadmap: How We Are Helping You When Everything is Burning – Beth Cornils & Verne Lindner, Puppet](https://reader033.fdocuments.net/reader033/viewer/2022052706/586fb47a1a28abe57d8b71b5/html5/thumbnails/1.jpg)
Security Roadmap: How we are helping you when everything is burning
Verne Lindner and Beth Cornils, PuppetConf 2016
Page 2
Who are we?
● @vernelindner @bethpdx
● Sr. UX Architect at Puppet
● Sr. Product Manager at Puppet
Page 4
Why are we here?
(This room specifically, listening to this talk…)
Page 5
We want you to have fewer of these
Page 6
Why is Puppet good for security?
● Infrastructure as code
● RBAC
● Auditing
● Enforcement
Page 7
How is PE helping DevOps and Security teams?
Is it a tire fire or a campfire?
Page 8
Multi-pronged approach to Security
Page 9
Audience participation
Let's take the temperature of security here
Page 10
Why do things burn: key terms
● White Hat - Security and compliance vendors
● Black Hat - Nation states, mafia, ransomware, DDoS
Page 11
Existing terminology
● Vulnerability - Common Vulnerabilities and Exposures (CVEs)
● Unmanaged - Resources on nodes that have an agent but that no manifest declares
● Events - The Events tab, aka Event Inspector, in the PE console
Page 12
New terms
● Intentional Change - Change driven by an update to Puppet code
● Corrective Change - Change made by Puppet to return a system to the desired state, as defined by Puppet code
Page 13
White Hat stuff
● Secret management (Conjur)
● Visibility into intentional vs. corrective change
● Whole infrastructure view (long-term)
● Security company integration (CloudPassage)
Page 14
Let's start with secrets...
Page 15
How do we avoid exposing secrets in Puppet?
Easiest to hardest:
● Avoid exposing secrets in
  ○ Logs
  ○ PDB (PuppetDB)
  ○ Console
https://flic.kr/p/aCJZrf
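The "easiest" rung on this slide, as an added example that is not from the talk, from Puppet or from the conjur module: a secret that already reaches the master (here via Hiera) is kept out of agent logs, reports, PuppetDB and the PE console by wrapping it in Puppet's Sensitive data type, available since Puppet 4.6. The Hiera key profile::db::password, the class name profile::db and the path /etc/app/db.conf are hypothetical, chosen for illustration.

```puppet
# Added example (not from the talk): redacting a secret from logs, reports,
# PuppetDB and the console with the Sensitive data type (Puppet >= 4.6).
# Assumptions: the password is stored in Hiera under the hypothetical key
# profile::db::password and the application reads /etc/app/db.conf.
class profile::db (
  # Wrap the value the moment it enters the manifest, so no plain copy of it
  # is ever assigned to a resource attribute.
  Sensitive[String] $password = Sensitive(lookup('profile::db::password')),
) {

  # What NOT to do: plain text in content. On every change the agent logs a
  # diff of the file and the report records the change, so the password lands
  # in the agent log, the report, PuppetDB and the Events tab.
  #
  #   file { '/etc/app/db.conf':
  #     content => "password=${password.unwrap}\n",
  #   }

  # Re-wrapping the rendered content in Sensitive makes the agent write the
  # real bytes to disk but record "[redacted]" in its log and in the report.
  file { '/etc/app/db.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'app',
    mode      => '0640',
    show_diff => false,   # belt and braces: never print a diff for this file
    content   => Sensitive("password=${password.unwrap}\n"),
  }
}
```

Sensitive only changes what gets logged and reported. The value is still compiled into the catalog and still has to be stored somewhere the master can read it, which is why the harder rungs on the slide reach for a secret server such as Conjur on the next page.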
Page 16
Conjur and Puppet
```puppet
# 1. Fetch at compile time with conjur_variable(): the value becomes a plain
#    string in the catalog, so it reaches the master, the report, PuppetDB and
#    the console (via the file diff) whenever the file changes.
$planet = conjur_variable('planet')
file { '/etc/hello.txt':
  content => "Hello ${planet}!\n",
}

# 2. conjurize_file with a variable_map: Puppet only handles the reference
#    '!var puppetdemo/planet'; the value is filled in from Conjur when the
#    file is rendered, so it is not compiled into the catalog.
conjurize_file { '/etc/hello.txt':
  variable_map => {
    planet => '!var puppetdemo/planet',
  },
}
```
Page 17
Conjur, Vault, Keywhiz, Amazon KMS, Confidant
Page 18
Visibility into Intentional vs. Corrective Change
How to narrow down what might be burning
Page 19
When your infrastructure is burning, how can PE help?
● Intentional change reporting
● Corrective change reporting
Page 20
Corrective change: v1
Page 21
Corrective change workflow 1: by node
Page 23
Select report
Page 24
View details
Page 25
Corrective change workflow 2: across time
Page 27
Corrective change: Future
Event Inspector, Node Graph, resource reporting, and reporting on nodes not under active Puppet management
Page 28
Full view of your infrastructure
Reducing the clutter in your head via a single view
Page 29
Managed & unmanaged change
Page 30
Tying in vulnerability scanning
How many fucks do I need to give about a given corrective change?
Page 31
Security vendor integration
Page 32
What vendor integration gets you
● Security company integration (CloudPassage)
● Vulnerability comparison to your PE infrastructure
● Easier compliance tracking
Page 33
Summary
What have we learned?
Page 34
Random cat slide
Page 35
Q&A
Page 36
Other Security talks
● Bill Weiss from Puppet http://sched.co/6fkD
● Peter Souter from Puppet http://sched.co/6fjZ
● Seth Vargo from Hashicorp http://sched.co/6fjv
● Ben Hughes from Etsy http://sched.co/6fkM
Page 37
Where to find out more
More on Conjur: https://www.conjur.net/puppet-secret-server
Module on Forge: https://forge.puppet.com/conjur/conjur
Page 38
Agile Security and Compliance with CloudPassage and Puppet
Application Lifecycle Management with Security using Halo and Puppet
Page 39
Continuous Security Assessment and Compliance
● Role-based server groups for your environments
● Current security and compliance posture of your environments
● Critical and non-critical security incidents
Page 40
Automated Security & Compliance Assessment
Monitor and protect workloads using:
● Firewall Automation
● Workload Vulnerability Assessment
● File Integrity Monitoring
● Log-based IDS
● Multi-factor Authentication

● Install & manage the Halo agent on workloads
● Change workload configuration and provide remediation based on the security & compliance report provided by Halo
Page 41
Workload Security Assessment Report
● Easy to deploy Halo using Puppet
● The agent runs in "read-only" mode and does not change the state of the workload
● Collects security & compliance issues
● Provides a full report in a few minutes
● The report provides visibility on:
  ○ Servers with critical / non-critical issues
  ○ User accounts
  ○ Software vulnerabilities with CVE information
  ○ Compliance against CIS Benchmarks
  ○ Running processes
● Easily integrate these findings with Puppet to start the remediation process
Page 42
App. Lifecycle Mgmt with Security using Halo and Puppet