SECURITY FOR HUMANS
I am Dustin Collins
Organizer of the Boston DevOps meetup
Developer Advocate at Conjur
THIS TALK IS NOT ABOUT
⊡ patching exploits
⊡ network security
⊡ container breakout
⊡ insider threats
⊡ cloud
⊡ encryption
⊡ intrusion analysis
⊡ security tooling
EXPECTATIONS
THIS TALK IS ABOUT
⊡ integrating security into modern workflows
⊡ managing conflicts of interest
“I'm sorry, Dave. I'm afraid I can't do that.”
high risk, low reward
UNINTENDED CONSEQUENCES
EXAMPLES, PLEASE
⊡ Needs to use a new API to fetch geodata
⊡ Downloads the secret token
⊡ gitignores it for development, keeping it out of source control
⊡ App now breaks in production
DEVELOPER
EXAMPLES, PLEASE
⊡ Needs to roll out containers for internal PaaS
⊡ Bakes secrets into Docker images
⊡ Password rotation now requires a redeploy of application
OPERATIONS
EXAMPLES, PLEASE
⊡ Needs to keep an inventory of running services
⊡ Rolls out a tool to do it through an internal web dashboard
⊡ With no API available, is now a bottleneck to launching new services
SECURITY
EXAMPLES, PLEASE
⊡ Signs a contract with a vendor for identity management solution
⊡ Only works on AWS
⊡ Dev workflow is full of workarounds
⊡ Ops is constrained to one platform
⊡ Security isn’t happy with built-in reporting
BUSINESS USER
THE DONNER PARTY
“Addressing the individual needs of the distinct User Personas, and paying special attention to the points at which their needs intersect is the key to driving adoption, usage, and ultimately delivering a successful product experience.”
Dan Warner, Director of UX @ Conjur
App Developer (engineer)
Primarily responsible for feature work. Lives in a Continuous Integration workflow. Supports lots of fun tools locally, but has disdain for imposed “dependencies.”
Skills: Typical Python development stack, Vagrant, Homebrew...
Equipment: Command Line. IDE. OSX. Laptop with multiple virtualized dev environments.
Quotes:
“Trying to figure out how to integrate with your system is not a great use of my time.”
“It works on my laptop.”
Stories:
● As an app developer, I want to write and test features without thinking about security, so that I can continuously deliver.
● As an app developer, I want the code I write to work in prod the same way it works in dev and test, so that I don’t have to spend cycles troubleshooting with QA.
OPS Guy (sysadmin, DevOps *, IT Admin, * of Operations)
Primarily responsible for architecting and maintaining IT infrastructure including CI pipeline, SOX (and other audit) compliant data environments, controlling automation costs.
Skills: A working knowledge of many diverse technologies: Ruby, ELK stack, Chef, Docker, Stackdriver, Bash Scripting, AWS, Jenkins, Nagios, Vagrant...
Equipment: Command Line. OSX. Laptop with multiple virtualized dev environments. Homespun Ops Dashboard. The UIs of various tools like Jenkins and Kibana.
Quotes:
“The people in the meeting are going to be suits. Rather than show them some command line interface that they don’t understand, I would like to run it through a nice web interface.”
“Which of the users on the product team have accessed this secret? When was the last time someone on the product team accessed this secret?”
Stories:
● As an ops guy I want to see who has accessed a particular secret (or server, host, etc.), so that I can report to the responsible parties.
● As an ops guy, I want easy queryability (like Facebook search), so that I can find what I want quickly and do some level of discovery.
● As a (less technical) IT Admin I want to be able to spin up a secure server from a GUI.
● As an IT Admin I want to easily identify anomalies in secrets access, so that I can focus my time where it is needed.
Security User (CISO, InfoSec, * of IT Security)
Primarily responsible for data security, DLP, incident response, audit and compliance.
Skills: A high level understanding of the potential risks posed by new technologies.
Equipment: Reports. Dashboards. PowerPoint. Google Docs. Email. Mobile alerts. SIEM.
Quotes: XX REDACTED XX
Stories:
● As a VP of IT Security I want a blueprint for launching a secure server in a non-secure location, so that my team can leverage the public cloud.
● As CISO I want to choose tools that integrate with existing systems and make my team happy, so that my choices don’t slow my team down or demotivate them.
Business User (CIO, CTO, VP IT, Project Manager)
Primarily responsible for aligning IT Strategy with the Business Goals, driving efficiency, building and motivating the team, making decisions about where to invest IT dollars, SOX (and other audit) compliant data environments, controlling cost.
Skills: High level understanding of many, diverse technologies.
Equipment: Reports. Dashboards. PowerPoint. Google Docs. Email.
Quotes:
“Chef. Docker. Puppet. Amazon. On-prem… we use all of the above.”
“I know we are doing DevOps. I’m just not 100% sure what that means.”
“My top concern is SOX compliance.”
Stories:
● As CTO I want to see who had access to a secure DB server and when, so that I can comply with my SOX strategy.
● As CTO I want real-time, self-service reporting and SIEM integration, so that I know this data is part of our complete security picture and nothing is falling through the cracks.
● As VP of IT I want a blueprint for launching a secure server in a non-secure location, so that my team can leverage the public cloud.
● As VP of IT I want to choose tools that integrate with existing systems and make my team happy, so that my choices don’t slow my team down or demotivate them.
⊡ Create and maintain user personas
⊡ Conduct user interviews
⊡ Share data with stakeholders
⊡ Mediate post-mortems for security issues
⊡ Raise the visibility of how security works
CROSS-FUNCTIONAL SECURITY UX TEAM
SUGGESTION
THINGS TO AVOID
⊡ Developer workflows that depend on gitignoring credentials
⊡ Credential rotation schemes that require redeploys
⊡ More than one way to access credentials that depends on the environment
⊡ Cloud-specific solutions
⊡ Security tools without programmable APIs
⊡ Shoehorning security into collaborative tools - it limits their effectiveness (Chef, Jenkins, etcd, Docker)
⊡ Not checking your security policy into source control (plain text is better than nothing)
THANKS!
Any questions?
You can find me at
dustinrcollins.com