Elizabeth Lawler - DevOps, Security, and Compliance Working in Unison
TRANSCRIPT
Join the conversation #devseccon
DevOps, Security, and Compliance
WORKING IN UNISON
Co-Founder, Conjur Inc
What I get excited about…
Cybersecurity as a “public health” problem
Providing better security related experiences as a business
Access controls at scale for “silica users” and “robots”
My husband, kids, dog, cat, & chickens
At-risk connections (Cloud & IoT)
People can’t keep up
Then vs. now:
Complexity: then, a known number of identifiable components; now, hundreds to millions of system components.
Provisioned by: then, people, with or without approvals; now, people and code, with uncertain approvals and uncertain traceability.
Provisioned in: then, days, weeks, months, even years; now, seconds to minutes.
Threat concerns: then, insiders and physical/environmental tampering; now, tampered code and hijacked systems.
[Timeline: Mainframe, Client/Server, Web, Containerized, Cloud]
[Diagram: delivery pipeline from Developer, to Dev team, to Dev team, tools, & tools admins, to Dev team, tools, tools admins, & operators, passing through Check and Deploy stages into INFRASTRUCTURE]
The business sees … Velocity!
Security and compliance sees…
• Phished admin creds
• Credentials in GitHub
• Malware injection
• DDoS platform
• Side-channel IT resources for bitcoin mining
• Out-of-date libraries
Can we trust these people?
Story #1: “Meet the compliance team [Spike]”
• Don’t let security and compliance be unplanned work
GET BUY-IN / PLAN / IMPROVE
Start Here: Persona Map of Your Organization
• Security strategy aligned with business goals
• Policies that map to security and compliance controls and key threats
• Simple security model that scales, no pager fatigue
• Application security policies that work from dev to prod and don’t mess with “flow”
Say… “What?!”
• Directive 95/46/EC
• HIPAA
• NIST-CSF
• SOX
• PCI
• PIPEDA
• ID.AM-2: Software platforms within the organization are inventoried
Informative references: CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
• ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Informative references: COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
Technology serves compliant and secure behavior
Step 2: Categorize Risk By Severity/Prevalence
Common threat actions are often “in-scope”
1. Access control
2. Management of virtual assets and inventories
3. Credentials and shared accounts
Source: Verizon Breach Report 2015, “Threat Actions by Type”
Step 3: Describe the risk and proposed mitigation
R3. An external actor gains unauthorized access to production or pre-production environments
CS3. Unauthorized access is prevented, detected, and corrected through the regular review of access credentials and system configuration
Source: DevOps Audit Defense Toolkit 2015
[Diagram: the same delivery pipeline, Developer through Dev team, tools, tools admins, & operators, with Check and Deploy stages into INFRASTRUCTURE]
Can you run the control through this system?
Step 3: Then Automate the Process (…or not!)
EXAMPLE COMPLIANCE CONTROL
PR.AC-1: Identities and credentials are managed for authorized devices and users
STATIC OR ACTIVE ANALYSIS
Processes and procedures for managing identities and credentials are documented
STATIC ANALYSIS
Compliance procedures like checklists with signoff, tickets, forms, and periodic “hunts” for violations
EVENT
• Hire a new person
• Provision a new device
• Elevate auth for a system admin
ACTIVE ANALYSIS
Automated tooling to provide function or gate processes, continuous logging of activities, active automated warnings, and executive reporting views as real-time risk communication
Step 4: Test and Verify the Control
Teams that focus on testing, early detection, and measuring progress have 30% fewer [security] defects in production
Source: The Journey to DevSecOps, Shannon Lietz, 2016
NIST CONTROL PR.AC-4
• Describe compliance in plain English
• What do you have in place / plan to have in place?
• Describe passing scenarios
• Write code that leads to a consistent pass state
• Write tests and run them (on FAIL, loop back)
Source: Audit Compliance with BDD tools, Conjur blog
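As an added example (not from the deck, and not Conjur's own code), the following Python check turns the PR.AC-1 "active analysis" column and Step 4's "describe passing scenarios, write code, write tests and run them" into a runnable control test. The passing scenarios are written in plain English as comments, the inventory and event schema are assumptions, and the inventory contents and event stream are constructed so the check can run offline; the final summary is a JSON-shaped dict in the spirit of Step 5.

```python
"""Automated control check for NIST CSF PR.AC-1 (identities and credentials
are managed for authorized devices and users). Added example; the data
model and function names are assumptions, not any product's schema."""

import json
from dataclasses import dataclass, asdict

# Plain-English passing scenarios (Step 4: "describe passing scenarios"):
#   1. Every user credential is issued to an identity in the HR-backed inventory.
#   2. Every device credential is issued to a device in the asset inventory.
#   3. Every privilege elevation for a system admin cites an approval ticket.
#   4. No credential is shared by more than one subject.


@dataclass(frozen=True)
class Inventory:
    users: frozenset
    devices: frozenset


@dataclass(frozen=True)
class Finding:
    control: str
    event_id: str
    detail: str


# Constructed inventory (assumed to be fed from HR and the CMDB).
INVENTORY = Inventory(
    users=frozenset({"alice", "bob"}),
    devices=frozenset({"build-agent-01", "web-07"}),
)

# Constructed event stream mirroring the deck's three event types.
EVENTS = [
    {"id": "e1", "type": "hire", "subject": "alice", "credential": "cred-a1"},
    {"id": "e2", "type": "provision_device", "subject": "web-07", "credential": "cred-d7"},
    {"id": "e3", "type": "elevate_auth", "subject": "bob", "credential": "cred-b2", "approval": "CHG-1042"},
    {"id": "e4", "type": "hire", "subject": "mallory", "credential": "cred-m9"},             # not in HR inventory
    {"id": "e5", "type": "provision_device", "subject": "rogue-box", "credential": "cred-a1"},  # unknown device, reused credential
    {"id": "e6", "type": "elevate_auth", "subject": "alice", "credential": "cred-a1"},         # no approval ticket
]


def evaluate_pr_ac_1(inventory, events):
    """Return one Finding per broken passing scenario. An empty list is the
    'consistent pass state' Step 4 asks the code to reach."""
    findings = []
    credential_owner = {}  # credential -> subject it was first issued to
    for ev in events:
        eid, etype, subject, cred = ev["id"], ev["type"], ev["subject"], ev["credential"]
        if etype == "hire" and subject not in inventory.users:
            findings.append(Finding("PR.AC-1", eid, f"credential {cred} issued to unknown user {subject}"))
        if etype == "provision_device" and subject not in inventory.devices:
            findings.append(Finding("PR.AC-1", eid, f"credential {cred} issued to uninventoried device {subject}"))
        if etype == "elevate_auth" and not ev.get("approval"):
            findings.append(Finding("PR.AC-1", eid, f"privilege elevation for {subject} has no approval reference"))
        owner = credential_owner.setdefault(cred, subject)
        if owner != subject:
            findings.append(Finding("PR.AC-1", eid, f"credential {cred} shared between {owner} and {subject}"))
    return findings


def control_passes(inventory, events):
    """True when the event stream satisfies every passing scenario."""
    return not evaluate_pr_ac_1(inventory, events)


def summarize(findings):
    """Stakeholder-facing summary (Step 5: 'do you speak JSON?')."""
    return {
        "control": "PR.AC-1",
        "status": "PASS" if not findings else "FAIL",
        "finding_count": len(findings),
        "events_with_findings": sorted({f.event_id for f in findings}),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(evaluate_pr_ac_1(INVENTORY, EVENTS)), indent=2))
```

Running the module prints a FAIL summary for the constructed stream: e4, e5 and e6 each break a scenario (e5 breaks two), while the first three events alone pass. In practice the inventory and events would come from the HR, CMDB and logging feeds the deck lists under control activities, and the test would run on every change rather than at audit time.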
Step 5: Communicate controls to stakeholders: “Excuse me … do you speak JSON?”
• Repeatable
• Reliable
• Fast
• Auditable
• Reportable
• Informative
Improve: www.10factor.ci
Where do you fall on the cybersecurity spectrum?
Example: NIST-CSF, 4 tiers of cybersecurity awareness
• Tier 1 - Partial
• Tier 2 - Risk Informed
• Tier 3 - Repeatable
• Tier 4 - Adaptive
Automated
There is always more….
Robot, IoT & Machine Identity and Access Control
AI & Access Controls … Access Control for AIs!
Thank You
Elizabeth Lawler
@ElizabethLawler
conjur.net
“It takes a village”... Thank you
Kevin Gilpin, Steve Coplan, Josh Bregman, Andy Ellicott, Dustin Collins, Bryan Sterling, and the team at Conjur
Source: Verizon 2016 Data Breach Investigations Report
Translating to Something Actionable
Control Domains (NIST framework)
● Identify
● Protect
● Detect
● Respond
● Recover
Control Activities & Services for Operators
● Asset Management (CMDB)
● Network Security, Authentication, Key Management
● Log Aggregation and Reporting
● Alerting, Incident Communication and Escalation Plan
● Post-mortems, metrics tracking (e.g., MTTD, MTTR)