Cloud Security Automation
Edward Luna - Senior Solution Architect
Chris Lohret - Senior Solution Architect
June 5, 2019
What are we covering today?
1. Cloud Security Challenges Today
2. Progression, FedRAMP, and Responsibilities
3. Best practices to automate & secure the cloud today and well into the future
4. Q&A
Challenges
#SecuritySymposium
Welcome to the Vast World of Cybersecurity Tools
“I want to modernize my infrastructure, adopt DevOps, and develop apps
faster...BUT I need to make sure I do all of this securely AND still pass all of my
security compliance audits. ”
(Quote from ANY security-conscious Red Hat customer looking to adopt OpenShift, OpenStack, etc)
68% of breaches took months or longer to discover [2]
99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident [3]
In a 2018 speech, David Hogue, a National Security Agency official, said the NSA had not responded to an intrusion that exploited a zero-day vulnerability in over two years.
81% of hacking-related breaches leveraged either stolen and/or weak passwords [1]
[1] 2017 Verizon Data Breach Investigations Report
[2] 2018 Verizon Data Breach Investigations Report
[3] Gartner, "Focus on the Biggest Security Threats, Not the Most Publicized," November 2017
BIGGEST BLOCKERS TO TRANSFORMING INCLUDE TALENT GAPS, SECURITY & TECHNICAL DEBT
Source: Global IT Trends & Priorities Research, November 2018, Qualtrics and Red Hat (Over 1,052 valid respondents)
DEVELOPERS AREN’T SECURITY EXPERTS
L7 ATTACKS ON THE RISE
“In the last 6 months we have seen a large upward trend of Layer 7 based DDoS attacks… On average seeing around 160 attacks a day, with some days spiking up to over 1000 attacks.”
Source: blog.cloudflare.com/rate-limiting-delivering-more-rules-and-greater-control/
Progression
Security Network Governance
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT.
Security
● It’s FedRAMP so it’s secure?
● Do I go GOV or Commercial cloud?
● How do I? (Island syndrome)
● Evaluate product sets and functions (Prescriptive)
SA-11 Developer Security Testing and Evaluation (M) (H) (i.e. in the FedRAMP Moderate and High baselines)
The organization requires the developer of the information system, system component, or information system service to:
(a) Create and implement a security assessment plan;
(b) Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
(c) Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
(d) Implement a verifiable flaw remediation process; and
(e) Correct flaws identified during security testing/evaluation.
This is where automation can help: items (b), (c) and (d) are exactly what a CI/CD pipeline can perform on every build, with the test results and remediation records produced as a by-product of the run rather than assembled by hand for the audit.
Shared Responsibility
Securing the cloud today and well into the future…
“Security is a process, NOT a product.” – Bruce Schneier
(American cryptographer, security blogger, and author)
● Security must be built-in from the start, not bolted on
○ Security must be continuous throughout the stack, using a defense-in-depth approach to protect all layers of the stack holistically
Built-in, Continuous, Defense-in-Depth, Holistic, Long-Term vs ‘Band-Aid’ approach to security
RED HAT’S APPROACH TO SECURITY
Let Red Hat be your voice in community, government, & professional groups that focus on security standards & implementations.
Rely on Red Hat to partner with security teams from other vendors, agencies, & working groups. This includes access to vulnerability information before it is public.
ADVOCACY FOR SECURITY NEEDS
RED HAT IS TRUSTED BY SECURITY STANDARDS BODIES
RED HAT PORTFOLIO DEFENSE IN DEPTH SECURITY
Layers of the stack:
● APP RUNTIME: Securing Business Code
● APP BUILD: Foundational App Elements
● FOUNDATION: Trusted & Secure Platform
Security capabilities across those layers:
● Service Mesh
● API Management
● Runtime Framework Security Features
● RBAC across Middleware
● Application Services (Messaging, Integration, BPM, SSO)
● Enterprise Container Registry with Vulnerability Scan
● Trusted Content
● OpenShift CI/CD Pipelines
● Security-focused Application Templates
● Developer Tools & Best Practices
● Application Business Logic
AUTOMATE, MANAGE, ADAPT
SECURITY MUST BE CONTINUOUS + HOLISTIC AND INTEGRATED THROUGHOUT THE I.T. LIFE CYCLE
Security policy, process, & procedures (spanning every phase):
● DESIGN: Identify security requirements & governance models
● BUILD: Built-in from the start; not bolted-on
● RUN: Deploy to trusted platforms with enhanced security capabilities
● MANAGE & AUTOMATE: Automate systems for security & compliance
● ADAPT: Revise, update, remediate as the landscape changes
RED HAT SUPPLY CHAIN SECURITY
Reducing Risk and Making Open Source Consumable by the Enterprise
UPSTREAM FIRST! Community Leadership
● Red Hat Bugzilla package review
● Track packages for release in Fedora
● Some packages are selected for RHEL
● Static code analysis
● Compiler flags set for hardening and security
● Extensive QE testing per release
● All packages are digitally signed
● Secure distribution: continuous security updates
SECURITY THROUGHOUT THE STACK + LIFECYCLE
TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFTWARE
RED HAT SECURITY ADVISORIES
Example Approach to Holistic Cloud Automation in Baby Steps
AUTOMATION IS KEY! More and more automation in small incremental improvements to improve security & reduce risk wherever you are in the automation journey
Steps, from the first to the most advanced:
● Vulnerability and Compliance Scanning on Hosts
● Automated Compliance with Security Policies
● Host Hardening
● Provisioning Hardened Hosts
● Automated Patching of Hosts and Applications
● Infrastructure and Application Hardening Improvements with Automation
● Enabling Faster & Scalable Automation
● Security at Scale with Predictive Analytics
Outcomes: Automated Operations, Continuous Built-in Security, Automated Builds
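As an added example (not code from the slides or from Red Hat), here is the kind of automated compliance gate that the "Vulnerability and Compliance Scanning on Hosts" and "Automated Compliance with Security Policies" steps lead to, and which also yields the test evidence and the remediation record that SA-11 items (c) and (d) ask for. It reads the XCCDF results document that an OpenSCAP run such as `oscap xccdf eval --results results.xml ...` writes, counts failing rules per severity, and fails the job when the policy is exceeded. The results XML, the rule identifiers (which follow the SCAP Security Guide naming convention but were chosen for illustration) and the per-severity limits are all assumptions made for this example.

```python
"""Compliance gate over OpenSCAP (XCCDF 1.2) scan results.

Added example, not from the original slides. It parses the TestResult that
`oscap xccdf eval --results` writes, buckets rule outcomes by severity and
decides whether the scanned host passes an organisation-defined policy.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Outcomes that mean the check did not meaningfully run on this host.
SKIPPED = {"notapplicable", "notselected", "notchecked", "informational"}
# Outcomes that count as a failing control. "error" and "unknown" fail closed:
# a check that could not run is not evidence of compliance.
FAILING = {"fail", "error", "unknown"}

# Constructed sample (not real scan output): a TestResult as oscap writes it,
# trimmed to the elements the gate needs. Rule IDs are illustrative.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example" start-time="2019-06-05T10:00:00">
    <target>host01.example.internal</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>fixed</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" severity="low">
      <result>error</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return a list of (rule_id, severity, result) tuples from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        has_text = result_el is not None and result_el.text
        result = result_el.text.strip().lower() if has_text else "unknown"
        severity = rr.get("severity", "unknown").lower()
        out.append((rr.get("idref", ""), severity, result))
    return out


def summarize(rule_results):
    """Count pass/fail outcomes per severity, ignoring rules that were skipped."""
    counts = Counter()
    for _, severity, result in rule_results:
        if result in SKIPPED:
            continue
        bucket = "fail" if result in FAILING else "pass"
        counts[(severity, bucket)] += 1
    return counts


def evaluate_gate(rule_results, max_fail_by_severity=None):
    """Apply the policy (how many failing rules each severity may have).

    Returns (passed, reasons). The default limits are an assumption for this
    example: no high or unknown-severity failures, at most 2 medium, at most 5 low.
    """
    policy = {"high": 0, "unknown": 0, "medium": 2, "low": 5}
    if max_fail_by_severity:
        policy.update(max_fail_by_severity)
    counts = summarize(rule_results)
    reasons = []
    for severity, limit in policy.items():
        failing = counts[(severity, "fail")]
        if failing > limit:
            reasons.append(f"{failing} failing {severity}-severity rule(s) exceeds limit {limit}")
    # Name the offending rules so the remediation ticket is actionable.
    for rule_id, severity, result in rule_results:
        if result in FAILING and counts[(severity, "fail")] > policy.get(severity, 0):
            reasons.append(f"  {rule_id}: {result}")
    return (not reasons), reasons


if __name__ == "__main__":
    results = parse_rule_results(SAMPLE_RESULTS)
    for (severity, bucket), n in sorted(summarize(results).items()):
        print(f"{severity:8s} {bucket:4s} {n}")
    passed, why = evaluate_gate(results)
    print("GATE:", "PASS" if passed else "FAIL")
    for line in why:
        print(line)
    sys.exit(0 if passed else 1)
```

Run it after the `oscap` step in the pipeline and archive both the results file and the gate output; together they are the execution evidence and the flaw list that feed the remediation process. Treating `error` and `unknown` as failures is deliberate: a scanner that breaks must not produce a silent pass.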
Customer Example
‘DevSecOps in a Box’: DHS @ Red Hat Innovation Labs
All DevSecOps Red Hat Innovation Labs Residencies:
● Push button infrastructure with recommendations on how to get started
○ Integrating security tooling into CI/CD DevOps pipelines
○ Building takes place during residency
○ Customers transfer what they learned in the residency to their own environment to evaluate impacts to their current processes
DHS documented their entire Innovation Labs & DevSecOps journey on GitHub:
● Quote from DHS:
○ ‘Successful adoption of DevSecOps Best Practices through Red Hat Labs Residency’
THANK YOU