(SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014


Description

More organizations are embracing DevOps to realize compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource utilization. However, security and compliance monitoring tools have not kept up. In fact, they often represent the largest single remaining barrier to continuous delivery. Learn how to integrate security controls in your DevOps program from experts at Alert Logic and George Miranda, engineer and evangelist at Chef. Sponsored by Alert Logic.

Transcript of (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Page 1: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

SEC312 | November 13, 2014 | Las Vegas, NV

SEC312

Taking a DevOps Approach to Security

Paul Fisher – Alert Logic

Guest Speaker: George Miranda – Chef Software

Page 2: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Speaker Introduction

George Miranda, Engineer & Evangelist

Chef Software, Inc.

@gmiranda23

www.linkedin.com/in/gmiranda23

Paul Fisher, VP Technology Operations

Alert Logic, Inc.

@fisherpk

www.linkedin.com/in/fisherpk/

Page 3: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Session Overview

More organizations are embracing DevOps to realize compelling business benefits such as a faster yet safer feature release cadence, increased application stability, and rapid response to shifting market conditions. However, security and compliance monitoring tools have not kept up and often represent the single largest remaining hurdle to Continuous Delivery.

Topics covered in this session:

• How DevOps Improves your Security Posture

• Overcoming Challenges in DevOps Environments

Page 4: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

DevOps Improves Security Posture

Page 5: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Configuration Management

“We suffer sometimes from the hubris of believing that control is a matter of applying sufficient force, or a sufficiently detailed set of instructions.”

Mark Burgess, Father of Configuration Management

Author of “In Search of Certainty”

Page 6: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Automation and Convergent Infrastructure

“A system’s desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g.: CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what to do.”

Mark Burgess, Father of Configuration Management

Author of “In Search of Certainty”

Page 7: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Emergence of DevOps

“You got your Dev in my Ops!”

“You got your Ops in my Dev!”

Page 8: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Driving Toward Immutable Infrastructure

“This is what I call disposable computing. Throw away a broken process rather than trying to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we’re getting there. Nature shows that this is a good way of scaling services.”

Mark Burgess, Father of Configuration Management

Author of “In Search of Certainty”

Page 9: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Infrastructure as Code

• Converge on a regular interval

• Configuration management is idempotent

• All persistent changes must be in source control

• Manual intervention discouraged

• Out-of-band changes will be lost
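The five bullets above are easiest to see in running code. The block below is an added example, not code from the talk or from Chef: a minimal convergent "file" resource in plain Ruby that behaves the way a Chef, Puppet or CFEngine resource does (declare desired state, change only what differs). The paths, file contents and modes are constructed for the demo.

```ruby
# Added example, not code from the talk or from Chef: a minimal convergent
# "file" resource in plain Ruby that behaves the way a Chef/Puppet/CFEngine
# resource does. Paths and contents are constructed for the demo.
require "tmpdir"
require "fileutils"

# Declare the desired state of one file. Returns true if anything had to be
# changed, false if the node already matched (the idempotent no-op path).
def converge_file(path, content:, mode:)
  changed = false
  unless File.file?(path) && File.read(path) == content
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, content)
    changed = true
  end
  if (File.stat(path).mode & 0o777) != mode
    File.chmod(mode, path)
    changed = true
  end
  changed
end

# One converge run over a run list of resources; returns the paths that changed.
def converge(resources)
  resources.select { |r| converge_file(r[:path], content: r[:content], mode: r[:mode]) }
           .map { |r| r[:path] }
end

# Shows the properties from the slide: the first run applies policy, the
# second run is a no-op, and an out-of-band edit is lost on the next run.
def demo_converge(root)
  sshd = File.join(root, "etc/ssh/sshd_config")
  resources = [
    { path: sshd, content: "PermitRootLogin no\nPasswordAuthentication no\n", mode: 0o600 },
    { path: File.join(root, "etc/motd"), content: "Authorized use only.\n", mode: 0o644 },
  ]
  first  = converge(resources)               # both files created and locked down
  second = converge(resources)               # nothing to do: already converged
  File.write(sshd, "PermitRootLogin yes\n")  # manual "fix" on the box = drift
  third  = converge(resources)               # drift reverted on the next interval
  { first: first.size, second: second.size, third: third, final: File.read(sshd) }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |dir| p demo_converge(dir) }
end
```

Run it with ruby and the three converge calls report 2, 0 and 1 changed resources. The security point is the last one: the hand edit that re-enabled root login survives only until the next scheduled converge, which is why persistent changes must go through source control and not through the console.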

Page 10: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Security & Compliance Implications

Page 11: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Continuous Delivery Patterns

Page 12: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Test Driven Infrastructure

Page 13: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Continuous Security

Elements of continuous security (diagram):

• Security Posture

• Auditing & Compliance

• End-to-End Visibility

• Disaster Recovery & Business Continuity

• Remediation & Fast Resolution

• Continuous Detection/Protection

• Automated Configuration & Scaling

Page 14: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Overcoming Security Challenges

Page 15: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Overcoming Security Challenges

• Challenges for security technology and practice today

– AWS Shared Responsibility Model

– Challenges remain for customers

• Leveraging DevOps for security

– Best practices for blending DevOps with security

• Toward software-defined security

– Embracing new reality of AWS cloud infrastructure

Page 16: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

AWS Shared Responsibility Model

Cloud Service Provider responsibility: Foundation Services (Compute, Storage, DB, Network)

• Logical network segmentation

• Perimeter security services

• External DDoS, spoofing, and scanning prevented

• Hardened hypervisor

• System image library

• Root access for customer

Customer responsibility:

Hosts

• Access management

• Patch management

• Configuration hardening

• Security monitoring

• Log analysis

Apps

• Secure coding and best practices

• Software and virtual patching

• Configuration management

• Access management

• Application level attack monitoring

Networks

• Network threat detection

• Security monitoring

Page 17: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

2014: Security Top Cloud Pain Point

Chart data (pain point: share):

Security: 31%

Pricing/Budget/Cost: 17%

Human Change Management: 12%

Security of Data, Control of Data Locality, Sovereignty: 11%

Compliance: 11%

Migration/Integration: 10%

Internal Resources/Expertise: 9%

Management: 8%

Lack of Internal Process: 7.4%

Vendor/Provider Issues: 7%

Organizational Challenges: 7%

Contractual/Legal Issues: 7%

Service Reliability/Availability: 5%

Network: 5%

Lack of Standards: 4%

Page 18: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Application Security Technology Challenges

• Network Changes

• Host Identity

• Auto Scaling

Page 19: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Security at Odds with DevOps Velocity

Traditional security/compliance is slow

Mature DevOps velocity is fast

Security practice does not keep up

Page 20: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

InfoSec Ends Up Being Marginalized

“The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”

Gene Kim, former CTO of Tripwire

Author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”

Page 21: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Integrating Security with DevOps

• Leveraging DevOps practice for better security

– Prevent attack vectors with immutable systems

– Adopt strategy of phoenix upgrades

– Robust auditing and centralized log collection

– Embrace end-to-end continuous deployment

– Manage vulnerabilities with base images and configuration management

Page 22: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Prevent Attacks with Immutable Systems

Build secure base images that are representative of your infrastructure system base.

Design the file system layout to separate code from data, and lock it down to the minimum required permissions. The same principle should extend to the network.

Leverage SANS checklist and CIS Benchmark resources for system-level security best practices and guidance.

Leverage configuration management tools to standardize all software versions and configurations.

Design Secure Immutable Infrastructure
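"Separate code from data and lock down to minimum permissions" is only useful if something checks it on every build. The block below is an added example, not from the talk and not an Alert Logic or CIS control: a small layout audit in plain Ruby with two rules, code paths must not be writable by group or other, and data paths must never carry execute bits. The directory layout, the file names and the rules themselves are this example's assumptions.

```ruby
# Added example, not from the talk: audit a host's file system layout against
# the "separate code from data, minimum permissions" rule. The layout, the
# service paths and the two checks are this example's assumptions, not an
# Alert Logic or CIS control.
require "find"
require "tmpdir"
require "fileutils"

# Code must not be writable by group or other; data must never be executable.
# Returns human-readable findings; an empty list means the layout passes.
def audit_layout(code_root:, data_root:)
  findings = []
  Find.find(code_root) do |f|
    st = File.lstat(f)
    next if st.symlink?
    if (st.mode & 0o022) != 0
      findings << format("%s: code path writable by group/other (mode %04o)", f, st.mode & 0o777)
    end
  end
  Find.find(data_root) do |f|
    st = File.lstat(f)
    next unless st.file?
    if (st.mode & 0o111) != 0
      findings << format("%s: data file carries execute bits (mode %04o)", f, st.mode & 0o777)
    end
  end
  findings
end

# Constructed layout: an app tree under srv/ and an upload area under var/,
# with one violation in each.
def demo_layout_audit(root)
  code = File.join(root, "srv/app")
  data = File.join(root, "var/lib/app/uploads")
  FileUtils.mkdir_p([File.join(code, "bin"), data])
  FileUtils.chmod(0o755, [code, File.join(code, "bin"), data])
  put = ->(path, mode) { File.write(path, "x\n"); File.chmod(mode, path) }
  put.(File.join(code, "bin/server"), 0o755)   # fine: executable code, not writable
  put.(File.join(code, "config.yml"), 0o664)   # finding: group can rewrite config
  put.(File.join(data, "cat.jpg"), 0o644)      # fine: plain data
  put.(File.join(data, "shell.php"), 0o755)    # finding: executable content in data
  audit_layout(code_root: code, data_root: data)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |dir| puts demo_layout_audit(dir) }
end
```

The data-side check is a stand-in for what you would normally enforce at the mount (a data volume mounted noexec); the point of running it in the image build is that a layout violation fails the build instead of shipping. Running the audit as root would let you add an ownership rule (code owned by the build identity, never by the service account), which the demo cannot exercise without privileges.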

Page 23: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Adopt Strategy of Phoenix Upgrades

Embrace phoenix upgrades

• Stand up new instances, don’t upgrade in place

• Route traffic between old and new instances

• Collect rich service metrics and automate rollback

• Advanced routing can enable selective rollout

Results

• Creates evergreen systems, avoiding configuration drift and technical debt

• Enforces refresh of all system components as a complete artifact, tested as a holistic system

• Greatly reduces security risk when combined with immutable instances and configuration management
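The four bullets under "Embrace phoenix upgrades" describe one control loop. The block below is an added example, not from the talk: that loop in plain Ruby. The load balancer and the metrics source are injected as lambdas so the decision logic (shift traffic in steps, watch the new pool's error rate, roll back on breach) runs offline; the pool names, step sizes, threshold and error-rate samples are constructed for the demo.

```ruby
# Added example, not from the talk: the control loop behind a phoenix upgrade
# in plain Ruby. The load balancer and the metrics source are injected as
# lambdas so the decision logic runs offline; pool names, step sizes, the
# error-rate threshold and the metric samples are constructed for the demo.

Rollout = Struct.new(:old_pool, :new_pool, :steps, :max_error_rate, keyword_init: true)

# Shift traffic to the new pool in steps, watching the new pool's error rate
# after each shift. On breach, send all traffic back to the old pool and stop;
# the new instances are disposable, so they are terminated, not repaired.
# Returns an audit trail whose last entry is [:completed, ...] or [:rolled_back, ...].
def phoenix_upgrade(rollout, route:, error_rate:)
  trail = []
  rollout.steps.each do |pct|
    route.call(rollout.new_pool, pct)
    observed = error_rate.call(pct)
    trail << [pct, observed]
    next if observed <= rollout.max_error_rate
    route.call(rollout.new_pool, 0)
    trail << [:rolled_back, rollout.new_pool]
    return trail
  end
  trail << [:completed, rollout.old_pool]   # old pool is now retired; nothing was patched in place
end

# Constructed error-rate samples keyed by traffic weight: a healthy build, and
# one that only misbehaves once it sees real load (why the steps matter).
HEALTHY     = { 10 => 0.001, 50 => 0.002, 100 => 0.002 }.freeze
BAD_AT_LOAD = { 10 => 0.001, 50 => 0.080, 100 => 0.300 }.freeze

def simulate(samples)
  weights = Hash.new(0)
  rollout = Rollout.new(old_pool: "api-v1.5.2", new_pool: "api-v1.6.0",
                        steps: [10, 50, 100], max_error_rate: 0.01)
  trail = phoenix_upgrade(rollout,
                          route: ->(pool, pct) { weights[pool] = pct },
                          error_rate: ->(pct) { samples.fetch(pct) })
  { outcome: trail.last.first, new_pool_weight: weights["api-v1.6.0"], trail: trail }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(HEALTHY)
  p simulate(BAD_AT_LOAD)
end
```

The healthy build ends with all traffic on the new pool and the old pool retired; the build that fails under load is caught at the 50% step and the new pool is drained to 0%. Nothing in the loop logs into an instance, which is the property that makes the rollback safe to automate: the only states that exist are "old artifact serving" and "new artifact serving".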

Page 24: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Centralize Robust Auditing & Logging

Implement Local Auditing (sample audit.rules):

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
……

Collect Important Logs (sample syslog-ng configuration):

# Sample syslog-ng configuration
# Lots of configuration required
........

# Send *ALL* System Logs to Log Appliance
# Plain tcp() sends logs in the clear; use the tls() option on this driver
# when the appliance is reached over a network you do not trust.
destination df_log_appliance_forward {
    tcp("my-log-appliance" port(514));
};

log {
    source(s_all);
    destination(df_log_appliance_forward);
};

Centralize Log Collection for Search and Filtering

Page 25: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Embrace Complete Continuous Deployment

End-to-end continuous deployment

• Configuration management (Chef)

• Standardized environment images (Packer)

• Environment/subsystem orchestration layer

• Production-like environments in Dev & Test

must include

–Secure immutable systems

–Phoenix upgrades

–Complete logging, metrics, & monitoring

Results

• Holistic system validation & testing

• Continuous validation of secure configuration

Leverage Configuration Management (sample Alert Logic Chef NodeDef):

# Sample Alert Logic Chef NodeDef
{
  "name": "cloud-api-node",
  "versions": {
    "1.6.0": {
      "vm_type": "squeeze64",
      …
      "install_phase": {
        "run_list": [
          "[email protected]",
          …
        ]
      }
    }
  }
  ….
}

Leverage Standardized Environment Images (sample Packer configuration):

# Sample Packer Configuration
# Credentials come in as user variables (-var / -var-file), so no keys are
# committed with the template.
{
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access`}}",
    "secret_key": "{{user `aws_secret`}}",
    "region": "us-east-1",
    "source_ami": "ami-de0d9eb7",
    "instance_type": "t1.micro",
    "ssh_username": "ubuntu",
    "ami_name": "packer-ex {{timestamp}}"
  }]
}

Build an Orchestration Layer

Page 26: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Manage Vulnerabilities with Base Images

Manage Vulnerabilities

• Conduct normal vulnerability scanning

• Identify vulnerabilities that exist in base images versus application-specific packages

• Remediate at the appropriate level as part of the continuous delivery process

Results

• Less work, done more reliably

• Patching fits naturally into phoenix upgrades

• Continuous delivery allows frequent scanning in test environments to have real value

• Fixes potential vulnerabilities systematically
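The step "identify vulnerabilities that exist in base images versus application-specific packages" is a join between the scanner export and the two manifests you already have from the build (what Packer baked into the image, what the cookbook installs on top). The block below is an added example, not from the talk or from a scanner: it groups per-host findings into one fix per owning layer. The manifests, host names and finding ids are constructed.

```ruby
# Added example, not from the talk: triage scanner findings by the layer that
# owns the package, so each vulnerability is fixed once at the right level.
# Manifests, hosts and finding ids are constructed; a real run would read the
# Packer build manifest, the cookbook dependency list and the scanner export.
require "set"

# What the Packer-built base image ships (assumption: exact versions recorded at build).
BASE_IMAGE_PACKAGES = { "openssl" => "1.0.1e", "bash" => "4.2", "libc6" => "2.13" }.freeze
# What the application cookbook installs on top.
APP_PACKAGES = { "rails" => "4.1.4", "nokogiri" => "1.6.1" }.freeze

SEVERITY_RANK = { "low" => 1, "medium" => 2, "high" => 3 }.freeze

ACTION = {
  base_image:  "rebuild the base image, then phoenix-upgrade every host built from it",
  application: "bump the dependency in the app cookbook/run list and redeploy",
  unmanaged:   "package is outside source control: find out how it got there, then remove or adopt it",
}.freeze

# Constructed scanner export: the same base-image flaw on two hosts, one app
# flaw, and one package that no manifest claims.
FINDINGS = [
  { host: "api-01", pkg: "openssl", version: "1.0.1e", id: "finding-1", severity: "high" },
  { host: "api-02", pkg: "openssl", version: "1.0.1e", id: "finding-1", severity: "high" },
  { host: "api-01", pkg: "rails",   version: "4.1.4",  id: "finding-2", severity: "medium" },
  { host: "api-02", pkg: "ntpd",    version: "4.2.6",  id: "finding-3", severity: "high" },
].freeze

# Exact version match: a host carrying a different version of a base package
# has drifted from the image and is treated as unmanaged, not as an image bug.
def owning_layer(pkg, version)
  return :base_image  if BASE_IMAGE_PACKAGES[pkg] == version
  return :application if APP_PACKAGES[pkg] == version
  :unmanaged
end

# Groups per-host findings into one entry per (layer, package version) so the
# plan lists fixes, not hosts. Severity of an entry is the worst one seen.
def triage(findings)
  plan = Hash.new { |h, k| h[k] = {} }
  findings.each do |f|
    layer = owning_layer(f[:pkg], f[:version])
    entry = plan[layer]["#{f[:pkg]} #{f[:version]}"] ||=
      { ids: Set.new, hosts: Set.new, severity: "low", action: ACTION[layer] }
    entry[:ids] << f[:id]
    entry[:hosts] << f[:host]
    if SEVERITY_RANK.fetch(f[:severity], 0) > SEVERITY_RANK.fetch(entry[:severity], 0)
      entry[:severity] = f[:severity]
    end
  end
  plan
end

# Number of distinct fixes the plan asks for (versus raw host findings).
def fix_count(plan)
  plan.values.sum(&:size)
end

if __FILE__ == $PROGRAM_NAME
  triage(FINDINGS).each do |layer, fixes|
    fixes.each { |pkg, e| puts "#{layer}: #{pkg} [#{e[:severity]}] on #{e[:hosts].size} host(s) -> #{e[:action]}" }
  end
end
```

Four host findings collapse to three fixes, and the one that matters most (the base-image package seen on every host) becomes a single image rebuild followed by a phoenix upgrade rather than a per-host patch job. The exact-version rule is deliberate: a base package at an unexpected version means somebody patched a host by hand, which the unmanaged bucket surfaces.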

Page 27: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Moving to Software Defined Security

• Significant opportunity remains in front of us

• AWS ready to accelerate security technology

– Leverage end-to-end visibility available

– Transform periodic assessment into real-time automated responses

– Protect automatically with real-time reconfiguration

Page 28: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Leverage End-to-End Visibility

• Use APIs and AWS CloudTrail logs to see everything

• Automatically track and react to every deploy

Page 29: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Transform Assessment to be Real-Time

• Shrink the assessment-remediation cycle from weeks to minutes

Page 30: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Protect with Automatic Reconfiguration

• React in real time to as-deployed systems

• Automatically reconfigure security infrastructure
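Pages 28 to 30 describe one pipeline: read every deploy from CloudTrail, assess it as it lands, and turn the result into a reconfiguration. The block below is an added example, not from the talk: it walks CloudTrail records and emits reconfiguration work items for two cases, an instance launched from an image the Packer pipeline did not build, and a security group opened to the world on a port that is not meant to be public. The records are constructed in the CloudTrail JSON shape; the approved-image list, the public-port policy and the action names are this example's assumptions, and actions are returned as data rather than executed against EC2 so the block runs offline.

```ruby
# Added example, not from the talk: turn CloudTrail records into immediate
# reconfiguration work items. The records below are constructed in the
# CloudTrail JSON shape; the approved-image list, the public-port policy and
# the action names are this example's assumptions. Actions are returned as data
# rather than executed, so the block runs offline; wiring them to EC2 calls is
# the last step, not shown here.
require "json"

APPROVED_AMIS = ["ami-de0d9eb7"].freeze   # ids of the images your Packer pipeline produced
PUBLIC_OK_PORTS = [80, 443].freeze         # only these may be open to 0.0.0.0/0

SAMPLE_TRAIL = <<~'JSON'
  {"Records": [
    {"eventTime": "2014-11-13T18:20:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0000cafe", "imageId": "ami-de0d9eb7"}]}}},
    {"eventTime": "2014-11-13T18:21:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "ops-user"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0000beef", "imageId": "ami-00000000"}]}}},
    {"eventTime": "2014-11-13T18:22:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "ops-user"},
     "requestParameters": {"groupId": "sg-0000feed", "ipPermissions": {"items": [
       {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
       {"ipProtocol": "tcp", "fromPort": 22,  "toPort": 22,  "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
  ]}
JSON

# Launch from an image the pipeline did not build: isolate it for investigation.
def check_launch(record)
  items = record.dig("responseElements", "instancesSet", "items") || []
  items.reject { |i| APPROVED_AMIS.include?(i["imageId"]) }.map do |i|
    { action: :quarantine_instance, target: i["instanceId"], actor: record.dig("userIdentity", "userName"),
      reason: "launched from unapproved image #{i['imageId']}" }
  end
end

# World-open ingress on anything but the allowed public ports: undo it.
def check_ingress(record)
  params = record.fetch("requestParameters", {})
  perms = params.dig("ipPermissions", "items") || []
  perms.flat_map do |p|
    ranges = p.dig("ipRanges", "items") || []
    next [] unless ranges.any? { |r| r["cidrIp"] == "0.0.0.0/0" }
    next [] if p["ipProtocol"] == "tcp" && p["fromPort"] == p["toPort"] && PUBLIC_OK_PORTS.include?(p["fromPort"])
    [{ action: :revoke_ingress, target: params["groupId"], actor: record.dig("userIdentity", "userName"),
       rule: { protocol: p["ipProtocol"], from: p["fromPort"], to: p["toPort"], cidr: "0.0.0.0/0" },
       reason: "world-open #{p['ipProtocol']}/#{p['fromPort']}-#{p['toPort']}" }]
  end
end

HANDLERS = { "RunInstances" => :check_launch, "AuthorizeSecurityGroupIngress" => :check_ingress }.freeze

# Walk one CloudTrail delivery and return the ordered list of reactions.
def react(trail_json)
  JSON.parse(trail_json)["Records"].flat_map do |rec|
    handler = HANDLERS[rec["eventName"]]
    handler ? send(handler, rec) : []
  end
end

if __FILE__ == $PROGRAM_NAME
  react(SAMPLE_TRAIL).each { |a| puts "#{a[:action]} #{a[:target]} (#{a[:reason]}; by #{a[:actor]})" }
end
```

On the sample delivery the approved launch and the 443 rule pass, and two work items come out: quarantine i-0000beef and revoke tcp/22 from sg-0000feed, each tagged with the IAM user that made the change. Two caveats a practitioner would add: CloudTrail delivery lags the API call, so this closes the window quickly but does not prevent the change (prevention is an IAM policy problem); and the "approved image" list only means something because the Packer step records the AMI ids it produces, which is the link between pages 25 and 28.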

Page 31: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

Contact Us

Paul Fisher

VP Technology Operations

Alert Logic

[email protected]

@fisherpk

George Miranda

Engineer & Evangelist

Chef Software, Inc.

[email protected]

@gmiranda23

Page 32: (SEC312) Taking a DevOps Approach to Security | AWS re:Invent 2014

http://bit.ly/awsevals