Elizabeth Lawler - DevOps, Security, and Compliance Working in Unison

Post on 19-Mar-2017


Category:

Presentations & Public Speaking


TRANSCRIPT

Join the conversation #devseccon

DevOps, Security, and Compliance

WORKING IN UNISON

Elizabeth Lawler, Co-Founder, Conjur Inc

What I get excited about….

Cybersecurity as a “public health” problem

Providing better security related experiences as a business

Access controls at scale for “silica users” and “robots”

My husband, kids, dog, cat, & chickens

At risk connections (Cloud & IoT): people can't keep up

                     Then                                    Now
Complexity           Known # of identifiable components      100s to millions of system components
Provisioned by       People, +/- approvals                   People and code; ? approvals, ? traceable
Provisioned in       days, weeks, months ... years           seconds to minutes
Threat concerns      Insiders, physical/environmental        Tampered code, hijacked systems
Era                  Mainframe, Client/Server, Web           Containerized, Cloud

[Delivery pipeline diagram: Developer -> Dev team -> Check (dev team, tools, & tools admins) -> Deploy (dev team, tools, tools admins, & operators) -> INFRASTRUCTURE]

The business sees … Velocity!


Security and compliance sees….

• Credentials in GitHub
• Malware injection
• DDoS platform
• Side-channel IT resources for bitcoin mining
• Out-of-date libraries
• Phished admin creds

Can we trust these people?

Story #1: “Meet the compliance team [Spike]”

• Don’t let security and compliance be unplanned work

GET BUY-IN -> PLAN -> IMPROVE

Start Here: Persona Map of Your Organization

• Security strategy aligned with business goals
• Policies that map to security and compliance controls and key threats
• Simple security model that scales, no pager fatigue
• Application security policies that work from dev to prod and don't mess with "flow"

Say …. "What?!"

• Directive 95/46/EC
• HIPAA
• NIST-CSF
• SOX
• PCI
• PIPEDA

• ID.AM-2: Software platforms within the organization are inventoried
  Informative references: CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

• ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  Informative references: COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Technology serves compliant and secure behavior

Step 2: Categorize Risk By Severity/Prevalence

Common threat actions are often “in-scope”

1.Access control

2.Management of virtual assets and inventories

3.Credentials and shared accounts

Source Verizon Breach Report 2015 “Threat Actions by Type”

Step 3: Describe the risk and proposed mitigation

R3. An external actor gains unauthorized access to production or pre-production environments

CS3. Unauthorized access is prevented, detected, and corrected through the regular review of access credentials and system configuration

Source: DevOps Audit Defense Toolkit 2015


Can you run the control through this system?

Step 3: Then Automate the Process (… or not!)

EXAMPLE COMPLIANCE CONTROL
PR.AC-1: Identities and credentials are managed for authorized devices and users

STATIC OR ACTIVE ANALYSIS
Processes and procedures for managing identities and credentials are documented

STATIC ANALYSIS: compliance procedures like checklists with signoff, tickets, forms, and periodic "hunts" for violations

EVENT
• Hire a new person
• Provision a new device
• Elevate auth for a system admin

ACTIVE ANALYSIS: automated tooling to provide function or gate processes, continuous logging of activities, active automated warnings, and executive reporting views as real-time risk communication

Step 4: Test and Verify the Control

Teams that focus on testing, early detection, and measuring progress have 30% fewer [security] defects in production

Source: The Journey to DevSecOps, Shannon Lietz, 2016

NIST CONTROL PR.AC-4

1. Describe compliance in plain English
2. What do you have in place / plan to have in place?
3. Describe passing scenarios
4. Write tests and run them
5. FAIL
6. Write code that leads to a consistent pass state

Source: Audit Compliance with BDD tools, Conjur blog

Step 5: Communicate controls to stakeholders: "Excuse me … do you speak JSON?"

• Repeatable
• Reliable
• Fast
• Auditable
• Reportable
• Informative
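Steps 3 to 5 above describe turning a control into something executable: state it in plain English, write passing scenarios, run the checks, fix the data until they pass, and hand stakeholders a machine-readable result. The block below is an added example by the editor, not code from the deck or from Conjur, showing that loop for PR.AC-4 (access permissions managed with least privilege and separation of duties) in plain Python rather than a BDD framework. The grant inventory, the roster, the four scenario definitions and the "robots may only deploy" policy are all constructed assumptions for the example.

```python
import json
from collections import defaultdict

# Control under test (NIST CSF PR.AC-4): access permissions are managed,
# incorporating the principles of least privilege and separation of duties.
CONTROL_ID = "PR.AC-4"

# Constructed sample inventory for this example (not from any real system).
# Each grant: (identity, kind, role, environment); kind is human/robot/shared.
ACTIVE_ROSTER = {"alice", "bob", "ci-deployer", "ops-admin"}
GRANTS = [
    ("alice",       "human",  "author",   "prod"),
    ("alice",       "human",  "approver", "prod"),  # authors and approves her own prod changes
    ("bob",         "human",  "approver", "prod"),
    ("bob",         "human",  "author",   "dev"),   # different environment: not a conflict
    ("ci-deployer", "robot",  "deploy",   "prod"),
    ("ci-deployer", "robot",  "admin",    "prod"),  # a robot with more than it needs
    ("ops-admin",   "human",  "admin",    "prod"),
    ("shared-ops",  "shared", "admin",    "prod"),  # shared account: no individual accountability
    ("carol",       "human",  "deploy",   "prod"),  # carol has left but still holds a grant
]

# Assumed policy for this example: CI robots may only deploy.
ROBOT_ALLOWED_ROLES = {"deploy"}


def scenario_separation_of_duties(grants):
    """Given the grants, then no identity both authors and approves in one environment."""
    roles = defaultdict(set)
    for ident, _kind, role, env in grants:
        roles[(ident, env)].add(role)
    return sorted(f"{i}@{e}" for (i, e), r in roles.items() if {"author", "approver"} <= r)


def scenario_robot_least_privilege(grants):
    """Then every robot holds only roles in ROBOT_ALLOWED_ROLES."""
    return sorted(f"{i}:{role}@{e}" for i, kind, role, e in grants
                  if kind == "robot" and role not in ROBOT_ALLOWED_ROLES)


def scenario_no_shared_accounts(grants):
    """Then no grant is held by a shared (non-individual) account."""
    return sorted({i for i, kind, _r, _e in grants if kind == "shared"})


def scenario_no_orphaned_grants(grants, roster):
    """Then every individual grant belongs to someone on the active roster."""
    return sorted({i for i, kind, _r, _e in grants if kind != "shared" and i not in roster})


def evaluate_control(grants=GRANTS, roster=ACTIVE_ROSTER):
    """Run every scenario; the control passes only when no scenario has findings."""
    scenarios = [
        ("no identity both authors and approves changes in one environment",
         scenario_separation_of_duties(grants)),
        ("robots hold only the roles they need",
         scenario_robot_least_privilege(grants)),
        ("no shared accounts hold access",
         scenario_no_shared_accounts(grants)),
        ("every grant belongs to an identity on the active roster",
         scenario_no_orphaned_grants(grants, roster)),
    ]
    results = [{"scenario": name, "status": "FAIL" if findings else "PASS", "findings": findings}
               for name, findings in scenarios]
    overall = "FAIL" if any(r["status"] == "FAIL" for r in results) else "PASS"
    return {"control": CONTROL_ID, "status": overall, "scenarios": results}


def report_json(report):
    """Machine-readable form of the result, for dashboards or an audit trail."""
    return json.dumps(report, indent=2, sort_keys=True)


def remediate(grants, roster):
    """Drop each offending grant so the inventory reaches a consistent pass state.
    Policy choice assumed here: on a separation-of-duties clash, keep the author
    grant and revoke approval; a real fix would be a ticketed review, not a script."""
    clashes = set(scenario_separation_of_duties(grants))
    kept = []
    for ident, kind, role, env in grants:
        if kind == "shared" or ident not in roster:
            continue
        if kind == "robot" and role not in ROBOT_ALLOWED_ROLES:
            continue
        if role == "approver" and f"{ident}@{env}" in clashes:
            continue
        kept.append((ident, kind, role, env))
    return kept


if __name__ == "__main__":
    before = evaluate_control()
    print(report_json(before))  # status FAIL with four findings
    after = evaluate_control(remediate(GRANTS, ACTIVE_ROSTER), ACTIVE_ROSTER)
    print(after["status"])  # PASS
```

Each scenario returns the list of offending identities rather than a bare boolean, so the JSON report names exactly what an auditor or an on-call engineer has to look at; running it on every roster or grant change (the "event" column of Step 3) is what turns a periodic hunt into active analysis.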

IMPROVE: www.10factor.ci

Where do you fall on the cybersecurity spectrum?

Example: NIST-CSF 4 tiers of cybersecurity awareness

• Tier 1 - Partial
• Tier 2 - Risk Informed
• Tier 3 - Repeatable
• Tier 4 - Adaptive (Automated)

There is always more….

Robot, IOT & Machine Identity and Access Control

AI & Access Controls … Access Control for AIs!


Thank You

Elizabeth Lawler
@ElizabethLawler
conjur.net

“It takes a village”... Thank you

Kevin Gilpin, Steve Coplan, Josh Bregman, Andy Ellicott, Dustin Collins, Bryan Sterling, and the team at Conjur

Source: Verizon 2016 Data Breach Investigations Report

Translating to Something Actionable

Control Domains (NIST framework)
● Identify
● Protect
● Detect
● Respond
● Recover

Control Activities & Services for Operators
● Asset Management (CMDB)
● Network Security, Authentication, Key Management
● Log Aggregation and Reporting
● Alerting, Incident Communication and Escalation Plan
● Post-mortems, metrics tracking (e.g., MTTD, MTTR)
