SlideShare uma empresa Scribd logo

Automating security policies (compliance) with Rudder

Jonathan Clarke
Jonathan Clarke
Tecnologia
1 de 23
Baixar para ler offline
Automating security policies From deployment to auditing with Rudder Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com
Who am I ? ● Jonathan Clarke ● Job: Co-founder and CTO at Normation ● Line of work: – Initially system administration, infrastructure management... – Now a whole load of other stuff ! ● Free software: – Co-creator of Rudder – Developer in several LDAP projects: LSC, LTB, OpenLDAP … – Contributor to CFEngine Contact info Email: jcl@normation.com Twitter: @jooooooon42 (that's 7 'o's!) Normation – CC-BY-SA normation.com 2
Context IT infrastructure Normation – CC-BY-SA normation.com 3
Context IT infrastructure Automation Normation – CC-BY-SA normation.com 4
Context IT infrastructure Automation Motivations: Avoid Build new Rebuild hosts Scale out human error hosts quickly quickly quickly Normation – CC-BY-SA normation.com 5
Context IT infrastructure Automation Tools: Normation – CC-BY-SA normation.com 6
What about compliance? IT infrastructure Compliance? Normation – CC-BY-SA normation.com 7
What about compliance? IT infrastructure Compliance? Motivations: Get a Get an Know about Prove complete objective config drift compliance overview overview Normation – CC-BY-SA normation.com 8
What about compliance? IT infrastructure Compliance to what? Normation – CC-BY-SA normation.com 9
What about compliance? IT infrastructure Compliance to what? Rules come from everywhere: Industry Corporate Laws Best practices regulations regulations Normation – CC-BY-SA normation.com 10
What about compliance? IT infrastructure Compliance to what? Practical examples Enforce some MOTD Password Tripwire parameters “warning” policy (disk contents) in a service Normation – CC-BY-SA normation.com 11
How is this different from “just” automation? Automation vs Compliance How different is this technically? Normation – CC-BY-SA normation.com 12
How is this different from “just” automation? Frequency The more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, Run “slow” Focus on the efficient agent checks in the security checks background (file copying Reporting can over network...) be done later Normation – CC-BY-SA normation.com 13
How is this different from “just” automation? All or nothing Compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Make sure you Support all the Two systems may know what {old,weird,buggy} be alike on paper, systems exist: {OS,software, they very rarely rely on an versions} are in reality. inventory DB Normation – CC-BY-SA normation.com 14
How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + Prebook flight to Cayman islands? Normation – CC-BY-SA normation.com 15
How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff Start with no changes. Classic you don't need to. Just check. Dry-run? quality Be specific. control Cover full cycles (reviews...) (One line in a file?) (days, weeks, months...) Normation – CC-BY-SA normation.com 16
So, what have we actually done? Applied these principles in Normation – CC-BY-SA normation.com 17
Introducing Rudder http://rudder.cm/ Specifically designed for Simplified user experience automation & compliance via a Web UI Based on CFEngine 3 Graphical reporting Multi-platform Open Source (packaged for each OS) Vagrant config to test: https://github.com/normation/rudder-vagrant/ Normation – CC-BY-SA normation.com 18
Introducing Rudder Normation – CC-BY-SA normation.com 19
Key points for security compliance Continuous checking High freqency, trust in Every 5 minutes compliance reporting Reuse implementations, Separate configuration from implementation less bugs, shared code... Clear separation of roles Multi-platform Cover as many systems Linux, Unix, Windows, Android... as possible Reporting Avoid bottleneck Done after the checks, Different report types separate process Normation – CC-BY-SA normation.com 20
Rudder - workflow Define Changes security policy (fixes, upgrades...) Management REPORTING c c Technical abstraction Community Expert (method vs parameters) Configure parameters Sysadmins Initial application Configuration agent Continuous verification Normation – CC-BY-SA normation.com 21
Final thoughts Summary: - Security compliance is a very demanding type of automation - Possible today with open source tools - Main issue is about how you use them! Next steps? - Authorizations: who can change which parameters? (law vs regulations vs policy...) - Correlate with monitoring data: determine root causes, cross effects... It works but the tools can be improved: - detect changes (inotify?) - even 1 minute not always enough - dry-run iterations automatically? Normation – CC-BY-SA normation.com 23
Questions? Follow us on Twitter: @RudderProject Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com

Recomendados

Andy huckridge
Andy huckridgeAndy huckridge
Andy huckridgeCarl Ford
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010Jonathan Clarke
 
Volunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingVolunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingCross-Cultural Solutions
 
Rudder 3.0 and beyond
Rudder 3.0 and beyondRudder 3.0 and beyond
Rudder 3.0 and beyondJonathan Clarke
 
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Cross-Cultural Solutions
 
Why Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationWhy Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationCross-Cultural Solutions
 
Volunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationVolunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationCross-Cultural Solutions
 
2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservice2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservicedevopsdaysaustin
 

Recomendados

Andy huckridge
Andy huckridgeAndy huckridge
Andy huckridgeCarl Ford
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010Jonathan Clarke
 
Volunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingVolunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingCross-Cultural Solutions
 
Rudder 3.0 and beyond
Rudder 3.0 and beyondRudder 3.0 and beyond
Rudder 3.0 and beyondJonathan Clarke
 
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Cross-Cultural Solutions
 
Why Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationWhy Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationCross-Cultural Solutions
 
Volunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationVolunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationCross-Cultural Solutions
 
2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservice2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservicedevopsdaysaustin
 
Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersJonathan Clarke
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Bryan Borra
 
Customer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSCustomer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSR "Ray" Wang
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformSalesforce Developers
 
Containers and Why They Matter
Containers and Why They MatterContainers and Why They Matter
Containers and Why They MatterRay Lukas
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPAKnoldus Inc.
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Complianceimigrnt
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!ichikaway
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botomjbommar
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!VAddy
 
Bot audit
Bot auditBot audit
Bot auditAnika Mittal
 
Drone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataDrone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataAleksander Kowalski
 
BMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareBMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareMike Rizzo
 
Where Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsWhere Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsAnton Chuvakin
 
Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"CompTIA
 
A Tale of Contemporary Software
A Tale of Contemporary SoftwareA Tale of Contemporary Software
A Tale of Contemporary SoftwareYun Zhi Lin
 
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays
 
Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations OpSource
 
Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Jonathan Clarke
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6Jonathan Clarke
 

Mais conteúdo relacionado

Semelhante a Automating security policies (compliance) with Rudder

Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersJonathan Clarke
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Bryan Borra
 
Customer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSCustomer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSR "Ray" Wang
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformSalesforce Developers
 
Containers and Why They Matter
Containers and Why They MatterContainers and Why They Matter
Containers and Why They MatterRay Lukas
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPAKnoldus Inc.
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Complianceimigrnt
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!ichikaway
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botomjbommar
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!VAddy
 
Drone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataDrone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataAleksander Kowalski
 
BMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareBMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareMike Rizzo
 
Where Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsWhere Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsAnton Chuvakin
 
Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"CompTIA
 
A Tale of Contemporary Software
A Tale of Contemporary SoftwareA Tale of Contemporary Software
A Tale of Contemporary SoftwareYun Zhi Lin
 
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays
 
Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations OpSource
 

Semelhante a Automating security policies (compliance) with Rudder (20)

Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert users
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
 
Customer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSCustomer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaS
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management Platform
 
Containers and Why They Matter
Containers and Why They MatterContainers and Why They Matter
Containers and Why They Matter
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPA
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Compliance
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!
 
Bot audit
Bot auditBot audit
Bot audit
 
Drone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataDrone Strategy - Autonomy and Data
Drone Strategy - Autonomy and Data
 
BMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareBMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/Malware
 
Where Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsWhere Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized Environments
 
Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"
 
A Tale of Contemporary Software
A Tale of Contemporary SoftwareA Tale of Contemporary Software
A Tale of Contemporary Software
 
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
 
Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations
 

Mais de Jonathan Clarke

Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Jonathan Clarke
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6Jonathan Clarke
 
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalOpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalJonathan Clarke
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Jonathan Clarke
 
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)Jonathan Clarke
 
LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009Jonathan Clarke
 
LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)Jonathan Clarke
 

Mais de Jonathan Clarke (7)

Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6
 
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalOpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...
 
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
 
LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009
 
LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)
 

Último

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 

Último (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 

Automating security policies (compliance) with Rudder

  • 1. Automating security policies From deployment to auditing with Rudder Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com
  • 2. Who am I ? ● Jonathan Clarke ● Job: Co-founder and CTO at Normation ● Line of work: – Initially system administration, infrastructure management... – Now a whole load of other stuff ! ● Free software: – Co-creator of Rudder – Developer in several LDAP projects: LSC, LTB, OpenLDAP … – Contributor to CFEngine Contact info Email: jcl@normation.com Twitter: @jooooooon42 (that's 7 'o's!) Normation – CC-BY-SA normation.com 2
  • 3. Context IT infrastructure Normation – CC-BY-SA normation.com 3
  • 4. Context IT infrastructure Automation Normation – CC-BY-SA normation.com 4
  • 5. Context IT infrastructure Automation Motivations: Avoid Build new Rebuild hosts Scale out human error hosts quickly quickly quickly Normation – CC-BY-SA normation.com 5
  • 6. Context IT infrastructure Automation Tools: Normation – CC-BY-SA normation.com 6
  • 7. What about compliance? IT infrastructure Compliance? Normation – CC-BY-SA normation.com 7
  • 8. What about compliance? IT infrastructure Compliance? Motivations: Get a Get an Know about Prove complete objective config drift compliance overview overview Normation – CC-BY-SA normation.com 8
  • 9. What about compliance? IT infrastructure Compliance to what? Normation – CC-BY-SA normation.com 9
  • 10. What about compliance? IT infrastructure Compliance to what? Rules come from everywhere: Industry Corporate Laws Best practices regulations regulations Normation – CC-BY-SA normation.com 10
  • 11. What about compliance? IT infrastructure Compliance to what? Practical examples Enforce some MOTD Password Tripwire parameters “warning” policy (disk contents) in a service Normation – CC-BY-SA normation.com 11
  • 12. How is this different from “just” automation? Automation vs Compliance How different is this technically? Normation – CC-BY-SA normation.com 12
  • 13. How is this different from “just” automation? Frequency The more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, Run “slow” Focus on the efficient agent checks in the security checks background (file copying Reporting can over network...) be done later Normation – CC-BY-SA normation.com 13
  • 14. How is this different from “just” automation? All or nothing Compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Make sure you Support all the Two systems may know what {old,weird,buggy} be alike on paper, systems exist: {OS,software, they very rarely rely on an versions} are in reality. inventory DB Normation – CC-BY-SA normation.com 14
  • 15. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + Prebook flight to Cayman islands? Normation – CC-BY-SA normation.com 15
  • 16. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff Start with no changes. Classic you don't need to. Just check. Dry-run? quality Be specific. control Cover full cycles (reviews...) (One line in a file?) (days, weeks, months...) Normation – CC-BY-SA normation.com 16
  • 17. So, what have we actually done? Applied these principles in Normation – CC-BY-SA normation.com 17
  • 18. Introducing Rudder http://rudder.cm/ Specifically designed for Simplified user experience automation & compliance via a Web UI Based on CFEngine 3 Graphical reporting Multi-platform Open Source (packaged for each OS) Vagrant config to test: https://github.com/normation/rudder-vagrant/ Normation – CC-BY-SA normation.com 18
  • 19. Introducing Rudder Normation – CC-BY-SA normation.com 19
  • 20. Key points for security compliance Continuous checking High freqency, trust in Every 5 minutes compliance reporting Reuse implementations, Separate configuration from implementation less bugs, shared code... Clear separation of roles Multi-platform Cover as many systems Linux, Unix, Windows, Android... as possible Reporting Avoid bottleneck Done after the checks, Different report types separate process Normation – CC-BY-SA normation.com 20
  • 21. Rudder - workflow Define Changes security policy (fixes, upgrades...) Management REPORTING c c Technical abstraction Community Expert (method vs parameters) Configure parameters Sysadmins Initial application Configuration agent Continuous verification Normation – CC-BY-SA normation.com 21
  • 22. Final thoughts Summary: - Security compliance is a very demanding type of automation - Possible today with open source tools - Main issue is about how you use them! Next steps? - Authorizations: who can change which parameters? (law vs regulations vs policy...) - Correlate with monitoring data: determine root causes, cross effects... It works but the tools can be improved: - detect changes (inotify?) - even 1 minute not always enough - dry-run iterations automatically? Normation – CC-BY-SA normation.com 23
  • 23. Questions? Follow us on Twitter: @RudderProject Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com