Cloud Security Automation - New York State Office of ...

Post on 22-May-2020


TRANSCRIPT

Cloud Security Automation
Edward Luna - Senior Solution Architect
Chris Lohret - Senior Solution Architect
June 5, 2019

What are we covering today?

1. Cloud Security Challenges Today

2. Progression, FedRAMP, and Responsibilities

3. Best practices to automate & secure the cloud today and well into the future

4. Q&A


Challenges

#SecuritySymposium

Welcome to the Vast World of Cybersecurity Tools


“I want to modernize my infrastructure, adopt DevOps, and develop apps faster... BUT I need to make sure I do all of this securely AND still pass all of my security compliance audits.”

(Quote from ANY security-conscious Red Hat customer looking to adopt OpenShift, OpenStack, etc)

68% of breaches took months or longer to discover [2]

99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident [3]

In a 2018 speech, David Hogue, a National Security Agency official, said the NSA had not responded to an intrusion that exploited a zero-day vulnerability in over two years.

81% of hacking-related breaches leveraged either stolen and/or weak passwords [1]

[1] 2017 Verizon Data Breach Investigations Report
[2] 2018 Verizon Data Breach Investigations Report
[3] Gartner, “Focus on the Biggest Security Threats, Not the Most Publicized,” November 2017

BIGGEST BLOCKERS TO TRANSFORMING INCLUDE TALENT GAPS, SECURITY & TECHNICAL DEBT

Source: Global IT Trends & Priorities Research, November 2018, Qualtrics and Red Hat (Over 1,052 valid respondents)


DEVELOPERS AREN’T SECURITY EXPERTS

L7 ATTACKS ON THE RISE

“In the last 6 months we have seen a large upward trend of Layer 7 based DDoS attacks… On average seeing around 160 attacks a day, with some days spiking up to over 1000 attacks.”

Source: blog.cloudflare.com/rate-limiting-delivering-more-rules-and-greater-control/


Progression

Security / Network / Governance

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost effective cloud-based IT.

Security
• It’s FedRAMP so it’s secure?
• Do I go GOV or Commercial cloud?
• How do I? (Island syndrome)
• Evaluate product sets and functions (Prescriptive)

SA-11 Developer Security Testing and Evaluation (M) (H)
(NIST SP 800-53 control; (M) and (H) mark the FedRAMP Moderate and High baselines)

The organization requires the developer of the information system, system component, or information system service to:
(a) Create and implement a security assessment plan;
(b) Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
(c) Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
(d) Implement a verifiable flaw remediation process; and
(e) Correct flaws identified during security testing/evaluation.

This is where automation can help.

Shared Responsibility


Securing the cloud today and well into the future…

“Security is a process, NOT a product.” – Bruce Schneier

(American cryptographer, security blogger, and author)

● Security must be built-in from the start, not bolted on
○ Security must be continuous throughout the stack, using a defense-in-depth approach to protect all layers of the stack holistically

Built-in, Continuous, Defense-in-Depth, Holistic, Long-Term vs ‘Band-Aid’ approach to security

RED HAT’S APPROACH TO SECURITY

ADVOCACY FOR SECURITY NEEDS
Let Red Hat be your voice in community, government, & professional groups that focus on security standards & implementations.

RED HAT IS TRUSTED BY SECURITY STANDARDS BODIES
Rely on Red Hat to partner with security teams from other vendors, agencies, & working groups. This includes access to vulnerability information before it is public.


RED HAT PORTFOLIO DEFENSE IN DEPTH SECURITY

FOUNDATION - Trusted & Secure Platform
● Trusted Content
● Enterprise Container Registry with Vulnerability Scan

APP BUILD - Foundational App Elements
● OpenShift CI/CD Pipelines
● Security-focused Application Templates
● Developer Tools & Best Practices

APP RUNTIME - Securing Business Code
● Service Mesh
● API Management
● Runtime Framework Security Features
● RBAC across Middleware
● Application Services (Messaging, Integration, BPM, SSO)
● Application Business Logic

AUTOMATE, MANAGE, ADAPT

SECURITY MUST BE CONTINUOUS + HOLISTIC AND INTEGRATED THROUGHOUT THE I.T. LIFE CYCLE

Security policy, process, & procedures span every stage:

DESIGN - Identify security requirements & governance models
BUILD - Built-in from the start; not bolted-on
RUN - Deploy to trusted platforms with enhanced security capabilities
MANAGE & AUTOMATE - Automate systems for security & compliance
ADAPT - Revise, update, remediate as the landscape changes

RED HAT SUPPLY CHAIN SECURITY
Reducing Risk and Making Open Source Consumable by the Enterprise

● UPSTREAM FIRST! Community Leadership
● Red Hat Bugzilla Package Review
● Track packages for release in Fedora
● Some packages are selected for RHEL
● Static Code Analysis
● Compiler Flags set for hardening and security
● Extensive QE testing per release
● All packages are digitally signed
● Secure Distribution: Continuous security updates
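Whether the hardening compiler flags actually landed in a shipped binary is something the consumer of a package can verify, not just trust. The following is an added example written for this page; it is not Red Hat build tooling, a Fedora package-review script, or code from the presentation. It reads the program headers and dynamic table of a little-endian ELF64 file and reports the three properties that -fPIE/-pie, -z noexecstack and -z relro -z now produce: a position-independent executable, a non-executable stack, and partial versus full RELRO. Stack-protector canaries and FORTIFY_SOURCE would require walking the symbol table and are left out. The function names (check_elf, is_hardened, build_elf) are mine, and build_elf only constructs minimal header-plus-dynamic-table images so the checker can be exercised offline; those images are test scaffolding, not loadable binaries.

```python
import struct
import sys
from dataclasses import dataclass

# ELF constants, values as defined in <elf.h>
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<QQ")                 # Elf64_Dyn, 16 bytes


@dataclass
class Hardening:
    pie: bool        # -fPIE -pie: ET_DYN executable, loaded at a random base
    nx_stack: bool   # -z noexecstack: PT_GNU_STACK present without PF_X
    relro: str       # "none", "partial" (-z relro) or "full" (-z relro -z now)


def check_elf(data: bytes) -> Hardening:
    """Read the hardening-relevant bits of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    # Walk the dynamic table for the BIND_NOW flags that turn partial RELRO into full RELRO.
    dyn_flags = dyn_flags1 = 0
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        off = p_offset
        while off + DYN.size <= p_offset + p_filesz:
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                dyn_flags = val
            elif tag == DT_FLAGS_1:
                dyn_flags1 = val
            off += DYN.size

    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    # No PT_GNU_STACK at all means the loader falls back to an executable stack on x86.
    nx_stack = bool(stack) and not (stack[0][1] & PF_X)
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(dyn_flags & DF_BIND_NOW or dyn_flags1 & DF_1_NOW)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return Hardening(pie=(e_type == ET_DYN), nx_stack=nx_stack, relro=relro)


def is_hardened(h: Hardening) -> bool:
    """The bar a package build policy would gate on."""
    return h.pie and h.nx_stack and h.relro == "full"


def build_elf(pie: bool, nx_stack: bool, relro: str) -> bytes:
    """Constructed test input: a minimal ELF64 image (headers plus a dynamic table, no
    code) so the checker can be exercised offline. Not a loadable binary."""
    dyn = b""
    if relro == "full":
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW) + DYN.pack(DT_FLAGS_1, DF_1_NOW)
    dyn += DYN.pack(DT_NULL, 0)
    n_ph = 2 + (relro != "none")
    dyn_off = EHDR.size + PHDR.size * n_ph
    ph = [(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8),
          (PT_GNU_STACK, PF_R | PF_W | (0 if nx_stack else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro != "none":
        ph.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n_ph, 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in ph) + dyn


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary  (no argument runs the built-in samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_elf(f.read()))
    else:
        for args in [(True, True, "full"), (False, False, "none"), (True, True, "partial")]:
            print(args, check_elf(build_elf(*args)))
```

Point it at a binary from an installed package and compare against the policy you expect the build system to enforce; in practice the same questions are answered by checksec or Debian's hardening-check. The "all packages are digitally signed" bullet is a separate check: rpm -K (rpm --checksig) on the package file validates its signature against the vendor key imported into the RPM database, and should run before anything else in the list.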

SECURITY THROUGHOUT THE STACK + LIFECYCLE

TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFTWARE

RED HAT SECURITY ADVISORIES

DESIGN / BUILD / RUN / MANAGE & AUTOMATE / ADAPT

Vulnerability and Compliance Scanning on Hosts

Example Approach to Holistic Cloud Automation in Baby Steps

AUTOMATION IS KEY! More and more automation, in small incremental improvements, to improve security & reduce risk wherever you are in the automation journey.

● Host Hardening
● Provisioning Hardened Hosts
● Automated Patching of Hosts and Applications
● Infrastructure and Application Hardening Improvements with Automation
● Automated Compliance with Security Policies
● Security at Scale with Predictive Analytics

Enabling Faster & Scalable Automation: Automated Builds, Continuous Built-in Security, Automated Operations
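SA-11 asks for an assessment plan, testing at a defined depth, evidence that the tests ran, and a verifiable remediation loop; the "Host Hardening" and "Automated Compliance with Security Policies" steps above are that same loop applied to hosts. The following is an added example written for this page, not Red Hat tooling, not OpenSCAP, and not from the presentation: a small compliance-as-code check in which the policy is data, the checks run against constructed sshd_config and sysctl snapshots, and the output is an evidence record that hashes its inputs so a re-run after remediation can be tied to exactly what was assessed. The rule ids, titles, thresholds and both sample snapshots are made up for illustration; run_checks, gate_passes and evidence_record are my names.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed host snapshots for this example; not captured from any real system.
SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

SYSCTL_OUTPUT = """\
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 1
fs.protected_symlinks = 1
"""

# The policy, as data. Ids and titles are illustrative, not CIS or OpenSCAP identifiers.
RULES = [
    {"id": "SSH-01", "fact": "sshd", "key": "permitrootlogin", "op": "eq", "want": "no",
     "severity": "high", "title": "Root login over SSH disabled"},
    {"id": "SSH-02", "fact": "sshd", "key": "passwordauthentication", "op": "eq", "want": "no",
     "severity": "high", "title": "SSH password authentication disabled"},
    {"id": "SSH-03", "fact": "sshd", "key": "maxauthtries", "op": "le", "want": "4",
     "severity": "medium", "title": "SSH MaxAuthTries at most 4"},
    {"id": "SYS-01", "fact": "sysctl", "key": "kernel.randomize_va_space", "op": "eq", "want": "2",
     "severity": "high", "title": "Full ASLR enabled"},
    {"id": "SYS-02", "fact": "sysctl", "key": "net.ipv4.ip_forward", "op": "eq", "want": "0",
     "severity": "medium", "title": "IP forwarding disabled"},
    {"id": "SYS-03", "fact": "sysctl", "key": "fs.protected_symlinks", "op": "eq", "want": "1",
     "severity": "medium", "title": "Symlink protection enabled"},
]


def parse_sshd_config(text):
    """Global sshd_config keywords, lower-cased. Like sshd itself: the first value for a
    keyword wins, and nothing after the first Match block is global."""
    facts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        facts.setdefault(key, (parts[1] if len(parts) > 1 else "").strip().lower())
    return facts


def parse_sysctl(text):
    """'key = value' lines as produced by `sysctl -a`."""
    facts = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            facts[key.strip()] = value.strip()
    return facts


def _compare(op, observed, want):
    if observed is None:            # missing setting: fail closed, never assume a default
        return False
    if op == "eq":
        return observed == want
    if op == "le":
        return observed.isdigit() and int(observed) <= int(want)
    raise ValueError(f"unknown operator {op}")


def run_checks(sshd_text, sysctl_text, rules=RULES):
    facts = {"sshd": parse_sshd_config(sshd_text), "sysctl": parse_sysctl(sysctl_text)}
    results = []
    for r in rules:
        observed = facts[r["fact"]].get(r["key"])
        results.append({
            "id": r["id"], "title": r["title"], "severity": r["severity"],
            "expected": f'{r["op"]} {r["want"]}',
            "observed": "<not set>" if observed is None else observed,
            "passed": _compare(r["op"], observed, r["want"]),
        })
    return results


def gate_passes(results, block_on=("high",)):
    """Pipeline gate: fail the build on any failed rule at a blocking severity."""
    return not any(r["severity"] in block_on and not r["passed"] for r in results)


def evidence_record(sshd_text, sysctl_text, results):
    """SA-11(c)-style evidence: what was assessed (by hash), when, and every finding,
    so the record after remediation can be diffed against this one."""
    return {
        "assessed_at": datetime.now(timezone.utc).isoformat(),
        "inputs": {
            "sshd_config_sha256": hashlib.sha256(sshd_text.encode()).hexdigest(),
            "sysctl_sha256": hashlib.sha256(sysctl_text.encode()).hexdigest(),
        },
        "summary": {"passed": sum(r["passed"] for r in results),
                    "failed": sum(not r["passed"] for r in results)},
        "gate": "pass" if gate_passes(results) else "fail",
        "results": results,
    }


if __name__ == "__main__":
    res = run_checks(SSHD_CONFIG, SYSCTL_OUTPUT)
    print(json.dumps(evidence_record(SSHD_CONFIG, SYSCTL_OUTPUT, res), indent=2))
```

On the constructed snapshots the run fails SSH-01, SSH-03 and SYS-02 and the gate rejects the host because SSH-01 is high severity; fixing those three values and re-running produces a clean record whose input hashes differ from the first, which is the verifiable remediation SA-11(d) asks for. In a real pipeline the snapshots come from the host or image under test, the evidence JSON is archived with the build, and an OpenSCAP profile run through oscap xccdf eval can replace the hand-written rule list while the gate and evidence handling stay the same.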


Customer Example

‘DevSecOps in a Box’: DHS @ Red Hat Innovation Labs

All DevSecOps Red Hat Innovation Labs Residencies:

● Push button infrastructure with recommendations on how to get started
○ Integrating security tooling into CI/CD DevOps pipelines
○ Building takes place during residency
○ Customers transfer what they learned in the residency to their own environment to evaluate impacts to their current processes

DHS documented their entire Innovation Labs & DevSecOps journey on GitHub:

● Quote from DHS:
○ ‘Successful adoption of DevSecOps Best Practices through Red Hat Labs Residency’

THANK YOU
