Automating security policies
From deployment to auditing with Rudder

Jonathan CLARKE – jcl@normation.com   Normation – CC-BY-SA
                                      normation.com
Who am I?

●   Jonathan Clarke
     ●   Job: Co-founder and CTO at Normation
     ●   Line of work:
          –   Initially system administration, infrastructure management...
          –   Now a whole load of other stuff!
     ●   Free software:
          –   Co-creator of Rudder
          –   Developer in several LDAP projects: LSC, LTB, OpenLDAP...
          –   Contributor to CFEngine

    Contact info
    Email: jcl@normation.com
    Twitter: @jooooooon42 (that's 7 'o's!)
Context

IT infrastructure
Context

IT infrastructure
  Automation
Context

IT infrastructure
  Automation
    Motivations:
    - Avoid human error
    - Build new hosts quickly
    - Rebuild hosts quickly
    - Scale out quickly
Context

IT infrastructure
  Automation
    Tools: (tool logos, image not extracted)
What about compliance?

IT infrastructure
  Compliance?
What about compliance?

IT infrastructure
  Compliance?
    Motivations:
    - Know about config drift
    - Get a complete overview
    - Get an objective overview
    - Prove compliance
What about compliance?

IT infrastructure
  Compliance to what?
What about compliance?

IT infrastructure
  Compliance to what?
    Rules come from everywhere:
    - Laws
    - Industry regulations
    - Corporate regulations
    - Best practices
What about compliance?

IT infrastructure
  Compliance to what?
    Practical examples:
    - MOTD “warning”
    - Password policy
    - Enforce some parameters in a service
    - Tripwire (disk contents)
How is this different from “just” automation?

Automation vs Compliance

How different is this technically?
How is this different from “just” automation?

Frequency

The more often you check, the more reliable your compliance reporting is.

How can you reach this goal?
- Lightweight, efficient agent
- Run “slow” checks in the background (file copying over network...)
- Focus on the security checks
- Reporting can be done later
How is this different from “just” automation?

All or nothing

Compliance matters on each and every system. Not “most”. All of them.

How can you reach this goal?
- Make sure you know what systems exist: rely on an inventory DB
- Support all the {old,weird,buggy} {OS,software,versions}
- Two systems may be alike on paper; they very rarely are in reality.
How is this different from “just” automation?

You cannot get it wrong.
You cannot get it wrong.
You cannot get it wrong.

If you care about compliance, “prod” is usually pretty real.

How can you reach this goal?
Fake ID + prebook flight to Cayman islands?
How is this different from “just” automation?

You cannot get it wrong.
You cannot get it wrong.
You cannot get it wrong.

If you care about compliance, “prod” is usually pretty real.

How can you reach this goal?
- Don't touch stuff you don't need to. Be specific. (One line in a file?)
- Start with no changes. Just check. Dry-run? Cover full cycles (days, weeks, months...)
- Classic quality control (reviews...)
So, what have we actually done?

Applied these principles in (product logo, image not extracted)
Introducing Rudder

http://rudder.cm/

- Specifically designed for automation & compliance
- Simplified user experience via a Web UI
- Based on CFEngine 3
- Graphical reporting
- Multi-platform (packaged for each OS)
- Open Source

Vagrant config to test: https://github.com/normation/rudder-vagrant/
Introducing Rudder

(screenshot, image not extracted)
Key points for security compliance

- Continuous checking (every 5 minutes): high frequency, trust in compliance reporting
- Separate configuration from implementation: reuse implementations, fewer bugs, shared code... Clear separation of roles
- Multi-platform (Linux, Unix, Windows, Android...): cover as many systems as possible
- Reporting (done after the checks, in a separate process): avoid a bottleneck; different report types
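The practical examples from the “Compliance to what?” slide (MOTD warning banner, password policy parameters, Tripwire-style disk contents) and the principles on this slide and the “You cannot get it wrong” one (start with no changes and just check, enforce only afterwards, build the report after all checks as a separate step) can be shown together in one small runner. The Python below is an added example written for this page; it is not Rudder or CFEngine code. The rule names, the banner text, the login.defs values, the sudoers hash and the drifted sample host state are all constructed for the demonstration, and the files are written under a temporary directory rather than read from a real system.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

@dataclass
class Result:
    rule: str
    compliant: bool  # host state after this run
    repaired: bool   # True only when enforce mode changed something
    detail: str

def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return b""

def banner_line(path, line, mode):
    """MOTD 'warning' rule: the banner line must be present in the file."""
    if line in _read(path).decode().splitlines():
        return Result("motd-banner", True, False, "banner present")
    if mode != "enforce":
        return Result("motd-banner", False, False, "banner missing")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return Result("motd-banner", True, True, "banner appended")

def parameter(path, key, value, mode):
    """'KEY VALUE' rule for files such as login.defs or sshd_config.
    Only an active line counts: a commented-out default is not a setting."""
    text, rule = _read(path).decode(), f"param:{key}"
    pat = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]+(\S+)[ \t]*$", re.M)
    match = pat.search(text)
    if match and match.group(1) == value:
        return Result(rule, True, False, f"{key} = {value}")
    if mode != "enforce":
        found = match.group(1) if match else "<unset>"
        return Result(rule, False, False, f"{key} is {found}, expected {value}")
    if match:  # rewrite the active line in place, otherwise append the setting
        text = pat.sub(lambda _m: f"{key} {value}", text, count=1)
    else:
        text += ("" if not text or text.endswith("\n") else "\n") + f"{key} {value}\n"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return Result(rule, True, True, f"{key} set to {value}")

def integrity(path, expected_sha256, mode):
    """Tripwire-style rule: disk contents must match a known-good hash. Audit-only
    even in enforce mode: drift in a sensitive file is a finding to investigate."""
    actual = hashlib.sha256(_read(path)).hexdigest()
    ok = actual == expected_sha256
    detail = "hash matches" if ok else f"hash drift ({actual[:12]}...)"
    return Result(f"integrity:{os.path.basename(path)}", ok, False, detail)

def run(checks, mode):
    """Run every check first; the report is built afterwards as a separate step."""
    results = [check(mode) for check in checks]
    return results, summarize(results)

def summarize(results):
    total, ok = len(results), sum(1 for r in results if r.compliant)
    return {"total": total, "compliant": ok, "non_compliant": total - ok,
            "repaired": sum(1 for r in results if r.repaired),
            "percent": round(100 * ok / total) if total else 100}

# Constructed policy values for the demonstration (not from any real baseline).
BANNER = "Authorised access only. Activity is monitored and logged."
KNOWN_GOOD_SUDOERS = hashlib.sha256(b"root ALL=(ALL) ALL\n").hexdigest()

def build_sample_host(root):
    """Constructed, deliberately drifted host state written under root."""
    files = {"motd": "Welcome to build-server-01\n",
             "login.defs": "# PASS_MAX_DAYS 90\nPASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n",
             "sudoers": "root ALL=(ALL) ALL\n"}
    for name, content in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)

def checks_for(root):
    """The policy: four rules bound to the files under root."""
    motd, defs, sudo = (os.path.join(root, n) for n in ("motd", "login.defs", "sudoers"))
    return [lambda m: banner_line(motd, BANNER, m),
            lambda m: parameter(defs, "PASS_MAX_DAYS", "90", m),
            lambda m: parameter(defs, "PASS_MIN_LEN", "12", m),
            lambda m: integrity(sudo, KNOWN_GOOD_SUDOERS, m)]

def demo():
    """Dry-run first, then enforce, then verify; returns the three summaries."""
    root = tempfile.mkdtemp()
    build_sample_host(root)
    checks = checks_for(root)
    return tuple(run(checks, mode)[1] for mode in ("audit", "enforce", "audit"))

if __name__ == "__main__":
    for phase, summary in zip(("dry-run", "enforce", "verify"), demo()):
        print(phase, summary)
```

The first pass runs in audit mode and changes nothing, which is the dry-run the slides recommend before touching a production host; it reports one compliant rule out of four. The enforce pass repairs the banner and the two login.defs parameters but leaves the sudoers drift check as a report-only finding, since a file-integrity rule that overwrites content would hide exactly the change it is meant to surface. The final audit pass shows the same checks being re-run against the repaired state, with nothing left to repair, which is what a continuous 5-minute verification loop would keep producing until something drifts again.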
Rudder - workflow

(workflow diagram; text recovered from the slide)
- Management: define security policy; changes (fixes, upgrades...)
- Community / Expert: technical abstraction (method vs parameters)
- Sysadmins: configure parameters
- Configuration agent: initial application, continuous verification
- REPORTING
Final thoughts

Summary:
- Security compliance is a very demanding type of automation
- Possible today with open source tools
- Main issue is about how you use them!

Next steps?
- Authorizations: who can change which parameters? (law vs regulations vs policy...)
- Correlate with monitoring data: determine root causes, cross effects...

It works but the tools can be improved:
- detect changes (inotify?) - even 1 minute not always enough
- dry-run iterations automatically?
Questions?

Follow us on Twitter: @RudderProject
