Automating Security and Compliance for Hybrid Environments
Lucy Kerner, Security Global Technical Evangelist and Strategist, Red Hat · [email protected] · @LucyCloudBling
COMMON SECURITY CHALLENGES
Security · Dev · Ops
● Inconsistent Patching
● Inconsistent Configurations
● Change Whodunits
● Secrets Management
● Application Sprawl
● Server Sprawl
Security is frequently the last to know!
SECURITY, COMPLIANCE, AND GOVERNANCE CHALLENGES IN A HYBRID ENVIRONMENT
PRIVATE CLOUD · PUBLIC CLOUD · VIRTUALIZATION · CLOUD · OS · CONTAINERS
● GROWING COMPLEXITY INTRODUCES RISK
● MANUALLY MONITORING SYSTEMS FOR SECURITY + COMPLIANCE BECOMES DIFFICULT
● VISIBILITY AND CONTROL (YOU CAN’T CONTROL WHAT YOU CAN’T SEE)
● MANAGING SECURITY POLICIES CONSISTENTLY
● USER SELF-SERVICE BUT WITH TIGHT CONTROL OVER THE ENTIRE ENVIRONMENT
WHY AUTOMATE SECURITY AND COMPLIANCE ?
81% of hacking-related breaches leveraged either stolen and/or weak passwords.
2017 Verizon Data Breach Investigations Report [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017]
99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident
Focus on the Biggest Security Threats, Not the Most Publicized. Gartner, November 2017
LET’S MANUALLY ENSURE SECURITY + COMPLIANCE ...
● Very time consuming, tedious, boring
● Highly prone to human error
● Bad actions go undetected (no paper trail)
● Not easy to do audits
○ Constant back and forth between Operations + Security teams
● Not repeatable, sharable, or verifiable
INSTEAD, WHAT YOU WANT IS ...
● Centralized management and visibility of your entire heterogeneous infrastructure
○ Windows, Linux, Virtualization, Public/Private Cloud, Containers, Ticketing System, etc.
○ You can’t control what you can’t see
● Infrastructure and Security as code
○ Repeatable, sharable, verifiable, easier to do compliance audits
● Make it easier to pass security audits
○ Controlled visibility into the state of compliance of systems for the security team / security auditor
■ Less back and forth between operations and security teams
○ Proactive scanning and compliance to security baselines
● Security hardened and compliant host at provisioning time
○ Consistency: Eliminate snowflake systems from the start
○ Immutable Operating System: OS can’t be changed by untrusted parties
● Automated proactive continuous monitoring and fixing of all systems in the hybrid environment that are out of compliance, for the entire lifecycle
● Build security into your application pipeline. Automate as much as possible!
WHY AUTOMATION?
● Save time and money
● Reduce risk and avoid expensive human errors
● Protection from security breaches
● Allows you to build security into your application pipeline from the beginning vs having security as an afterthought
● Ensure and enforce ongoing compliance from a consistent centralized place using a common, easy to learn automation language
● Create a compliant host or service at provisioning time
● Repeatable, sharable, verifiable, and easier to do compliance audits
● Continuous security, monitoring, and fixing of all systems in the hybrid environment that are out of compliance for the entire lifecycle
● Automation plays an essential role in system configuration management and DevSecOps
HOW CAN RED HAT HELP ?
SECURITY MUST BE CONTINUOUS
And integrated throughout the IT lifecycle
Security policy, process & procedures
● DESIGN: Identify security requirements & governance models
● BUILD: Built-in from the start; not bolted-on
● RUN: Deploy to trusted platforms with enhanced security capabilities
● MANAGE: Automate systems for security & compliance
● ADAPT: Revise, update, remediate as the landscape changes
SECURITY THROUGHOUT THE LIFECYCLE
DESIGN · BUILD · RUN · MANAGE · ADAPT
TESTED, CERTIFIED, STABLE, AND SUPPORTED OPEN SOURCE SOFTWARE
RED HAT SECURITY ADVISORIES
SECURITY THROUGHOUT THE STACK
BUILT-IN SECURITY AUTOMATION WITH OpenSCAP
● NIST validated and certified Security Content Automation Protocol (SCAP) scanner by Red Hat
● Scans systems and containers for:
○ known vulnerabilities = unpatched software
○ compliance with security policies (PCI-DSS, US Gov baselines, etc.)
● Ansible remediation playbooks provided (new with RHEL 7.5)
● Included in the Red Hat Enterprise Linux base channel
● Red Hat natively ships NIST validated National Checklist content
● SCAP Workbench
○ GUI front end tool for OpenSCAP that serves as an SCAP scanner
○ Provides tailoring functionality for SCAP content
○ Local scanning of a single machine
Security Remediations with OpenSCAP and Ansible
● Ansible remediation playbooks provided (new with RHEL 7.5)
○ Apply a pre-generated Ansible playbook (provided by scap-security-guide)
● Generate a new playbook from a specific security profile (input)
$ oscap xccdf generate fix --fix-type ansible --profile stig-rhel7-disa --output stig-rhel7-disa-profile.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
● Generate a playbook of fixes only (from a completed scan report)
$ oscap xccdf generate fix --fix-type ansible --result-id xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output standard-playbook-result.yml results.xml
○ The --result-id value is the id of the TestResult element that `oscap xccdf eval --results results.xml` wrote into the results file; the generated playbook then contains only the rules that failed in that scan, not the whole profile.
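Reading the results file that the second command consumes, as an added example (this is not code from the slides or from the OpenSCAP project): it parses an XCCDF 1.2 TestResult in the shape `oscap xccdf eval --results` writes, counts the outcomes, lists the rules that should block promotion of the host, and builds the `oscap xccdf generate fix --result-id ...` command from the id found in the file instead of copying it by hand. The sample result document, its rule verdicts and the severity floor are constructed for the example; the result values (pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed) are the ones XCCDF 1.2 defines, and the rule ids follow the scap-security-guide naming scheme.

```python
"""Gate on an OpenSCAP XCCDF 1.2 result file and derive the remediation command.

Added example, not from the slides or from OpenSCAP. Assumes results.xml was
written by: oscap xccdf eval --profile <profile> --results results.xml <datastream>
"""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}

# XCCDF 1.2 result values that mean the control is not met.
FAILING = {"fail", "error", "unknown"}
# Rank used for the severity floor; a rule with a missing or unknown severity is
# treated as "high" so a missing attribute cannot silently wave a failure through.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample in the shape oscap writes (the verdicts are made up for the
# example; a real STIG scan has several hundred rule-result elements).
SAMPLE_RESULTS = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa"
    start-time="2018-05-01T10:00:00" end-time="2018-05-01T10:02:00">
  <profile idref="xccdf_org.ssgproject.content_profile_stig-rhel7-disa"/>
  <target>host.example.com</target>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" severity="medium">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password">
    <result>error</result>
  </rule-result>
</TestResult>
"""


def parse_test_result(xml_text):
    """Return (TestResult id, profile id, {rule id: (result, severity)})."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag == f"{{{XCCDF}}}TestResult" else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no TestResult element; was oscap run with --results?")
    profile = tr.find("x:profile", NS)
    rules = {}
    for rr in tr.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        rules[rr.get("idref")] = (result, rr.get("severity", "unknown"))
    return tr.get("id"), None if profile is None else profile.get("idref"), rules


def summarize(rules):
    """Count of rules per XCCDF result value, e.g. {'fail': 3, 'pass': 2, ...}."""
    counts = {}
    for result, _ in rules.values():
        counts[result] = counts.get(result, 0) + 1
    return counts


def blocking_failures(rules, min_severity="medium"):
    """Rules not met at or above min_severity; any of these blocks promotion."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(rid for rid, (result, sev) in rules.items()
                  if result in FAILING and SEVERITY_RANK.get(sev, 3) >= floor)


def fix_playbook_command(testresult_id, results_path="results.xml", output="fixes.yml"):
    """The 'fixes only' oscap invocation from the slide, with the id taken from the file."""
    return ("oscap xccdf generate fix --fix-type ansible "
            f"--result-id {testresult_id} --output {output} {results_path}")


def gate(xml_text, min_severity="medium"):
    """Decide promotion and hand back what an auditor or operator needs next."""
    tr_id, profile, rules = parse_test_result(xml_text)
    blocking = blocking_failures(rules, min_severity)
    return {
        "profile": profile,
        "summary": summarize(rules),
        "blocking": blocking,
        "promote": not blocking,
        "remediate_with": fix_playbook_command(tr_id),
    }


if __name__ == "__main__":
    verdict = gate(SAMPLE_RESULTS)
    print("promote:", verdict["promote"], verdict["summary"])
    for rid in verdict["blocking"]:
        print("  blocking:", rid)
    print(verdict["remediate_with"])
```

Two design points matter for an audit trail: notapplicable, notchecked and notselected results are excluded from the gate rather than counted as passes, so a tailored profile that deselects rules cannot inflate the pass count, and a rule-result without a severity attribute is treated as high, so the gate fails closed on content that is missing metadata.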
Scanning and Hardening/Remediating Containers with OpenSCAP
● Scan a container for unpatched software
● Scan a container for configuration compliance
$ sudo atomic scan --scan_type configuration_compliance --scanner_args profile=stig-rhel7-disa,report rhel7:latest
● Remediate the container
$ sudo atomic scan --scan_type configuration_compliance --scanner_args profile=stig-rhel7-disa,report --remediate rhel7:latest
○ The atomic CLI is RHEL 7 tooling and is not shipped in RHEL 8, where oscap-podman (openscap-utils) scans container images instead. Remediating a built image is a stop-gap: the durable fix is to apply the remediation in the image build so that every rebuild starts compliant.
MAKING AUDITORS HAPPY WITH OpenSCAP REPORTS
Automated Security and Compliance at scale across a hybrid environment with Red Hat
USING RED HAT TECHNOLOGY IN A HYBRID ENVIRONMENT, HOW CAN I:
1) Create a security compliant host at provisioning time
2) Do continuous monitoring and security for both VMs and containers
a) Automate ongoing security compliance and remediations
b) Enforce governance and control in an automated fashion
c) Visibility and control for operations teams
i) Restricted visibility into the environment for security teams
d) Proactive security and automated risk management
Provisioning a security compliant host
Enforcing compliance with security policies in an automated fashion
Automated Security and Compliance with Red Hat Openshift
IMPROVING SECURITY WITH CONTAINERS AND OPENSHIFT
"In Security, consistency and repeatability is key. Adopting containers in a container platform will improve your security."
US Government Panel, OpenShift Commons Briefing, December 2017
US Courts · US Citizen and Immigration Services · Oak Ridge National Laboratory · Internal Revenue Service
Journey of DevSecOps, US Department of Homeland Security, June 2017
IMPROVED SECURITY WITH CONTAINERS
● Improved Patch Management
● Consistent & Secure Configurations
● Record of Changes
● Secrets Management
● Application Sprawl
● Server Sprawl
Higher Dev Productivity · More Security Built-In · Faster, Easier Deployment for Ops
Security Benefits of Containerized Infrastructure
● Standard, hardened infrastructure
○ Force applications to be in line with defined security policies
● Read-only containers = application whitelisting
● Continually (re)deploying from a known good source
○ Standardized base container images
● No humans in production: SSH turned off
● Patching improvements
● Complete record of change
● Minimal OS
● Pipeline integration moves security left
● Security gates: nothing goes to production unless all checks have passed
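A check that turns the bullets above into a gate, as an added example (not code from the slides, from OpenShift or from Kubernetes): it walks a pod manifest and reports every container that is not read-only, may run as root, keeps privileges, exposes an SSH port, or is not pulled by digest or immutable tag from the trusted registry. The manifest, the container names and `registry.example.com` as the trusted registry are constructed for the example; the field names are the standard Kubernetes pod and container `securityContext` fields.

```python
"""Gate a pod manifest on the container security properties listed above.

Added example, not from the slides, OpenShift or Kubernetes. The manifest and
the trusted registry name are constructed for the example; the securityContext
fields are the standard Kubernetes ones.
"""

# Assumption for the example: only images from this registry are trusted.
ALLOWED_REGISTRIES = ("registry.example.com/",)

# Constructed manifest: a hardened "web" container next to a "debug" sidecar
# that violates most of the rules.
MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "shop"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},   # pod-level default
        "containers": [
            {
                "name": "web",
                "image": "registry.example.com/shop/web@sha256:"
                         "6f3b0d6b9e4c1a0fbd2b8d8f1a7c8a4e1f2e3d4c5b6a79880716253443526170",
                "ports": [{"containerPort": 8080}],
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
                # a read-only root still needs a writable scratch path
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            },
            {
                "name": "debug",
                "image": "docker.io/library/ubuntu:latest",
                "ports": [{"containerPort": 22}],
                "securityContext": {"privileged": True},
            },
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def effective(container, pod_spec, key):
    """securityContext value with Kubernetes precedence: container overrides pod."""
    c = container.get("securityContext", {})
    return c.get(key, pod_spec.get("securityContext", {}).get(key))


def image_is_pinned(image):
    """True for a digest reference or a tag other than the (implicit) latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/path, keep name[:tag]
    return ":" in last and not last.endswith(":latest")


def container_violations(container, pod_spec):
    """Human-readable findings for one container; an empty list means it passes."""
    name = container["name"]
    sc = container.get("securityContext", {})
    found = []
    if sc.get("readOnlyRootFilesystem") is not True:
        found.append(f"{name}: root filesystem is writable (set readOnlyRootFilesystem: true)")
    if effective(container, pod_spec, "runAsNonRoot") is not True:
        found.append(f"{name}: may run as root (set runAsNonRoot: true)")
    if sc.get("privileged") is True:
        found.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation") is not False:
        found.append(f"{name}: privilege escalation allowed (set allowPrivilegeEscalation: false)")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        found.append(f"{name}: capabilities not dropped (add capabilities.drop: [ALL])")
    for port in container.get("ports", []):
        if port.get("containerPort") == 22:
            found.append(f"{name}: exposes port 22; no interactive SSH in production")
    image = container["image"]
    if not image.startswith(ALLOWED_REGISTRIES):
        found.append(f"{name}: image {image} is not from a trusted registry")
    if not image_is_pinned(image):
        found.append(f"{name}: image {image} is not pinned to a digest or immutable tag")
    return found


def pod_violations(manifest):
    """All findings for a pod, host namespace sharing first, then each container."""
    spec = manifest["spec"]
    found = [f"pod: shares host {ns}" for ns in ("hostPID", "hostNetwork", "hostIPC")
             if spec.get(ns)]
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        found.extend(container_violations(container, spec))
    return found


def admit(manifest):
    """The gate: nothing reaches production unless every check passed."""
    return not pod_violations(manifest)


if __name__ == "__main__":
    for finding in pod_violations(MANIFEST):
        print("DENY", finding)
    print("admitted:", admit(MANIFEST))
```

readOnlyRootFilesystem only holds if the paths the application writes to (here /tmp) are mounted as volumes, which is why the hardened container carries an emptyDir. OpenShift's security context constraints enforce most of these settings at the API server; a check like this belongs in the pipeline's security scan stage as a pre-flight so a bad manifest never reaches the cluster, not as the only control.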
84% of open source projects do not fix known security defects.
* 2017 State of the Software Supply Chain by Sonatype
RED HAT SUPPLY CHAIN SECURITY
Upstream community projects → Red Hat solutions → Red Hat customers
● Community leadership
● Package selection
● Manual inspection
● Automated inspection
● Packaging guidelines
● Trusted builds
● Quality assurance
● Certifications
● Signing
● Distribution
● Support
● Security updates/patches
"Never pass defects to downstream work centers."
* The Phoenix Project by George Spafford, Kevin Behr, and Gene Kim
AUTOMATE QUALITY
SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT
OPENSHIFT SOFTWARE FACTORY: AUTOMATED QUALITY
Pipeline stages: REQ → DEV → UNIT TEST → CODE QUAL → SEC SCAN → INT TEST → QA/UAT → PROD
Tooling shown along the pipeline:
● Trusted code repos
● Requirements and tracking: Jira, Trello
● Developer tooling: Che, JBDS
● Unit and integration tests: Cucumber, Arquillian, JUnit
● Code quality: SonarQube, Fortify
● Security scan: Atomic Scan, Black Duck, Twistlock
● Runtime monitoring: Sysdig, Dynatrace
● Governance: CCB, RAPID ATO, CM, CS
"The last thing most managers think about is how to get a new product back if something goes wrong."
* A Strategic Approach to Managing Product Recalls by N. Craig Smith, Robert J. Thomas, and John Quelch for HBR
If you have three days to patch out a CVE in prod, can you?
SOFTWARE SUPPLY CHAIN SECURITY POWERED BY RED HAT OPENSHIFT (the same pipeline, with the Patch path highlighted)
Patch → trusted code repos → DEV → UNIT TEST → CODE QUAL → SEC SCAN → INT TEST → QA/UAT → PROD
A CVE fix is a change like any other: it enters the trusted repo, the image is rebuilt, and it passes the same gates before it reaches production, instead of being repaired by hand on the running system.
This is DevSecOps
GENERAL DISTRIBUTION
DEV(SEC)OPS
Everything as code
Automate everything
Application is always releasable
Continuous Integration/Delivery
Application monitoring
Control Planes vs Data Planes
Delivery pipeline
Rebuild vs. Repair
BRINGING IT ALL TOGETHER
OpenShift Application Lifecycle Management (CI/CD): Build Automation, Deployment Automation
Service Catalog (Language Runtimes, Middleware, Databases): Self-Service
Infrastructure Automation & Cockpit: Networking, Storage, Registry, Logs & Metrics, Security
Container Orchestration & Cluster Management (Kubernetes)
Enterprise Container Host: Red Hat Enterprise Linux, Ansible / CloudForms, RHEL Container Runtime & Packaging, SELinux and SCC
CONTROL
DEFEND
EXTEND
CONTROL: Container Content, Container Registry, CI/CD Pipeline, Deployment Policies
DEFEND: Container Host Multi-tenancy, Container Platform, Network Isolation, Storage, Audit & Logging, API Management
EXTEND: Security Ecosystem
THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as:
● Network Security
● Identity and Access Management / Privileged Access Management
● External Certificate Authorities
● External Vaults / Key Management solutions
● Container content scanners & vulnerability management tools
● Container runtime analysis tools
● Security Information and Event Management (SIEM)
And use open source & open standards.
More about OpenShift Primed Partners
Automate ongoing security compliance and remediations
Proactive Security and Automated Risk Management with Red Hat Insights
USING RED HAT TECHNOLOGY YOU TOO CAN:
1) Create a security compliant host at provisioning time
2) Do Continuous Monitoring and Security for both VMs and Containers
   a) Automate ongoing security compliance and remediations
   b) Enforce governance and control in an automated fashion
   c) Visibility and Control for operations teams
      i) Restricted visibility into environment for security teams
   d) Proactive Security and Automated Risk Management
All with FLEXIBILITY + CHOICE using a combination of OpenShift, OpenSCAP, Red Hat CloudForms, Red Hat Satellite, Red Hat Ansible Automation, and Red Hat Insights
Can I try these demos hands on?
● This lab environment is hosted online on the Red Hat Product Demo System (RHPDS)
○ Accessible by Red Hat Partners and Red Hat Employees. Red Hat customers, please work with your Red Hat account team, who can access and provision this lab environment for you.
■ Security and Compliance Automation Lab doc: https://github.com/RedHatDemos/SecurityDemos/blob/master/ProactiveSecurityCompliance/documentation/README.adoc
● Ansible playbooks used in lab/demo environment: https://github.com/RedHatDemos/SecurityDemos/tree/master/ProactiveSecurityCompliance
● Also, Ansible remediation playbooks for SCAP profiles are available directly in RHEL 7.5
■ Red Hat Enterprise Linux Security Technologies Lab doc: https://github.com/RedHatDemos/SecurityDemos/blob/master/RHELSecurityLabSummit/documentation/README.adoc
SECURITY @ RED HAT SUMMIT 2018
Many security sessions, including this session, were recorded and are now on YouTube! Visit: https://www.youtube.com/user/redhatsummit/videos
THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews