SlideShare uma empresa Scribd logo

Automating security policies (compliance) with Rudder

Jonathan Clarke
Jonathan Clarke
Tecnologia
1 de 23
Baixar para ler offline
Automating security policies From deployment to auditing with Rudder Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com
Who am I ? ● Jonathan Clarke ● Job: Co-founder and CTO at Normation ● Line of work: – Initially system administration, infrastructure management... – Now a whole load of other stuff ! ● Free software: – Co-creator of Rudder – Developer in several LDAP projects: LSC, LTB, OpenLDAP … – Contributor to CFEngine Contact info Email: jcl@normation.com Twitter: @jooooooon42 (that's 7 'o's!) Normation – CC-BY-SA normation.com 2
Context IT infrastructure Normation – CC-BY-SA normation.com 3
Context IT infrastructure Automation Normation – CC-BY-SA normation.com 4
Context IT infrastructure Automation Motivations: Avoid Build new Rebuild hosts Scale out human error hosts quickly quickly quickly Normation – CC-BY-SA normation.com 5
Context IT infrastructure Automation Tools: Normation – CC-BY-SA normation.com 6
What about compliance? IT infrastructure Compliance? Normation – CC-BY-SA normation.com 7
What about compliance? IT infrastructure Compliance? Motivations: Get a Get an Know about Prove complete objective config drift compliance overview overview Normation – CC-BY-SA normation.com 8
What about compliance? IT infrastructure Compliance to what? Normation – CC-BY-SA normation.com 9
What about compliance? IT infrastructure Compliance to what? Rules come from everywhere: Industry Corporate Laws Best practices regulations regulations Normation – CC-BY-SA normation.com 10
What about compliance? IT infrastructure Compliance to what? Practical examples Enforce some MOTD Password Tripwire parameters “warning” policy (disk contents) in a service Normation – CC-BY-SA normation.com 11
How is this different from “just” automation? Automation vs Compliance How different is this technically? Normation – CC-BY-SA normation.com 12
How is this different from “just” automation? Frequency The more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, Run “slow” Focus on the efficient agent checks in the security checks background (file copying Reporting can over network...) be done later Normation – CC-BY-SA normation.com 13
How is this different from “just” automation? All or nothing Compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Make sure you Support all the Two systems may know what {old,weird,buggy} be alike on paper, systems exist: {OS,software, they very rarely rely on an versions} are in reality. inventory DB Normation – CC-BY-SA normation.com 14
How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + Prebook flight to Cayman islands? Normation – CC-BY-SA normation.com 15
How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff Start with no changes. Classic you don't need to. Just check. Dry-run? quality Be specific. control Cover full cycles (reviews...) (One line in a file?) (days, weeks, months...) Normation – CC-BY-SA normation.com 16
So, what have we actually done? Applied these principles in Normation – CC-BY-SA normation.com 17
Introducing Rudder http://rudder.cm/ Specifically designed for Simplified user experience automation & compliance via a Web UI Based on CFEngine 3 Graphical reporting Multi-platform Open Source (packaged for each OS) Vagrant config to test: https://github.com/normation/rudder-vagrant/ Normation – CC-BY-SA normation.com 18
Introducing Rudder Normation – CC-BY-SA normation.com 19
Key points for security compliance Continuous checking High freqency, trust in Every 5 minutes compliance reporting Reuse implementations, Separate configuration from implementation less bugs, shared code... Clear separation of roles Multi-platform Cover as many systems Linux, Unix, Windows, Android... as possible Reporting Avoid bottleneck Done after the checks, Different report types separate process Normation – CC-BY-SA normation.com 20
Rudder - workflow Define Changes security policy (fixes, upgrades...) Management REPORTING c c Technical abstraction Community Expert (method vs parameters) Configure parameters Sysadmins Initial application Configuration agent Continuous verification Normation – CC-BY-SA normation.com 21
Final thoughts Summary: - Security compliance is a very demanding type of automation - Possible today with open source tools - Main issue is about how you use them! Next steps? - Authorizations: who can change which parameters? (law vs regulations vs policy...) - Correlate with monitoring data: determine root causes, cross effects... It works but the tools can be improved: - detect changes (inotify?) - even 1 minute not always enough - dry-run iterations automatically? Normation – CC-BY-SA normation.com 23
Questions? Follow us on Twitter: @RudderProject Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com

Recomendados

Andy huckridge
Andy huckridgeAndy huckridge
Andy huckridgeCarl Ford
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010Jonathan Clarke
 
Volunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingVolunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingCross-Cultural Solutions
 
Rudder 3.0 and beyond
Rudder 3.0 and beyondRudder 3.0 and beyond
Rudder 3.0 and beyondJonathan Clarke
 
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Cross-Cultural Solutions
 
Why Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationWhy Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationCross-Cultural Solutions
 
Volunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationVolunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationCross-Cultural Solutions
 
2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservice2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservicedevopsdaysaustin
 

Recomendados

Andy huckridge
Andy huckridgeAndy huckridge
Andy huckridgeCarl Ford
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010Jonathan Clarke
 
Volunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingVolunteer Abroad in India - 16 Years and Counting
Volunteer Abroad in India - 16 Years and CountingCross-Cultural Solutions
 
Rudder 3.0 and beyond
Rudder 3.0 and beyondRudder 3.0 and beyond
Rudder 3.0 and beyondJonathan Clarke
 
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...
Volunteering with Cross-Cultural Solutions: A Canadian Perspective, CCS Webin...Cross-Cultural Solutions
 
Why Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationWhy Volunteer Abroad? A Look at FAQs - CCS Webinar Presentation
Why Volunteer Abroad? A Look at FAQs - CCS Webinar PresentationCross-Cultural Solutions
 
Volunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationVolunteer Impact in CCS Morocco, CCS Webinar Presentation
Volunteer Impact in CCS Morocco, CCS Webinar PresentationCross-Cultural Solutions
 
2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservice2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservicedevopsdaysaustin
 
Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersJonathan Clarke
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Bryan Borra
 
Customer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSCustomer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSR "Ray" Wang
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformSalesforce Developers
 
Containers and Why They Matter
Containers and Why They MatterContainers and Why They Matter
Containers and Why They MatterRay Lukas
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPAKnoldus Inc.
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Complianceimigrnt
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!ichikaway
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botomjbommar
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!VAddy
 
Bot audit
Bot auditBot audit
Bot auditAnika Mittal
 
Drone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataDrone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataAleksander Kowalski
 
BMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareBMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareMike Rizzo
 
Where Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsWhere Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsAnton Chuvakin
 
Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"CompTIA
 
A Tale of Contemporary Software
A Tale of Contemporary SoftwareA Tale of Contemporary Software
A Tale of Contemporary SoftwareYun Zhi Lin
 
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays
 
Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations OpSource
 
Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Jonathan Clarke
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6Jonathan Clarke
 

Mais conteúdo relacionado

Semelhante a Automating security policies (compliance) with Rudder

Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersJonathan Clarke
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Bryan Borra
 
Customer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSCustomer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSR "Ray" Wang
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformSalesforce Developers
 
Containers and Why They Matter
Containers and Why They MatterContainers and Why They Matter
Containers and Why They MatterRay Lukas
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPAKnoldus Inc.
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Complianceimigrnt
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!ichikaway
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botomjbommar
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!VAddy
 
Drone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataDrone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataAleksander Kowalski
 
BMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareBMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareMike Rizzo
 
Where Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsWhere Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsAnton Chuvakin
 
Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"CompTIA
 
A Tale of Contemporary Software
A Tale of Contemporary SoftwareA Tale of Contemporary Software
A Tale of Contemporary SoftwareYun Zhi Lin
 
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays
 
Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations OpSource
 

Semelhante a Automating security policies (compliance) with Rudder (20)

Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert users
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
 
Customer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaSCustomer Bill Of Rights: SaaS
Customer Bill Of Rights: SaaS
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management Platform
 
Containers and Why They Matter
Containers and Why They MatterContainers and Why They Matter
Containers and Why They Matter
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPA
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Compliance
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!
 
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and botoAutomating Oracle Database deployment with Amazon Web Services, fabric, and boto
Automating Oracle Database deployment with Amazon Web Services, fabric, and boto
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!
 
Bot audit
Bot auditBot audit
Bot audit
 
Drone Strategy - Autonomy and Data
Drone Strategy - Autonomy and DataDrone Strategy - Autonomy and Data
Drone Strategy - Autonomy and Data
 
BMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/MalwareBMC - Response to the SolarWinds Breach/Malware
BMC - Response to the SolarWinds Breach/Malware
 
Where Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsWhere Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized Environments
 
Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"
 
A Tale of Contemporary Software
A Tale of Contemporary SoftwareA Tale of Contemporary Software
A Tale of Contemporary Software
 
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
apidays LIVE Helsinki & North - Ideas around automating API Management by Mat...
 
Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations Making the Move to SaaS: 10 Key Technical Considerations
Making the Move to SaaS: 10 Key Technical Considerations
 

Mais de Jonathan Clarke

Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Jonathan Clarke
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6Jonathan Clarke
 
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalOpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalJonathan Clarke
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Jonathan Clarke
 
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)Jonathan Clarke
 
LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009Jonathan Clarke
 
LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)Jonathan Clarke
 

Mais de Jonathan Clarke (7)

Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6
 
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalOpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...
 
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
 
LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009LDAP Synchronization Connector presentation at LDAPCon 2009
LDAP Synchronization Connector presentation at LDAPCon 2009
 
LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)
 

Último

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 

Último (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 

Automating security policies (compliance) with Rudder

  • 1. Automating security policies From deployment to auditing with Rudder Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com
  • 2. Who am I ? ● Jonathan Clarke ● Job: Co-founder and CTO at Normation ● Line of work: – Initially system administration, infrastructure management... – Now a whole load of other stuff ! ● Free software: – Co-creator of Rudder – Developer in several LDAP projects: LSC, LTB, OpenLDAP … – Contributor to CFEngine Contact info Email: jcl@normation.com Twitter: @jooooooon42 (that's 7 'o's!) Normation – CC-BY-SA normation.com 2
  • 3. Context IT infrastructure Normation – CC-BY-SA normation.com 3
  • 4. Context IT infrastructure Automation Normation – CC-BY-SA normation.com 4
  • 5. Context IT infrastructure Automation Motivations: Avoid Build new Rebuild hosts Scale out human error hosts quickly quickly quickly Normation – CC-BY-SA normation.com 5
  • 6. Context IT infrastructure Automation Tools: Normation – CC-BY-SA normation.com 6
  • 7. What about compliance? IT infrastructure Compliance? Normation – CC-BY-SA normation.com 7
  • 8. What about compliance? IT infrastructure Compliance? Motivations: Get a Get an Know about Prove complete objective config drift compliance overview overview Normation – CC-BY-SA normation.com 8
  • 9. What about compliance? IT infrastructure Compliance to what? Normation – CC-BY-SA normation.com 9
  • 10. What about compliance? IT infrastructure Compliance to what? Rules come from everywhere: Industry Corporate Laws Best practices regulations regulations Normation – CC-BY-SA normation.com 10
  • 11. What about compliance? IT infrastructure Compliance to what? Practical examples Enforce some MOTD Password Tripwire parameters “warning” policy (disk contents) in a service Normation – CC-BY-SA normation.com 11
  • 12. How is this different from “just” automation? Automation vs Compliance How different is this technically? Normation – CC-BY-SA normation.com 12
  • 13. How is this different from “just” automation? Frequency The more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, Run “slow” Focus on the efficient agent checks in the security checks background (file copying Reporting can over network...) be done later Normation – CC-BY-SA normation.com 13
  • 14. How is this different from “just” automation? All or nothing Compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Make sure you Support all the Two systems may know what {old,weird,buggy} be alike on paper, systems exist: {OS,software, they very rarely rely on an versions} are in reality. inventory DB Normation – CC-BY-SA normation.com 14
  • 15. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + Prebook flight to Cayman islands? Normation – CC-BY-SA normation.com 15
  • 16. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff Start with no changes. Classic you don't need to. Just check. Dry-run? quality Be specific. control Cover full cycles (reviews...) (One line in a file?) (days, weeks, months...) Normation – CC-BY-SA normation.com 16
  • 17. So, what have we actually done? Applied these principles in Normation – CC-BY-SA normation.com 17
  • 18. Introducing Rudder http://rudder.cm/ Specifically designed for Simplified user experience automation & compliance via a Web UI Based on CFEngine 3 Graphical reporting Multi-platform Open Source (packaged for each OS) Vagrant config to test: https://github.com/normation/rudder-vagrant/ Normation – CC-BY-SA normation.com 18
  • 19. Introducing Rudder Normation – CC-BY-SA normation.com 19
  • 20. Key points for security compliance Continuous checking High freqency, trust in Every 5 minutes compliance reporting Reuse implementations, Separate configuration from implementation less bugs, shared code... Clear separation of roles Multi-platform Cover as many systems Linux, Unix, Windows, Android... as possible Reporting Avoid bottleneck Done after the checks, Different report types separate process Normation – CC-BY-SA normation.com 20
  • 21. Rudder - workflow Define Changes security policy (fixes, upgrades...) Management REPORTING c c Technical abstraction Community Expert (method vs parameters) Configure parameters Sysadmins Initial application Configuration agent Continuous verification Normation – CC-BY-SA normation.com 21
  • 22. Final thoughts Summary: - Security compliance is a very demanding type of automation - Possible today with open source tools - Main issue is about how you use them! Next steps? - Authorizations: who can change which parameters? (law vs regulations vs policy...) - Correlate with monitoring data: determine root causes, cross effects... It works but the tools can be improved: - detect changes (inotify?) - even 1 minute not always enough - dry-run iterations automatically? Normation – CC-BY-SA normation.com 23
  • 23. Questions? Follow us on Twitter: @RudderProject Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com